Trigger push notification to trusted devices during 2FA

rhoopr · rhoopr · commit 230b719b1cc4 · 2026-04-02T10:40:17.000-04:00
Apple now requires a POST to /auth/bridge/step/0 to initiate push notifications for 2FA codes. Without this, some accounts only receive a "website login" email instead of a 2FA code on their trusted devices. Ref: icloud-photos-downloader/icloud_photos_downloader#1327
diff --git a/src/auth/mod.rs b/src/auth/mod.rs
@@ -115,6 +115,16 @@ pub async fn authenticate(
     if requires_2fa {
         tracing::info!("Two-factor authentication is required");
 
+        // Trigger push notification to trusted devices. Some Apple accounts
+        // require this bridge step to receive 2FA codes; without it they only
+        // get a "website login" email. Non-fatal: we log and continue if it
+        // fails, since the user can still enter a code from a trusted device.
+        if let Err(e) =
+            twofa::trigger_push_notification(&mut session, &endpoints, &client_id, domain).await
+        {
+            tracing::warn!(error = %e, "Failed to trigger push notification");
+        }
+
         let verified = if let Some(c) = code {
             // Headless: code provided directly (e.g. submit-code subcommand)
             twofa::submit_2fa_code(&mut session, &endpoints, &client_id, domain, c).await?
diff --git a/src/auth/srp.rs b/src/auth/srp.rs
@@ -13,7 +13,8 @@ use super::session::Session;
 use crate::auth::error::AuthError;
 
 /// Apple's public OAuth widget key — embedded in icloud.com's JavaScript.
-const APPLE_WIDGET_KEY: &str = "d39ba9916b7251055b22c7f910e2ea796ee65e98b2ddecea8f5dde8d9d1a815d";
+pub(crate) const APPLE_WIDGET_KEY: &str =
+    "d39ba9916b7251055b22c7f910e2ea796ee65e98b2ddecea8f5dde8d9d1a815d";
 
 /// RFC 5054 2048-bit SRP group prime (same as srp::groups::G_2048).
 const N_HEX: &str = concat!(
diff --git a/src/auth/twofa.rs b/src/auth/twofa.rs
@@ -1,16 +1,78 @@
+use std::fmt::Write as _;
 use std::io::{self, Write};
+use std::time::{SystemTime, UNIX_EPOCH};
 
 use anyhow::{Context, Result};
+use rand::Rng;
 use reqwest::header::HeaderMap;
+use uuid::Uuid;
 
 use super::endpoints::Endpoints;
 use super::session::Session;
-use super::srp::get_auth_headers;
+use super::srp::{get_auth_headers, APPLE_WIDGET_KEY};
 use crate::auth::error::AuthError;
 use crate::auth::responses::AccountLoginResponse;
 
 const TWO_FA_CODE_LENGTH: usize = 6;
 
+/// Trigger a push notification to trusted devices for 2FA code entry.
+///
+/// Apple requires a POST to `/auth/bridge/step/0` to initiate the push
+/// notification flow. Without this, some accounts receive a "website login"
+/// email instead of a 2FA code on their trusted devices.
+///
+/// See: icloud-photos-downloader/icloud_photos_downloader#1327
+pub async fn trigger_push_notification(
+    session: &mut Session,
+    endpoints: &Endpoints,
+    client_id: &str,
+    domain: &str,
+) -> Result<()> {
+    let timestamp_ms = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .context("System clock before UNIX epoch")?
+        .as_millis();
+    let session_uuid = format!("{}-{}", Uuid::new_v4(), timestamp_ms);
+
+    let mut ptkn_bytes = [0u8; 64];
+    rand::rng().fill_bytes(&mut ptkn_bytes);
+    let mut ptkn = String::with_capacity(128);
+    for b in &ptkn_bytes {
+        write!(ptkn, "{b:02x}").expect("writing to String cannot fail");
+    }
+
+    let data = serde_json::json!({
+        "sessionUUID": session_uuid,
+        "ptkn": ptkn,
+    });
+
+    let overrides: [(&str, &str); 4] = [
+        ("Accept", "application/json, text/plain, */*"),
+        ("Content-type", "application/json; charset=utf-8"),
+        ("X-Apple-App-Id", APPLE_WIDGET_KEY),
+        ("X-Apple-Domain-Id", "3"),
+    ];
+    let headers = get_auth_headers(domain, client_id, &session.session_data, Some(&overrides))?;
+
+    let url = format!("{}/bridge/step/0", endpoints.auth);
+    tracing::debug!(url = %url, "Triggering push notification to trusted devices");
+
+    let response = session
+        .post(&url, Some(data.to_string()), Some(headers))
+        .await?;
+
+    let status = response.status();
+    if !status.is_success() {
+        let text = response.text().await.unwrap_or_default();
+        tracing::warn!(
+            status = %status,
+            body = %text,
+            "Bridge step failed, continuing with standard 2FA flow"
+        );
+    }
+    Ok(())
+}
+
 /// Check whether a string is a valid 6-digit 2FA code.
 fn is_valid_2fa_code(code: &str) -> bool {
     code.len() == TWO_FA_CODE_LENGTH && code.chars().all(|c| c.is_ascii_digit())
