az2aws 1.1.3 → 1.3.0

package/.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "1.1.3"
+  ".": "1.3.0"
 }

package/CHANGELOG.md

@@ -1,5 +1,34 @@
 # Changelog
 
+## [1.3.0](https://github.com/kuma0128/az2aws/compare/v1.2.0...v1.3.0) (2026-01-27)
+
+
+### Features
+
+* Add Comprehensive Loginstate Tests and Implementation ([#110](https://github.com/kuma0128/az2aws/issues/110)) ([09fce50](https://github.com/kuma0128/az2aws/commit/09fce501050731e2b0e5063ef8d2d5e4076827a1))
+
+
+### Bug Fixes
+
+* Apply Prettier formatting and add region logging to login functions ([#109](https://github.com/kuma0128/az2aws/issues/109)) ([26a5ef6](https://github.com/kuma0128/az2aws/commit/26a5ef636014f56ad77813f42e866a25b08be2f3))
+* clarify session duration validation message ([#91](https://github.com/kuma0128/az2aws/issues/91)) ([22d87ec](https://github.com/kuma0128/az2aws/commit/22d87ec57318c6dc69d09e098d7e123d07df882e))
+* correct typo 'occured' to 'occurred' in error message ([#86](https://github.com/kuma0128/az2aws/issues/86)) ([b0a75d2](https://github.com/kuma0128/az2aws/commit/b0a75d2c7cecaef7888d17a9880bcd63000713b8))
+* enforce defaults for no-prompt role selection ([#90](https://github.com/kuma0128/az2aws/issues/90)) ([bea40f6](https://github.com/kuma0128/az2aws/commit/bea40f64a9dc6851b34a396fdd315752669c1d9d))
+
+## [1.2.0](https://github.com/kuma0128/az2aws/compare/v1.1.3...v1.2.0) (2026-01-22)
+
+
+### Features
+
+* Add version flag to CLI command ([#67](https://github.com/kuma0128/az2aws/issues/67)) ([b89290f](https://github.com/kuma0128/az2aws/commit/b89290fe16d554f6a8a1bf09df0194a64d692b55))
+
+
+### Bug Fixes
+
+* Add default duration of 1 hour if parsing fails ([#70](https://github.com/kuma0128/az2aws/issues/70)) ([337d12c](https://github.com/kuma0128/az2aws/commit/337d12c90ab0eccf4034bd438ecfb2f0ad98db47))
+* Fix SAML assertion decoding to use UTF-8 encoding ([#72](https://github.com/kuma0128/az2aws/issues/72)) ([14e44a7](https://github.com/kuma0128/az2aws/commit/14e44a7ffe19e48177078aa6d87feb7e8ecf0c94))
+* resolve --no-verify-ssl and proxy settings conflict ([#73](https://github.com/kuma0128/az2aws/issues/73)) ([3fd9adf](https://github.com/kuma0128/az2aws/commit/3fd9adf6dd39109bb428b56215200ad1df3752a9))
+
 ## [1.1.3](https://github.com/kuma0128/az2aws/compare/v1.1.2...v1.1.3) (2026-01-19)
 
 

package/README.md

@@ -5,13 +5,13 @@
 
 # az2aws
 
-If your organization uses [Azure Active Directory](https://azure.microsoft.com) to provide SSO login to the AWS console, then there is no easy way to log in on the command line or to use the [AWS CLI](https://aws.amazon.com/cli/). This tool fixes that. It lets you use the normal Azure AD login (including MFA) from a command line to create a federated AWS session and places the temporary credentials in the proper place for the AWS CLI and SDKs.
+Log in to AWS CLI using [Azure Active Directory](https://azure.microsoft.com) SSO. Supports MFA and places temporary credentials in the proper location for AWS CLI and SDKs.
 
 ## Installation
 
 ### mise (Recommended)
 
-[mise](https://mise.jdx.dev/) is a polyglot version manager that can install az2aws directly.
+[mise](https://mise.jdx.dev/) is a version manager that can install az2aws directly.
 
