feat: make token_type_hint optional (#3397 )

feat: support most popular currencies (#3388 )
feat: update go sms sender (#3386 )
2025-07-08 17:10:27 +08:00 · 2024-12-04 20:10:15 +08:00 · 2024-12-01 21:46:44 +08:00 · 2024-11-29 23:00:34 +08:00 · 2024-11-29 21:46:06 +08:00 · 2024-11-29 19:59:30 +08:00
158 changed files with 5021 additions and 1894 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -114,12 +114,12 @@ jobs:
          wait-on-timeout: 210
          working-directory: ./web
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: cypress-screenshots
          path: ./web/cypress/screenshots
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: cypress-videos
@ -147,7 +147,7 @@ jobs:
      - name: Release
        run: yarn global add semantic-release@17.4.4 && semantic-release
        env:
-          GH_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Fetch Current version
        id: get-current-tag
--- a/README.md
+++ b/README.md
@ -13,7 +13,7 @@
  <a href="https://github.com/casdoor/casdoor/releases/latest">
    <img alt="GitHub Release" src="https://img.shields.io/github/v/release/casdoor/casdoor.svg">
  </a>
-  <a href="https://hub.docker.com/repository/docker/casbin/casdoor">
+  <a href="https://hub.docker.com/r/casbin/casdoor">
    <img alt="Docker Image Version (latest semver)" src="https://img.shields.io/badge/Docker%20Hub-latest-brightgreen">
  </a>
 </p>
--- a/authz/authz.go
+++ b/authz/authz.go
@ -77,6 +77,7 @@ p, *, *, POST, /api/verify-code, *, *
 p, *, *, POST, /api/reset-email-or-phone, *, *
 p, *, *, POST, /api/upload-resource, *, *
 p, *, *, GET, /.well-known/openid-configuration, *, *
 p, *, *, GET, /.well-known/webfinger, *, *
 p, *, *, *, /.well-known/jwks, *, *
 p, *, *, GET, /api/get-saml-login, *, *
 p, *, *, POST, /api/acs, *, *
@ -97,6 +98,7 @@ p, *, *, GET, /api/get-organization-names, *, *
 p, *, *, GET, /api/get-all-objects, *, *
 p, *, *, GET, /api/get-all-actions, *, *
 p, *, *, GET, /api/get-all-roles, *, *
 p, *, *, GET, /api/run-casbin-command, *, *
 p, *, *, GET, /api/get-invitation-info, *, *
 p, *, *, GET, /api/faceid-signin-begin, *, *
 `
--- a/captcha/provider.go
+++ b/captcha/provider.go
@ -26,6 +26,10 @@ func GetCaptchaProvider(captchaType string) CaptchaProvider {
 		return NewDefaultCaptchaProvider()
 	case "reCAPTCHA":
 		return NewReCaptchaProvider()
 	case "reCAPTCHA v2":
 		return NewReCaptchaProvider()
 	case "reCAPTCHA v3":
 		return NewReCaptchaProvider()
 	case "Aliyun Captcha":
 		return NewAliyunCaptchaProvider()
 	case "hCaptcha":
--- a/conf/app.conf
+++ b/conf/app.conf
@ -21,11 +21,14 @@ originFrontend =
 staticBaseUrl = "https://cdn.casbin.org"
 isDemoMode = false
 batchSize = 100
 enableErrorMask = false
 enableGzip = true
 inactiveTimeoutMinutes =
 ldapServerPort = 389
 radiusServerPort = 1812
 radiusSecret = "secret"
 quota = {"organization": -1, "user": -1, "application": -1, "provider": -1}
 logConfig = {"filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}
 initDataNewOnly = false
 initDataFile = "./init_data.json"
-frontendBaseDir = "../casdoor"
+frontendBaseDir = "../cc_0"
--- a/controllers/account.go
+++ b/controllers/account.go
@ -116,6 +116,13 @@ func (c *ApiController) Signup() {
 		return
 	}
 	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
 	err = object.CheckEntryIp(clientIp, nil, application, organization, c.GetAcceptLanguage())
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
 	msg := object.CheckUserSignup(application, organization, &authForm, c.GetAcceptLanguage())
 	if msg != "" {
 		c.ResponseError(msg)
@ -200,6 +207,10 @@ func (c *ApiController) Signup() {
 		Type:              userType,
 		Password:          authForm.Password,
 		DisplayName:       authForm.Name,
 		Gender:            authForm.Gender,
 		Bio:               authForm.Bio,
 		Tag:               authForm.Tag,
 		Education:         authForm.Education,
 		Avatar:            organization.DefaultAvatar,
 		Email:             authForm.Email,
 		Phone:             authForm.Phone,
@ -234,6 +245,10 @@ func (c *ApiController) Signup() {
 		}
 	}
 	if invitation != nil && invitation.SignupGroup != "" {
 		user.Groups = []string{invitation.SignupGroup}
 	}
 	affected, err := object.AddUser(user)
 	if err != nil {
 		c.ResponseError(err.Error())
--- a/controllers/application.go
+++ b/controllers/application.go
@ -110,6 +110,9 @@ func (c *ApiController) GetApplication() {
 		}
 	}
 	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
 	object.CheckEntryIp(clientIp, nil, application, nil, c.GetAcceptLanguage())
 	c.ResponseOk(object.GetMaskedApplication(application, userId))
 }
@ -229,6 +232,11 @@ func (c *ApiController) UpdateApplication() {
 		return
 	}
 	if err = object.CheckIpWhitelist(application.IpWhitelist, c.GetAcceptLanguage()); err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
 	c.Data["json"] = wrapActionResponse(object.UpdateApplication(id, &application))
 	c.ServeJSON()
 }
@ -259,6 +267,11 @@ func (c *ApiController) AddApplication() {
 		return
 	}
 	if err = object.CheckIpWhitelist(application.IpWhitelist, c.GetAcceptLanguage()); err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
 	c.Data["json"] = wrapActionResponse(object.AddApplication(&application))
 	c.ServeJSON()
 }
--- a/controllers/auth.go
+++ b/controllers/auth.go
@ -55,6 +55,13 @@ func tokenToResponse(token *object.Token) *Response {
 func (c *ApiController) HandleLoggedIn(application *object.Application, user *object.User, form *form.AuthForm) (resp *Response) {
 	userId := user.GetId()
 	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
 	err := object.CheckEntryIp(clientIp, user, application, application.OrganizationObj, c.GetAcceptLanguage())
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
 	allowed, err := object.CheckLoginPermission(userId, application)
 	if err != nil {
 		c.ResponseError(err.Error(), nil)
@ -256,6 +263,9 @@ func (c *ApiController) GetApplicationLogin() {
 		}
 	}
 	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
 	object.CheckEntryIp(clientIp, nil, application, nil, c.GetAcceptLanguage())
 	application = object.GetMaskedApplication(application, "")
 	if msg != "" {
 		c.ResponseError(msg, application)
@ -463,6 +473,15 @@ func (c *ApiController) Login() {
 			}
 			password := authForm.Password
 			if application.OrganizationObj != nil {
 				password, err = util.GetUnobfuscatedPassword(application.OrganizationObj.PasswordObfuscatorType, application.OrganizationObj.PasswordObfuscatorKey, authForm.Password)
 				if err != nil {
 					c.ResponseError(err.Error())
 					return
 				}
 			}
 			isSigninViaLdap := authForm.SigninMethod == "LDAP"
 			var isPasswordWithLdapEnabled bool
 			if authForm.SigninMethod == "Password" {
@ -835,6 +854,7 @@ func (c *ApiController) Login() {
 		}
 		if authForm.Passcode != "" {
 			user.CountryCode = user.GetCountryCode(user.CountryCode)
 			mfaUtil := object.GetMfaUtil(authForm.MfaType, user.GetPreferredMfaProps(false))
 			if mfaUtil == nil {
 				c.ResponseError("Invalid multi-factor authentication type")
--- a/controllers/casbin_cli_api.go
+++ b/controllers/casbin_cli_api.go
@ -0,0 +1,114 @@
 // Copyright 2024 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package controllers
 import (
 	"encoding/json"
 	"fmt"
 	"os"
 	"os/exec"
 	"strings"
 )
 func processArgsToTempFiles(args []string) ([]string, []string, error) {
 	tempFiles := []string{}
 	newArgs := []string{}
 	for i := 0; i < len(args); i++ {
 		if (args[i] == "-m" || args[i] == "-p") && i+1 < len(args) {
 			pattern := fmt.Sprintf("casbin_temp_%s_*.conf", args[i])
 			tempFile, err := os.CreateTemp("", pattern)
 			if err != nil {
 				return nil, nil, fmt.Errorf("failed to create temp file: %v", err)
 			}
 			_, err = tempFile.WriteString(args[i+1])
 			if err != nil {
 				tempFile.Close()
 				return nil, nil, fmt.Errorf("failed to write to temp file: %v", err)
 			}
 			tempFile.Close()
 			tempFiles = append(tempFiles, tempFile.Name())
 			newArgs = append(newArgs, args[i], tempFile.Name())
 			i++
 		} else {
 			newArgs = append(newArgs, args[i])
 		}
 	}
 	return tempFiles, newArgs, nil
 }
 // RunCasbinCommand
 // @Title RunCasbinCommand
 // @Tag Enforcer API
 // @Description Call Casbin CLI commands
 // @Success 200 {object} controllers.Response The Response object
 // @router /run-casbin-command [get]
 func (c *ApiController) RunCasbinCommand() {
 	language := c.Input().Get("language")
 	argString := c.Input().Get("args")
 	if language == "" {
 		language = "go"
 	}
 	// use "casbin-go-cli" by default, can be also "casbin-java-cli", "casbin-node-cli", etc.
 	// the pre-built binary of "casbin-go-cli" can be found at: https://github.com/casbin/casbin-go-cli/releases
 	binaryName := fmt.Sprintf("casbin-%s-cli", language)
 	_, err := exec.LookPath(binaryName)
 	if err != nil {
 		c.ResponseError(fmt.Sprintf("executable file: %s not found in PATH", binaryName))
 		return
 	}
 	// RBAC model & policy example:
 	// https://door.casdoor.com/api/run-casbin-command?language=go&args=["enforce", "-m", "[request_definition]\nr = sub, obj, act\n\n[policy_definition]\np = sub, obj, act\n\n[role_definition]\ng = _, _\n\n[policy_effect]\ne = some(where (p.eft == allow))\n\n[matchers]\nm = g(r.sub, p.sub) %26%26 r.obj == p.obj %26%26 r.act == p.act", "-p", "p, alice, data1, read\np, bob, data2, write\np, data2_admin, data2, read\np, data2_admin, data2, write\ng, alice, data2_admin", "alice", "data1", "read"]
 	// Casbin CLI usage:
 	// https://github.com/jcasbin/casbin-java-cli?tab=readme-ov-file#get-started
 	var args []string
 	err = json.Unmarshal([]byte(argString), &args)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
 	tempFiles, processedArgs, err := processArgsToTempFiles(args)
 	defer func() {
 		for _, file := range tempFiles {
 			os.Remove(file)
 		}
 	}()
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
 	command := exec.Command(binaryName, processedArgs...)
