Support IBKR second-factor device selection and manual 2FA fallback

[onurserce]

Summary

This PR solves issue #271 by improving the IBKR login flow for accounts that do not go directly from username/password to a standard 2FA screen.

It adds support for:

• an intermediate Select Second Factor Device dropdown
• OTP/code inputs that appear on the same page after device selection
• a manual 2FA fallback for users who do not have an automatable 2FA handler
• redaction of sensitive values from config logging

It also updates the docs and provides a tracked env.list.example template for compose-based setups.

Problem

Some IBKR accounts now show an extra device-selection step after submitting credentials. The existing flow did not expect this intermediate screen, and the default selector for TWO_FA_SELECT was incorrect for that page.

A second issue is that some variants do not navigate to a separate OTP page after device selection. Instead, they stay on the same login form and reveal a code input such as Mobile Authenticator App Code.

Finally, users with device-bound authenticators may have no usable automated IBEAM_TWO_FA_HANDLER, so the current behavior shuts IBeam down at the 2FA step even though the login could still be completed manually.

Changes

Login flow

• add support for TAG@@select targets so the second-factor device dropdown can be identified reliably
• make device selection opt-in via IBEAM_TWO_FA_SELECT
• improve device option selection logic to support exact match, substring match, and single-option fallback
• add a generic code-input fallback using placeholder text matching (PLACEHOLDER@@Code) for same-page OTP variants
• support manual 2FA fallback when IBEAM_MANUAL_TWO_FA=true and no automated 2FA handler is configured
• wait for gateway authentication by polling the gateway session instead of failing immediately

Config and safety

• add IBEAM_MANUAL_TWO_FA
• add IBEAM_MANUAL_TWO_FA_TIMEOUT
• strip quotes from IBEAM_TWO_FA_SELECT_EL_ID and IBEAM_TWO_FA_SELECT_TARGET (in case the user enters the environment variables in quotes)
• redact sensitive config values from runtime logging

Docs

• add env.list.example for clarity, keep local env.list ignored
• document the second-factor device-selection flow
• document the manual 2FA fallback

Example runtime output

The following log sequence shows the intended behavior for the Mobile Authenticator App flow with manual fallback enabled:

ibeam  | 2026-03-12 22:15:34,091|I| Gateway auth webpage loaded
ibeam  | 2026-03-12 22:15:34,091|I| Login attempt number 1
ibeam  | 2026-03-12 22:15:34,297|D| target: Target(NAME@@username)
ibeam  | 2026-03-12 22:15:39,508|I| Submitting the form
ibeam  | 2026-03-12 22:15:40,579|D| target: Target(TAG@@select)
ibeam  | 2026-03-12 22:15:40,579|I| Required to select a 2FA method.
ibeam  | 2026-03-12 22:15:40,802|I| Available 2FA methods: ['IB Key', 'Mobile Authenticator App']
ibeam  | 2026-03-12 22:15:41,662|D| target: Target(PLACEHOLDER@@Code)
ibeam  | 2026-03-12 22:15:41,662|I| 2FA method "Mobile Authenticator App" selected successfully.
ibeam  | 2026-03-12 22:15:41,662|I| Credentials correct, but Gateway requires two-factor authentication.
ibeam  | 2026-03-12 22:15:41,662|W| ######## ATTENTION! ######## No 2FA handler found. Waiting up to 300 seconds for manual 2FA completion.
ibeam  | 2026-03-12 22:15:41,662|W| Open https://localhost:5000 in your browser, complete the IBKR login manually, and keep IBeam running while it waits for the gateway session to become authenticated.
ibeam  | 2026-03-12 22:15:41,897|I| Saving screenshot to /srv/outputs/ibeam__0.5.10__2026-03-12_22-15-41__manual-two-fa.png. Make sure to cover your credentials if you share it with others.

Configuration example

For accounts that show the extra device-selection step and require manual completion of 2FA:

IBEAM_TWO_FA_SELECT=true
IBEAM_TWO_FA_SELECT_TARGET=Mobile Authenticator App
IBEAM_MANUAL_TWO_FA=true
IBEAM_MANUAL_TWO_FA_TIMEOUT=300

Verification

Tested locally by rebuilding the Docker image and exercising the login flow against an IBKR account that shows:

• Select Second Factor Device
• Mobile Authenticator App
• a same-page OTP input with placeholder text ending in Code