fix(aws): use survey for AWS login code input (#2070)

* use survey

* test(aws): extract collectAuthCode and add unit tests

Extract the browser-open + prompt retry loop from CrossDeviceLogin into
a testable collectAuthCode helper with injectable askFn and openBrowser
params, then cover all branches with table-driven unit tests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* delete now-unused OpenBrowserWithInputOnEnter

* Apply suggestion from @coderabbitai[bot]

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Lio李歐 <lionello@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: 4 people

src/pkg/clouds/aws/login.go

@@ -19,6 +19,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/AlecAivazis/survey/v2"
 	"github.com/DefangLabs/defang/src/pkg/auth"
 	"github.com/DefangLabs/defang/src/pkg/term"
 	"github.com/DefangLabs/defang/src/pkg/tokenstore"
@@ -30,6 +31,7 @@ import (
 	awssts "github.com/aws/aws-sdk-go-v2/service/sts"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
+	"github.com/pkg/browser"
 )
 
 const (
@@ -353,6 +355,29 @@ func (a *Aws) InteractiveLogin(ctx context.Context) (*awsTokenCache, error) {
 	return RetrieveToken(ctx, tokenURL, clientIDSameDevice, code, pkce.Verifier, redirectURI)
 }
 
+// collectAuthCode prompts the user for an authorization code, opening the browser
+// on the first empty submission. askFn is called repeatedly until a non-empty
+// trimmed value is returned; openBrowser is called at most once.
+func collectAuthCode(askFn func() (string, error), openBrowser func(string) error, authURL string) (string, error) {
+	browserOpened := false
+	for {
+		raw, err := askFn()
+		if err != nil {
+			return "", fmt.Errorf("reading authorization code: %w", err)
+		}
+		code := strings.TrimSpace(raw)
+		if code != "" {
+			return code, nil
+		}
+		if !browserOpened {
+			if err := openBrowser(authURL); err != nil {
+				term.Warn("failed to open browser automatically, please open the URL above manually")
+			}
+			browserOpened = true
+		}
+	}
+}
+
 // CrossDeviceLogin runs the cross-device flow for remote/SSH sessions where the
 // browser runs on a different machine. It prints the auth URL and prompts the user
 // to paste the base64-encoded verification code displayed in their browser.
@@ -368,18 +393,21 @@ func (a *Aws) CrossDeviceLogin(ctx context.Context) (*awsTokenCache, error) {
 	term.Println("Please visit the following URL to log in to AWS: (Right click the URL or press ENTER to open browser)")
 	term.Printf("  %s\n", authURL)
 	term.Print("Enter the authorization code displayed in your browser: ")
-	ctx, inputCh, done := term.OpenBrowserWithInputOnEnter(ctx, authURL)
-	defer done()
-
-	var input string
-	select {
-	case input = <-inputCh:
-		input = strings.TrimSpace(input)
-	case <-ctx.Done():
-		return nil, ctx.Err()
+	askFn := func() (string, error) {
+		var code string
+		err := survey.AskOne(
+			&survey.Input{Message: "Code"},
+			&code,
+			survey.WithStdio(term.DefaultTerm.Stdio()),
+		)
+		return code, err
+	}
+	code, err := collectAuthCode(askFn, browser.OpenURL, authURL)
+	if err != nil {
+		return nil, err
 	}
 
-	authCode, gotState, err := parseVerificationCode(input)
+	authCode, gotState, err := parseVerificationCode(code)
 	if err != nil {
 		return nil, err
 	}