 Install mise:
 
@@ -66,12 +66,10 @@ Run az2aws with a volume mounted to your AWS configuration directory:
 
     docker run --rm -it -v ~/.aws:/root/.aws az2aws/az2aws
 
-The Docker image is configured with an entrypoint so you can just feed any arguments in at the end.
-
-You can also put the docker-launch.sh script into your bin directory for the az2aws command to function as usual:
+You can also install the docker-launch.sh script to your PATH:
 
     # Download the script (replace VERSION with a specific release tag, e.g., v1.0.0)
-    curl -o /tmp/az2aws https://raw.githubusercontent.com/az2aws/az2aws/VERSION/docker-launch.sh -L
+    curl -o /tmp/az2aws https://raw.githubusercontent.com/kuma0128/az2aws/VERSION/docker-launch.sh -L
 
     # IMPORTANT: Review the script before installing
     cat /tmp/az2aws
@@ -80,9 +78,7 @@ You can also put the docker-launch.sh script into your bin directory for the az2
     sudo mv /tmp/az2aws /usr/local/bin/az2aws
     sudo chmod +x /usr/local/bin/az2aws
 
-> **Security Note:** Always download from a specific release tag (not `main`) and review the script contents before installing. Downloading and executing scripts directly from mutable branch heads poses a supply chain risk.
-
-Now just run `az2aws`.
+> **Security Note:** Always download from a specific release tag (not `main`) and review the script before installing.
 
 ### Snap
 
@@ -104,13 +100,12 @@ https://snapcraft.io/az2aws
 | `--enable-chrome-seamless-sso` | Enable Azure AD Seamless SSO |
 | `--no-disable-extensions` | Keep browser extensions enabled |
 | `--disable-gpu` | Disable GPU acceleration |
+| `--version (-v)` | Show version number |
 
 ## Usage
 
 ### Configuration
 
-#### AWS
-
 To configure the az2aws client run:
 
     az2aws --configure
@@ -119,22 +114,16 @@ You'll need your [Azure Tenant ID and the App ID URI](#getting-your-tenant-id-an
 
     az2aws --configure --profile foo
 
-##### GovCloud Support
-
-To use az2aws with AWS GovCloud, set the `region` profile property in your ~/.aws/config to the one of the GovCloud regions:
+#### GovCloud / China Region Support
 
-- us-gov-west-1
-- us-gov-east-1
+Set the `region` in your ~/.aws/config to use non-standard AWS partitions:
 
-##### China Region Support
-
-To use az2aws with AWS China Cloud, set the `region` profile property in your ~/.aws/config to the China region:
-
-- cn-north-1
+- **GovCloud**: us-gov-west-1, us-gov-east-1
+- **China**: cn-north-1, cn-northwest-1
 
 #### Stay Logged In
 
-During configuration, you can enable "Stay logged in" to skip username/password/MFA on subsequent logins. Session cookies will remember your identity, allowing you to use `--no-prompt` without storing passwords:
+Enable "Stay logged in" during configuration to use `--no-prompt` without storing passwords:
 
     az2aws --no-prompt
     az2aws --profile foo --no-prompt
@@ -147,6 +136,10 @@ You can set defaults via environment variables (use with `--no-prompt`):
 - `AZURE_DEFAULT_USERNAME` / `AZURE_DEFAULT_PASSWORD` - Credentials
 - `AZURE_DEFAULT_ROLE_ARN` / `AZURE_DEFAULT_DURATION_HOURS` - AWS role settings
 
+When using `--no-prompt` with multiple available roles, you must set
+`AZURE_DEFAULT_ROLE_ARN` (or configure `azure_default_role_arn`) so the CLI can
+select a role without prompting.
+
 To avoid storing passwords in bash history, use a leading space:
 
     HISTCONTROL=ignoreboth
@@ -154,28 +147,26 @@ To avoid storing passwords in bash history, use a leading space:
 
 #### Use an Existing Chrome Install and Profile
 
-Instead of using the bundled Chromium, you can use an existing Chrome installation with your own user profile by setting the following environment variables:
+Use your own Chrome installation by setting these environment variables:
 
 - `BROWSER_CHROME_BIN` - Path to Chrome executable
 - `BROWSER_USER_DATA_DIR` - Chrome user data directory
 - `BROWSER_PROFILE_DIR` - Chrome profile name (e.g., "Default")
 
-Example (macOS):
+Example:
 
+    # macOS
     export BROWSER_CHROME_BIN="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
-    export BROWSER_USER_DATA_DIR="/Users/<user>/Library/Application Support/Google/Chrome"
-    export BROWSER_PROFILE_DIR="Default"
-    az2aws --mode gui --no-disable-extensions --no-sandbox
-
-Example (Linux):
+    export BROWSER_USER_DATA_DIR="$HOME/Library/Application Support/Google/Chrome"
 