 	outputBytes, err := command.CombinedOutput()
 	if err != nil {
 		errorString := err.Error()
 		if outputBytes != nil {
 			output := string(outputBytes)
 			errorString = fmt.Sprintf("%s, error: %s", output, err.Error())
 		}
 		c.ResponseError(errorString)
 		return
 	}
 	output := string(outputBytes)
 	output = strings.TrimSuffix(output, "\n")
 	c.ResponseOk(output)
 }
--- a/controllers/link.go
+++ b/controllers/link.go
@ -60,7 +60,6 @@ func (c *ApiController) Unlink() {
 			c.ResponseError(err.Error())
 			return
 		}
 		if application == nil {
 			c.ResponseError(c.T("link:You can't unlink yourself, you are not a member of any application"))
 			return
--- a/controllers/mfa.go
+++ b/controllers/mfa.go
@ -22,13 +22,6 @@ import (
 	"github.com/google/uuid"
 )
 const (
 	MfaRecoveryCodesSession = "mfa_recovery_codes"
 	MfaCountryCodeSession   = "mfa_country_code"
 	MfaDestSession          = "mfa_dest"
 	MfaTotpSecretSession    = "mfa_totp_secret"
 )
 // MfaSetupInitiate
 // @Title MfaSetupInitiate
 // @Tag MFA API
@ -72,11 +65,6 @@ func (c *ApiController) MfaSetupInitiate() {
 	}
 	recoveryCode := uuid.NewString()
 	c.SetSession(MfaRecoveryCodesSession, recoveryCode)
 	if mfaType == object.TotpType {
 		c.SetSession(MfaTotpSecretSession, mfaProps.Secret)
 	}
 	mfaProps.RecoveryCodes = []string{recoveryCode}
 	resp := mfaProps
@ -94,6 +82,9 @@ func (c *ApiController) MfaSetupInitiate() {
 func (c *ApiController) MfaSetupVerify() {
 	mfaType := c.Ctx.Request.Form.Get("mfaType")
 	passcode := c.Ctx.Request.Form.Get("passcode")
 	secret := c.Ctx.Request.Form.Get("secret")
 	dest := c.Ctx.Request.Form.Get("dest")
 	countryCode := c.Ctx.Request.Form.Get("countryCode")
 	if mfaType == "" || passcode == "" {
 		c.ResponseError("missing auth type or passcode")
@ -104,32 +95,28 @@ func (c *ApiController) MfaSetupVerify() {
 		MfaType: mfaType,
 	}
 	if mfaType == object.TotpType {
-		secret := c.GetSession(MfaTotpSecretSession)
+		if secret == "" {
 		if secret == nil {
 			c.ResponseError("totp secret is missing")
 			return
 		}
-		config.Secret = secret.(string)
+		config.Secret = secret
 	} else if mfaType == object.SmsType {
-		dest := c.GetSession(MfaDestSession)
+		if dest == "" {
 		if dest == nil {
 			c.ResponseError("destination is missing")
 			return
 		}
-		config.Secret = dest.(string)
+		config.Secret = dest
-		countryCode := c.GetSession(MfaCountryCodeSession)
+		if countryCode == "" {
 		if countryCode == nil {
 			c.ResponseError("country code is missing")
 			return
 		}
-		config.CountryCode = countryCode.(string)
+		config.CountryCode = countryCode
 	} else if mfaType == object.EmailType {
-		dest := c.GetSession(MfaDestSession)
+		if dest == "" {
 		if dest == nil {
 			c.ResponseError("destination is missing")
 			return
 		}
-		config.Secret = dest.(string)
+		config.Secret = dest
 	}
 	mfaUtil := object.GetMfaUtil(mfaType, config)
@ -159,6 +146,10 @@ func (c *ApiController) MfaSetupEnable() {
 	owner := c.Ctx.Request.Form.Get("owner")
 	name := c.Ctx.Request.Form.Get("name")
 	mfaType := c.Ctx.Request.Form.Get("mfaType")
 	secret := c.Ctx.Request.Form.Get("secret")
 	dest := c.Ctx.Request.Form.Get("dest")
 	countryCode := c.Ctx.Request.Form.Get("secret")
 	recoveryCodes := c.Ctx.Request.Form.Get("recoveryCodes")
 	user, err := object.GetUser(util.GetId(owner, name))
 	if err != nil {
@ -176,43 +167,39 @@ func (c *ApiController) MfaSetupEnable() {
 	}
 	if mfaType == object.TotpType {
-		secret := c.GetSession(MfaTotpSecretSession)
+		if secret == "" {
 		if secret == nil {
 			c.ResponseError("totp secret is missing")
 			return
 		}
-		config.Secret = secret.(string)
+		config.Secret = secret
 	} else if mfaType == object.EmailType {
 		if user.Email == "" {
-			dest := c.GetSession(MfaDestSession)
+			if dest == "" {
 			if dest == nil {
 				c.ResponseError("destination is missing")
 				return
 			}
-			user.Email = dest.(string)
+			user.Email = dest
 		}
 	} else if mfaType == object.SmsType {
 		if user.Phone == "" {
-			dest := c.GetSession(MfaDestSession)
+			if dest == "" {
 			if dest == nil {
 				c.ResponseError("destination is missing")
 				return
 			}
-			user.Phone = dest.(string)
+			user.Phone = dest
-			countryCode := c.GetSession(MfaCountryCodeSession)
+			if countryCode == "" {
 			if countryCode == nil {
 				c.ResponseError("country code is missing")
 				return
 			}
-			user.CountryCode = countryCode.(string)
+			user.CountryCode = countryCode
 		}
 	}
-	recoveryCodes := c.GetSession(MfaRecoveryCodesSession)
+
-	if recoveryCodes == nil {
+	if recoveryCodes == "" {
 		c.ResponseError("recovery codes is missing")
 		return
 	}
-	config.RecoveryCodes = []string{recoveryCodes.(string)}
+	config.RecoveryCodes = []string{recoveryCodes}
 	mfaUtil := object.GetMfaUtil(mfaType, config)
 	if mfaUtil == nil {
@ -226,14 +213,6 @@ func (c *ApiController) MfaSetupEnable() {
 		return
 	}
 	c.DelSession(MfaRecoveryCodesSession)
 	if mfaType == object.TotpType {
 		c.DelSession(MfaTotpSecretSession)
 	} else {
 		c.DelSession(MfaCountryCodeSession)
 		c.DelSession(MfaDestSession)
 	}
 	c.ResponseOk(http.StatusText(http.StatusOK))
 }
--- a/controllers/oidc_discovery.go
+++ b/controllers/oidc_discovery.go
@ -14,7 +14,11 @@
 package controllers
-import "github.com/casdoor/casdoor/object"
+import (
 	"strings"
 	"github.com/casdoor/casdoor/object"
 )
 // GetOidcDiscovery
 // @Title GetOidcDiscovery
@ -42,3 +46,31 @@ func (c *RootController) GetJwks() {
 	c.Data["json"] = jwks
 	c.ServeJSON()
 }
 // GetWebFinger
 // @Title GetWebFinger
 // @Tag OIDC API
 // @Param resource query string true "resource"
 // @Success 200 {object} object.WebFinger
 // @router /.well-known/webfinger [get]
 func (c *RootController) GetWebFinger() {
 	resource := c.Input().Get("resource")
 	rels := []string{}
 	host := c.Ctx.Request.Host
 	for key, value := range c.Input() {
 		if strings.HasPrefix(key, "rel") {
 			rels = append(rels, value...)
 		}
 	}
 	webfinger, err := object.GetWebFinger(resource, rels, host)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
 	c.Data["json"] = webfinger
 	c.Ctx.Output.ContentType("application/jrd+json")
 	c.ServeJSON()
 }
--- a/controllers/organization.go
+++ b/controllers/organization.go
@ -65,7 +65,7 @@ func (c *ApiController) GetOrganizations() {
 			c.ResponseOk(organizations)
 		} else {
 			limit := util.ParseInt(limit)
-			count, err := object.GetOrganizationCount(owner, field, value)
+			count, err := object.GetOrganizationCount(owner, organizationName, field, value)
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@ -119,6 +119,11 @@ func (c *ApiController) UpdateOrganization() {
 		return
 	}
 	if err = object.CheckIpWhitelist(organization.IpWhitelist, c.GetAcceptLanguage()); err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
 	c.Data["json"] = wrapActionResponse(object.UpdateOrganization(id, &organization))
 	c.ServeJSON()
 }
@ -138,7 +143,7 @@ func (c *ApiController) AddOrganization() {
 		return
 	}
-	count, err := object.GetOrganizationCount("", "", "")
+	count, err := object.GetOrganizationCount("", "", "", "")
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@ -149,6 +154,11 @@ func (c *ApiController) AddOrganization() {
 		return
 	}
 	if err = object.CheckIpWhitelist(organization.IpWhitelist, c.GetAcceptLanguage()); err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
 	c.Data["json"] = wrapActionResponse(object.AddOrganization(&organization))
 	c.ServeJSON()
 }
--- a/controllers/product.go
+++ b/controllers/product.go
@ -182,6 +182,10 @@ func (c *ApiController) BuyProduct() {
 	paidUserName := c.Input().Get("userName")
 	owner, _ := util.GetOwnerAndNameFromId(id)
 	userId := util.GetId(owner, paidUserName)
 	if paidUserName != "" && !c.IsAdmin() {
 		c.ResponseError(c.T("general:Only admin user can specify user"))
 		return
 	}
 	if paidUserName == "" {
 		userId = c.GetSessionUsername()
 	}
--- a/controllers/resource.go
+++ b/controllers/resource.go
@ -257,7 +257,7 @@ func (c *ApiController) UploadResource() {
 		fileType, _ = util.GetOwnerAndNameFromIdNoCheck(mimeType + "/")
 	}
-	fullFilePath = object.GetTruncatedPath(provider, fullFilePath, 175)
+	fullFilePath = object.GetTruncatedPath(provider, fullFilePath, 450)
 	if tag != "avatar" && tag != "termsOfUse" && !strings.HasPrefix(tag, "idCard") {
 		ext := filepath.Ext(filepath.Base(fullFilePath))
 		index := len(fullFilePath) - len(ext)
--- a/controllers/token.go
+++ b/controllers/token.go
@ -322,17 +322,22 @@ func (c *ApiController) IntrospectToken() {
 	}
 	tokenTypeHint := c.Input().Get("token_type_hint")
-	token, err := object.GetTokenByTokenValue(tokenValue, tokenTypeHint)
+	var token *object.Token
-	if err != nil {
+	if tokenTypeHint != "" {
-		c.ResponseTokenError(err.Error())
+		token, err = object.GetTokenByTokenValue(tokenValue, tokenTypeHint)
-		return
+		if err != nil {
-	}
+			c.ResponseTokenError(err.Error())
-	if token == nil {
+			return
-		c.Data["json"] = &object.IntrospectionResponse{Active: false}
+		}
-		c.ServeJSON()
+		if token == nil {
-		return
+			c.Data["json"] = &object.IntrospectionResponse{Active: false}
 			c.ServeJSON()
 			return
 		}
 	}
 	var introspectionResponse object.IntrospectionResponse
 	if application.TokenFormat == "JWT-Standard" {
 		jwtToken, err := object.ParseStandardJwtTokenByApplication(tokenValue, application)
 		if err != nil || jwtToken.Valid() != nil {
@ -344,12 +349,37 @@ func (c *ApiController) IntrospectToken() {
 			return
 		}
-		c.Data["json"] = &object.IntrospectionResponse{
+		introspectionResponse = object.IntrospectionResponse{
 			Active:    true,
 			Scope:     jwtToken.Scope,
 			ClientId:  clientId,
-			Username:  token.User,
+			Username:  jwtToken.Name,
-			TokenType: token.TokenType,
+			TokenType: jwtToken.TokenType,
 			Exp:       jwtToken.ExpiresAt.Unix(),
 			Iat:       jwtToken.IssuedAt.Unix(),
 			Nbf:       jwtToken.NotBefore.Unix(),
 			Sub:       jwtToken.Subject,
 			Aud:       jwtToken.Audience,
 			Iss:       jwtToken.Issuer,
 			Jti:       jwtToken.ID,
 		}
 	} else {
 		jwtToken, err := object.ParseJwtTokenByApplication(tokenValue, application)
 		if err != nil || jwtToken.Valid() != nil {
 			// and token revoked case. but we not implement
 			// TODO: 2022-03-03 add token revoked check, when we implemented the Token Revocation(rfc7009) Specs.
 			// refs: https://tools.ietf.org/html/rfc7009
 			c.Data["json"] = &object.IntrospectionResponse{Active: false}
 			c.ServeJSON()
 			return
 		}
 		introspectionResponse = object.IntrospectionResponse{
 			Active:    true,
 			Scope:     jwtToken.Scope,
 			ClientId:  clientId,
 			Username:  jwtToken.Name,
 			TokenType: jwtToken.TokenType,
 			Exp:       jwtToken.ExpiresAt.Unix(),
 			Iat:       jwtToken.IssuedAt.Unix(),
 			Nbf:       jwtToken.NotBefore.Unix(),
@ -358,33 +388,21 @@ func (c *ApiController) IntrospectToken() {
 			Iss:       jwtToken.Issuer,
 			Jti:       jwtToken.ID,
 		}
 		c.ServeJSON()
 		return
 	}
-	jwtToken, err := object.ParseJwtTokenByApplication(tokenValue, application)
+	if tokenTypeHint == "" {
-	if err != nil || jwtToken.Valid() != nil {
+		token, err = object.GetTokenByTokenValue(tokenValue, introspectionResponse.TokenType)
-		// and token revoked case. but we not implement
+		if err != nil {
-		// TODO: 2022-03-03 add token revoked check, when we implemented the Token Revocation(rfc7009) Specs.
