From e447a3991232b3d3b9675c70131e3bc8f37ae738 Mon Sep 17 00:00:00 2001
From: Thigazhezhilan J
Date: Tue, 26 May 2026 21:39:18 +0530
Subject: [PATCH] Fix twofa returning profile instead of redirect_url

Following the connect/login redirect chain overwrites kf_session with a plain web session, stripping the OAuth context. Stop at the first 302 so kf_session retains the api_key OAuth context through the twofa step.

Co-Authored-By: Claude Sonnet 4.6
---
 backend/app/services/auto_login_service.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/backend/app/services/auto_login_service.py b/backend/app/services/auto_login_service.py
index 28b31b6..16ed7aa 100644
--- a/backend/app/services/auto_login_service.py
+++ b/backend/app/services/auto_login_service.py
@@ -187,17 +187,18 @@ def _perform_zerodha_login(
         "Origin": "https://kite.zerodha.com",
     })
-    # Step 1: Initialize OAuth session so Zerodha associates this session with
-    # the api_key before we submit credentials.
-    connect_resp = session.get(
+    # Step 1: Initialize OAuth session.
+    # allow_redirects=False is CRITICAL: the first 302 response sets kf_session
+    # with the OAuth context (api_key). Following the redirect updates kf_session
+    # to a plain web session (no OAuth), which causes twofa to return profile:{}
+    # instead of redirect_url with request_token.
+    session.get(
         f"https://kite.zerodha.com/connect/login?v=3&api_key={api_key}",
         timeout=15,
-        allow_redirects=True,
+        allow_redirects=False,
     )
     print(
-        f"[AUTO-LOGIN-DEBUG] connect final_url={connect_resp.url} "
-        f"status={connect_resp.status_code} "
-        f"cookies={list(session.cookies.keys())}",
+        f"[AUTO-LOGIN-DEBUG] connect cookies={list(session.cookies.keys())}",
         flush=True,
     )
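Review bot: The new `session.get(...)` discards its response, so nothing checks that connect/login actually returned the 302 and set the `kf_session` cookie that the new comment says the whole flow depends on; a 200, a 4xx, or a rate-limit/error page would be accepted silently and the problem would only surface later at the twofa step as the same `profile:{}` symptom this commit is fixing. Keep the response and fail fast before credentials are submitted: `connect_resp = session.get(...)` followed by `if connect_resp.status_code != 302 or "kf_session" not in session.cookies: raise RuntimeError(f"connect/login did not establish OAuth session (status={connect_resp.status_code})")` (use whatever exception type the caller already handles, and widen to the 3xx set if Zerodha is observed to vary the redirect code). The `[AUTO-LOGIN-DEBUG]` print dropped `status=` along with the URL; reporting `status={connect_resp.status_code}` next to the cookie names keeps the one signal the comment identifies as decisive, while still not echoing the api_key-bearing URL. `_perform_zerodha_login` starts before and continues after this hunk.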