+    # Linux
     export BROWSER_CHROME_BIN="/usr/bin/google-chrome"
-    export BROWSER_USER_DATA_DIR="/home/<user>/.config/google-chrome"
+    export BROWSER_USER_DATA_DIR="$HOME/.config/google-chrome"
+
+    # Common
     export BROWSER_PROFILE_DIR="Default"
     az2aws --mode gui --no-disable-extensions --no-sandbox
 
-Using Chrome instead of Chromium allows you to use browser extensions such as password managers.
-
 ### Logging In
 
     az2aws                    # Default profile
@@ -187,12 +178,23 @@ You'll be prompted for username, password, and MFA if required. After login, use
 **Tips:**
 - Set `AWS_PROFILE` env var instead of using `--profile`
 - Use `--mode gui --disable-gpu` on VMs or if rendering fails
-- Use `--no-sandbox` on Linux
 - Set `https_proxy` env var for corporate proxy
 
+#### Troubleshooting
+
+If you see device compliance errors (e.g., "Device UnSecured Or Non-Compliant"),
+Try:
+ `--mode gui` and use your system Chrome via `BROWSER_CHROME_BIN`.
+
+If you see "Unable to recognize page state!", Azure's login pages may have
+changed. Try:
+
+- `--mode gui` or `--mode debug`
+- Filing an issue with the screenshot (`az2aws-unrecognized-state.png`) to help maintainers update selectors
+
 ## Automation
 
-Renew all profiles at once (useful for short session limits):
+Renew all profiles at once:
 
     az2aws --all-profiles
     az2aws --all-profiles --no-prompt    # With "Stay logged in" enabled
@@ -201,21 +203,21 @@ Credentials are only refreshed if expiring within 11 minutes - safe to run as a
 
 ## Getting Your Tenant ID and App ID URI
 
-Your Azure AD system admin should be able to provide you with your Tenant ID and App ID URI. If you can't get it from them, you can scrape it from a login page from the myapps.microsoft.com page.
+Ask your Azure AD admin for these values, or extract them from myapps.microsoft.com:
 
 1. Load the myapps.microsoft.com page.
-2. Click the chicklet for the login you want.
-3. In the window the pops open quickly copy the login.microsoftonline.com URL. (If you miss it just try again. You can also open the developer console with nagivation preservation to capture the URL.)
+2. Click the app tile for the login you want.
+3. In the window that pops open, quickly copy the login.microsoftonline.com URL. (You can also use browser DevTools with "Preserve log" enabled to capture it.)
 4. The GUID right after login.microsoftonline.com/ is the tenant ID.
 5. Copy the SAMLRequest URL param.
 6. Paste it into a URL decoder ([like this one](https://www.samltool.com/url.php)) and decode.
-7. Paste the decoded output into the a SAML deflated and encoded XML decoder ([like this one](https://www.samltool.com/decode.php)).
+7. Paste the decoded output into a SAML deflated and encoded XML decoder ([like this one](https://www.samltool.com/decode.php)).
 8. In the decoded XML output the value of the `Audience` tag is the App ID URI.
-9. You may double-check tenant ID using `Attribute` tag named `tenantid` provided in XML.
+9. Verify the tenant ID using the `tenantid` attribute in the XML.
 
 ## How It Works
 
-The Azure login page uses JavaScript, which requires a real web browser. To automate this from a command line, az2aws uses [Puppeteer](https://github.com/GoogleChrome/puppeteer), which automates a real Chromium browser. It loads the Azure login page behind the scenes, populates your username and password (and MFA token), parses the SAML assertion, uses the [AWS STS AssumeRoleWithSAML API](http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html) to get temporary credentials, and saves these in the CLI credentials file.
+az2aws uses [Puppeteer](https://github.com/GoogleChrome/puppeteer) to automate a Chromium browser for Azure AD login. It parses the SAML response and calls [AWS STS AssumeRoleWithSAML](http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html) to get temporary credentials.
 
 ## Troubleshooting
 
@@ -227,7 +229,7 @@ If login fails, try these in order:
 
 ## Support for Other Authentication Providers
 
-Obviously, this tool only supports Azure AD as an identity provider. However, there is a lot of similarity with how other logins with other providers would work (especially if they are SAML providers). If you are interested in building support for a different provider let me know. It would be great to build a more generic AWS CLI login tool with plugins for the various providers.
+This tool only supports Azure AD. Contributions for other SAML providers are welcome - open an issue on GitHub to discuss.
 
