quantfortune/SIP_GoldBees_Backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix auto-login OAuth context not being established

Browse Source 
Root cause: X-Kite-Version header on web login endpoints caused Zerodha
to return plain profile response instead of OAuth redirect_url.

Changes:
- Remove X-Kite-Version from session headers (only valid for Kite Connect API)
- Use allow_redirects=False on connect/login GET to preserve OAuth cookie
- Add Referer header to login/twofa POSTs
- Check data.redirect_url in twofa JSON body (modern Zerodha SPA behavior)
- Keep Location header fallback for legacy behavior

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Thigazhezhilan J 2026-05-25 21:42:25 +05:30
parent a1b19b7431
commit 4922ea69e8
1 changed files with 51 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
backend/app/services/auto_login_service.py
View File

@ -176,22 +176,42 @@ def _perform_zerodha_login(
) -> dict: ) -> dict:
"""Automates Zerodha login and returns session data with access_token.""" """Automates Zerodha login and returns session data with access_token."""
session = requests.Session() session = requests.Session()
# Use a real browser UA; do NOT set X-Kite-Version here — that header is
# for the Kite Connect REST API, not the web login endpoints, and confuses
# Zerodha's routing so it returns a plain profile response instead of an
# OAuth redirect_url.
session.headers.update({ session.headers.update({
"X-Kite-Version": "3", "User-Agent": (
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
"AppleWebKit/537.36 (KHTML, like Gecko) "
"Chrome/124.0.0.0 Safari/537.36"
),
}) })
# Step 1: Initialize OAuth session with api_key so Zerodha knows # Step 1: Initialize OAuth session.
# which app is logging in and returns request_token after TOTP. # Use allow_redirects=False so we capture the Set-Cookie from the first
session.get( # response before any redirect overwrites/clears the OAuth context cookie.
f"https://kite.zerodha.com/connect/login?api_key={api_key}&v=3", connect_resp = session.get(
f"https://kite.zerodha.com/connect/login?v=3&api_key={api_key}",
timeout=15, timeout=15,
allow_redirects=False,
) )
print(
f"[AUTO-LOGIN-DEBUG] connect status={connect_resp.status_code} "
f"location={connect_resp.headers.get('Location', 'NONE')} "
f"cookies={list(session.cookies.keys())}",
flush=True,
)
# Follow the redirect to the login page so the full OAuth init completes
redirect_to = connect_resp.headers.get("Location", "")
if connect_resp.status_code in (301, 302, 303, 307, 308) and redirect_to:
session.get(redirect_to, timeout=15, allow_redirects=True)
# Step 2: Username + password # Step 2: Username + password
login_resp = session.post( login_resp = session.post(
KITE_LOGIN_ENDPOINT, KITE_LOGIN_ENDPOINT,
data={"user_id": zerodha_login_id, "password": password}, data={"user_id": zerodha_login_id, "password": password},
headers={"Referer": "https://kite.zerodha.com/login"},
timeout=15, timeout=15,
) )
try: try:
@ -204,7 +224,7 @@ def _perform_zerodha_login(
request_id = login_data["data"]["request_id"] request_id = login_data["data"]["request_id"]
# Step 3: TOTP — don't follow redirect automatically # Step 3: TOTP
try: try:
import pyotp import pyotp
except ImportError: except ImportError:
@ -218,20 +238,34 @@ def _perform_zerodha_login(
"twofa_value": totp_value, "twofa_value": totp_value,
"twofa_type": "totp", "twofa_type": "totp",
}, },
headers={"Referer": "https://kite.zerodha.com/login"},
timeout=15, timeout=15,
allow_redirects=False, allow_redirects=False,
) )
print( print(
f"[AUTO-LOGIN-DEBUG] twofa status={twofa_resp.status_code} " f"[AUTO-LOGIN-DEBUG] twofa status={twofa_resp.status_code} "
f"location={twofa_resp.headers.get('Location', 'NONE')} " f"location={twofa_resp.headers.get('Location', 'NONE')} "
f"body={twofa_resp.text[:300]}", f"body={twofa_resp.text[:400]}",
flush=True, flush=True,
) )
# Step 4: Follow redirects manually to intercept request_token # Step 4: Extract request_token.
# Modern Zerodha (SPA): returns 200 JSON with data.redirect_url containing request_token.
# Older behavior: 302 Location header redirect.
request_token = None request_token = None
location = twofa_resp.headers.get("Location", "")
try:
twofa_json = twofa_resp.json()
redirect_url_body = twofa_json.get("data", {}).get("redirect_url", "")
if redirect_url_body and "request_token" in redirect_url_body:
parsed = urlparse(redirect_url_body)
params = parse_qs(parsed.query)
request_token = params.get("request_token", [None])[0]
except Exception:
pass
if not request_token:
location = twofa_resp.headers.get("Location", "")
for _ in range(10): for _ in range(10):
if "request_token" in location: if "request_token" in location:
parsed = urlparse(location) parsed = urlparse(location)