add support for fahipay transfer history

docs/fahipayapi/01-login.md

@@ -25,7 +25,7 @@ POST https://fahipay.mv/api/app/login/
 | `grant_type` | `auth_id` | Always `auth_id` |
 | `lang` | `en` | Always `en` |
 | `version` | `2.0.0` | App version string |
-| `platform` | `BasedBank` | Client identifier (original app sends `app`) |
+| `platform` | `BasedBank` | Client identifier (`app` in the original Fahipay app) |
 | `device[available]` | `true` | See [common device fields](README.md#common-form-fields-device-info) |
 | `device[platform]` | `Android` | |
 | `device[uuid]` | `a1b2c3d4e5f60718` | Persistent 16-char hex UUID, generated once per install |
@@ -87,7 +87,7 @@ The user has TOTP two-factor authentication enabled. Proceed to the [OTP step](0
 | `two_factor_method` | `string` | `"totp"` — standard TOTP (RFC 6238) |
 | `type` | `string` | `"success"` on success, `"error"` on failure |
 
-The server sets the `__Secure-sess` session cookie on this response. It must be included in all subsequent requests.
+The `__Secure-sess` session cookie is obtained from the session initialisation step (see [Session Cookie](#session-cookie) below), not from this response.
 
 ---
 
@@ -128,7 +128,14 @@ The user does not have 2FA enabled. The `authID` is returned directly — no OTP
 
 ## Session Cookie
 
-The `__Secure-sess` cookie is set by the server on the first response and must be sent on every subsequent request. It is a standard HTTP cookie with the `Secure` flag.
+Before calling `/api/app/login/`, the client must make an initialisation request to obtain the `__Secure-sess` cookie:
+
+```
+GET https://fahipay.mv/api/app/lang/data/
+User-Agent: <webview UA>
+```
+
+The server sets the `__Secure-sess` cookie on this response. It must be sent with every subsequent request (login, OTP, and all authenticated calls). It is a standard HTTP cookie with the `Secure` flag:
 
 ```
 Set-Cookie: __Secure-sess=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; Path=/; Secure; HttpOnly; SameSite=Strict

docs/fahipayapi/02-otp.md

@@ -34,7 +34,7 @@ POST https://fahipay.mv/api/app/otp/
 | `grant_type` | `auth_id` | Always `auth_id` |
 | `lang` | `en` | Always `en` |
 | `version` | `2.0.0` | App version string |
-| `platform` | `BasedBank` | Client identifier |
+| `platform` | `BasedBank` | Client identifier (`app` in the original Fahipay app) |
 | `device[available]` | `true` | Same device fields as login — must match |
 | `device[platform]` | `Android` | |
 | `device[uuid]` | `a1b2c3d4e5f60718` | Must be the **same UUID** used in the login request |

docs/fahipayapi/README.md

@@ -77,6 +77,11 @@ The `device[uuid]` must be consistent across all requests from the same install.
 
 ```
 Client                              Server
+  |                                   |
+  |  GET /api/app/lang/data/          |  ← session init (obtains __Secure-sess cookie)
+  |---------------------------------->|
+  |  Set-Cookie: __Secure-sess=...    |
+  |<----------------------------------|
   |                                   |
   |  POST /api/app/login/             |
   |  { email=IDCARD, password, ... }  |