+			c.ResponseTokenError(err.Error())
-		// refs: https://tools.ietf.org/html/rfc7009
+			return
-		c.Data["json"] = &object.IntrospectionResponse{Active: false}
+		}
-		c.ServeJSON()
+		if token == nil {
-		return
+			c.Data["json"] = &object.IntrospectionResponse{Active: false}
 			c.ServeJSON()
 			return
 		}
 	}
-	c.Data["json"] = &object.IntrospectionResponse{
+	c.Data["json"] = introspectionResponse
 		Active:    true,
 		Scope:     jwtToken.Scope,
 		ClientId:  clientId,
 		Username:  token.User,
 		TokenType: token.TokenType,
 		Exp:       jwtToken.ExpiresAt.Unix(),
 		Iat:       jwtToken.IssuedAt.Unix(),
 		Nbf:       jwtToken.NotBefore.Unix(),
 		Sub:       jwtToken.Subject,
 		Aud:       jwtToken.Audience,
 		Iss:       jwtToken.Issuer,
 		Jti:       jwtToken.ID,
 	}
 	c.ServeJSON()
 }
--- a/controllers/user.go
+++ b/controllers/user.go
@ -289,6 +289,16 @@ func (c *ApiController) UpdateUser() {
 		}
 	}
 	if user.MfaEmailEnabled && user.Email == "" {
 		c.ResponseError(c.T("user:MFA email is enabled but email is empty"))
 		return
 	}
 	if user.MfaPhoneEnabled && user.Phone == "" {
 		c.ResponseError(c.T("user:MFA phone is enabled but phone number is empty"))
 		return
 	}
 	if msg := object.CheckUpdateUser(oldUser, &user, c.GetAcceptLanguage()); msg != "" {
 		c.ResponseError(msg)
 		return
@ -354,7 +364,8 @@ func (c *ApiController) AddUser() {
 		return
 	}
-	msg := object.CheckUsername(user.Name, c.GetAcceptLanguage())
+	emptyUser := object.User{}
 	msg := object.CheckUpdateUser(&emptyUser, &user, c.GetAcceptLanguage())
 	if msg != "" {
 		c.ResponseError(msg)
 		return
@ -400,6 +411,12 @@ func (c *ApiController) GetEmailAndPhone() {
 	organization := c.Ctx.Request.Form.Get("organization")
 	username := c.Ctx.Request.Form.Get("username")
 	enableErrorMask2 := conf.GetConfigBool("enableErrorMask2")
 	if enableErrorMask2 {
 		c.ResponseError("Error")
 		return
 	}
 	user, err := object.GetUserByFields(organization, username)
 	if err != nil {
 		c.ResponseError(err.Error())
@ -473,7 +490,12 @@ func (c *ApiController) SetPassword() {
 			c.ResponseError(c.T("general:Missing parameter"))
 			return
 		}
 		if userId != c.GetSession("verifiedUserId") {
 			c.ResponseError(c.T("general:Wrong userId"))
 			return
 		}
 		c.SetSession("verifiedCode", "")
 		c.SetSession("verifiedUserId", "")
 	}
 	targetUser, err := object.GetUser(userId)
@ -519,11 +541,29 @@ func (c *ApiController) SetPassword() {
 		return
 	}
 	application, err := object.GetApplicationByUser(targetUser)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
 	if application == nil {
 		c.ResponseError(fmt.Sprintf(c.T("auth:the application for user %s is not found"), userId))
 		return
 	}
 	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
 	err = object.CheckEntryIp(clientIp, targetUser, application, organization, c.GetAcceptLanguage())
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
 	targetUser.Password = newPassword
 	targetUser.UpdateUserPassword(organization)
 	targetUser.NeedUpdatePassword = false
 	targetUser.LastChangePasswordTime = util.GetCurrentTime()
-	_, err = object.UpdateUser(userId, targetUser, []string{"password", "need_update_password", "password_type"}, false)
+	_, err = object.UpdateUser(userId, targetUser, []string{"password", "need_update_password", "password_type", "last_change_password_time"}, false)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/controllers/util.go
+++ b/controllers/util.go
@ -45,6 +45,22 @@ func (c *ApiController) ResponseOk(data ...interface{}) {
 // ResponseError ...
 func (c *ApiController) ResponseError(error string, data ...interface{}) {
 	enableErrorMask2 := conf.GetConfigBool("enableErrorMask2")
 	if enableErrorMask2 {
 		error = c.T("subscription:Error")
 		resp := &Response{Status: "error", Msg: error}
 		c.ResponseJsonData(resp, data...)
 		return
 	}
 	enableErrorMask := conf.GetConfigBool("enableErrorMask")
 	if enableErrorMask {
 		if strings.HasPrefix(error, "The user: ") && strings.HasSuffix(error, " doesn't exist") || strings.HasPrefix(error, "用户: ") && strings.HasSuffix(error, "不存在") {
 			error = c.T("check:password or code is incorrect")
 		}
 	}
 	resp := &Response{Status: "error", Msg: error}
 	c.ResponseJsonData(resp, data...)
 }
--- a/controllers/verification.go
+++ b/controllers/verification.go
@ -132,7 +132,8 @@ func (c *ApiController) SendVerificationCode() {
 		c.ResponseError(err.Error())
 		return
 	}
-	remoteAddr := util.GetIPFromRequest(c.Ctx.Request)
+
 	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
 	if msg := vform.CheckParameter(form.SendVerifyCode, c.GetAcceptLanguage()); msg != "" {
 		c.ResponseError(msg)
@ -245,8 +246,6 @@ func (c *ApiController) SendVerificationCode() {
 			if user != nil && util.GetMaskedEmail(mfaProps.Secret) == vform.Dest {
 				vform.Dest = mfaProps.Secret
 			}
 		} else if vform.Method == MfaSetupVerification {
 			c.SetSession(MfaDestSession, vform.Dest)
 		}
 		provider, err = application.GetEmailProvider(vform.Method)
@ -259,7 +258,7 @@ func (c *ApiController) SendVerificationCode() {
 			return
 		}
-		sendResp = object.SendVerificationCodeToEmail(organization, user, provider, remoteAddr, vform.Dest)
+		sendResp = object.SendVerificationCodeToEmail(organization, user, provider, clientIp, vform.Dest)
 	case object.VerifyTypePhone:
 		if vform.Method == LoginVerification || vform.Method == ForgetVerification {
 			if user != nil && util.GetMaskedPhone(user.Phone) == vform.Dest {
@ -281,11 +280,6 @@ func (c *ApiController) SendVerificationCode() {
 					vform.CountryCode = user.GetCountryCode(vform.CountryCode)
 				}
 			}
 			if vform.Method == MfaSetupVerification {
 				c.SetSession(MfaCountryCodeSession, vform.CountryCode)
 				c.SetSession(MfaDestSession, vform.Dest)
 			}
 		} else if vform.Method == MfaAuthVerification {
 			mfaProps := user.GetPreferredMfaProps(false)
 			if user != nil && util.GetMaskedPhone(mfaProps.Secret) == vform.Dest {
@ -293,6 +287,7 @@ func (c *ApiController) SendVerificationCode() {
 			}
 			vform.CountryCode = mfaProps.CountryCode
 			vform.CountryCode = user.GetCountryCode(vform.CountryCode)
 		}
 		provider, err = application.GetSmsProvider(vform.Method, vform.CountryCode)
@ -309,7 +304,7 @@ func (c *ApiController) SendVerificationCode() {
 			c.ResponseError(fmt.Sprintf(c.T("verification:Phone number is invalid in your region %s"), vform.CountryCode))
 			return
 		} else {
-			sendResp = object.SendVerificationCodeToPhone(organization, user, provider, remoteAddr, phone)
+			sendResp = object.SendVerificationCodeToPhone(organization, user, provider, clientIp, phone)
 		}
 	}
@ -532,5 +527,6 @@ func (c *ApiController) VerifyCode() {
 	}
 	c.SetSession("verifiedCode", authForm.Code)
 	c.SetSession("verifiedUserId", user.GetId())
 	c.ResponseOk()
 }
--- a/deployment/deploy.go
+++ b/deployment/deploy.go
@ -27,7 +27,18 @@ import (
 )
 func deployStaticFiles(provider *object.Provider) {
-	storageProvider, err := storage.GetStorageProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.RegionId, provider.Bucket, provider.Endpoint)
+	certificate := ""
 	if provider.Category == "Storage" && provider.Type == "Casdoor" {
 		cert, err := object.GetCert(util.GetId(provider.Owner, provider.Cert))
 		if err != nil {
 			panic(err)
 		}
 		if cert == nil {
 			panic(err)
 		}
 		certificate = cert.Certificate
 	}
 	storageProvider, err := storage.GetStorageProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.RegionId, provider.Bucket, provider.Endpoint, certificate, provider.Content)
 	if err != nil {
 		panic(err)
 	}
--- a/form/auth.go
+++ b/form/auth.go
@ -26,6 +26,10 @@ type AuthForm struct {
 	Name           string `json:"name"`
 	FirstName      string `json:"firstName"`
 	LastName       string `json:"lastName"`
 	Gender         string `json:"gender"`
 	Bio            string `json:"bio"`
 	Tag            string `json:"tag"`
 	Education      string `json:"education"`
 	Email          string `json:"email"`
 	Phone          string `json:"phone"`
 	Affiliation    string `json:"affiliation"`
--- a/go.mod
+++ b/go.mod
@ -6,13 +6,14 @@ require (
 	github.com/Masterminds/squirrel v1.5.3
 	github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387
 	github.com/aws/aws-sdk-go v1.45.5
-	github.com/beego/beego v1.12.13
+	github.com/beego/beego v1.12.12
 	github.com/beevik/etree v1.1.0
 	github.com/casbin/casbin/v2 v2.77.2
-	github.com/casdoor/go-sms-sender v0.24.0
+	github.com/casdoor/go-sms-sender v0.25.0
 	github.com/casdoor/gomail/v2 v2.0.1
 	github.com/casdoor/ldapserver v1.2.0
 	github.com/casdoor/notify v0.45.0
-	github.com/casdoor/oss v1.6.0
+	github.com/casdoor/oss v1.8.0
 	github.com/casdoor/xorm-adapter/v3 v3.1.0
 	github.com/casvisor/casvisor-go-sdk v1.4.0
 	github.com/dchest/captcha v0.0.0-20200903113550-03f5f0333e1f
@ -20,7 +21,6 @@ require (
 	github.com/elazarl/go-bindata-assetfs v1.0.1 // indirect
 	github.com/elimity-com/scim v0.0.0-20230426070224-941a5eac92f3
 	github.com/fogleman/gg v1.3.0
 	github.com/forestmgy/ldapserver v1.1.0
 	github.com/go-asn1-ber/asn1-ber v1.5.5
 	github.com/go-git/go-git/v5 v5.11.0
 	github.com/go-ldap/ldap/v3 v3.4.6
@ -30,7 +30,7 @@ require (
 	github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible
 	github.com/go-webauthn/webauthn v0.6.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
-	github.com/google/uuid v1.4.0
+	github.com/google/uuid v1.6.0
 	github.com/json-iterator/go v1.1.12
 	github.com/lestrrat-go/jwx v1.2.29
 	github.com/lib/pq v1.10.9
--- a/go.sum
+++ b/go.sum
@ -1052,8 +1052,8 @@ github.com/baidubce/bce-sdk-go v0.9.156 h1:f++WfptxGmSp5acsjl4kUxHpWDDccoFqkIrQK
 github.com/baidubce/bce-sdk-go v0.9.156/go.mod h1:zbYJMQwE4IZuyrJiFO8tO8NbtYiKTFTbwh4eIsqjVdg=
 github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f h1:ZNv7On9kyUzm7fvRZumSyy/IUiSC7AzL0I1jKKtwooA=
 github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=
-github.com/beego/beego v1.12.13 h1:g39O1LGLTiPejWVqQKK/TFGrroW9BCZQz6/pf4S8IRM=
+github.com/beego/beego v1.12.12 h1:ARY1sNVSS23N0mEQIhSqRDTyyDlx95JY0V3GogBbZbQ=
-github.com/beego/beego v1.12.13/go.mod h1:QURFL1HldOcCZAxnc1cZ7wrplsYR5dKPHFjmk6WkLAs=
+github.com/beego/beego v1.12.12/go.mod h1:QURFL1HldOcCZAxnc1cZ7wrplsYR5dKPHFjmk6WkLAs=
 github.com/beego/goyaml2 v0.0.0-20130207012346-5545475820dd/go.mod h1:1b+Y/CofkYwXMUU0OhQqGvsY2Bvgr4j6jfT699wyZKQ=
 github.com/beego/x2j v0.0.0-20131220205130-a0352aadc542/go.mod h1:kSeGC/p1AbBiEp5kat81+DSQrZenVBZXklMLaELspWU=
 github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
@ -1083,16 +1083,20 @@ github.com/casbin/casbin/v2 v2.28.3/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRt
 github.com/casbin/casbin/v2 v2.37.0/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRtgrQfcJqHg=
 github.com/casbin/casbin/v2 v2.77.2 h1:yQinn/w9x8AswiwqwtrXz93VU48R1aYTXdHEx4RI3jM=
 github.com/casbin/casbin/v2 v2.77.2/go.mod h1:mzGx0hYW9/ksOSpw3wNjk3NRAroq5VMFYUQ6G43iGPk=
 github.com/casdoor/casdoor-go-sdk v0.50.0 h1:bUYbz/MzJuWfLKJbJM0+U0YpYewAur+THp5TKnufWZM=
 github.com/casdoor/casdoor-go-sdk v0.50.0/go.mod h1:cMnkCQJgMYpgAlgEx8reSt1AVaDIQLcJ1zk5pzBaz+4=
 github.com/casdoor/go-reddit/v2 v2.1.0 h1:kIbfdJ7AA7H0uTQ8s0q4GGZqSS5V9wVE74RrXyD9XPs=
 github.com/casdoor/go-reddit/v2 v2.1.0/go.mod h1:eagkvwlZ4Hcsuc/uQsLHYEulz5jN65SVSwV/AIE7zsc=
-github.com/casdoor/go-sms-sender v0.24.0 h1:LNLsce3EG/87I3JS6UiajF3LlQmdIiCgebEu0IE4wSM=
+github.com/casdoor/go-sms-sender v0.25.0 h1:eF4cOCSbjVg7+0uLlJQnna/FQ0BWW+Fp/x4cXhzQu1Y=
-github.com/casdoor/go-sms-sender v0.24.0/go.mod h1:bOm4H8/YfJmEHjBatEVQFOnAf0OOn1B0Wi5B7zDhws0=
+github.com/casdoor/go-sms-sender v0.25.0/go.mod h1:bOm4H8/YfJmEHjBatEVQFOnAf0OOn1B0Wi5B7zDhws0=
 github.com/casdoor/gomail/v2 v2.0.1 h1:J+FG6x80s9e5lBHUn8Sv0Y56mud34KiWih5YdmudR/w=
 github.com/casdoor/gomail/v2 v2.0.1/go.mod h1:VnGPslEAtpix5FjHisR/WKB1qvZDBaujbikxDe9d+2Q=