 ## Acknowledgements
 

package/issue/issues.md

@@ -726,4 +726,444 @@ Created an issues documentation file (`issue/issues.md`) to track and document a
 **Benefits:**
 - Centralized documentation of all project issues
 - Easier onboarding for new contributors
-- Clear tracking of issue status and priorities
+- Clear tracking of issue status and priorities
+
+---
+
+## Performance Improvements
+
+---
+
+### Issue #57: Optimize keyboard input loop for clearing input fields
+
+**Labels:** `performance`, `priority: high`
+
+**Description:**
+The current implementation sends 100 individual keyboard backspace events to clear input fields, causing unnecessary delay.
+
+**Location:** `src/login.ts:97-99`, `src/login.ts:377-379`
+
+**Current Code:**
+```typescript
+for (let i = 0; i < 100; i++) {
+  await page.keyboard.press("Backspace");
+}
+```
+
+**Problem:**
+- Sends 100 individual keyboard events causing unnecessary delay
+- Each `press` call is an async operation executed serially
+
+**Proposed Fix:**
+Use `page.evaluate()` to clear input via DOM directly, or use `Ctrl+A` to select all then delete:
+```typescript
+// Option 1: Select all and delete
+await page.keyboard.down('Control');
+await page.keyboard.press('a');
+await page.keyboard.up('Control');
+await page.keyboard.press('Backspace');
+
+// Option 2: Clear via DOM
+await page.evaluate((selector) => {
+  const input = document.querySelector(selector) as HTMLInputElement;
+  if (input) input.value = '';
+}, inputSelector);
+```
+
+**Expected Impact:** 100ms - 500ms reduction per input field
+
+---
+
+### Issue #58: Optimize page state polling loop
+
+**Labels:** `performance`, `priority: high`
+
+**Description:**
+The state detection loop checks all 9 states from the beginning on every iteration, which is inefficient.
+
+**Location:** `src/login.ts:814-874`
+
+**Current Code:**
+```typescript
+while (true) {
+  if (samlResponseData) break;
+
+  let foundState = false;
+  for (let i = 0; i < states.length; i++) {
+    const state = states[i];
+    let selected;
+    try {
+      selected = await page.$(state.selector);
+    } catch (err) {
+      break;
+    }
+
+    if (selected) {
+      foundState = true;
+      // ...
+      break;
+    }
+  }
+
+  if (!foundState) {
+    totalUnrecognizedDelay += DELAY_ON_UNRECOGNIZED_PAGE;
+    await Bluebird.delay(DELAY_ON_UNRECOGNIZED_PAGE);  // 1 second wait
+  }
+}
+```
+
+**Problem:**
+- Checks all 9 states from the beginning on every iteration
+- Frequently occurring patterns may be at the end of the array
+- Maximum 30 seconds polling with 1-second intervals
+- Repeats all DOM operations when no state is found
+
+**Proposed Fix:**
+- Place frequently occurring states at the front of the array
+- Cache the last matched state and prioritize it in the next check
+- Consider combining multiple selectors with `waitForSelector`
+
+**Expected Impact:** Potentially up to 30 seconds reduction in worst case scenarios
+
+---
+
+### Issue #59: Eliminate duplicate profile loading in loginAll
+
+**Labels:** `performance`, `priority: medium`
+
+**Description:**
+In `loginAll()`, profile information is loaded from disk for each profile in the loop, causing redundant file I/O and INI parsing.
+
+**Location:** `src/login.ts:527-556`, `src/login.ts:589-610`
+
+**Current Code:**
+```typescript
+async loginAll(...) {
+  const profiles = await awsConfig.getAllProfileNames();  // Load 1
+
+  for (const profile of profiles) {
+    if (!forceRefresh && !(await awsConfig.isProfileAboutToExpireAsync(profile))) {
+      continue;
+    }
+
+    await this.loginAsync(profile, ...);  // Calls _loadProfileAsync internally
+  }
+}
+```
+
+**Problem:**
+- Profile information is loaded from disk for each profile in the loop
+- INI parsing is repeated multiple times
+
+**Proposed Fix:**
+- Cache profile information when `getAllProfileNames()` is called
+- Or create a separate method to load all profiles at once
+
+---
+
+### Issue #60: Replace Lodash with native array methods
+
+**Labels:** `performance`, `priority: low`
+
+**Description:**
+Lodash is used for small-scale operations where native array methods would be more efficient.
+
+**Location:** `src/login.ts:175`, `src/login.ts:968`, `src/login.ts:979`, `src/login.ts:1005`
