appstore: Fix/invalid auth code

[coleleavitt]

This pull request improves error handling for App Store login, specifically around two-factor authentication (2FA) codes. It introduces a new error for invalid or expired 2FA codes, enhances the logic for parsing login responses, and adds comprehensive test coverage for these scenarios.

Error handling improvements:

• Added a new error ErrInvalidAuthCode to represent invalid or expired 2FA codes in appstore_login.go.
• Updated the login response parser to return ErrInvalidAuthCode for various failure types and customer messages related to invalid 2FA codes.
• Included the FailureTypeInvalidAuthCode constant ("5005") to identify invalid auth code errors from the API.
• Improved generic error reporting by including the failure type in error messages for easier debugging.

Test coverage enhancements:

• Added new tests to ensure that invalid or expired 2FA codes return the correct error, and that error messages include the failure type when appropriate. [1] [2] [3]

fixing #392 and #387

need to reference @pradeepvizz for suggesting one request a 2FA code on the website and then utilizing that through the auth-code parameter.

[AkimioJR]

hi, could you tell how can I use this tool?
I try to build binary exe file and run

✦3 ❯ ./ipatool auth login -e axxxxxx@xxxxxmail.com -p xxxxxxxxx  --verbose                 
[4] 18822
zsh: command not found: 8c

ipatool on  fix/invalid-auth-code [?] via 🐹 v1.24.1 
✦4 ❯ 8:05AM INF enter 2FA code:

[4]  + suspended (tty input)  ./ipatool auth login -e axxxxxx@xxxxxmail.com -p xxxxxxxxx

but the process was already terminated before I had a chance to enter the 2FA code.

[coleleavitt]

hi, could you tell how can I use this tool? I try to build binary exe file and run

✦3 ❯ ./ipatool auth login -e axxxxxx@xxxxxmail.com -p xxxxxxxxx  --verbose                 
[4] 18822
zsh: command not found: 8c

ipatool on  fix/invalid-auth-code [?] via 🐹 v1.24.1 
✦4 ❯ 8:05AM INF enter 2FA code:

[4]  + suspended (tty input)  ./ipatool auth login -e axxxxxx@xxxxxmail.com -p xxxxxxxxx

but the process was already terminated before I had a chance to enter the 2FA code.

you need to escape like wrap your email in double quotes it looks like "youremail@mail.com" and also you need to request a 2fa code from the official apple site when you login and use that 2fa code when you're trying to login

[AkimioJR]

hi, could you tell how can I use this tool? I try to build binary exe file and run

✦3 ❯ ./ipatool auth login -e axxxxxx@xxxxxmail.com -p xxxxxxxxx  --verbose                 
[4] 18822
zsh: command not found: 8c

ipatool on  fix/invalid-auth-code [?] via 🐹 v1.24.1 
✦4 ❯ 8:05AM INF enter 2FA code:

[4]  + suspended (tty input)  ./ipatool auth login -e axxxxxx@xxxxxmail.com -p xxxxxxxxx

but the process was already terminated before I had a chance to enter the 2FA code.

you need to escape like wrap your email in double quotes it looks like "youremail@mail.com" and also you need to request a 2fa code from the official apple site when you login and use that 2fa code when you're trying to login

thanks for your help, I login successfully

[Copilot]

Pull request overview

This PR enhances error handling for App Store login failures related to two-factor authentication (2FA), addressing issues #392 and #387 where users received unhelpful "something went wrong" error messages when 2FA codes were invalid or expired.

Key Changes:

• Introduces a new ErrInvalidAuthCode error to specifically identify invalid or expired 2FA codes
• Adds the FailureTypeInvalidAuthCode constant ("5005") to recognize this error condition from Apple's API
• Improves generic error messages by including the failure type for easier debugging

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
pkg/appstore/constants.go	Adds the FailureTypeInvalidAuthCode constant ("5005") to identify invalid auth code responses from Apple's API
pkg/appstore/appstore_login.go	Introduces ErrInvalidAuthCode error and enhances parseLoginResponse logic to detect and return this error for three scenarios: explicit "5005" failure type, invalid credentials with auth code, and bad login message with auth code; also improves generic error messages to include failure type
pkg/appstore/appstore_login_test.go	Adds comprehensive test coverage for invalid auth code scenarios and verifies that error messages now include the failure type for debugging

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This logic handles the case where Apple's API returns FailureTypeInvalidCredentials ("-5000") when an auth code is provided. Consider adding a code comment explaining why "-5000" (typically indicating invalid username/password) is treated as an invalid auth code error when an auth code is present. This would help future maintainers understand that Apple's API can return "-5000" for both invalid credentials and invalid 2FA codes depending on context.

Suggested change

	} else if res.Data.FailureType == FailureTypeInvalidCredentials && authCode != "" {
	} else if res.Data.FailureType == FailureTypeInvalidCredentials && authCode != "" {
	// Apple's API may return FailureTypeInvalidCredentials ("-5000") both for invalid
	// username/password and invalid 2FA codes. When an auth code is present, treat this
	// response as an invalid/expired 2FA code to reflect the actual error context.

[Copilot]

Missing test coverage for the scenario where FailureTypeInvalidCredentials is returned with an auth code provided (lines 139-140 of appstore_login.go). This test case would verify the behavior when Apple's API returns "-5000" with an auth code present.