 github.com/casdoor/ldapserver v1.2.0 h1:HdSYe+ULU6z9K+2BqgTrJKQRR4//ERAXB64ttOun6Ow=
 github.com/casdoor/ldapserver v1.2.0/go.mod h1:VwYU2vqQ2pA8sa00PRekH71R2XmgfzMKhmp1XrrDu2s=
 github.com/casdoor/notify v0.45.0 h1:OlaFvcQFjGOgA4mRx07M8AH1gvb5xNo21mcqrVGlLgk=
 github.com/casdoor/notify v0.45.0/go.mod h1:wNHQu0tiDROMBIvz0j3Om3Lhd5yZ+AIfnFb8MYb8OLQ=
-github.com/casdoor/oss v1.6.0 h1:IOWrGLJ+VO82qS796eaRnzFPPA1Sn3cotYTi7O/VIlQ=
+github.com/casdoor/oss v1.8.0 h1:uuyKhDIp7ydOtV4lpqhAY23Ban2Ln8La8+QT36CwylM=
-github.com/casdoor/oss v1.6.0/go.mod h1:rJAWA0hLhtu94t6IRpotLUkXO1NWMASirywQYaGizJE=
+github.com/casdoor/oss v1.8.0/go.mod h1:uaqO7KBI2lnZcnB8rF7O6C2bN7llIbfC5Ql8ex1yR1U=
 github.com/casdoor/xorm-adapter/v3 v3.1.0 h1:NodWayRtSLVSeCvL9H3Hc61k0G17KhV9IymTCNfh3kk=
 github.com/casdoor/xorm-adapter/v3 v3.1.0/go.mod h1:4WTcUw+bTgBylGHeGHzTtBvuTXRS23dtwzFLl9tsgFM=
 github.com/casvisor/casvisor-go-sdk v1.4.0 h1:hbZEGGJ1cwdHFAxeXrMoNw6yha6Oyg2F0qQhBNCN/dg=
@ -1235,8 +1239,6 @@ github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga
 github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/fogleman/gg v1.3.0 h1:/7zJX8F6AaYQc57WQCyN9cAIz+4bCJGO9B+dyW29am8=
 github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/forestmgy/ldapserver v1.1.0 h1:gvil4nuLhqPEL8SugCkFhRyA0/lIvRdwZSqlrw63ll4=
 github.com/forestmgy/ldapserver v1.1.0/go.mod h1:1RZ8lox1QSY7rmbjdmy+sYQXY4Lp7SpGzpdE3+j3IyM=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
@ -1460,8 +1462,9 @@ github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
 github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg=
--- a/i18n/locales/fa/data.json
+++ b/i18n/locales/fa/data.json
@ -1,167 +1,167 @@
 {
  "account": {
-    "Failed to add user": "Failed to add user",
+    "Failed to add user": "عدم موفقیت در افزودن کاربر",
-    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Get init score failed, error: %w": "عدم موفقیت در دریافت امتیاز اولیه، خطا: %w",
-    "Please sign out first": "Please sign out first",
+    "Please sign out first": "لطفاً ابتدا خارج شوید",
-    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+    "The application does not allow to sign up new account": "برنامه اجازه ثبت‌نام حساب جدید را نمی‌دهد"
  },
  "auth": {
-    "Challenge method should be S256": "Challenge method should be S256",
+    "Challenge method should be S256": "روش چالش باید S256 باشد",
-    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to create user, user information is invalid: %s": "عدم موفقیت در ایجاد کاربر، اطلاعات کاربر نامعتبر است: %s",
-    "Failed to login in: %s": "Failed to login in: %s",
+    "Failed to login in: %s": "عدم موفقیت در ورود: %s",
-    "Invalid token": "Invalid token",
+    "Invalid token": "توکن نامعتبر",
-    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "State expected: %s, but got: %s": "وضعیت مورد انتظار: %s، اما دریافت شد: %s",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "حساب برای ارائه‌دهنده: %s و نام کاربری: %s (%s) وجود ندارد و مجاز به ثبت‌نام به‌عنوان حساب جدید از طریق %%s نیست، لطفاً از روش دیگری برای ثبت‌نام استفاده کنید",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "حساب برای ارائه‌دهنده: %s و نام کاربری: %s (%s) وجود ندارد و مجاز به ثبت‌نام به‌عنوان حساب جدید نیست، لطفاً با پشتیبانی IT خود تماس بگیرید",
-    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "حساب برای ارائه‌دهنده: %s و نام کاربری: %s (%s) در حال حاضر به حساب دیگری مرتبط است: %s (%s)",
-    "The application: %s does not exist": "The application: %s does not exist",
+    "The application: %s does not exist": "برنامه: %s وجود ندارد",
-    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
+    "The login method: login with LDAP is not enabled for the application": "روش ورود: ورود با LDAP برای برنامه فعال نیست",
-    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
+    "The login method: login with SMS is not enabled for the application": "روش ورود: ورود با پیامک برای برنامه فعال نیست",
-    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with email is not enabled for the application": "روش ورود: ورود با ایمیل برای برنامه فعال نیست",
-    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "روش ورود: ورود با چهره برای برنامه فعال نیست",
-    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The login method: login with password is not enabled for the application": "روش ورود: ورود با رمز عبور برای برنامه فعال نیست",
-    "The organization: %s does not exist": "The organization: %s does not exist",
+    "The organization: %s does not exist": "سازمان: %s وجود ندارد",
-    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "The provider: %s is not enabled for the application": "ارائه‌دهنده: %s برای برنامه فعال نیست",
-    "Unauthorized operation": "Unauthorized operation",
+    "Unauthorized operation": "عملیات غیرمجاز",
-    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "Unknown authentication type (not password or provider), form = %s": "نوع احراز هویت ناشناخته (نه رمز عبور و نه ارائه‌دهنده)، فرم = %s",
-    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags",
+    "User's tag: %s is not listed in the application's tags": "برچسب کاربر: %s در برچسب‌های برنامه فهرست نشده است",
-    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing"
+    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "کاربر پرداختی %s اشتراک فعال یا در انتظار ندارد و برنامه: %s قیمت‌گذاری پیش‌فرض ندارد"
  },
  "cas": {
-    "Service %s and %s do not match": "Service %s and %s do not match"
+    "Service %s and %s do not match": "سرویس %s و %s مطابقت ندارند"
  },
  "check": {
-    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "Affiliation cannot be blank": "وابستگی نمی‌تواند خالی باشد",
-    "Default code does not match the code's matching rules": "Default code does not match the code's matching rules",
+    "Default code does not match the code's matching rules": "کد پیش‌فرض با قوانین تطبیق کد مطابقت ندارد",
-    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName cannot be blank": "نام نمایشی نمی‌تواند خالی باشد",
-    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "DisplayName is not valid real name": "نام نمایشی یک نام واقعی معتبر نیست",
-    "Email already exists": "Email already exists",
+    "Email already exists": "ایمیل قبلاً وجود دارد",
-    "Email cannot be empty": "Email cannot be empty",
+    "Email cannot be empty": "ایمیل نمی‌تواند خالی باشد",
-    "Email is invalid": "Email is invalid",
+    "Email is invalid": "ایمیل نامعتبر است",
-    "Empty username.": "Empty username.",
+    "Empty username.": "نام کاربری خالی است.",
-    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data does not exist, cannot log in": "داده‌های چهره وجود ندارد، نمی‌توان وارد شد",
-    "Face data mismatch": "Face data mismatch",
+    "Face data mismatch": "عدم تطابق داده‌های چهره",
-    "FirstName cannot be blank": "FirstName cannot be blank",
+    "FirstName cannot be blank": "نام نمی‌تواند خالی باشد",
-    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code cannot be blank": "کد دعوت نمی‌تواند خالی باشد",
-    "Invitation code exhausted": "Invitation code exhausted",
+    "Invitation code exhausted": "کد دعوت استفاده شده است",
-    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code is invalid": "کد دعوت نامعتبر است",
-    "Invitation code suspended": "Invitation code suspended",
+    "Invitation code suspended": "کد دعوت معلق است",
-    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LDAP user name or password incorrect": "نام کاربری یا رمز عبور LDAP نادرست است",
-    "LastName cannot be blank": "LastName cannot be blank",
+    "LastName cannot be blank": "نام خانوادگی نمی‌تواند خالی باشد",
-    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Multiple accounts with same uid, please check your ldap server": "چندین حساب با uid یکسان، لطفاً سرور LDAP خود را بررسی کنید",
-    "Organization does not exist": "Organization does not exist",
+    "Organization does not exist": "سازمان وجود ندارد",
-    "Phone already exists": "Phone already exists",
+    "Phone already exists": "تلفن قبلاً وجود دارد",
-    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone cannot be empty": "تلفن نمی‌تواند خالی باشد",
-    "Phone number is invalid": "Phone number is invalid",
+    "Phone number is invalid": "شماره تلفن نامعتبر است",
-    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the email corresponding to the invitation code": "لطفاً با استفاده از ایمیل مربوط به کد دعوت ثبت‌نام کنید",
-    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "لطفاً با استفاده از تلفن مربوط به کد دعوت ثبت‌نام کنید",
-    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "لطفاً با استفاده از نام کاربری مربوط به کد دعوت ثبت‌نام کنید",
-    "Session outdated, please login again": "Session outdated, please login again",
+    "Session outdated, please login again": "جلسه منقضی شده است، لطفاً دوباره وارد شوید",
-    "The invitation code has already been used": "The invitation code has already been used",
+    "The invitation code has already been used": "کد دعوت قبلاً استفاده شده است",
-    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user is forbidden to sign in, please contact the administrator": "ورود کاربر ممنوع است، لطفاً با مدیر تماس بگیرید",
-    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The user: %s doesn't exist in LDAP server": "کاربر: %s در سرور LDAP وجود ندارد",
-    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "نام کاربری فقط می‌تواند حاوی کاراکترهای الفبایی عددی، زیرخط یا خط تیره باشد، نمی‌تواند خط تیره یا زیرخط متوالی داشته باشد، و نمی‌تواند با خط تیره یا زیرخط شروع یا پایان یابد.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "مقدار \"%s\" برای فیلد حساب \"%s\" با عبارت منظم مورد حساب مطابقت ندارد",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "مقدار \"%s\" برای فیلد ثبت‌نام \"%s\" با عبارت منظم مورد ثبت‌نام برنامه \"%s\" مطابقت ندارد",
-    "Username already exists": "Username already exists",
+    "Username already exists": "نام کاربری قبلاً وجود دارد",
-    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot be an email address": "نام کاربری نمی‌تواند یک آدرس ایمیل باشد",
-    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot contain white spaces": "نام کاربری نمی‌تواند حاوی فاصله باشد",
-    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username cannot start with a digit": "نام کاربری نمی‌تواند با یک رقم شروع شود",
-    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username is too long (maximum is 39 characters).": "نام کاربری بیش از حد طولانی است (حداکثر ۳۹ کاراکتر).",
-    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "Username must have at least 2 characters": "نام کاربری باید حداقل ۲ کاراکتر داشته باشد",
-    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "شما رمز عبور یا کد اشتباه را بیش از حد وارد کرده‌اید، لطفاً %d دقیقه صبر کنید و دوباره تلاش کنید",
-    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "Your region is not allow to signup by phone": "منطقه شما اجازه ثبت‌نام با تلفن را ندارد",
-    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect": "رمز عبور یا کد نادرست است",
-    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "password or code is incorrect, you have %d remaining chances": "رمز عبور یا کد نادرست است، شما %d فرصت باقی‌مانده دارید",
-    "unsupported password type: %s": "unsupported password type: %s"
+    "unsupported password type: %s": "نوع رمز عبور پشتیبانی نشده: %s"
  },
  "general": {
-    "Missing parameter": "Missing parameter",
+    "Missing parameter": "پارامتر گمشده",
-    "Please login first": "Please login first",
+    "Please login first": "لطفاً ابتدا وارد شوید",
-    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
+    "The organization: %s should have one application at least": "سازمان: %s باید حداقل یک برنامه داشته باشد",
