fix: prevent secondary OTP from hanging

tests/test_registration_otp_phase.py

@@ -71,7 +71,7 @@ def test_phase_otp_secondary_returns_dedicated_timeout_error_code(monkeypatch):
     assert engine.phase_history[0].error_code == ERROR_OTP_TIMEOUT_SECONDARY
 
 
-def test_advance_login_authorization_refreshes_otp_anchor_after_password_submit(monkeypatch):
+def test_advance_login_authorization_sets_otp_anchor_before_password_submit(monkeypatch):
     email_service = FakeEmailService(code=None)
     engine = _build_engine(monkeypatch, email_service)
     engine.oauth_start = object()
@@ -82,14 +82,15 @@ def test_advance_login_authorization_refreshes_otp_anchor_after_password_submit(
     monkeypatch.setattr(engine, "_start_oauth", lambda: True)
     monkeypatch.setattr(engine, "_get_device_id", lambda: True)
     monkeypatch.setattr(engine, "_try_reenter_login_flow", lambda: True)
-    monkeypatch.setattr(
-        engine,
-        "_submit_login_password_step_and_get_continue_url",
-        lambda: (True, "https://continue.example.test"),
-    )
 
     seen_anchors = []
 
+    def fake_submit_login_password_step():
+        seen_anchors.append(engine._otp_sent_at)
+        return True
+
+    monkeypatch.setattr(engine, "_submit_login_password_step", fake_submit_login_password_step)
+
     def fake_get_verification_code():
         seen_anchors.append(engine._otp_sent_at)
         return None
@@ -101,4 +102,4 @@ def test_advance_login_authorization_refreshes_otp_anchor_after_password_submit(
     assert workspace_id is None
     assert callback_url is None
     assert engine._otp_sent_at == 456.0
-    assert seen_anchors == [456.0]
+    assert seen_anchors == [456.0, 456.0]

tests/test_tempmail_service.py

@@ -23,7 +23,7 @@ class FakeHTTPClient:
         return self.responses.pop(0)
 
 
-def test_get_verification_code_ignores_messages_not_newer_than_otp_anchor(monkeypatch):
+def test_get_verification_code_ignores_messages_older_than_tolerance_window(monkeypatch):
     service = TempmailService({
         "base_url": "https://api.tempmail.test/v2",
         "timeout": 1,
@@ -43,7 +43,7 @@ def test_get_verification_code_ignores_messages_not_newer_than_otp_anchor(monkey
                         "from": "noreply@openai.com",
                         "subject": "Old verification code",
                         "body": "111111",
-                        "received_at": 1999,
+                        "received_at": 1998,
                     },
                     {
                         "id": "new-mail",
@@ -74,3 +74,47 @@ def test_get_verification_code_ignores_messages_not_newer_than_otp_anchor(monkey
             },
         }
     ]
+
+
+def test_get_verification_code_allows_two_second_anchor_tolerance(monkeypatch):
+    service = TempmailService({
+        "base_url": "https://api.tempmail.test/v2",
+        "timeout": 1,
+        "max_retries": 1,
+    })
+    service._email_cache["tester@example.com"] = {
+        "email": "tester@example.com",
+        "token": "token-1",
+    }
+    service.http_client = FakeHTTPClient([
+        FakeResponse(
+            status_code=200,
+            payload={
+                "emails": [
+                    {
+                        "id": "too-old-mail",
+                        "from": "noreply@openai.com",
+                        "subject": "Too old verification code",
+                        "body": "111111",
+                        "received_at": 1998,
+                    },
+                    {
+                        "id": "tolerated-mail",
+                        "from": "noreply@openai.com",
+                        "subject": "Tolerated verification code",
+                        "body": "654321",
+                        "received_at": 1999,
+                    },
+                ]
+            },
+        )
+    ])
+    monkeypatch.setattr(tempmail_module.time, "sleep", lambda _: None)
+
+    code = service.get_verification_code(
+        email="tester@example.com",
+        timeout=1,
+        otp_sent_at=2000,
+    )
+
+    assert code == "654321"