Fix auto-login: initialize Zerodha OAuth session before credentials

Without first GETting the connect/login URL with the api_key,
Zerodha doesn't know which app is logging in and never returns
a request_token after TOTP — causing the redirect loop to fail.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/services/auto_login_service.py

@@ -181,7 +181,14 @@ def _perform_zerodha_login(
         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
     })
 
-    # Step 1: Username + password
+    # Step 1: Initialize OAuth session with api_key so Zerodha knows
+    # which app is logging in and returns request_token after TOTP.
+    session.get(
+        f"https://kite.zerodha.com/connect/login?api_key={api_key}&v=3",
+        timeout=15,
+    )
+
+    # Step 2: Username + password
     login_resp = session.post(
         KITE_LOGIN_ENDPOINT,
         data={"user_id": zerodha_login_id, "password": password},
@@ -197,7 +204,7 @@ def _perform_zerodha_login(
 
     request_id = login_data["data"]["request_id"]
 
-    # Step 2: TOTP — don't follow redirect automatically
+    # Step 3: TOTP — don't follow redirect automatically
     try:
         import pyotp
     except ImportError:
@@ -215,7 +222,7 @@ def _perform_zerodha_login(
         allow_redirects=False,
     )
 
-    # Step 3: Follow redirects manually to intercept request_token
+    # Step 4: Follow redirects manually to intercept request_token
     request_token = None
     location = twofa_resp.headers.get("Location", "")
 
@@ -236,7 +243,7 @@ def _perform_zerodha_login(
             "Check TOTP secret and credentials."
         )
 
-    # Step 4: Exchange request_token for access_token using existing service
+    # Step 5: Exchange request_token for access_token using existing service
     session_data = exchange_request_token(api_key, api_secret, request_token)
     return {
         "api_key": api_key,