Fix MFA resolution priority: credential TOTP over webhook (#SKY-7980) (#4800)

Co-authored-by: Suchintan Singh <suchintan@skyvern.com>
2026-02-18 23:01:59 -05:00
parent 0437286323
commit 8714f15f1d
6 changed files with 274 additions and 58 deletions
--- a/skyvern/webeye/actions/parse_actions.py
+++ b/skyvern/webeye/actions/parse_actions.py
@@ -14,7 +14,7 @@ from skyvern.forge.sdk.core import skyvern_context
 from skyvern.forge.sdk.models import Step
 from skyvern.forge.sdk.schemas.tasks import Task
 from skyvern.forge.sdk.schemas.totp_codes import OTPType
-from skyvern.services.otp_service import poll_otp_value
+from skyvern.services.otp_service import poll_otp_value, try_generate_totp_from_credential
 from skyvern.utils.image_resizer import Resolution, scale_coordinates
 from skyvern.webeye.actions.action_types import ActionType
 from skyvern.webeye.actions.actions import (
@@ -913,7 +913,10 @@ async def generate_cua_fallback_actions(
            )

    elif skyvern_action_type == "get_verification_code":
-        if (task.totp_verification_url or task.totp_identifier) and task.organization_id:
+        # Try credential TOTP first (highest priority, doesn't need totp_url/totp_identifier)
+        otp_value = try_generate_totp_from_credential(task.workflow_run_id)
+        # Fall back to webhook/totp_identifier
+        if not otp_value and (task.totp_verification_url or task.totp_identifier) and task.organization_id:
            LOG.info(
                "Getting verification code for CUA",
                task_id=task.task_id,
@@ -930,29 +933,21 @@ async def generate_cua_fallback_actions(
                    totp_verification_url=task.totp_verification_url,
                    totp_identifier=task.totp_identifier,
                )
-                if not otp_value or otp_value.get_otp_type() != OTPType.TOTP:
-                    raise NoTOTPVerificationCodeFound()
-                verification_code = otp_value.value
-                reasoning = reasoning or f"Received verification code: {verification_code}"
-                action = VerificationCodeAction(
-                    verification_code=verification_code,
-                    reasoning=reasoning,
-                    intention=reasoning,
-                )
            except NoTOTPVerificationCodeFound:
                reasoning_suffix = "No verification code found"
                reasoning = f"{reasoning}. {reasoning_suffix}" if reasoning else reasoning_suffix
-                action = TerminateAction(
-                    reasoning=reasoning,
-                    intention=reasoning,
-                )
            except FailedToGetTOTPVerificationCode as e:
                reasoning_suffix = f"Failed to get verification code. Reason: {e.reason}"
                reasoning = f"{reasoning}. {reasoning_suffix}" if reasoning else reasoning_suffix
-                action = TerminateAction(
-                    reasoning=reasoning,
-                    intention=reasoning,
-                )
+
+        if otp_value and otp_value.get_otp_type() == OTPType.TOTP:
+            verification_code = otp_value.value
+            reasoning = reasoning or f"Received verification code: {verification_code}"
+            action = VerificationCodeAction(
+                verification_code=verification_code,
+                reasoning=reasoning,
+                intention=reasoning,
+            )
        else:
            action = TerminateAction(
                reasoning=reasoning,