fix(auth): resolve MFA option by label, type, or display string (#128)

rgarcia · claude · web-flow · commit 43fc638aa7dd · 2026-03-02T11:45:17.000-05:00
## Summary - `--mfa-option-id` now accepts the MFA option **label** (e.g. `"Get a text"`), **type** (e.g. `"sms"`), or the **display string** (e.g. `"Get a text (sms)"`) — all resolve to the correct type before hitting the API - Unknown MFA options now produce a clear error listing available choices instead of silently looping ## Problem When PayPal presented MFA options like `"Get a text (sms)"`, users naturally passed `--mfa-option-id "Get a text"` (the label). The CLI sent this directly to the API, which expects the type (`"sms"`). The backend didn't recognize the label, causing the flow to silently loop back to the MFA selection screen with no error. ## Fix Before submitting, the CLI now fetches the connection's available MFA options and resolves the user's input (case-insensitive) against label, type, or combined display string. The resolved type is always sent to the API. ## Test plan - [x] `TestSubmit_MfaOptionResolvesType` — passing type directly still works - [x] `TestSubmit_MfaOptionResolvesLabel` — passing label resolves to type - [x] `TestSubmit_MfaOptionResolvesDisplayString` — passing `"Label (type)"` resolves to type - [x] `TestSubmit_MfaOptionResolvesLabelCaseInsensitive` — case-insensitive matching - [x] `TestSubmit_MfaOptionRejectsUnknown` — unknown option returns error with available options - [x] Full `go test ./cmd/` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code)  --- > [!NOTE] > **Medium Risk** > Changes the `auth connections submit` MFA selection path by adding an extra `Get` call and transforming user input before sending it to the API, which could affect login flows if option resolution mismatches or the prefetch fails. > > **Overview** > `auth connections submit` now resolves `--mfa-option-id` case-insensitively against the connection’s available MFA options, accepting a **type**, **label**, or **"Label (type)"** display string and always submitting the resolved option *type* to the API. > > If the provided MFA option doesn’t match any available option, submission now fails fast with a clear error listing the valid choices, and new unit tests cover the supported inputs plus fetch/error handling. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 3c45ed6. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/cmd/auth_connections.go b/cmd/auth_connections.go
@@ -450,6 +450,37 @@ func (c AuthConnectionCmd) Submit(ctx context.Context, in AuthConnectionSubmitIn
 		return fmt.Errorf("must provide at least one of: --field, --mfa-option-id, or --sso-button-selector")
 	}
 
+	// Resolve MFA option: the user may pass the label (e.g. "Get a text"), the
+	// type (e.g. "sms"), or the display string ("Get a text (sms)"). The API
+	// expects the type, so look up the connection's available options and map
+	// whatever the user provided to the correct type value.
+	if hasMfaOption {
+		conn, err := c.svc.Get(ctx, in.ID)
+		if err != nil {
+			return util.CleanedUpSdkError{Err: fmt.Errorf("failed to fetch connection for MFA option resolution: %w", err)}
+		}
+		if len(conn.MfaOptions) > 0 {
+			resolved := false
+			for _, opt := range conn.MfaOptions {
+				displayName := fmt.Sprintf("%s (%s)", opt.Label, opt.Type)
+				if strings.EqualFold(in.MfaOptionID, opt.Type) ||
+					strings.EqualFold(in.MfaOptionID, opt.Label) ||
+					strings.EqualFold(in.MfaOptionID, displayName) {
+					in.MfaOptionID = opt.Type
+					resolved = true
+					break
+				}
+			}
+			if !resolved {
+				available := make([]string, 0, len(conn.MfaOptions))
+				for _, opt := range conn.MfaOptions {
+					available = append(available, fmt.Sprintf("%s (%s)", opt.Label, opt.Type))
+				}
+				return fmt.Errorf("unknown MFA option %q; available: %s", in.MfaOptionID, strings.Join(available, ", "))
+			}
+		}
+	}
+
 	params := kernel.AuthConnectionSubmitParams{
 		SubmitFieldsRequest: kernel.SubmitFieldsRequestParam{
 			Fields: in.FieldValues,
diff --git a/cmd/auth_connections_test.go b/cmd/auth_connections_test.go
@@ -196,3 +196,138 @@ func TestAuthConnectionsList_JSONOutput_PrintsRawResponse(t *testing.T) {
 	assert.Contains(t, out, "\"profile_name\"")
 	assert.Contains(t, out, "\"raf-leaseweb\"")
 }
+
+func newFakeWithMfaOptions(options []kernel.ManagedAuthMfaOption) *FakeAuthConnectionService {
+	return &FakeAuthConnectionService{
+		GetFunc: func(ctx context.Context, id string, opts ...option.RequestOption) (*kernel.ManagedAuth, error) {
