Skip to content

fix: handle Apple's new trustedPhoneNumbers location in auth response#1325

Open
matzekl wants to merge 1 commit intoicloud-photos-downloader:masterfrom
matzekl:fix/sms-trusted-phone-numbers-parsing
Open

fix: handle Apple's new trustedPhoneNumbers location in auth response#1325
matzekl wants to merge 1 commit intoicloud-photos-downloader:masterfrom
matzekl:fix/sms-trusted-phone-numbers-parsing

Conversation

@matzekl
Copy link
Copy Markdown

@matzekl matzekl commented Mar 22, 2026

Summary

  • Apple moved trustedPhoneNumbers from twoSV.phoneNumberVerification to twoSV.bridgeInitiateData.phoneNumberVerification in the HTML response from https://idmsa.apple.com/appleauth/auth
  • This causes get_trusted_phone_numbers() to return an empty list, hiding the SMS 2FA option entirely
  • Combined with iOS 26 removing the manual "Get Verification Code" button from Settings, users have no way to authenticate
  • The fix checks both the original and new location, falling back to bridgeInitiateData when the original path is empty

Fixes #1322

How I found this

Captured the actual Apple auth response and compared the JSON structure to what the parser expects:

# What the parser looks for (old):
twoSV.phoneNumberVerification.trustedPhoneNumbers → []  (empty)

# Where Apple now puts it (new):
twoSV.bridgeInitiateData.phoneNumberVerification.trustedPhoneNumbers → [{id: 1, ...}]

Test plan

  • Verified the parser returns 0 devices with the unpatched code against a live Apple auth response
  • Verified the parser returns the correct trusted phone number after the fix
  • Built a patched Docker image and confirmed the SMS option (a: (***) ***-**88) now appears in the 2FA prompt
  • Backwards compatible: still checks the original location first

🤖 Generated with Claude Code

@claude
fix: handle Apple's new trustedPhoneNumbers location in auth response
591b178 
Apple moved trustedPhoneNumbers from twoSV.phoneNumberVerification to
twoSV.bridgeInitiateData.phoneNumberVerification in their auth page
HTML (observed with iOS 26.4+). This caused get_trusted_phone_numbers()
to return an empty list, hiding the SMS 2FA option and leaving users
with no way to authenticate (since iOS 26 also removed the manual
"Get Verification Code" button from Settings).

The fix checks both locations, falling back to bridgeInitiateData
when the original path returns no results.

Fixes icloud-photos-downloader#1322

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@matzekl matzekl mentioned this pull request Mar 22, 2026
Open
@boredazfcuk boredazfcuk mentioned this pull request Mar 22, 2026
Open
@myMartek myMartek mentioned this pull request Mar 25, 2026
Open
@dotnjet
Copy link
Copy Markdown

dotnjet commented Apr 2, 2026

I run it with two accounts. One is connected to an iPhone with iOS 26.3 and the 2nd one with iOS 26.4.
It is the update to iOS 26.4 causing it.

@naszta
Copy link
Copy Markdown
Contributor

naszta commented Apr 3, 2026

Nice, can we merge it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@billimek billimek billimek approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

It seems that I don't receive the two-factor authentication code anymore when icloudpd requests it.

4 participants

@matzekl @dotnjet @naszta @billimek