Cookie domain mismatch in @expo/apple-utils pagination (developer-mdn.apple.com vs developer.apple.com) #3392
Description
Summary
The Cookie not in this host's domain. Cookie:developer-mdn.apple.com Request:developer.apple.com error continues to occur in eas-cli 16.32.0 with @expo/apple-utils v2.1.13. This is the same bug reported in #1672, #2224, and #2881 — all closed without a root-cause fix.
Root Cause Analysis
The bug is in ConnectResponse.fetchNextPageAsync() inside @expo/apple-utils.
How requests normally work:
ConnectClientAPI.requestAsync()setsbaseURL: await this.getHostnameAsync(u)which resolves tohttps://developer-mdn.apple.com- Cookies are stored for the
developer-mdn.apple.comdomain - Relative URL paths (e.g.,
devices,profiles) are resolved against this baseURL — works fine
How pagination breaks:
- Apple's JSON:API responses include
links.nextwith absolute URLs likehttps://developer.apple.com/services-account/v1/... ConnectResponse.getNextUrl()returns this raw absolute URL fromthis.data.links.nextfetchNextPageAsync()passes this absolute URL tothis.getRequestAsync(this.context, {method:"get", url: e})- Inside
requestAsync, axios sees the URL is already absolute and ignores thebaseURL(developer-mdn.apple.com) - The request goes to
developer.apple.cominstead ofdeveloper-mdn.apple.com tough-cookierejects thedeveloper-mdn.apple.comcookies for thedeveloper.apple.comdomain- Build fails with
Cookie not in this host's domain
Relevant code path (from minified build):
// ConnectResponse class
getNextUrl() {
return this.data?.links?.next ?? null; // Returns absolute Apple URL
}
async fetchNextPageAsync() {
const url = this.getNextUrl();
return url ? this.getRequestAsync(this.context, { method: "get", url }) : null;
// ^ Passes absolute URL directly — baseURL is ignored by axios
}
// ConnectClientAPI
async requestAsync(context, options, retryOptions) {
return await this.requestFromAPIAsync(context, {
baseURL: await this.getHostnameAsync(context), // developer-mdn.apple.com
...options, // options.url is absolute, so baseURL is ignored
}, retryOptions);
}Proposed Fix
In getNextUrl(), convert the absolute pagination URL to a relative path so baseURL handles domain resolution:
getNextUrl() {
const next = this.data?.links?.next ?? null;
if (!next) return null;
try {
const parsed = new URL(next);
return parsed.pathname + parsed.search; // Strip the domain, keep the path
} catch {
return next;
}
}This ensures pagination requests go through the same domain (developer-mdn.apple.com) as all other requests, respecting the baseURL set in requestAsync.
Environment
eas-cli/16.32.0 darwin-arm64 node-v25.2.1
@expo/apple-utils v2.1.13
macOS 15.4 (Darwin 25.2.0)
Error Output
✔ Logged in New session
Authentication with Apple Developer Portal failed!
Cookie not in this host's domain. Cookie:developer-mdn.apple.com Request:developer.apple.com
Error: build command failed.
This occurs during Handling Apple ad hoc provisioning profiles — authentication succeeds, but the subsequent paginated API call to list devices/profiles fails.
Steps to Reproduce
eas build --platform ios --profile developmentUsing Apple ID login (not ASC API key). The error occurs when EAS CLI successfully authenticates but then paginates through devices or provisioning profiles.
Why This Keeps Recurring
The underlying bug in ConnectResponse.fetchNextPageAsync() has never been fixed. Previous issues were resolved by:
- Apple temporarily changing their API to not redirect
- Users switching to ASC API keys as a workaround
- Stale bot closing issues
The @expo/apple-utils pagination code needs to normalize URLs to the working domain before making follow-up requests.