HeyTap / OPPO — CORS + PKCE SSO → Account Takeover