-    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "The user: %s doesn't exist": "کاربر: %s وجود ندارد",
-    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "don't support captchaProvider: ": "از captchaProvider پشتیبانی نمی‌شود: ",
-    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode",
+    "this operation is not allowed in demo mode": "این عملیات در حالت دمو مجاز نیست",
-    "this operation requires administrator to perform": "this operation requires administrator to perform"
+    "this operation requires administrator to perform": "این عملیات نیاز به مدیر برای انجام دارد"
  },
  "ldap": {
-    "Ldap server exist": "Ldap server exist"
+    "Ldap server exist": "سرور LDAP وجود دارد"
  },
  "link": {
-    "Please link first": "Please link first",
+    "Please link first": "لطفاً ابتدا پیوند دهید",
-    "This application has no providers": "This application has no providers",
+    "This application has no providers": "این برنامه ارائه‌دهنده‌ای ندارد",
-    "This application has no providers of type": "This application has no providers of type",
+    "This application has no providers of type": "این برنامه ارائه‌دهنده‌ای از نوع ندارد",
-    "This provider can't be unlinked": "This provider can't be unlinked",
+    "This provider can't be unlinked": "این ارائه‌دهنده نمی‌تواند لغو پیوند شود",
-    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You are not the global admin, you can't unlink other users": "شما مدیر جهانی نیستید، نمی‌توانید کاربران دیگر را لغو پیوند کنید",
-    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+    "You can't unlink yourself, you are not a member of any application": "شما نمی‌توانید خودتان را لغو پیوند کنید، شما عضو هیچ برنامه‌ای نیستید"
  },
  "organization": {
-    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "Only admin can modify the %s.": "فقط مدیر می‌تواند %s را تغییر دهد.",
-    "The %s is immutable.": "The %s is immutable.",
+    "The %s is immutable.": "%s غیرقابل تغییر است.",
-    "Unknown modify rule %s.": "Unknown modify rule %s."
+    "Unknown modify rule %s.": "قانون تغییر ناشناخته %s."
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+    "The permission: \"%s\" doesn't exist": "مجوز: \"%s\" وجود ندارد"
  },
  "provider": {
-    "Invalid application id": "Invalid application id",
+    "Invalid application id": "شناسه برنامه نامعتبر",
-    "the provider: %s does not exist": "the provider: %s does not exist"
+    "the provider: %s does not exist": "ارائه‌دهنده: %s وجود ندارد"
  },
  "resource": {
-    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "User is nil for tag: avatar": "کاربر برای برچسب: آواتار تهی است",
-    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "نام کاربری یا مسیر کامل فایل خالی است: نام کاربری = %s، مسیر کامل فایل = %s"
  },
  "saml": {
-    "Application %s not found": "Application %s not found"
+    "Application %s not found": "برنامه %s یافت نشد"
  },
  "saml_sp": {
-    "provider %s's category is not SAML": "provider %s's category is not SAML"
+    "provider %s's category is not SAML": "دسته‌بندی ارائه‌دهنده %s SAML نیست"
  },
  "service": {
-    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Empty parameters for emailForm: %v": "پارامترهای خالی برای emailForm: %v",
-    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid Email receivers: %s": "گیرندگان ایمیل نامعتبر: %s",
-    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+    "Invalid phone receivers: %s": "گیرندگان تلفن نامعتبر: %s"
  },
  "storage": {
-    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The objectKey: %s is not allowed": "objectKey: %s مجاز نیست",
-    "The provider type: %s is not supported": "The provider type: %s is not supported"
+    "The provider type: %s is not supported": "نوع ارائه‌دهنده: %s پشتیبانی نمی‌شود"
  },
  "token": {
-    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Grant_type: %s is not supported in this application": "grant_type: %s در این برنامه پشتیبانی نمی‌شود",
-    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid application or wrong clientSecret": "برنامه نامعتبر یا clientSecret نادرست",
-    "Invalid client_id": "Invalid client_id",
+    "Invalid client_id": "client_id نامعتبر",
-    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "آدرس بازگشت: %s در لیست آدرس‌های بازگشت مجاز وجود ندارد",
-    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+    "Token not found, invalid accessToken": "توکن یافت نشد، accessToken نامعتبر"
  },
  "user": {
-    "Display name cannot be empty": "Display name cannot be empty",
+    "Display name cannot be empty": "نام نمایشی نمی‌تواند خالی باشد",
-    "New password cannot contain blank space.": "New password cannot contain blank space."
+    "New password cannot contain blank space.": "رمز عبور جدید نمی‌تواند حاوی فاصله خالی باشد."
  },
  "user_upload": {
-    "Failed to import users": "Failed to import users"
+    "Failed to import users": "عدم موفقیت در وارد کردن کاربران"
  },
  "util": {
-    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No application is found for userId: %s": "هیچ برنامه‌ای برای userId: %s یافت نشد",
-    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "No provider for category: %s is found for application: %s": "هیچ ارائه‌دهنده‌ای برای دسته‌بندی: %s برای برنامه: %s یافت نشد",
-    "The provider: %s is not found": "The provider: %s is not found"
+    "The provider: %s is not found": "ارائه‌دهنده: %s یافت نشد"
  },
  "verification": {
-    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Invalid captcha provider.": "ارائه‌دهنده کپچا نامعتبر.",
-    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Phone number is invalid in your region %s": "شماره تلفن در منطقه شما نامعتبر است %s",
-    "The verification code has not been sent yet!": "The verification code has not been sent yet!",
+    "The verification code has not been sent yet!": "کد تأیید هنوز ارسال نشده است!",
-    "The verification code has not been sent yet, or has already been used!": "The verification code has not been sent yet, or has already been used!",
+    "The verification code has not been sent yet, or has already been used!": "کد تأیید هنوز ارسال نشده است، یا قبلاً استفاده شده است!",
-    "Turing test failed.": "Turing test failed.",
+    "Turing test failed.": "تست تورینگ ناموفق بود.",
-    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the email modify rule.": "عدم توانایی در دریافت قانون تغییر ایمیل.",
-    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unable to get the phone modify rule.": "عدم توانایی در دریافت قانون تغییر تلفن.",
-    "Unknown type": "Unknown type",
+    "Unknown type": "نوع ناشناخته",
-    "Wrong verification code!": "Wrong verification code!",
+    "Wrong verification code!": "کد تأیید اشتباه!",
-    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "You should verify your code in %d min!": "شما باید کد خود را در %d دقیقه تأیید کنید!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "لطفاً یک ارائه‌دهنده پیامک به لیست \"ارائه‌دهندگان\" برای برنامه: %s اضافه کنید",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "لطفاً یک ارائه‌دهنده ایمیل به لیست \"ارائه‌دهندگان\" برای برنامه: %s اضافه کنید",
-    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+    "the user does not exist, please sign up first": "کاربر وجود ندارد، لطفاً ابتدا ثبت‌نام کنید"
  },
  "webauthn": {
-    "Found no credentials for this user": "Found no credentials for this user",
+    "Found no credentials for this user": "هیچ اعتباری برای این کاربر یافت نشد",
-    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+    "Please call WebAuthnSigninBegin first": "لطفاً ابتدا WebAuthnSigninBegin را فراخوانی کنید"
  }
 }
--- a/i18n/locales/ru/data.json
+++ b/i18n/locales/ru/data.json
@ -15,10 +15,10 @@
    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "Аккаунт для провайдера: %s и имя пользователя: %s (%s) не существует и не может быть зарегистрирован как новый аккаунт. Пожалуйста, обратитесь в службу поддержки IT",
    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "Аккаунт поставщика: %s и имя пользователя: %s (%s) уже связаны с другим аккаунтом: %s (%s)",
    "The application: %s does not exist": "Приложение: %s не существует",
-    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
+    "The login method: login with LDAP is not enabled for the application": "Метод входа в систему: вход с помощью LDAP не включен для приложения",
-    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
+    "The login method: login with SMS is not enabled for the application": "Метод входа: вход с помощью SMS не включен для приложения",
-    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with email is not enabled for the application": "Метод входа: вход с помощью электронной почты не включен для приложения",
-    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "Метод входа: вход с помощью лица не включен для приложения",
    "The login method: login with password is not enabled for the application": "Метод входа: вход с паролем не включен для приложения",
    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "Провайдер: %s не включен для приложения",
@ -53,16 +53,16 @@
    "Phone already exists": "Телефон уже существует",
    "Phone cannot be empty": "Телефон не может быть пустым",
    "Phone number is invalid": "Номер телефона является недействительным",
-    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the email corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь, используя электронную почту, соответствующую коду приглашения",
-    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь по телефону, соответствующему коду приглашения",
-    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь, используя имя пользователя, соответствующее коду приглашения",
    "Session outdated, please login again": "Сессия устарела, пожалуйста, войдите снова",
    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "Пользователю запрещен вход, пожалуйста, обратитесь к администратору",
    "The user: %s doesn't exist in LDAP server": "Пользователь %s не существует на LDAP сервере",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Имя пользователя может состоять только из буквенно-цифровых символов, нижних подчеркиваний или дефисов, не может содержать последовательные дефисы или подчеркивания, а также не может начинаться или заканчиваться на дефис или подчеркивание.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "Значение \\\"%s\\\" для поля аккаунта \\\"%s\\\" не соответствует регулярному значению",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "Значение \\\"%s\\\" поля регистрации \\\"%s\\\" не соответствует регулярному выражению приложения \\\"%s\\\"",
    "Username already exists": "Имя пользователя уже существует",
    "Username cannot be an email address": "Имя пользователя не может быть адресом электронной почты",
    "Username cannot contain white spaces": "Имя пользователя не может содержать пробелы",
@ -78,11 +78,11 @@
  "general": {
    "Missing parameter": "Отсутствующий параметр",
    "Please login first": "Пожалуйста, сначала войдите в систему",
-    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
+    "The organization: %s should have one application at least": "Организация: %s должна иметь хотя бы одно приложение",
    "The user: %s doesn't exist": "Пользователь %s не существует",
    "don't support captchaProvider: ": "неподдерживаемый captchaProvider: ",
    "this operation is not allowed in demo mode": "эта операция не разрешена в демо-режиме",
-    "this operation requires administrator to perform": "this operation requires administrator to perform"
+    "this operation requires administrator to perform": "для выполнения этой операции требуется администратор"
  },
  "ldap": {
    "Ldap server exist": "LDAP-сервер существует"
@ -101,11 +101,11 @@
    "Unknown modify rule %s.": "Неизвестное изменение правила %s."
