Fix MFA resolution priority: credential TOTP over webhook (#SKY-7980) (#4800)

Co-authored-by: Suchintan Singh <suchintan@skyvern.com>

skyvern/core/script_generations/real_skyvern_page_ai.py

@@ -19,7 +19,7 @@ from skyvern.forge.sdk.core import skyvern_context
 from skyvern.forge.sdk.schemas.totp_codes import OTPType
 from skyvern.schemas.workflows import BlockStatus
 from skyvern.services import script_service
-from skyvern.services.otp_service import poll_otp_value
+from skyvern.services.otp_service import poll_otp_value, try_generate_totp_from_credential
 from skyvern.utils.prompt_engine import load_prompt_with_elements
 from skyvern.webeye.actions import handler_utils
 from skyvern.webeye.actions.actions import (
@@ -245,7 +245,10 @@ class RealSkyvernPageAi(SkyvernPageAi):
                 if value and isinstance(data, dict) and "value" not in data:
                     data["value"] = value
 
-                if (totp_identifier or totp_url) and context and organization_id and task_id:
+                # Try credential TOTP first (highest priority, doesn't need totp_url/totp_identifier)
+                otp_value = try_generate_totp_from_credential(workflow_run_id)
+                # Fall back to webhook/totp_identifier
+                if not otp_value and (totp_identifier or totp_url) and context and organization_id and task_id:
                     if totp_identifier:
                         totp_identifier = _render_template_with_label(totp_identifier, label=self.current_label)
                     if totp_url:
@@ -257,16 +260,16 @@ class RealSkyvernPageAi(SkyvernPageAi):
                         totp_identifier=totp_identifier,
                         totp_verification_url=totp_url,
                     )
-                    if otp_value and otp_value.get_otp_type() == OTPType.TOTP:
-                        verification_code = otp_value.value
-                        if isinstance(data, dict) and SPECIAL_FIELD_VERIFICATION_CODE not in data:
-                            data[SPECIAL_FIELD_VERIFICATION_CODE] = verification_code
-                        elif isinstance(data, str) and SPECIAL_FIELD_VERIFICATION_CODE not in data:
-                            data = f"{data}\n" + str({SPECIAL_FIELD_VERIFICATION_CODE: verification_code})
-                        elif isinstance(data, list):
-                            data.append({SPECIAL_FIELD_VERIFICATION_CODE: verification_code})
-                        else:
-                            data = {SPECIAL_FIELD_VERIFICATION_CODE: verification_code}
+                if otp_value and otp_value.get_otp_type() == OTPType.TOTP:
+                    verification_code = otp_value.value
+                    if isinstance(data, dict) and SPECIAL_FIELD_VERIFICATION_CODE not in data:
+                        data[SPECIAL_FIELD_VERIFICATION_CODE] = verification_code
+                    elif isinstance(data, str) and SPECIAL_FIELD_VERIFICATION_CODE not in data:
+                        data = f"{data}\n" + str({SPECIAL_FIELD_VERIFICATION_CODE: verification_code})
+                    elif isinstance(data, list):
+                        data.append({SPECIAL_FIELD_VERIFICATION_CODE: verification_code})
+                    else:
+                        data = {SPECIAL_FIELD_VERIFICATION_CODE: verification_code}
 
                 await self._refresh_scraped_page(take_screenshots=False)
 

skyvern/core/script_generations/script_skyvern_page.py

@@ -27,7 +27,7 @@ from skyvern.forge.sdk.api.files import (
 from skyvern.forge.sdk.artifact.models import ArtifactType
 from skyvern.forge.sdk.core import skyvern_context
 from skyvern.schemas.steps import AgentStepOutput
-from skyvern.services.otp_service import poll_otp_value
+from skyvern.services.otp_service import poll_otp_value, try_generate_totp_from_credential
 from skyvern.utils.url_validators import prepend_scheme_and_validate_url
 from skyvern.webeye.actions.action_types import ActionType
 from skyvern.webeye.actions.actions import (
@@ -615,16 +615,21 @@ class ScriptSkyvernPage(SkyvernPage):
             if is_totp_value:
                 value = generate_totp_value(context.workflow_run_id, original_value)
             elif (totp_identifier or totp_url) and organization_id:
-                totp_value = await poll_otp_value(
-                    organization_id=organization_id,
-                    task_id=task_id,
-                    workflow_run_id=workflow_run_id,
-                    totp_verification_url=totp_url,
-                    totp_identifier=totp_identifier,
-                )
-                if totp_value:
-                    # use the totp verification code
-                    value = totp_value.value
+                # Try credential TOTP first (higher priority than webhook/totp_identifier)
+                credential_totp = try_generate_totp_from_credential(workflow_run_id)
+                if credential_totp:
+                    value = credential_totp.value
+                else:
+                    totp_value = await poll_otp_value(
+                        organization_id=organization_id,
+                        task_id=task_id,
+                        workflow_run_id=workflow_run_id,
+                        totp_verification_url=totp_url,
+                        totp_identifier=totp_identifier,
+                    )
+                    if totp_value:
+                        # use the totp verification code
+                        value = totp_value.value
 
         return value