+
+**Current Usage:**
+```typescript
+_.map(accounts, "message")
+_.sortBy(_.map(roles, "roleArn"))
+_.find(roles, ["roleArn", defaultRoleArn])
+```
+
+**Problem:**
+- Lodash dependency for small-scale operations (typically <10 items)
+- Native array methods are more efficient for these cases
+
+**Proposed Fix:**
+```typescript
+// Replace _.map(accounts, "message")
+accounts.map(a => a.message)
+
+// Replace _.sortBy(_.map(roles, "roleArn"))
+roles.map(r => r.roleArn).sort()
+
+// Replace _.find(roles, ["roleArn", defaultRoleArn])
+roles.find(r => r.roleArn === defaultRoleArn)
+```
+
+Consider removing Lodash from package.json if no longer needed elsewhere.
+
+---
+
+## Additional Bug Reports
+
+---
+
+### Issue #61: Incomplete error handling in page navigation
+
+**Labels:** `bug`, `priority: high`
+
+**Description:**
+Page navigation errors are logged but not properly handled, allowing the process to continue in an undefined state.
+
+**Location:** `src/login.ts:803-809`
+
+**Current Code:**
+```typescript
+try {
+  if (headless || (!headless && cliProxy)) {
+    await page.goto(url, { waitUntil: "domcontentloaded" });
+  } else {
+    await page.waitForNavigation({ waitUntil: "networkidle0" });
+  }
+} catch (err) {
+  if (err instanceof Error) {
+    debug(`Error occured during loading the first page: ${err.message}`);
+    // Error is swallowed, logic continues
+  }
+}
+```
+
+**Problem:**
+- Error is only logged, not thrown or handled
+- May continue in an undefined state when redirect fails
+- Typo: "occured" should be "occurred"
+
+**Proposed Fix:**
+```typescript
+try {
+  if (headless || (!headless && cliProxy)) {
+    await page.goto(url, { waitUntil: "domcontentloaded" });
+  } else {
+    await page.waitForNavigation({ waitUntil: "networkidle0" });
+  }
+} catch (err) {
+  if (err instanceof Error) {
+    debug(`Error occurred during loading the first page: ${err.message}`);
+    throw new CLIError(`Failed to load login page: ${err.message}`);
+  }
+  throw err;
+}
+```
+
+---
+
+### Issue #62: Missing NaN validation in duration hours input
+
+**Labels:** `bug`, `priority: medium`
+
+**Description:**
+The duration hours input validation does not check for NaN values when converting string input to number.
+
+**Location:** `src/configureProfileAsync.ts:50-56`
+
+**Current Code:**
+```typescript
+validate: (input): boolean | string => {
+  input = Number(input);
+  if (input > 0 && input <= 12) return true;
+  return "Duration hours must be between 0 and 12";
+},
+```
+
+**Problem:**
+- Only validates after String to Number conversion
+- No NaN check - `Number("abc")` returns NaN which fails the condition silently
+- Error message says "between 0 and 12" but code checks `> 0` (exclusive)
+
+**Proposed Fix:**
+```typescript
+validate: (input): boolean | string => {
+  const num = Number(input);
+  if (Number.isNaN(num)) return "Please enter a valid number";
+  if (num > 0 && num <= 12) return true;
+  return "Duration hours must be greater than 0 and at most 12";
+},
+```
+
+---
+
+### Issue #63: Fixed delay for browser initialization is environment-dependent
+
+**Labels:** `bug`, `priority: medium`
+
+**Description:**
+A fixed 200ms delay is used to wait for browser initialization, which may be insufficient in slower environments.
+
+**Location:** `src/login.ts:750`
+
+**Current Code:**
+```typescript
+browser = await puppeteer.launch(launchParams);
+
+// Wait for a bit as sometimes the browser isn't ready.
+await Bluebird.delay(200);
+
+const pages = await browser.pages();
+```
+
+**Problem:**
+- 200ms fixed delay is environment-dependent
+- May cause instability in CI environments or slower machines
+- May cause unnecessary delay in faster environments
+
+**Proposed Fix:**
+Use a more reliable wait mechanism for browser initialization:
+```typescript
+browser = await puppeteer.launch(launchParams);
+
+// Wait for browser to be ready
+const pages = await browser.pages();
+if (pages.length === 0) {
+  // Wait for default page to be created
+  await browser.waitForTarget(target => target.type() === 'page');
+}
+```
+
+---
+
+### Issue #64: Event listener memory leak risk in SAML response handling
+
+**Labels:** `bug`, `priority: medium`
+
+**Description:**
