Fix twofa returning profile instead of redirect_url

Following the connect/login redirect chain overwrites kf_session with a plain web session, stripping the OAuth context. Stop at the first 302 so kf_session retains the api_key OAuth context through the twofa step. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-26 21:39:18 +05:30 · 2026-05-26 21:39:18 +05:30 · e447a39912
commit e447a39912
parent dc663a129c
1 changed files with 8 additions and 7 deletions
--- a/backend/app/services/auto_login_service.py
+++ b/backend/app/services/auto_login_service.py
@ -187,17 +187,18 @@ def _perform_zerodha_login(
        "Origin": "https://kite.zerodha.com",
    })

-    # Step 1: Initialize OAuth session so Zerodha associates this session with
-    # the api_key before we submit credentials.
-    connect_resp = session.get(
+    # Step 1: Initialize OAuth session.
+    # allow_redirects=False is CRITICAL: the first 302 response sets kf_session
+    # with the OAuth context (api_key). Following the redirect updates kf_session
+    # to a plain web session (no OAuth), which causes twofa to return profile:{}
+    # instead of redirect_url with request_token.
+    session.get(
        f"https://kite.zerodha.com/connect/login?v=3&api_key={api_key}",
        timeout=15,
-        allow_redirects=True,
+        allow_redirects=False,
    )
    print(
-        f"[AUTO-LOGIN-DEBUG] connect final_url={connect_resp.url} "
-        f"status={connect_resp.status_code} "
-        f"cookies={list(session.cookies.keys())}",
+        f"[AUTO-LOGIN-DEBUG] connect cookies={list(session.cookies.keys())}",
        flush=True,
    )