Two bugs in the sign-in UI's TOTP MFA enrollment flow:
1. Auth app displayed the PC hostname and "Platform Owner" instead of
"Cameleer" and the user's email. The sign-in UI was rendering Logto's
pre-generated QR code which uses the ENDPOINT hostname as issuer.
Now generates our own otpauth:// URI with proper branding, rendered
client-side via qrcode.react.
2. TOTP code verification returned 400 "Invalid TOTP code". The
verifyTotpSetup() call was missing the required verificationId
parameter — Logto's Experience API needs it to locate the pending
secret during enrollment.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fcb25778e1