Decoupled/MFA banks (e.g. VR Bank in Holstein) were hard-blocked because the
authorize flow aborted whenever auth_methods[0] was DECOUPLED. Enable Banking's
hosted /auth page actually coordinates decoupled SCA and redirects back with a
code, so route these banks through it instead:
- Provider#start_authorization accepts and forwards an auth_method param
- EnableBankingItem#select_auth_method picks the best method
(REDIRECT > DECOUPLED > EMBEDDED), filtering by psu_type and skipping hidden
methods
- Shared begin_authorization! re-fetches ASPSP metadata on each authorize and
reauthorize, so the method is always re-derived (no persistence required)
- Remove the DECOUPLED block in the controller
Also stop the integration from constantly reporting "session expired":
- Only a session-level GET /sessions 401/404 flips the connection to
requires_update; per-account 401/404 are retried and no longer kill the
whole connection
- Reconcile session_expires_at from the API's access.valid_until on every sync
- Treat an expired session as a graceful requires_update state instead of
raising a bare error
No schema changes. Adds covering tests.
fe47c918bb