From 4a00a4dc4bbf21aa6f112036c644701968c7234b Mon Sep 17 00:00:00 2001 From: Mike GIllan Date: Mon, 23 Mar 2026 17:43:10 -0400 Subject: [PATCH] iclouddrive: lowercase Apple ID for SRP authentication Apple IDs are case-insensitive, but the SRP proof computation (M1) hashes the username client-side. The old plaintext signin let the server normalize the case, but with SRP the client must match. Lowercase the Apple ID before use so mixed-case IDs authenticate correctly. Reported-by: ArturKlauser --- backend/iclouddrive/api/session.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/backend/iclouddrive/api/session.go b/backend/iclouddrive/api/session.go index c4d188793..004faaa37 100644 --- a/backend/iclouddrive/api/session.go +++ b/backend/iclouddrive/api/session.go @@ -91,6 +91,11 @@ func (s *Session) Requires2FA() bool { // SignIn performs SRP-based authentication against Apple's idmsa endpoint. func (s *Session) SignIn(ctx context.Context, appleID, password string) error { + // Apple's SRP implementation expects a lowercase account name. + // The old plaintext flow didn't need this because the server normalized + // it, but SRP uses the username in client-side proof computation (M1). + appleID = strings.ToLower(appleID) + // Step 1: Initialize the auth session if err := s.authStart(ctx); err != nil { return fmt.Errorf("authStart: %w", err)