From 2610beb18d165c2b0ecde7099754b3e6d5f4ecbb Mon Sep 17 00:00:00 2001 From: Xiangzhe Date: Tue, 3 Mar 2026 15:59:59 +0800 Subject: [PATCH] iclouddrive: use dynamic origin for SRP auth headers This fixes China mainland iCloud authentication by deriving the Origin and Referer headers from authEndpoint instead of hardcoding idmsa.apple.com. Fixes compatibility with PR #8818 (China region support) and PR #9209 (SRP authentication). Signed-off-by: Xiangzhe --- backend/iclouddrive/api/session.go | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/backend/iclouddrive/api/session.go b/backend/iclouddrive/api/session.go index 8c352c961..c4d188793 100644 --- a/backend/iclouddrive/api/session.go +++ b/backend/iclouddrive/api/session.go @@ -346,15 +346,22 @@ func (s *Session) authSRPComplete(ctx context.Context, accountName, m1Base64, m2 } } -// getSRPAuthHeaders returns headers needed for SRP auth requests to idmsa.apple.com. +// getAuthOrigin returns the origin URL for auth requests. +// Supports both global (idmsa.apple.com) and China (idmsa.apple.com.cn) endpoints. +func getAuthOrigin() string { + return strings.TrimSuffix(authEndpoint, "/appleauth/auth") +} + +// getSRPAuthHeaders returns headers needed for SRP auth requests. func (s *Session) getSRPAuthHeaders() map[string]string { frameTag := "auth-" + s.FrameID + authOrigin := getAuthOrigin() headers := map[string]string{ "Accept": "application/json", "Content-Type": "application/json", "User-Agent": iCloudUserAgent, - "Origin": "https://idmsa.apple.com", - "Referer": "https://idmsa.apple.com/", + "Origin": authOrigin, + "Referer": authOrigin + "/", "X-Apple-Widget-Key": s.ClientID, "X-Apple-OAuth-Client-Id": s.ClientID, "X-Apple-OAuth-Client-Type": "firstPartyAuth",