thijooree/docs/thijooree/03-login.md
shihaam a8cd22cbe1
update docs
2026-06-13 21:30:12 +05:00


Login

LoginActivity handles adding bank accounts. It is shown on first launch (after onboarding) and also opened from Settings → Logins → Add Account.


Fragment Flow

LoginActivity
  └─ BankSelectionFragment   ← pick a bank
       └─ CredentialsFragment ← enter credentials for that bank

Bank Selection — BankSelectionFragment

A scrollable list of supported banks presented as selectable cards:

| Bank | Notes |
|------|-------|
| MIB (Maldives Islamic Bank) | Username + password |
| BML (Bank of Maldives) | Username + password |
| Fahipay | Mobile number + password |

Tapping a card navigates to CredentialsFragment with the selected bank pre-set.


Credentials — CredentialsFragment

Shared Fields

For MIB and BML the form also includes an OTP seed field. The user can:

  • Paste the raw base32 / otpauth:// seed directly into etOtpSeed
  • Tap the QR scan button (btnScanOtpSeed) to launch the QR scanner; the result is parsed by util/OtpauthParser and written to etOtpSeed. If the QR contains multiple entries the user picks one via a dialog (CredentialsFragment.kt:67-84).

A live TOTP preview card under the field updates every second so the user can confirm the seed is correct before submitting. For MIB and BML the login button is not activated until a seed has been entered (updateLoginButtonState()).
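The two things the seed field and preview card depend on, as an added example that is not the app's own code: accepting either a raw base32 seed or an otpauth:// URI, and deriving a TOTP from it per RFC 6238. The names extractSeed, base32Decode and totp are hypothetical, HMAC-SHA1 with a 30-second step is assumed, and the sample URI is constructed from the RFC 6238 test key.

```kotlin
import java.net.URI
import java.net.URLDecoder
import java.nio.ByteBuffer
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

// Hypothetical helpers for illustration; this is not the app's util/OtpauthParser.
private const val B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

// Accepts a raw base32 seed or an otpauth:// URI and returns the secret as typed.
fun extractSeed(input: String): String {
    val s = input.trim()
    if (!s.startsWith("otpauth://", ignoreCase = true)) return s
    val uri = URI(s)
    require(uri.host?.equals("totp", ignoreCase = true) == true) { "only TOTP entries are supported" }
    val secret = uri.rawQuery.orEmpty().split('&').map { it.split('=', limit = 2) }
        .firstOrNull { it.size == 2 && it[0] == "secret" }?.let { URLDecoder.decode(it[1], "UTF-8") }
    return requireNotNull(secret) { "otpauth URI has no secret parameter" }
}

// RFC 4648 base32 decode; rejects characters outside the alphabet instead of skipping them.
fun base32Decode(seed: String): ByteArray {
    val clean = seed.replace(" ", "").trimEnd('=').uppercase()
    require(clean.isNotEmpty() && clean.all { it in B32 }) { "seed is not valid base32" }
    var buffer = 0; var bits = 0
    val out = ArrayList<Byte>()
    for (c in clean) {
        buffer = (buffer shl 5) or B32.indexOf(c); bits += 5
        if (bits >= 8) { bits -= 8; out.add((buffer shr bits).toByte()); buffer = buffer and ((1 shl bits) - 1) }
    }
    return out.toByteArray()
}

// RFC 6238 TOTP: HMAC-SHA1 over the 8-byte time counter, then dynamic truncation.
fun totp(seed: String, epochSeconds: Long, step: Long = 30, digits: Int = 6): String {
    val mac = Mac.getInstance("HmacSHA1").apply { init(SecretKeySpec(base32Decode(seed), "HmacSHA1")) }
    val h = mac.doFinal(ByteBuffer.allocate(8).putLong(epochSeconds / step).array())
    val o = h.last().toInt() and 0x0f
    val bin = ((h[o].toInt() and 0x7f) shl 24) or ((h[o + 1].toInt() and 0xff) shl 16) or
        ((h[o + 2].toInt() and 0xff) shl 8) or (h[o + 3].toInt() and 0xff)
    var mod = 1; repeat(digits) { mod *= 10 }
    return (bin % mod).toString().padStart(digits, '0')
}

fun main() {
    // Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
    val seed = extractSeed("otpauth://totp/Example:demo?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
    println(totp(seed, 59, digits = 8)) // RFC 6238 test vector for T = 59 s
}
```

Validating the seed before it is stored means a mistyped or truncated value fails at entry rather than as a rejected OTP during a later login.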

MIB Login

Fields: Username, Password, OTP seed.

Flow on submit:

  1. MibLoginFlow.login(username, passwordHash, otpSeed) — Diffie-Hellman key exchange, then Blowfish/ECB-encrypted credentials
  2. On success, fetches operatingProfiles — the list of CIF profiles
  3. Each profile is stored as a BankAccount with bank = "MIB" and cifType from the API
  4. MibProfileClient().fetchPersonalProfile(session) is called post-login to retrieve and persist the full account-holder name (used by the OTP screen and elsewhere)
  5. Sessions are stored in BasedBankApp.mibSessions

BML Login

Fields: Username (customer ID), Password, OTP seed.

Flow on submit (CredentialsFragment.kt:272-326):

  1. BmlLoginFlow.login(username, password, otpSeed) — returns a list of BmlProfile
  2. For each non-business profile, flow.activateProfile(profile, loginTag) runs; BmlActivationResult.Success populates bmlAccounts and stores a per-profile session
  3. Business profiles are skipped at login (user can enable them later via Settings → Logins; that path returns BmlActivationResult.NeedsBusinessOtp and runs the OTP-channel flow)
  4. Credentials saved via store.saveBmlCredentials(loginId, username, password, otpSeed)
  5. Tokens stored per profile in BasedBankApp.bmlSessions

Fahipay Login

Fields: Mobile / ID-card, Password. Two-step TOTP — after the password is accepted the same screen re-uses itself to collect the TOTP, with fahipayAwaitingTotp = true (CredentialsFragment.kt:60) controlling the UI state.

Flow on submit:

  1. FahipayLoginFlow.login() — authenticates against Fahipay API
  2. Server responds with a TOTP challenge; user enters the code
  3. On success, stores authID + __Secure-sess cookie
  4. Single wallet account stored with bank = "FAHIPAY"

Multi-Profile Support

Each MIB login can have multiple CIF profiles (e.g., an individual and a business account under the same username). Each profile appears as a separate entry in the accounts list and can be toggled independently in Settings → Logins.

BML can yield multiple profiles per login (personal + business). Fahipay yields a single profile.

Adding the same bank login a second time merges its profiles into the existing login rather than creating a duplicate.


Credential Storage

All credentials (username, password, tokens, session cookies) are encrypted via CredentialStore, which uses Android EncryptedSharedPreferences backed by a hardware-keystore key where available.


After Login

CredentialsFragment calls app.autoRefresh() after a successful login, then returns to LoginActivity, whose result routes to HomeActivity (or back to Settings if login was opened from there).


 

