Improve [Re-]authentication flow by replacing local user interface of the icloudpd with a remote option (thus, running icloudpd in a headless mode).
1. Context
Most common use case for icloudpd is to keep iCloud Photo collection synchronized to local storage/collection. Latency between adding the original to iCloud and the asset appearing in the local storage is the main effectiveness metric for this use case.
icloudpd runs as a process with command line interface (CLI) and terminal input/output. As part of the operation user input may be required, e.g. password and multi-factor authentication (MFA) token for iCloud.
While password is known by user ahead of time and can be provided as a CLI parameter, MFA token is generated during the authentication process and must be supplied by user in order for the authentication to complete and the image downloading to start.
Authentication to iCloud periodically expires (once in a couple of month? - Apple's decision), leaving icloudpd in a non-operating state until user re-authenticates.
2. Challenge
Many users run icloudpd on servers (e.g. NAS) without immediate UI into the running app (running as a service). To authenticate with password or MFA token into iCloud, user must 1) connect to the NAS (e.g. ssh or WebUI), 2) find running instance of the icloudpd, e.g. get docker container id) 3) connect to the terminal interface of the running instance of the icloudpd (e.g. docker attach) and supply password/MFA token. That process is cumbersome and painful.
Expired authentication ends with a request for password or, more often, with exception and program termination. Unless user employs external monitoring and alerting, expired authentication will be unnoticed and local storage will be unsynchronized with iCloud for a long time.
When icloudpd is expecting input from the user, all processing is stopped. That is a blocker for supporting more that one account per instance of the icloudpd - feature that may be valuable for many users who download images for more than one iCloud account in the household.
3. Solution Options
There are multiple options available to solve the challenges, each with its own set of trade offs. Some solutions may be combined.
3.1. Do Nothing
The pain of connecting to remote host may be not a pain at all (or tolerable) and dev efforts better be put on other features. Some pain may be alleviated with remote connection to docker daemon.
Re-authentication flow can be detected with regular manual inspection of the running icloudpd process.
3.2. Remote GUI
X Window System is an existing technology to separate services for user interface. Requires adding GUI code to the app. I am not familiar with that tech.
3.3. Chat Bots for Messaging Systems
Integrate icloudpd with messaging systems and provide simple chat-bot-like interaction, e.g. "icloudpd requires MFA token for your@appleid.address account. Please respond with 6 digits". Interfaces to Messaging Systems (MS) are implemented in related project.
It is unclear to me if two-way chat-bot-like interfaces are possible with APIs available for MS (feasibility). icloudpd will have to hold credentials for the MS account of the user (security implication).
3.4. WebUI
Integrate web server into icloudpd and accept password/MFA through web UI. Web interface can be used for communicating other information to the user - downloading progress, errors etc.
Web page can be "turned into" mobile app ("Add to Home Screen" option on iOS) - becomes an icon on the home screen. In that mode, icon can have badges (e.g. exclamation mark in red circle) and alert a user through iOS Notification System (even if the "app" is not in foreground). These capabilities improve user experience and allow users to react on re-authentication requests faster.
4. Evaluation
If my understanding of the problem/pain is correct, then with my knowledge of the Messaging System capabilities, Web UI seems to be a first choice.
I would love to hear opinions from others.
Improve [Re-]authentication flow by replacing local user interface of the
icloudpdwith a remote option (thus, runningicloudpdin a headless mode).1. Context
Most common use case for
icloudpdis to keep iCloud Photo collection synchronized to local storage/collection. Latency between adding the original to iCloud and the asset appearing in the local storage is the main effectiveness metric for this use case.icloudpdruns as a process with command line interface (CLI) and terminal input/output. As part of the operation user input may be required, e.g. password and multi-factor authentication (MFA) token for iCloud.While password is known by user ahead of time and can be provided as a CLI parameter, MFA token is generated during the authentication process and must be supplied by user in order for the authentication to complete and the image downloading to start.
Authentication to iCloud periodically expires (once in a couple of month? - Apple's decision), leaving
icloudpdin a non-operating state until user re-authenticates.2. Challenge
Many users run
icloudpdon servers (e.g. NAS) without immediate UI into the running app (running as a service). To authenticate with password or MFA token into iCloud, user must 1) connect to the NAS (e.g. ssh or WebUI), 2) find running instance of theicloudpd, e.g. get docker container id) 3) connect to the terminal interface of the running instance of theicloudpd(e.g. docker attach) and supply password/MFA token. That process is cumbersome and painful.Expired authentication ends with a request for password or, more often, with exception and program termination. Unless user employs external monitoring and alerting, expired authentication will be unnoticed and local storage will be unsynchronized with iCloud for a long time.
When
icloudpdis expecting input from the user, all processing is stopped. That is a blocker for supporting more that one account per instance of theicloudpd- feature that may be valuable for many users who download images for more than one iCloud account in the household.3. Solution Options
There are multiple options available to solve the challenges, each with its own set of trade offs. Some solutions may be combined.
3.1. Do Nothing
The pain of connecting to remote host may be not a pain at all (or tolerable) and dev efforts better be put on other features. Some pain may be alleviated with remote connection to docker daemon.
Re-authentication flow can be detected with regular manual inspection of the running
icloudpdprocess.3.2. Remote GUI
X Window System is an existing technology to separate services for user interface. Requires adding GUI code to the app. I am not familiar with that tech.
3.3. Chat Bots for Messaging Systems
Integrate
icloudpdwith messaging systems and provide simple chat-bot-like interaction, e.g. "icloudpd requires MFA token for your@appleid.address account. Please respond with 6 digits". Interfaces to Messaging Systems (MS) are implemented in related project.It is unclear to me if two-way chat-bot-like interfaces are possible with APIs available for MS (feasibility).
icloudpdwill have to hold credentials for the MS account of the user (security implication).3.4. WebUI
Integrate web server into
icloudpdand accept password/MFA through web UI. Web interface can be used for communicating other information to the user - downloading progress, errors etc.Web page can be "turned into" mobile app ("Add to Home Screen" option on iOS) - becomes an icon on the home screen. In that mode, icon can have badges (e.g. exclamation mark in red circle) and alert a user through iOS Notification System (even if the "app" is not in foreground). These capabilities improve user experience and allow users to react on re-authentication requests faster.
4. Evaluation
If my understanding of the problem/pain is correct, then with my knowledge of the Messaging System capabilities, Web UI seems to be a first choice.
I would love to hear opinions from others.