Fix twofa returning profile instead of redirect_url

Following the connect/login redirect chain overwrites kf_session with a
plain web session, stripping the OAuth context. Stop at the first 302
so kf_session retains the api_key OAuth context through the twofa step.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/services/auto_login_service.py

@@ -187,17 +187,18 @@ def _perform_zerodha_login(
         "Origin": "https://kite.zerodha.com",
     })
 
-    # Step 1: Initialize OAuth session so Zerodha associates this session with
+    # Step 1: Initialize OAuth session.
-    # the api_key before we submit credentials.
+    # allow_redirects=False is CRITICAL: the first 302 response sets kf_session
-    connect_resp = session.get(
+    # with the OAuth context (api_key). Following the redirect updates kf_session
+    # to a plain web session (no OAuth), which causes twofa to return profile:{}
+    # instead of redirect_url with request_token.
+    session.get(
         f"https://kite.zerodha.com/connect/login?v=3&api_key={api_key}",
         timeout=15,
-        allow_redirects=True,
+        allow_redirects=False,
     )
     print(
-        f"[AUTO-LOGIN-DEBUG] connect final_url={connect_resp.url} "
+        f"[AUTO-LOGIN-DEBUG] connect cookies={list(session.cookies.keys())}",
-        f"status={connect_resp.status_code} "
-        f"cookies={list(session.cookies.keys())}",
         flush=True,
     )