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+    "The permission: \\\"%s\\\" doesn't exist": "Разрешение: \\\"%s\\\" не существует"
  },
  "provider": {
    "Invalid application id": "Неверный идентификатор приложения",
-    "the provider: %s does not exist": "провайдер: %s не существует"
+    "the provider: %s does not exist": "Провайдер: %s не существует"
  },
  "resource": {
    "User is nil for tag: avatar": "Пользователь равен нулю для тега: аватар",
@ -115,7 +115,7 @@
    "Application %s not found": "Приложение %s не найдено"
  },
  "saml_sp": {
-    "provider %s's category is not SAML": "категория провайдера %s не является SAML"
+    "provider %s's category is not SAML": "Категория провайдера %s не является SAML"
  },
  "service": {
    "Empty parameters for emailForm: %v": "Пустые параметры для emailForm: %v",
@ -148,7 +148,7 @@
  "verification": {
    "Invalid captcha provider.": "Недействительный поставщик CAPTCHA.",
    "Phone number is invalid in your region %s": "Номер телефона недействителен в вашем регионе %s",
-    "The verification code has not been sent yet!": "The verification code has not been sent yet!",
+    "The verification code has not been sent yet!": "Код проверки еще не отправлен!",
    "The verification code has not been sent yet, or has already been used!": "The verification code has not been sent yet, or has already been used!",
    "Turing test failed.": "Тест Тьюринга не удался.",
    "Unable to get the email modify rule.": "Невозможно получить правило изменения электронной почты.",
@ -156,8 +156,8 @@
    "Unknown type": "Неизвестный тип",
    "Wrong verification code!": "Неправильный код подтверждения!",
    "You should verify your code in %d min!": "Вы должны проверить свой код через %d минут!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "Пожалуйста, добавьте поставщика SMS в список \\\"Провайдеры\\\" для приложения: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "Пожалуйста, добавьте поставщика электронной почты в список \\\"Провайдеры\\\" для приложения: %s",
    "the user does not exist, please sign up first": "Пользователь не существует, пожалуйста, сначала зарегистрируйтесь"
  },
  "webauthn": {
--- a/idp/alipay.go
+++ b/idp/alipay.go
@ -200,7 +200,7 @@ func (idp *AlipayIdProvider) postWithBody(body interface{}, targetUrl string) ([
 	formData.Set("sign", sign)
-	resp, err := idp.Client.PostForm(targetUrl, formData)
+	resp, err := idp.Client.Post(targetUrl, "application/x-www-form-urlencoded;charset=utf-8", strings.NewReader(formData.Encode()))
 	if err != nil {
 		return nil, err
 	}
--- a/ldap/server.go
+++ b/ldap/server.go
@ -21,7 +21,7 @@ import (
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/object"
-	ldap "github.com/forestmgy/ldapserver"
+	ldap "github.com/casdoor/ldapserver"
 	"github.com/lor00x/goldap/message"
 )
@ -142,7 +142,7 @@ func handleSearch(w ldap.ResponseWriter, m *ldap.Message) {
 		}
 		for _, attr := range attrs {
 			e.AddAttribute(message.AttributeDescription(attr), getAttribute(string(attr), user))
-			if string(attr) == "cn" {
+			if string(attr) == "title" {
 				e.AddAttribute(message.AttributeDescription(attr), getAttribute("title", user))
 			}
 		}
--- a/ldap/util.go
+++ b/ldap/util.go
@ -23,7 +23,7 @@ import (
 	"github.com/casdoor/casdoor/util"
 	"github.com/lor00x/goldap/message"
-	ldap "github.com/forestmgy/ldapserver"
+	ldap "github.com/casdoor/ldapserver"
 	"github.com/xorm-io/builder"
 )
--- a/main.go
+++ b/main.go
@ -56,6 +56,7 @@ func main() {
 	beego.InsertFilter("*", beego.BeforeRouter, routers.StaticFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.AutoSigninFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.CorsFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.TimeoutFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.ApiFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.PrometheusFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.RecordMessage)
@ -71,6 +72,7 @@ func main() {
 		beego.BConfig.WebConfig.Session.SessionProviderConfig = conf.GetConfigString("redisEndpoint")
 	}
 	beego.BConfig.WebConfig.Session.SessionCookieLifeTime = 3600 * 24 * 30
 	beego.BConfig.WebConfig.Session.SessionGCMaxLifetime = 3600 * 24 * 30
 	// beego.BConfig.WebConfig.Session.SessionCookieSameSite = http.SameSiteNoneMode
 	err := logs.SetLogger(logs.AdapterFile, conf.GetConfigString("logConfig"))
--- a/object/application.go
+++ b/object/application.go
@ -31,15 +31,17 @@ type SigninMethod struct {
 }
 type SignupItem struct {
-	Name        string `json:"name"`
+	Name        string   `json:"name"`
-	Visible     bool   `json:"visible"`
+	Visible     bool     `json:"visible"`
-	Required    bool   `json:"required"`
+	Required    bool     `json:"required"`
-	Prompted    bool   `json:"prompted"`
+	Prompted    bool     `json:"prompted"`
-	CustomCss   string `json:"customCss"`
+	Type        string   `json:"type"`
-	Label       string `json:"label"`
+	CustomCss   string   `json:"customCss"`
-	Placeholder string `json:"placeholder"`
+	Label       string   `json:"label"`
-	Regex       string `json:"regex"`
+	Placeholder string   `json:"placeholder"`
-	Rule        string `json:"rule"`
+	Options     []string `json:"options"`
 	Regex       string   `json:"regex"`
 	Rule        string   `json:"rule"`
 }
 type SigninItem struct {
@ -78,24 +80,28 @@ type Application struct {
 	EnableSamlCompress    bool            `json:"enableSamlCompress"`
 	EnableSamlC14n10      bool            `json:"enableSamlC14n10"`
 	EnableSamlPostBinding bool            `json:"enableSamlPostBinding"`
 	UseEmailAsSamlNameId  bool            `json:"useEmailAsSamlNameId"`
 	EnableWebAuthn        bool            `json:"enableWebAuthn"`
 	EnableLinkWithEmail   bool            `json:"enableLinkWithEmail"`
 	OrgChoiceMode         string          `json:"orgChoiceMode"`
 	SamlReplyUrl          string          `xorm:"varchar(100)" json:"samlReplyUrl"`
 	Providers             []*ProviderItem `xorm:"mediumtext" json:"providers"`
 	SigninMethods         []*SigninMethod `xorm:"varchar(2000)" json:"signinMethods"`
-	SignupItems           []*SignupItem   `xorm:"varchar(2000)" json:"signupItems"`
+	SignupItems           []*SignupItem   `xorm:"varchar(3000)" json:"signupItems"`
 	SigninItems           []*SigninItem   `xorm:"mediumtext" json:"signinItems"`
 	GrantTypes            []string        `xorm:"varchar(1000)" json:"grantTypes"`
 	OrganizationObj       *Organization   `xorm:"-" json:"organizationObj"`
 	CertPublicKey         string          `xorm:"-" json:"certPublicKey"`
 	Tags                  []string        `xorm:"mediumtext" json:"tags"`
 	SamlAttributes        []*SamlItem     `xorm:"varchar(1000)" json:"samlAttributes"`
 	IsShared              bool            `json:"isShared"`
 	IpRestriction         string          `json:"ipRestriction"`
 	ClientId             string     `xorm:"varchar(100)" json:"clientId"`
 	ClientSecret         string     `xorm:"varchar(100)" json:"clientSecret"`
 	RedirectUris         []string   `xorm:"varchar(1000)" json:"redirectUris"`
 	TokenFormat          string     `xorm:"varchar(100)" json:"tokenFormat"`
 	TokenSigningMethod   string     `xorm:"varchar(100)" json:"tokenSigningMethod"`
 	TokenFields          []string   `xorm:"varchar(1000)" json:"tokenFields"`
 	ExpireInHours        int        `json:"expireInHours"`
 	RefreshExpireInHours int        `json:"refreshExpireInHours"`
@ -103,6 +109,7 @@ type Application struct {
 	SigninUrl            string     `xorm:"varchar(200)" json:"signinUrl"`
 	ForgetUrl            string     `xorm:"varchar(200)" json:"forgetUrl"`
 	AffiliationUrl       string     `xorm:"varchar(100)" json:"affiliationUrl"`
 	IpWhitelist          string     `xorm:"varchar(200)" json:"ipWhitelist"`
 	TermsOfUse           string     `xorm:"varchar(100)" json:"termsOfUse"`
 	SignupHtml           string     `xorm:"mediumtext" json:"signupHtml"`
 	SigninHtml           string     `xorm:"mediumtext" json:"signinHtml"`
@ -123,9 +130,9 @@ func GetApplicationCount(owner, field, value string) (int64, error) {
 	return session.Count(&Application{})
 }
-func GetOrganizationApplicationCount(owner, Organization, field, value string) (int64, error) {
+func GetOrganizationApplicationCount(owner, organization, field, value string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")
-	return session.Count(&Application{Organization: Organization})
+	return session.Where("organization = ? or is_shared = ? ", organization, true).Count(&Application{})
 }
 func GetApplications(owner string) ([]*Application, error) {
@ -140,7 +147,7 @@ func GetApplications(owner string) ([]*Application, error) {
 func GetOrganizationApplications(owner string, organization string) ([]*Application, error) {
 	applications := []*Application{}
-	err := ormer.Engine.Desc("created_time").Find(&applications, &Application{Organization: organization})
+	err := ormer.Engine.Desc("created_time").Where("organization = ? or is_shared = ? ", organization, true).Find(&applications, &Application{})
 	if err != nil {
 		return applications, err
 	}
@ -162,7 +169,7 @@ func GetPaginationApplications(owner string, offset, limit int, field, value, so
 func GetPaginationOrganizationApplications(owner, organization string, offset, limit int, field, value, sortField, sortOrder string) ([]*Application, error) {
 	applications := []*Application{}
 	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
-	err := session.Find(&applications, &Application{Organization: organization})
+	err := session.Where("organization = ? or is_shared = ? ", organization, true).Find(&applications, &Application{})
 	if err != nil {
 		return applications, err
 	}
@ -337,12 +344,18 @@ func getApplication(owner string, name string) (*Application, error) {
 		return nil, nil
 	}
-	application := Application{Owner: owner, Name: name}
+	realApplicationName, sharedOrg := util.GetSharedOrgFromApp(name)
 	application := Application{Owner: owner, Name: realApplicationName}
 	existed, err := ormer.Engine.Get(&application)
 	if err != nil {
 		return nil, err
 	}
 	if application.IsShared && sharedOrg != "" {
 		application.Organization = sharedOrg
 	}
 	if existed {
 		err = extendApplicationWithProviders(&application)
 		if err != nil {
@ -428,11 +441,18 @@ func GetApplicationByUserId(userId string) (application *Application, err error)
 func GetApplicationByClientId(clientId string) (*Application, error) {
 	application := Application{}
-	existed, err := ormer.Engine.Where("client_id=?", clientId).Get(&application)
+
 	realClientId, sharedOrg := util.GetSharedOrgFromApp(clientId)
 	existed, err := ormer.Engine.Where("client_id=?", realClientId).Get(&application)
 	if err != nil {
 		return nil, err
 	}
 	if application.IsShared && sharedOrg != "" {
 		application.Organization = sharedOrg
 	}
 	if existed {
 		err = extendApplicationWithProviders(&application)
 		if err != nil {
@ -516,7 +536,7 @@ func GetMaskedApplication(application *Application, userId string) *Application
 	providerItems := []*ProviderItem{}
 	for _, providerItem := range application.Providers {
-		if providerItem.Provider != nil && (providerItem.Provider.Category == "OAuth" || providerItem.Provider.Category == "Web3" || providerItem.Provider.Category == "Captcha") {
+		if providerItem.Provider != nil && (providerItem.Provider.Category == "OAuth" || providerItem.Provider.Category == "Web3" || providerItem.Provider.Category == "Captcha" || providerItem.Provider.Category == "SAML") {
 			providerItems = append(providerItems, providerItem)
 		}
 	}
@ -626,6 +646,10 @@ func UpdateApplication(id string, application *Application) (bool, error) {
 		return false, err
 	}
 	if application.IsShared == true && application.Organization != "built-in" {
 		return false, fmt.Errorf("only applications belonging to built-in organization can be shared")
 	}
 	for _, providerItem := range application.Providers {
 		providerItem.Provider = nil
 	}
@ -699,8 +723,15 @@ func (application *Application) GetId() string {
 }
 func (application *Application) IsRedirectUriValid(redirectUri string) bool {
-	redirectUris := append([]string{"http://localhost:", "https://localhost:", "http://127.0.0.1:", "http://casdoor-app", ".chromiumapp.org"}, application.RedirectUris...)