+			return &kernel.ManagedAuth{
+				ID:         id,
+				MfaOptions: options,
+			}, nil
+		},
+		SubmitFunc: func(ctx context.Context, id string, body kernel.AuthConnectionSubmitParams, opts ...option.RequestOption) (*kernel.SubmitFieldsResponse, error) {
+			return &kernel.SubmitFieldsResponse{Accepted: true}, nil
+		},
+	}
+}
+
+func TestSubmit_MfaOptionResolvesType(t *testing.T) {
+	fake := newFakeWithMfaOptions([]kernel.ManagedAuthMfaOption{
+		{Label: "Get a text", Type: "sms"},
+		{Label: "Have us call you", Type: "call"},
+	})
+
+	var submittedID string
+	fake.SubmitFunc = func(ctx context.Context, id string, body kernel.AuthConnectionSubmitParams, opts ...option.RequestOption) (*kernel.SubmitFieldsResponse, error) {
+		submittedID = body.SubmitFieldsRequest.MfaOptionID.Value
+		return &kernel.SubmitFieldsResponse{Accepted: true}, nil
+	}
+
+	c := AuthConnectionCmd{svc: fake}
+	err := c.Submit(context.Background(), AuthConnectionSubmitInput{
+		ID:          "conn-1",
+		MfaOptionID: "sms",
+		Output:      "json",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "sms", submittedID)
+}
+
+func TestSubmit_MfaOptionResolvesLabel(t *testing.T) {
+	fake := newFakeWithMfaOptions([]kernel.ManagedAuthMfaOption{
+		{Label: "Get a text", Type: "sms"},
+		{Label: "Have us call you", Type: "call"},
+	})
+
+	var submittedID string
+	fake.SubmitFunc = func(ctx context.Context, id string, body kernel.AuthConnectionSubmitParams, opts ...option.RequestOption) (*kernel.SubmitFieldsResponse, error) {
+		submittedID = body.SubmitFieldsRequest.MfaOptionID.Value
+		return &kernel.SubmitFieldsResponse{Accepted: true}, nil
+	}
+
+	c := AuthConnectionCmd{svc: fake}
+	err := c.Submit(context.Background(), AuthConnectionSubmitInput{
+		ID:          "conn-1",
+		MfaOptionID: "Get a text",
+		Output:      "json",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "sms", submittedID)
+}
+
+func TestSubmit_MfaOptionResolvesDisplayString(t *testing.T) {
+	fake := newFakeWithMfaOptions([]kernel.ManagedAuthMfaOption{
+		{Label: "Get a text", Type: "sms"},
+	})
+
+	var submittedID string
+	fake.SubmitFunc = func(ctx context.Context, id string, body kernel.AuthConnectionSubmitParams, opts ...option.RequestOption) (*kernel.SubmitFieldsResponse, error) {
+		submittedID = body.SubmitFieldsRequest.MfaOptionID.Value
+		return &kernel.SubmitFieldsResponse{Accepted: true}, nil
+	}
+
+	c := AuthConnectionCmd{svc: fake}
+	err := c.Submit(context.Background(), AuthConnectionSubmitInput{
+		ID:          "conn-1",
+		MfaOptionID: "Get a text (sms)",
+		Output:      "json",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "sms", submittedID)
+}
+
+func TestSubmit_MfaOptionResolvesLabelCaseInsensitive(t *testing.T) {
+	fake := newFakeWithMfaOptions([]kernel.ManagedAuthMfaOption{
+		{Label: "Get a text", Type: "sms"},
+	})
+
+	var submittedID string
+	fake.SubmitFunc = func(ctx context.Context, id string, body kernel.AuthConnectionSubmitParams, opts ...option.RequestOption) (*kernel.SubmitFieldsResponse, error) {
+		submittedID = body.SubmitFieldsRequest.MfaOptionID.Value
+		return &kernel.SubmitFieldsResponse{Accepted: true}, nil
+	}
+
+	c := AuthConnectionCmd{svc: fake}
+	err := c.Submit(context.Background(), AuthConnectionSubmitInput{
+		ID:          "conn-1",
+		MfaOptionID: "get a TEXT",
+		Output:      "json",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "sms", submittedID)
+}
+
+func TestSubmit_MfaOptionGetErrorSurfaced(t *testing.T) {
+	fake := &FakeAuthConnectionService{
+		GetFunc: func(ctx context.Context, id string, opts ...option.RequestOption) (*kernel.ManagedAuth, error) {
+			return nil, errors.New("connection not found")
+		},
+	}
+
+	c := AuthConnectionCmd{svc: fake}
+	err := c.Submit(context.Background(), AuthConnectionSubmitInput{
+		ID:          "conn-1",
+		MfaOptionID: "sms",
+		Output:      "json",
+	})
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "connection not found")
+}
+
+func TestSubmit_MfaOptionRejectsUnknown(t *testing.T) {
+	fake := newFakeWithMfaOptions([]kernel.ManagedAuthMfaOption{
+		{Label: "Get a text", Type: "sms"},
+		{Label: "Have us call you", Type: "call"},
+	})
+
+	c := AuthConnectionCmd{svc: fake}
+	err := c.Submit(context.Background(), AuthConnectionSubmitInput{
+		ID:          "conn-1",
+		MfaOptionID: "carrier pigeon",
+		Output:      "json",
+	})
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "unknown MFA option")
+	assert.Contains(t, err.Error(), "carrier pigeon")
+	assert.Contains(t, err.Error(), "Get a text (sms)")
+}