src/pkg/clouds/aws/login_test.go

@@ -366,6 +366,113 @@ func TestRefreshTokenSuccess(t *testing.T) {
 	}
 }
 
+func TestCollectAuthCode(t *testing.T) {
+	noopBrowser := func(string) error { return nil }
+
+	t.Run("non-empty first response returns immediately without opening browser", func(t *testing.T) {
+		browserOpened := false
+		code, err := collectAuthCode(
+			func() (string, error) { return "mycode", nil },
+			func(string) error { browserOpened = true; return nil },
+			"https://example.com",
+		)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if code != "mycode" {
+			t.Errorf("code = %q, want %q", code, "mycode")
+		}
+		if browserOpened {
+			t.Error("browser should not have been opened")
+		}
+	})
+
+	t.Run("whitespace-only response is treated as empty", func(t *testing.T) {
+		calls := 0
+		code, err := collectAuthCode(
+			func() (string, error) {
+				calls++
+				if calls == 1 {
+					return "   ", nil
+				}
+				return "realcode", nil
+			},
+			noopBrowser,
+			"https://example.com",
+		)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if code != "realcode" {
+			t.Errorf("code = %q, want %q", code, "realcode")
+		}
+	})
+
+	t.Run("empty response opens browser once then retries", func(t *testing.T) {
+		browserCalls := 0
+		calls := 0
+		_, err := collectAuthCode(
+			func() (string, error) {
+				calls++
+				if calls < 3 {
+					return "", nil
+				}
+				return "code", nil
+			},
+			func(string) error { browserCalls++; return nil },
+			"https://example.com",
+		)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if browserCalls != 1 {
+			t.Errorf("browser opened %d times, want 1", browserCalls)
+		}
+	})
+
+	t.Run("browser open error does not abort the loop", func(t *testing.T) {
+		calls := 0
+		browserCalls := 0
+		code, err := collectAuthCode(
+			func() (string, error) {
+				calls++
+				if calls == 1 {
+					return "", nil
+				}
+				return "code", nil
+			},
+			func(string) error {
+				browserCalls++
+				return errors.New("no browser")
+			},
+			"https://example.com",
+		)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if code != "code" {
+			t.Errorf("code = %q, want %q", code, "code")
+		}
+		if browserCalls != 1 {
+			t.Errorf("browser opened %d times, want 1", browserCalls)
+		}
+	})
+
+	t.Run("askFn error is returned", func(t *testing.T) {
+		_, err := collectAuthCode(
+			func() (string, error) { return "", errors.New("interrupted") },
+			noopBrowser,
+			"https://example.com",
+		)
+		if err == nil {
+			t.Fatal("expected error from askFn")
+		}
+		if !strings.Contains(err.Error(), "interrupted") {
+			t.Errorf("error = %q, want it to contain %q", err.Error(), "interrupted")
+		}
+	})
+}
+
 func TestSameRole(t *testing.T) {
 	tests := []struct {
 		name    string

src/pkg/term/browser.go

@@ -1,7 +1,6 @@
 package term
 
 import (
-	"bytes"
 	"context"
 	"io"
 
@@ -46,49 +45,3 @@ func OpenBrowserOnEnter(ctx context.Context, url string) (context.Context, func(
 	}()
 	return ctx, cancel
 }
-
-func OpenBrowserWithInputOnEnter(ctx context.Context, url string) (context.Context, <-chan string, func()) {
-	ctx, cancel := context.WithCancel(ctx)
-	input := NewNonBlockingStdin()
-	inputChan := make(chan string, 1) // Buffered channel to avoid blocking goroutine
-
-	// Handles context cancellation to ensure input is closed and goroutine exits when context is cancelled.
-	// In linux Ctrl-C is handled by the signal handler, and input will not get a byte
-	go func() {
-		<-ctx.Done()
-		input.Close()
-	}()
-
-	go func() {
-		var b [1]byte
-		var buf bytes.Buffer
-	inputloop:
-		for {
-			if _, err := input.Read(b[:]); err != nil {
-				break
-			}
-			switch b[0] {
-			case 3: // Ctrl-C
-				cancel()
-				break inputloop
-			case 10, 13: // Enter or Return
-				// If the user has already entered some input, we assume browser is already opened
-				// and we don't want to open the browser again.
-				if buf.Len() > 0 {
-					break inputloop
-				}
-				err := browser.OpenURL(url)
-				if err != nil {
-					Errorf("failed to open browser: %v", err)
-				}
-			default:
-				buf.WriteByte(b[0]) //nolint:gosec // G602 false positive: b is [1]byte, index 0 is always valid
-			}
-		}
-		if buf.Len() > 0 {
-			inputChan <- buf.String()
-		}
-		close(inputChan)
-	}()
-	return ctx, inputChan, cancel
-}