From 15d6c7abc1d8180820bd6cf573b9b87bec98129d Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Mon, 27 Apr 2026 15:40:05 +0200
Subject: [PATCH 1/2] fix: remove explicit pagination from Logto role API calls

Logto's /api/roles/{id}/users endpoint rejects page=1 with
guard.invalid_pagination. Remove explicit pagination params and
let Logto use its defaults.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../siegeln/cameleer/saas/identity/LogtoManagementClient.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/net/siegeln/cameleer/saas/identity/LogtoManagementClient.java b/src/main/java/net/siegeln/cameleer/saas/identity/LogtoManagementClient.java
index 0f0ba49..f870d80 100644
--- a/src/main/java/net/siegeln/cameleer/saas/identity/LogtoManagementClient.java
+++ b/src/main/java/net/siegeln/cameleer/saas/identity/LogtoManagementClient.java
@@ -704,7 +704,7 @@ public class LogtoManagementClient {
     public List<Map<String, Object>> listRoleUsers(String roleId) {
         var token = getAccessToken();
         var response = restClient.get()
-                .uri(config.getLogtoEndpoint() + "/api/roles/" + roleId + "/users?page=1&page_size=200")
+                .uri(config.getLogtoEndpoint() + "/api/roles/" + roleId + "/users")
                 .header("Authorization", "Bearer " + token)
                 .retrieve()
                 .body(List.class);
@@ -718,7 +718,7 @@ public class LogtoManagementClient {
         var response = restClient.get()
                 .uri(config.getLogtoEndpoint() + "/api/roles?search=" +
                         java.net.URLEncoder.encode(roleName, java.nio.charset.StandardCharsets.UTF_8) +
-                        "&page=1&page_size=20")
+                        "&page_size=20")
                 .header("Authorization", "Bearer " + token)
                 .retrieve()
                 .body(List.class);

From ab800bbef9563490b644c838eb1551a99b3f88c8 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Mon, 27 Apr 2026 15:43:39 +0200
Subject: [PATCH 2/2] fix: handle Logto data URI in MFA QR code display

Logto's secretQrCode is a data:image/png;base64 URI, not an otpauth://
string. QRCodeSVG crashes trying to encode it ("Data too long"). Now
renders data URIs as <img> and only uses QRCodeSVG for otpauth:// URIs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 ui/src/components/account/MfaSection.tsx | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ui/src/components/account/MfaSection.tsx b/ui/src/components/account/MfaSection.tsx
index fb50592..e9dde51 100644
--- a/ui/src/components/account/MfaSection.tsx
+++ b/ui/src/components/account/MfaSection.tsx
@@ -162,7 +162,11 @@ export function MfaSection() {
           Scan this QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.), then enter the 6-digit code below.
         </p>
         <div style={{ display: 'flex', justifyContent: 'center', padding: '16px 0' }}>
-          <QRCodeSVG value={setupData.secretQrCode} size={200} />
+          {setupData.secretQrCode.startsWith('data:') ? (
+            <img src={setupData.secretQrCode} alt="TOTP QR Code" width={200} height={200} />
+          ) : (
+            <QRCodeSVG value={setupData.secretQrCode} size={200} />
+          )}
         </div>
         <div style={{
           textAlign: 'center',