+	isValid, err := util.IsValidOrigin(redirectUri)
-	for _, targetUri := range redirectUris {
+	if err != nil {
 		panic(err)
 	}
 	if isValid {
 		return true
 	}
 	for _, targetUri := range application.RedirectUris {
 		targetUriRegex := regexp.MustCompile(targetUri)
 		if targetUriRegex.MatchString(redirectUri) || strings.Contains(redirectUri, targetUri) {
 			return true
--- a/object/check.go
+++ b/object/check.go
@ -381,7 +381,13 @@ func CheckUserPassword(organization string, username string, password string, la
 		if err != nil {
 			return nil, err
 		}
 		err = checkPasswordExpired(user, lang)
 		if err != nil {
 			return nil, err
 		}
 	}
 	return user, nil
 }
@ -520,11 +526,46 @@ func CheckUsername(username string, lang string) string {
 	return ""
 }
 func CheckUsernameWithEmail(username string, lang string) string {
 	if username == "" {
 		return i18n.Translate(lang, "check:Empty username.")
 	} else if len(username) > 39 {
 		return i18n.Translate(lang, "check:Username is too long (maximum is 39 characters).")
 	}
 	// https://stackoverflow.com/questions/58726546/github-username-convention-using-regex
 	if !util.ReUserNameWithEmail.MatchString(username) {
 		return i18n.Translate(lang, "check:Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.")
 	}
 	return ""
 }
 func CheckUpdateUser(oldUser, user *User, lang string) string {
 	if oldUser.Name != user.Name {
-		if msg := CheckUsername(user.Name, lang); msg != "" {
+		organizationName := oldUser.Owner
-			return msg
+		if organizationName == "" {
 			organizationName = user.Owner
 		}
 		organization, err := getOrganization("admin", organizationName)
 		if err != nil {
 			return err.Error()
 		}
 		if organization == nil {
 			return fmt.Sprintf(i18n.Translate(lang, "auth:The organization: %s does not exist"), organizationName)
 		}
 		if organization.UseEmailAsUsername {
 			if msg := CheckUsernameWithEmail(user.Name, lang); msg != "" {
 				return msg
 			}
 		} else {
 			if msg := CheckUsername(user.Name, lang); msg != "" {
 				return msg
 			}
 		}
 		if HasUserByField(user.Owner, "name", user.Name) {
 			return i18n.Translate(lang, "check:Username already exists")
 		}
@ -539,6 +580,11 @@ func CheckUpdateUser(oldUser, user *User, lang string) string {
 			return i18n.Translate(lang, "check:Phone already exists")
 		}
 	}
 	if oldUser.IpWhitelist != user.IpWhitelist {
 		if err := CheckIpWhitelist(user.IpWhitelist, lang); err != nil {
 			return err.Error()
 		}
 	}
 	return ""
 }
--- a/object/check_ip.go
+++ b/object/check_ip.go
@ -0,0 +1,104 @@
 // Copyright 2024 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package object
 import (
 	"fmt"
 	"net"
 	"strings"
 	"github.com/casdoor/casdoor/i18n"
 )
 func CheckEntryIp(clientIp string, user *User, application *Application, organization *Organization, lang string) error {
 	entryIp := net.ParseIP(clientIp)
 	if entryIp == nil {
 		return fmt.Errorf(i18n.Translate(lang, "check:Failed to parse client IP: %s"), clientIp)
 	} else if entryIp.IsLoopback() {
 		return nil
 	}
 	var err error
 	if user != nil {
 		err = isEntryIpAllowd(user.IpWhitelist, entryIp, lang)
 		if err != nil {
 			return fmt.Errorf(err.Error() + user.Name)
 		}
 	}
 	if application != nil {
 		err = isEntryIpAllowd(application.IpWhitelist, entryIp, lang)
 		if err != nil {
 			application.IpRestriction = err.Error() + application.Name
 			return fmt.Errorf(err.Error() + application.Name)
 		} else {
 			application.IpRestriction = ""
 		}
 		if organization == nil && application.OrganizationObj != nil {
 			organization = application.OrganizationObj
 		}
 	}
 	if organization != nil {
 		err = isEntryIpAllowd(organization.IpWhitelist, entryIp, lang)
 		if err != nil {
 			organization.IpRestriction = err.Error() + organization.Name
 			return fmt.Errorf(err.Error() + organization.Name)
 		} else {
 			organization.IpRestriction = ""
 		}
 	}
 	return nil
 }
 func isEntryIpAllowd(ipWhitelistStr string, entryIp net.IP, lang string) error {
 	if ipWhitelistStr == "" {
 		return nil
 	}
 	ipWhitelist := strings.Split(ipWhitelistStr, ",")
 	for _, ip := range ipWhitelist {
 		_, ipNet, err := net.ParseCIDR(ip)
 		if err != nil {
 			return err
 		}
 		if ipNet == nil {
 			return fmt.Errorf(i18n.Translate(lang, "check:CIDR for IP: %s should not be empty"), entryIp.String())
 		}
 		if ipNet.Contains(entryIp) {
 			return nil
 		}
 	}
 	return fmt.Errorf(i18n.Translate(lang, "check:Your IP address: %s has been banned according to the configuration of: "), entryIp.String())
 }
 func CheckIpWhitelist(ipWhitelistStr string, lang string) error {
 	if ipWhitelistStr == "" {
 		return nil
 	}
 	ipWhiteList := strings.Split(ipWhitelistStr, ",")
 	for _, ip := range ipWhiteList {
 		if _, _, err := net.ParseCIDR(ip); err != nil {
 			return fmt.Errorf(i18n.Translate(lang, "check:%s does not meet the CIDR format requirements: %s"), ip, err.Error())
 		}
 	}
 	return nil
 }
--- a/object/check_password_expired.go
+++ b/object/check_password_expired.go
@ -0,0 +1,53 @@
 // Copyright 2024 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package object
 import (
 	"fmt"
 	"time"
 	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/util"
 )
 func checkPasswordExpired(user *User, lang string) error {
 	organization, err := GetOrganizationByUser(user)
 	if err != nil {
 		return err
 	}
 	if organization == nil {
 		return fmt.Errorf(i18n.Translate(lang, "check:Organization does not exist"))
 	}
 	passwordExpireDays := organization.PasswordExpireDays
 	if passwordExpireDays <= 0 {
 		return nil
 	}
 	lastChangePasswordTime := user.LastChangePasswordTime
 	if lastChangePasswordTime == "" {
 		if user.CreatedTime == "" {
 			return fmt.Errorf(i18n.Translate(lang, "check:Your password has expired. Please reset your password by clicking \"Forgot password\""))
 		}
 		lastChangePasswordTime = user.CreatedTime
 	}
 	lastTime := util.String2Time(lastChangePasswordTime)
 	expireTime := lastTime.AddDate(0, 0, passwordExpireDays)
 	if time.Now().After(expireTime) {
 		return fmt.Errorf(i18n.Translate(lang, "check:Your password has expired. Please reset your password by clicking \"Forgot password\""))
 	}
 	return nil
 }
--- a/object/check_util.go
+++ b/object/check_util.go
@ -52,6 +52,9 @@ func GetFailedSigninConfigByUser(user *User) (int, int, error) {
 	if err != nil {
 		return 0, 0, err
 	}
 	if application == nil {
 		return 0, 0, fmt.Errorf("the application for user %s is not found", user.GetId())
 	}
 	failedSigninLimit := application.FailedSigninLimit
 	if failedSigninLimit == 0 {
--- a/object/get-dashboard.go
+++ b/object/get-dashboard.go
@ -25,6 +25,12 @@ type Dashboard struct {
 	ProviderCounts     []int `json:"providerCounts"`
 	ApplicationCounts  []int `json:"applicationCounts"`
 	SubscriptionCounts []int `json:"subscriptionCounts"`
 	RoleCounts         []int `json:"roleCounts"`
 	GroupCounts        []int `json:"groupCounts"`
 	ResourceCounts     []int `json:"resourceCounts"`
 	CertCounts         []int `json:"certCounts"`
 	PermissionCounts   []int `json:"permissionCounts"`
 	TransactionCounts  []int `json:"transactionCounts"`
 }
 func GetDashboard(owner string) (*Dashboard, error) {
@ -38,6 +44,12 @@ func GetDashboard(owner string) (*Dashboard, error) {
 		ProviderCounts:     make([]int, 31),
 		ApplicationCounts:  make([]int, 31),
 		SubscriptionCounts: make([]int, 31),
 		RoleCounts:         make([]int, 31),
 		GroupCounts:        make([]int, 31),
 		ResourceCounts:     make([]int, 31),
 		CertCounts:         make([]int, 31),
 		PermissionCounts:   make([]int, 31),
 		TransactionCounts:  make([]int, 31),
 	}
 	organizations := []Organization{}
@ -45,9 +57,15 @@ func GetDashboard(owner string) (*Dashboard, error) {
 	providers := []Provider{}
 	applications := []Application{}
 	subscriptions := []Subscription{}
 	roles := []Role{}
 	groups := []Group{}
 	resources := []Resource{}
 	certs := []Cert{}
 	permissions := []Permission{}
 	transactions := []Transaction{}
 	var wg sync.WaitGroup
-	wg.Add(5)
+	wg.Add(11)
 	go func() {
 		defer wg.Done()
 		if err := ormer.Engine.Find(&organizations, &Organization{Owner: owner}); err != nil {
@ -86,6 +104,50 @@ func GetDashboard(owner string) (*Dashboard, error) {
 			panic(err)
 		}
 	}()
 	go func() {
 		defer wg.Done()
 		if err := ormer.Engine.Find(&roles, &Role{Owner: owner}); err != nil {
 			panic(err)
 		}
 	}()
 	go func() {
 		defer wg.Done()
 		if err := ormer.Engine.Find(&groups, &Group{Owner: owner}); err != nil {
 			panic(err)
 		}
 	}()
 	go func() {
 		defer wg.Done()
 		if err := ormer.Engine.Find(&resources, &Resource{Owner: owner}); err != nil {
 			panic(err)
 		}
 	}()
 	go func() {
 		defer wg.Done()
 		if err := ormer.Engine.Find(&certs, &Cert{Owner: owner}); err != nil {
 			panic(err)
 		}
 	}()
 	go func() {
 		defer wg.Done()
 		if err := ormer.Engine.Find(&permissions, &Permission{Owner: owner}); err != nil {
 			panic(err)
 		}
 	}()
 	go func() {
 		defer wg.Done()
 		if err := ormer.Engine.Find(&transactions, &Transaction{Owner: owner}); err != nil {
 			panic(err)
 		}
 	}()
 	wg.Wait()
 	nowTime := time.Now()
@ -96,6 +158,12 @@ func GetDashboard(owner string) (*Dashboard, error) {
 		dashboard.ProviderCounts[30-i] = countCreatedBefore(providers, cutTime)
 		dashboard.ApplicationCounts[30-i] = countCreatedBefore(applications, cutTime)
 		dashboard.SubscriptionCounts[30-i] = countCreatedBefore(subscriptions, cutTime)
 		dashboard.RoleCounts[30-i] = countCreatedBefore(roles, cutTime)
 		dashboard.GroupCounts[30-i] = countCreatedBefore(groups, cutTime)
 		dashboard.ResourceCounts[30-i] = countCreatedBefore(resources, cutTime)
 		dashboard.CertCounts[30-i] = countCreatedBefore(certs, cutTime)
 		dashboard.PermissionCounts[30-i] = countCreatedBefore(permissions, cutTime)
 		dashboard.TransactionCounts[30-i] = countCreatedBefore(transactions, cutTime)
 	}
 	return dashboard, nil
 }
@ -138,6 +206,48 @@ func countCreatedBefore(objects interface{}, before time.Time) int {
 				count++
 			}
 		}
 	case []Role:
 		for _, r := range obj {
 			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", r.CreatedTime)
 			if createdTime.Before(before) {
 				count++
 			}
 		}
 	case []Group:
 		for _, g := range obj {
 			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", g.CreatedTime)
 			if createdTime.Before(before) {
 				count++
 			}
 		}
 	case []Resource:
 		for _, r := range obj {
 			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", r.CreatedTime)
 			if createdTime.Before(before) {
 				count++
 			}
 		}
 	case []Cert:
 		for _, c := range obj {
 			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", c.CreatedTime)
 			if createdTime.Before(before) {
 				count++
 			}
 		}
 	case []Permission:
 		for _, p := range obj {
