Skip to content

fix(auth): append trailing slash to native/fast authenticate endpoint#507

Merged
majd merged 1 commit into
majd:mainfrom
Vadim-B52:fix_api
Jul 5, 2026
Merged

fix(auth): append trailing slash to native/fast authenticate endpoint#507
majd merged 1 commit into
majd:mainfrom
Vadim-B52:fix_api

Conversation

@Vadim-B52

@Vadim-B52 Vadim-B52 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Apple's account bag now returns the authentication endpoint as https://auth.itunes.apple.com/auth/v1/native/fast. That endpoint only responds correctly when the path has a trailing slash; posting to it without the slash makes Apple's edge return a 301/204 with an empty or HTML body, so 'ipatool auth login' fails to parse the response and silently dies (observed as the 'plist: unexpected hex digit' error or a -5000 with no usable message).

ipatool posted the endpoint verbatim as received from the bag. Add authenticateURL() to normalize /native/ endpoints by appending the trailing slash (legacy MZFinance endpoint left untouched), and use it in loginRequest.

Also improve http client diagnostics: when an XML response body is not a property list, return 'unexpected response from Apple (HTTP ): ' instead of the opaque plist parse error.


Summary by cubic

Fix login failures against Apple’s native auth endpoint by appending a trailing slash. Also make XML error responses readable when Apple returns HTML instead of a plist.

  • Bug Fixes
    • Normalize /native/ auth endpoints via authenticateURL() to append a trailing slash; used in loginRequest and leaves legacy MZFinance endpoints unchanged.
    • Improve pkg/http XML handling: when the body isn’t a plist, return unexpected response from Apple (HTTP <code>): <snippet> with HTML stripped, avoiding the opaque “plist: unexpected hex digit” error.

Written for commit a69db1ab97731d50037c1cfaf9152ca75119d60d. Summary will update on new commits.

Review in cubic

Apple's account bag now returns the authentication endpoint as
https://auth.itunes.apple.com/auth/v1/native/fast. That endpoint only
responds correctly when the path has a trailing slash; posting to it
without the slash makes Apple's edge return a 301/204 with an empty or
HTML body, so 'ipatool auth login' fails to parse the response and
silently dies (observed as the 'plist: unexpected hex digit' error or a
-5000 with no usable message).

ipatool posted the endpoint verbatim as received from the bag. Add
authenticateURL() to normalize /native/ endpoints by appending the
trailing slash (legacy MZFinance endpoint left untouched), and use it in
loginRequest.

Also improve http client diagnostics: when an XML response body is not a
property list, return 'unexpected response from Apple (HTTP <code>):
<snippet>' instead of the opaque plist parse error.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jpstotz

jpstotz commented Jul 2, 2026

Copy link
Copy Markdown

I think we already have quite a few PRs on that topic. It would be nice if you could describe your changes compared to the other PRs like #505 #502 #493 ...

@tap3w0rm

tap3w0rm commented Jul 5, 2026

Copy link
Copy Markdown

Confirmed this fixes the auth login failure on Windows.

Environment:

  • Windows
  • ipatool v2.3.0 release failed with:
    failed to unmarshal xml: plist: error parsing text property list: unexpected hex digit h``
  • Built this PR branch at a69db1a
  • Login completed successfully with the patched build
  • Successfully downloaded an App Store IPA afterward

Thanks for the fix.

@majd majd merged commit fd63034 into majd:main Jul 5, 2026
13 checks passed
chrismessina added a commit to chrismessina/raycast-ios-apps that referenced this pull request Jul 6, 2026
Two related robustness improvements to how the extension detects and
validates the ipatool CLI:

- Typed IpatoolSetupError propagation. validateIpatoolInstallation()
  now accepts { throwOnFailure } and can throw a typed error instead of
  silently returning false. ensureAuthenticated() re-throws it; the
  search/details paths degrade gracefully ([] / null); the download
  hook surfaces it as a failure toast. Setup-error toasts now offer
  "Open Preferences" plus a new "Copy Logs" action (log-actions.ts)
  that tails recent Raycast logs for bug reports. Removes the old
  console-only installation-instructions toast.
- Require ipatool 2.3.1 as the minimum version. 2.3.1 restored App
  Store login after Apple moved the authenticate endpoint
  (majd/ipatool#507), so older builds can no longer authenticate. The
  gate switches from strict equality to a >= comparison via a new
  compareVersions() helper, so 2.3.1 and every future release pass.
  Error copy changes from "version mismatch" to "outdated / need vX or
  newer" with a `brew upgrade ipatool` hint.
- paths.ts: expandHomePath() so a ~-prefixed ipatoolPath preference
  resolves, complementing the "Open Preferences" CTA.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants