Fix Consorsbank compatibility (3 issues found via hbci4j comparison) #210

Open
ArlindNocaj wants to merge 2 commits into raphaelm:master from ArlindNocaj:fix/consorsbank-compatibility

@ArlindNocaj

These three issues were discovered by comparing mitmdump traces of the
working hbci4j Java library against python-fints when connecting to
Consorsbank (BLZ 76030080). After applying all three fixes, transactions
are fetched successfully, matching the Java output exactly.

  1. security.py: Use security_method_version=2 for two-step TAN auth
    Per the ZKA FinTS spec (page 58), two-step TAN methods
    (security_function != '999') require version 2 in the
    SecurityProfile of the HNSHK signature header. The previous
    hardcoded value of 1 caused Consorsbank to reject the request.
    Ref: Consorsbank: Error during dialog initialization, could not fetch BPD. #99

  2. formals.py: Include full account details in KTI1.from_sepa_account
    KTI1.from_sepa_account only populated iban and bic, but Consorsbank
    requires the full account details (account_number, subaccount_number,
    bank_identifier). Other classes like KTZ1 already include these
    fields — KTI1 was the only one missing them.

  3. client.py: Add force_twostep_tan parameter for banks that require
    HKTAN despite HIPINS saying otherwise
    Some banks (Consorsbank) report HKKAZ:N in HIPINS yet reject
    requests without HKTAN (error 9075). The new opt-in
    force_twostep_tan parameter (set of segment types) allows users
    to override HIPINS for specific segments. Defaults to empty set,
    so existing behavior is unchanged.

All three fixes are backwards-compatible and all existing tests pass.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

nocajar and others added 2 commits February 28, 2026 09:20
These three issues were discovered by comparing mitmdump traces of the
working hbci4j Java library against python-fints when connecting to
Consorsbank (BLZ 76030080). After applying all three fixes, transactions
are fetched successfully, matching the Java output exactly.

1. security.py: Use security_method_version=2 for two-step TAN auth
   Per the ZKA FinTS spec (page 58), two-step TAN methods
   (security_function != '999') require version 2 in the
   SecurityProfile of the HNSHK signature header. The previous
   hardcoded value of 1 caused Consorsbank to reject the request.
   Ref: raphaelm#99

2. formals.py: Include full account details in KTI1.from_sepa_account
   KTI1.from_sepa_account only populated iban and bic, but Consorsbank
   requires the full account details (account_number, subaccount_number,
   bank_identifier). Other classes like KTZ1 already include these
   fields — KTI1 was the only one missing them.

3. client.py: Add force_twostep_tan parameter for banks that require
   HKTAN despite HIPINS saying otherwise
   Some banks (Consorsbank) report HKKAZ:N in HIPINS yet reject
   requests without HKTAN (error 9075). The new opt-in
   force_twostep_tan parameter (set of segment types) allows users
   to override HIPINS for specific segments. Defaults to empty set,
   so existing behavior is unchanged.

All three fixes are backwards-compatible and all existing tests pass.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Some banks (e.g. Consorsbank) attach the 0030/3955 response code to
the original command segment (HKCCS) rather than to the HKTAN segment.
This caused _send_pay_with_possible_retry() to miss the TAN challenge
and return a plain TransactionResponse instead of NeedTANResponse.

Added fallback: after checking tan_seg responses, also check
command_seg responses for 0030/3955 codes.

Also:
- Add photoTAN QR code handling to transfers.rst full example
- Fix typo (result.decoupled → res.decoupled) in transfers.rst
- Add Consorsbank to tested.rst (Transactions + Transfer)
- Add security function 900 (photoTAN / SecurePlus)
- Add sample_consorsbank.py showing photoTAN transfer flow

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

ArlindNocaj pushed a commit to ArlindNocaj/python-fints that referenced this pull request Mar 19, 2026
…sponse

1. Implement VoP polling (FinTS spec E.8.3.1): when the bank returns
   HIVPP with a polling_id but no vop_id, re-send HKVPP with
   polling_id + aufsetzpunkt (from HIRMS 3040) until the VoP check
   resolves and a vop_id is returned.

2. Broaden 3945 response code detection in VoP flow: check all
   HIRMG/HIRMS segments, not just tan_seg responses, since some banks
   attach it to different segments.

3. Add TAN fallback in approve_vop_response: after VoP approval,
   check command_seg and global HIRMG/HIRMS segments for 0030/3955
   TAN-required codes (mirrors Fix 4 from PR raphaelm#210 but in the VoP
   approval path).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
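
The two TAN decisions described in this pull request (the `force_twostep_tan` override of HIPINS and the fallback that looks for 0030/3955 on the command segment) are modelled below as an added example; it is not code from the pull request or from python-fints. The `Hirms` class, the function names, the `J`/`N` HIPINS map and the segment numbers are assumptions made for illustration, and the response lists are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

TAN_REQUIRED_CODES = {"0030", "3955"}  # response codes named in the commit message


@dataclass
class Hirms:
    """Simplified stand-in for one HIRMS response segment (hypothetical class)."""
    ref_segment: int                          # number of the request segment it answers
    codes: list = field(default_factory=list)


def needs_hktan(segment_type, hipins, force_twostep_tan=frozenset()):
    """HIPINS maps segment type to 'J' or 'N'; the opt-in set overrides an 'N'."""
    return hipins.get(segment_type) == "J" or segment_type in force_twostep_tan


def find_tan_challenge(responses, tan_seg_no, command_seg_no) -> Optional[str]:
    """Return which request segment carried a TAN-required code, or None.

    The HKTAN segment is checked first; the command segment is the fallback,
    so a challenge attached to the command is not mistaken for a finished order.
    """
    for label, seg_no in (("tan_seg", tan_seg_no), ("command_seg", command_seg_no)):
        for hirms in responses:
            if hirms.ref_segment == seg_no and TAN_REQUIRED_CODES & set(hirms.codes):
                return label
    return None


# Constructed sample data: the request carried HKCCS as segment 3, HKTAN as segment 4.
HIPINS = {"HKKAZ": "N", "HKCCS": "J"}
ON_HKTAN = [Hirms(3, ["0010"]), Hirms(4, ["0030"])]    # code on the HKTAN segment
ON_COMMAND = [Hirms(3, ["0030"]), Hirms(4, ["0020"])]  # code on the command segment
NO_TAN = [Hirms(3, ["0020"])]                          # no challenge present

if __name__ == "__main__":
    print(needs_hktan("HKKAZ", HIPINS))             # HIPINS alone
    print(needs_hktan("HKKAZ", HIPINS, {"HKKAZ"}))  # with the opt-in override
    for sample in (ON_HKTAN, ON_COMMAND, NO_TAN):
        print(find_tan_challenge(sample, tan_seg_no=4, command_seg_no=3))
```
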