+The request event listener for capturing SAML responses is not explicitly cleaned up after use.
+
+**Location:** `src/login.ts:761-790`
+
+**Current Code:**
+```typescript
+const samlResponsePromise = new Promise((resolve) => {
+  page.on("request", (req: HTTPRequest) => {
+    // Event listener may remain registered
+    const reqUrl = req.url();
+    if (reqUrl === AWS_SAML_ENDPOINT || reqUrl === AWS_GOV_SAML_ENDPOINT || reqUrl === AWS_CN_SAML_ENDPOINT) {
+      // ...
+      resolve(samlResponse);
+    }
+  });
+});
+```
+
+**Problem:**
+- Event listener is not explicitly cleaned up
+- Potential memory leak if page is reused or not properly closed
+
+**Proposed Fix:**
+```typescript
+const samlResponsePromise = new Promise((resolve) => {
+  const requestHandler = (req: HTTPRequest) => {
+    const reqUrl = req.url();
+    if (reqUrl === AWS_SAML_ENDPOINT || reqUrl === AWS_GOV_SAML_ENDPOINT || reqUrl === AWS_CN_SAML_ENDPOINT) {
+      // ...
+      page.off("request", requestHandler);  // Clean up listener
+      resolve(samlResponse);
+    }
+  };
+  page.on("request", requestHandler);
+});
+```
+
+Or use `page.once()` if appropriate for the use case.
+
+---
+
+### Issue #65: Typo in error message
+
+**Labels:** `bug`, `priority: low`
+
+**Description:**
+There is a typo in the error debug message.
+
+**Location:** `src/login.ts:806`
+
+**Current:** `"Error occured during loading the first page"`
+**Should be:** `"Error occurred during loading the first page"`
+
+**Proposed Fix:**
+```typescript
+debug(`Error occurred during loading the first page: ${err.message}`);
+```
+
+---
+
+## Code Quality Improvements
+
+---
+
+### Issue #66: Reduce `any` type usage and eslint-disable comments
+
+**Labels:** `code-quality`, `priority: medium`
+
+**Description:**
+There are several places where `any` type and `eslint-disable` comments are used, reducing type safety.
+
+**Locations:**
+- `src/awsConfig.ts:149` - `any` type for parsed INI
+- `src/login.ts:141-144` - eslint-disable comment
+
+**Current Code:**
+```typescript
+// awsConfig.ts:149
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const parsedIni: any = ini.parse(data);
+
+// login.ts:141-144
+const aadTileMessage: string = await page.evaluate(
+  // eslint-disable-next-line
+  (a) => a?.textContent ?? "",
+  aadTile
+);
+```
+
+**Proposed Fix:**
+- Define proper TypeScript interfaces for INI parsing results
+- Use type guards instead of eslint-disable comments
+- Consider using a typed INI parser or create proper type definitions
+
+---
+
+### Issue #67: Add missing test coverage for critical functions
+
+**Labels:** `testing`, `priority: medium`
+
+**Description:**
+Several critical functions lack test coverage.
+
+**Location:** `src/login.test.ts`
+
+**Missing Tests:**
+- `_performLoginAsync()` - the most complex function with browser automation
+- `_parseRolesFromSamlResponse()` - SAML parsing logic
+- Edge cases: empty SAML response, zero roles, malformed XML, etc.
+
+**Proposed Tests:**
+```typescript
+describe("login._performLoginAsync", () => {
+  // Mock puppeteer browser behavior
+  // Test SAML session completion sequence
+});
+
+describe("login._parseRolesFromSamlResponse", () => {
+  it("should parse valid SAML response with multiple roles", () => {});
+  it("should handle empty SAML response", () => {});
+  it("should handle special characters in role names", () => {});
+  it("should handle UTF-8 encoded content", () => {});
+});
+```
+
+---
+
+### [RESOLVED] Issue #68: Prettier formatting issues in login files
+
+**Labels:** `code-quality`, `priority: low`
+
+**Description:**
+Prettier detected code style issues in `src/login.ts` and `src/login.test.ts` that caused `yarn lint` to fail.
+
+**Location:** `src/login.ts`, `src/login.test.ts`
+
+**Resolution:**
+Fixed by running `yarn prettier --write` on the affected files.

package/lib/configureProfileAsync.js

@@ -53,7 +53,7 @@ async function configureProfileAsync(profileName) {
                 input = Number(input);
                 if (input > 0 && input <= 12)
                     return true;
-                return "Duration hours must be between 0 and 12";
+                return "Duration hours must be between 1 and 12";
             },
         },
         {