Fix MFA resolution priority: credential TOTP over webhook (#SKY-7980) (#4800)

Co-authored-by: Suchintan Singh <suchintan@skyvern.com>
2026-02-18 23:01:59 -05:00
parent 0437286323
commit 8714f15f1d
6 changed files with 274 additions and 58 deletions
--- a/skyvern/forge/agent.py
+++ b/skyvern/forge/agent.py
@@ -104,7 +104,7 @@ from skyvern.schemas.runs import CUA_ENGINES, RunEngine
 from skyvern.schemas.steps import AgentStepOutput
 from skyvern.services import run_service, service_utils
 from skyvern.services.action_service import get_action_history
-from skyvern.services.otp_service import poll_otp_value
+from skyvern.services.otp_service import poll_otp_value, try_generate_totp_from_credential
 from skyvern.utils.image_resizer import Resolution
 from skyvern.utils.prompt_engine import MaxStepsReasonResponse, load_prompt_with_elements
 from skyvern.webeye.actions.action_types import ActionType
@@ -4526,21 +4526,25 @@ class ForgeAgent:
        should_enter_verification_code = json_response.get("should_enter_verification_code")
        if place_to_enter_verification_code and should_enter_verification_code and task.organization_id:
            LOG.info("Need verification code")
-            workflow_id = workflow_permanent_id = None
-            if task.workflow_run_id:
-                workflow_run = await app.DATABASE.get_workflow_run(task.workflow_run_id)
-                if workflow_run:
-                    workflow_id = workflow_run.workflow_id
-                    workflow_permanent_id = workflow_run.workflow_permanent_id
-            otp_value = await poll_otp_value(
-                organization_id=task.organization_id,
-                task_id=task.task_id,
-                workflow_id=workflow_id,
-                workflow_run_id=task.workflow_run_id,
-                workflow_permanent_id=workflow_permanent_id,
-                totp_verification_url=task.totp_verification_url,
-                totp_identifier=task.totp_identifier,
-            )
+            # Try credential TOTP first (highest priority, doesn't need totp_url/totp_identifier)
+            otp_value = try_generate_totp_from_credential(task.workflow_run_id)
+            # Fall back to webhook/totp_identifier
+            if not otp_value and (task.totp_verification_url or task.totp_identifier):
+                workflow_id = workflow_permanent_id = None
+                if task.workflow_run_id:
+                    workflow_run = await app.DATABASE.get_workflow_run(task.workflow_run_id)
+                    if workflow_run:
+                        workflow_id = workflow_run.workflow_id
+                        workflow_permanent_id = workflow_run.workflow_permanent_id
+                otp_value = await poll_otp_value(
+                    organization_id=task.organization_id,
+                    task_id=task.task_id,
+                    workflow_id=workflow_id,
+                    workflow_run_id=task.workflow_run_id,
+                    workflow_permanent_id=workflow_permanent_id,
+                    totp_verification_url=task.totp_verification_url,
+                    totp_identifier=task.totp_identifier,
+                )
            if not otp_value or otp_value.get_otp_type() != OTPType.TOTP:
                return json_response