fix(magic): use hex for DNS token (AdGuard rejects base64url '_')

AdGuard validates client IDs as DNS labels: 'invalid clientid: bad
hostname label rune'. base64url alphabet contains '_' which fails.
Switch to hex (a-f, 0-9) — 32 bytes hex = 64 chars, 256-bit entropy,
DNS-safe.

backend/server/api/magic/register.post.ts

@@ -78,8 +78,10 @@ export default defineEventHandler(async (event) => {
     }
   }
 
-  // 3. Generiere DNS-Token (48 char base64url-safe)
+  // 3. Generiere DNS-Token (64 char hex)
-  const dnsToken = randomBytes(36).toString("base64url");
+  // WICHTIG: hex statt base64url — AdGuard's clientid muss DNS-Label-konform sein,
+  // verbietet `_` (das base64url als Ersatz für `/` generiert) → 400 "bad hostname label rune".
+  const dnsToken = randomBytes(32).toString("hex");
 
   // 4. Provisioniere AdGuard Client
   const adguardClientName = `magic_${deviceId}`;