feat(cli): add interactive login prompt with provider selection (#16093)

* feat(cli): add interactive login prompt with provider selection

When running `fern login` without an active Auth0 session, the CLI now
presents an interactive menu to choose a login provider:

  - Continue with GitHub
  - Continue with Google
  - Continue with Postman
  - Continue with SSO (prompts for email, resolves enterprise connection)

If an active Auth0 session exists, authentication completes silently as
before (via prompt=none silent auth check).

Non-TTY environments and --device-code / --email flags are unaffected.

Co-Authored-By: rishabh <rishabh@buildwithfern.com>

* fix: use local token check instead of browser-based silent auth

Replace prompt=none browser-based silent auth with isLoggedIn() check.
Previously, the CLI would open a browser tab with prompt=none to detect
an existing Auth0 session, causing a brief browser flash for users
without a session. Now the CLI checks the locally stored token instead:
- If a valid token exists → open browser directly (Auth0 session handles it)
- If no token → show the interactive prompt without touching the browser

Also removes the now-unused trySilentAuth(), NoSessionError, and
parseAuthResponse() from doAuth0LoginFlow.ts.

Co-Authored-By: rishabh <rishabh@buildwithfern.com>

* fix: add device-code fallback to interactive prompt path

Extract loginWithDeviceCodeFallback() helper that wraps doAuth0LoginFlow
with a try/catch falling back to doAuth0DeviceAuthorizationFlow. Both
the main login path and the interactive prompt path (promptAndLogin) now
use this helper, ensuring transient failures (port conflicts, browser
launch failures, Auth0 errors) fall back to device-code flow instead of
surfacing as hard errors.

Co-Authored-By: rishabh <rishabh@buildwithfern.com>

* fix(cli): address Claude review - forward connection to device-code fallback, validate email, fix Wizard message

Co-Authored-By: rishabh <rishabh@buildwithfern.com>

* fix(cli): trim email input in promptForEmail

Co-Authored-By: rishabh <rishabh@buildwithfern.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: rishabh <rishabh@buildwithfern.com>

Author: devin-ai-integration[bot]

packages/cli/cli-v2/src/init/Wizard.ts

@@ -198,7 +198,6 @@ export class Wizard {
                 return undefined;
             }
 
-            this.context.stderr.info(`  ${Icons.info} Opening browser to log in to Fern...`);
             const taskContext = new TaskContextAdapter({ context: this.context, logLevel: LogLevel.Info });
             const { accessToken, idToken } = await getTokenFromAuth0(taskContext, {
                 useDeviceCodeFlow: false,

packages/cli/cli/changes/unreleased/interactive-login-prompt.yml

@@ -0,0 +1,7 @@
+- summary: |
+    Add interactive login prompt to `fern login`. When no active Auth0 session
+    exists, the CLI now presents a menu to choose a login provider (GitHub,
+    Google, Postman, or SSO). Selecting SSO prompts for an email address and
+    routes directly to the organization's identity provider. If an active
+    session already exists, authentication completes silently as before.
+  type: feat

packages/cli/login/src/auth0-login/doAuth0DeviceAuthorizationFlow.ts

@@ -28,12 +28,14 @@ export async function doAuth0DeviceAuthorizationFlow({
     auth0Domain,
     auth0ClientId,
     audience,
-    context
+    context,
+    connection
 }: {
     auth0Domain: string;
     auth0ClientId: string;
     audience: string;
     context: TaskContext;
+    connection?: string;
 }): Promise<Auth0TokenResponse> {
     const deviceCodeResponse = await axios.request<DeviceCodeResponse>({
         method: "POST",
@@ -42,7 +44,8 @@ export async function doAuth0DeviceAuthorizationFlow({
         data: qs.stringify({
             client_id: auth0ClientId,
             audience,
-            scope: "openid profile email offline_access"
+            scope: "openid profile email offline_access",
+            ...(connection != null ? { connection } : {})
         }),
         validateStatus: () => true
     });

packages/cli/login/src/auth0-login/doAuth0LoginFlow.ts

@@ -165,7 +165,6 @@ function constructAuth0Url({
         queryParams.set("connection", connection);
     }
 
-    // Force re-authentication to allow switching accounts.
     if (forceReauth) {
         queryParams.set("prompt", "login");
     }

packages/cli/login/src/constants.ts

@@ -8,3 +8,15 @@ export function getDashboardBaseUrl(): string {
         "https://dashboard.buildwithfern.com"
     );
 }
+
+export interface LoginOption {
+    label: string;
+    connection: string;
+}
+
+export const LOGIN_OPTIONS: LoginOption[] = [
+    { label: "Continue with GitHub", connection: "github" },
+    { label: "Continue with Google", connection: "google-oauth2" },
+    { label: "Continue with Postman", connection: "postman" },
+    { label: "Continue with SSO", connection: "enterprise-sso" }
+];

packages/cli/login/src/login.ts

@@ -1,12 +1,12 @@
-import { FernUserToken, storeToken } from "@fern-api/auth";
+import { FernUserToken, isLoggedIn, storeToken } from "@fern-api/auth";
 import { getPosthogManager } from "@fern-api/posthog-manager";
 import { TaskContext } from "@fern-api/task-context";
 import chalk from "chalk";
-
+import inquirer from "inquirer";
 import { doAuth0DeviceAuthorizationFlow } from "./auth0-login/doAuth0DeviceAuthorizationFlow.js";
 import { type Auth0TokenResponse, doAuth0LoginFlow } from "./auth0-login/doAuth0LoginFlow.js";
 import { resolveSsoConnection } from "./auth0-login/resolveSsoConnection.js";
-import { AUTH0_CLIENT_ID, AUTH0_DOMAIN, getDashboardBaseUrl, VENUS_AUDIENCE } from "./constants.js";
+import { AUTH0_CLIENT_ID, AUTH0_DOMAIN, getDashboardBaseUrl, LOGIN_OPTIONS, VENUS_AUDIENCE } from "./constants.js";
 
 export type { Auth0TokenResponse } from "./auth0-login/doAuth0LoginFlow.js";
 
@@ -63,20 +63,97 @@ export async function getTokenFromAuth0(
         });
     }
 
+    // In TTY mode, check for a locally stored token to decide the flow:
+    // - If already logged in → open the browser directly (Auth0 session handles it)
+    // - If not logged in → show an interactive prompt so the user stays in the CLI
+    if (!forceReauth && process.stdout.isTTY && !(await isLoggedIn())) {
+        return await promptAndLogin(context);
+    }
+
+    return await loginWithDeviceCodeFallback(context, { forceReauth });
+}
+
+async function loginWithDeviceCodeFallback(
+    context: TaskContext,
+    { forceReauth = false, connection }: { forceReauth?: boolean; connection?: string } = {}
+): Promise<Auth0TokenResponse> {
     try {
         return await doAuth0LoginFlow({
             context,
             auth0Domain: AUTH0_DOMAIN,
             auth0ClientId: AUTH0_CLIENT_ID,
             audience: VENUS_AUDIENCE,
-            forceReauth
+            forceReauth,
+            connection
         });
     } catch {
         return await doAuth0DeviceAuthorizationFlow({
             auth0Domain: AUTH0_DOMAIN,
             auth0ClientId: AUTH0_CLIENT_ID,
             audience: VENUS_AUDIENCE,
-            context
+            context,
+            connection
+        });
+    }
+}
+
+async function promptAndLogin(context: TaskContext): Promise<Auth0TokenResponse> {
+    const choices = LOGIN_OPTIONS.map((opt) => ({ name: opt.label, value: opt.connection }));
+
+    const selectedConnection = await promptForConnection(context, choices);
+
+    // SSO requires resolving the enterprise connection from the user's email
+    if (selectedConnection === "enterprise-sso") {
+        const ssoEmail = await promptForEmail(context);
+
+        const resolvedConnection = await resolveSsoConnection({
+            dashboardBaseUrl: getDashboardBaseUrl(),
+            email: ssoEmail
         });
+
+        return await loginWithDeviceCodeFallback(context, { connection: resolvedConnection });
     }
+
+    return await loginWithDeviceCodeFallback(context, { connection: selectedConnection });
+}
+
+async function promptForConnection(
+    context: TaskContext,
+    choices: Array<{ name: string; value: string }>
+): Promise<string> {
+    let result = "";
+    await context.takeOverTerminal(async () => {
+        const { connection } = await inquirer.prompt<{ connection: string }>([
+            {
+                type: "list",
+                name: "connection",
+                message: "How would you like to log in?",
+                choices
+            }
+        ]);
+        result = connection;
+    });
+    return result;
+}
+
+async function promptForEmail(context: TaskContext): Promise<string> {
+    let result = "";
+    await context.takeOverTerminal(async () => {
+        const { email } = await inquirer.prompt<{ email: string }>([
+            {
+                type: "input",
+                name: "email",
+                message: "Enter your email address:",
+                validate: (input: string) => {
+                    const trimmed = input.trim();
+                    if (trimmed.length === 0 || !trimmed.includes("@")) {
+                        return "Please enter a valid email address.";
+                    }
+                    return true;
+                }
+            }
+        ]);
+        result = email.trim();
+    });
+    return result;
 }