 			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", p.CreatedTime)
 			if createdTime.Before(before) {
 				count++
 			}
 		}
 	case []Transaction:
 		for _, t := range obj {
 			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", t.CreatedTime)
 			if createdTime.Before(before) {
 				count++
 			}
 		}
 	}
 	return count
 }
--- a/object/init_data.go
+++ b/object/init_data.go
@ -48,12 +48,16 @@ type InitData struct {
 	Transactions  []*Transaction        `json:"transactions"`
 }
 var initDataNewOnly bool
 func InitFromFile() {
 	initDataFile := conf.GetConfigString("initDataFile")
 	if initDataFile == "" {
 		return
 	}
 	initDataNewOnly = conf.GetConfigBool("initDataNewOnly")
 	initData, err := readInitDataFromFile(initDataFile)
 	if err != nil {
 		panic(err)
@ -182,6 +186,9 @@ func readInitDataFromFile(filePath string) (*InitData, error) {
 		if organization.Tags == nil {
 			organization.Tags = []string{}
 		}
 		if organization.AccountItems == nil {
 			organization.AccountItems = []*AccountItem{}
 		}
 	}
 	for _, application := range data.Applications {
 		if application.Providers == nil {
@ -266,6 +273,9 @@ func initDefinedOrganization(organization *Organization) {
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := deleteOrganization(organization)
 		if err != nil {
 			panic(err)
@ -275,7 +285,9 @@ func initDefinedOrganization(organization *Organization) {
 		}
 	}
 	organization.CreatedTime = util.GetCurrentTime()
-	organization.AccountItems = getBuiltInAccountItems()
+	if len(organization.AccountItems) == 0 {
 		organization.AccountItems = getBuiltInAccountItems()
 	}
 	_, err = AddOrganization(organization)
 	if err != nil {
@ -290,6 +302,9 @@ func initDefinedApplication(application *Application) {
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := deleteApplication(application)
 		if err != nil {
 			panic(err)
@ -311,6 +326,9 @@ func initDefinedUser(user *User) {
 		panic(err)
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := deleteUser(user)
 		if err != nil {
 			panic(err)
@ -337,6 +355,9 @@ func initDefinedCert(cert *Cert) {
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeleteCert(cert)
 		if err != nil {
 			panic(err)
@ -359,6 +380,9 @@ func initDefinedLdap(ldap *Ldap) {
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeleteLdap(ldap)
 		if err != nil {
 			panic(err)
@ -380,6 +404,9 @@ func initDefinedProvider(provider *Provider) {
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeleteProvider(provider)
 		if err != nil {
 			panic(err)
@ -401,6 +428,9 @@ func initDefinedModel(model *Model) {
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeleteModel(model)
 		if err != nil {
 			panic(err)
@ -423,6 +453,9 @@ func initDefinedPermission(permission *Permission) {
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := deletePermission(permission)
 		if err != nil {
 			panic(err)
@ -445,6 +478,9 @@ func initDefinedPayment(payment *Payment) {
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeletePayment(payment)
 		if err != nil {
 			panic(err)
@ -467,6 +503,9 @@ func initDefinedProduct(product *Product) {
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeleteProduct(product)
 		if err != nil {
 			panic(err)
@ -489,6 +528,9 @@ func initDefinedResource(resource *Resource) {
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeleteResource(resource)
 		if err != nil {
 			panic(err)
@ -511,6 +553,9 @@ func initDefinedRole(role *Role) {
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := deleteRole(role)
 		if err != nil {
 			panic(err)
@ -533,6 +578,9 @@ func initDefinedSyncer(syncer *Syncer) {
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeleteSyncer(syncer)
 		if err != nil {
 			panic(err)
@ -555,6 +603,9 @@ func initDefinedToken(token *Token) {
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeleteToken(token)
 		if err != nil {
 			panic(err)
@ -577,6 +628,9 @@ func initDefinedWebhook(webhook *Webhook) {
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeleteWebhook(webhook)
 		if err != nil {
 			panic(err)
@ -598,6 +652,9 @@ func initDefinedGroup(group *Group) {
 		panic(err)
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := deleteGroup(group)
 		if err != nil {
 			panic(err)
@ -619,6 +676,9 @@ func initDefinedAdapter(adapter *Adapter) {
 		panic(err)
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeleteAdapter(adapter)
 		if err != nil {
 			panic(err)
@ -640,6 +700,9 @@ func initDefinedEnforcer(enforcer *Enforcer) {
 		panic(err)
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeleteEnforcer(enforcer)
 		if err != nil {
 			panic(err)
@ -661,6 +724,9 @@ func initDefinedPlan(plan *Plan) {
 		panic(err)
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeletePlan(plan)
 		if err != nil {
 			panic(err)
@ -682,6 +748,9 @@ func initDefinedPricing(pricing *Pricing) {
 		panic(err)
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeletePricing(pricing)
 		if err != nil {
 			panic(err)
@ -703,6 +772,9 @@ func initDefinedInvitation(invitation *Invitation) {
 		panic(err)
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeleteInvitation(invitation)
 		if err != nil {
 			panic(err)
@ -738,6 +810,9 @@ func initDefinedSubscription(subscription *Subscription) {
 		panic(err)
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeleteSubscription(subscription)
 		if err != nil {
 			panic(err)
@ -759,6 +834,9 @@ func initDefinedTransaction(transaction *Transaction) {
 		panic(err)
 	}
 	if existed != nil {
 		if initDataNewOnly {
 			return
 		}
 		affected, err := DeleteTransaction(transaction)
 		if err != nil {
 			panic(err)
--- a/object/ldap.go
+++ b/object/ldap.go
@ -32,6 +32,7 @@ type Ldap struct {
 	BaseDn       string   `xorm:"varchar(100)" json:"baseDn"`
 	Filter       string   `xorm:"varchar(200)" json:"filter"`
 	FilterFields []string `xorm:"varchar(100)" json:"filterFields"`
 	DefaultGroup string   `xorm:"varchar(100)" json:"defaultGroup"`
 	AutoSync int    `json:"autoSync"`
 	LastSync string `xorm:"varchar(100)" json:"lastSync"`
@ -148,7 +149,7 @@ func UpdateLdap(ldap *Ldap) (bool, error) {
 	}
 	affected, err := ormer.Engine.ID(ldap.Id).Cols("owner", "server_name", "host",
-		"port", "enable_ssl", "username", "password", "base_dn", "filter", "filter_fields", "auto_sync").Update(ldap)
+		"port", "enable_ssl", "username", "password", "base_dn", "filter", "filter_fields", "auto_sync", "default_group").Update(ldap)
 	if err != nil {
 		return false, nil
 	}
--- a/object/ldap_conn.go
+++ b/object/ldap_conn.go
@ -339,6 +339,10 @@ func SyncLdapUsers(owner string, syncUsers []LdapUser, ldapId string) (existUser
 				Ldap:              syncUser.Uuid,
 			}
 			if ldap.DefaultGroup != "" {
 				newUser.Groups = []string{ldap.DefaultGroup}
 			}
 			affected, err := AddUser(newUser)
 			if err != nil {
 				return nil, nil, err
--- a/object/oidc_discovery.go
+++ b/object/oidc_discovery.go
@ -44,6 +44,18 @@ type OidcDiscovery struct {
 	EndSessionEndpoint                     string   `json:"end_session_endpoint"`
 }
 type WebFinger struct {
 	Subject    string             `json:"subject"`
 	Links      []WebFingerLink    `json:"links"`
 	Aliases    *[]string          `json:"aliases,omitempty"`
 	Properties *map[string]string `json:"properties,omitempty"`
 }
 type WebFingerLink struct {
 	Rel  string `json:"rel"`
 	Href string `json:"href"`
 }
 func isIpAddress(host string) bool {
 	// Attempt to split the host and port, ignoring the error
 	hostWithoutPort, _, err := net.SplitHostPort(host)
@ -112,7 +124,7 @@ func GetOidcDiscovery(host string) OidcDiscovery {
 		ResponseModesSupported:                 []string{"query", "fragment", "login", "code", "link"},
 		GrantTypesSupported:                    []string{"password", "authorization_code"},
 		SubjectTypesSupported:                  []string{"public"},
-		IdTokenSigningAlgValuesSupported:       []string{"RS256"},
+		IdTokenSigningAlgValuesSupported:       []string{"RS256", "RS512", "ES256", "ES384", "ES512"},
 		ScopesSupported:                        []string{"openid", "email", "profile", "address", "phone", "offline_access"},
 		ClaimsSupported:                        []string{"iss", "ver", "sub", "aud", "iat", "exp", "id", "type", "displayName", "avatar", "permanentAvatar", "email", "phone", "location", "affiliation", "title", "homepage", "bio", "tag", "region", "language", "score", "ranking", "isOnline", "isAdmin", "isForbidden", "signupApplication", "ldap"},
 		RequestParameterSupported:              true,
@ -160,3 +172,43 @@ func GetJsonWebKeySet() (jose.JSONWebKeySet, error) {
 	return jwks, nil
 }
 func GetWebFinger(resource string, rels []string, host string) (WebFinger, error) {
 	wf := WebFinger{}
 	resourceSplit := strings.Split(resource, ":")
 	if len(resourceSplit) != 2 {
 		return wf, fmt.Errorf("invalid resource")
 	}
 	resourceType := resourceSplit[0]
 	resourceValue := resourceSplit[1]
 	oidcDiscovery := GetOidcDiscovery(host)
 	switch resourceType {
 	case "acct":
 		user, err := GetUserByEmailOnly(resourceValue)
 		if err != nil {
 			return wf, err
 		}
 		if user == nil {
 			return wf, fmt.Errorf("user not found")
 		}
 		wf.Subject = resource
 		for _, rel := range rels {
 			if rel == "http://openid.net/specs/connect/1.0/issuer" {
 				wf.Links = append(wf.Links, WebFingerLink{
 					Rel:  "http://openid.net/specs/connect/1.0/issuer",
 					Href: oidcDiscovery.Issuer,
 				})
 			}
 		}
 	}
 	return wf, nil
 }
--- a/object/organization.go
+++ b/object/organization.go
@ -56,10 +56,13 @@ type Organization struct {
 	WebsiteUrl             string     `xorm:"varchar(100)" json:"websiteUrl"`
 	Logo                   string     `xorm:"varchar(200)" json:"logo"`
 	LogoDark               string     `xorm:"varchar(200)" json:"logoDark"`
-	Favicon                string     `xorm:"varchar(100)" json:"favicon"`
+	Favicon                string     `xorm:"varchar(200)" json:"favicon"`
 	PasswordType           string     `xorm:"varchar(100)" json:"passwordType"`
 	PasswordSalt           string     `xorm:"varchar(100)" json:"passwordSalt"`
 	PasswordOptions        []string   `xorm:"varchar(100)" json:"passwordOptions"`
 	PasswordObfuscatorType string     `xorm:"varchar(100)" json:"passwordObfuscatorType"`
 	PasswordObfuscatorKey  string     `xorm:"varchar(100)" json:"passwordObfuscatorKey"`
 	PasswordExpireDays     int        `json:"passwordExpireDays"`
 	CountryCodes           []string   `xorm:"varchar(200)"  json:"countryCodes"`
 	DefaultAvatar          string     `xorm:"varchar(200)" json:"defaultAvatar"`
 	DefaultApplication     string     `xorm:"varchar(100)" json:"defaultApplication"`
@ -69,19 +72,21 @@ type Organization struct {
 	MasterPassword         string     `xorm:"varchar(100)" json:"masterPassword"`
 	DefaultPassword        string     `xorm:"varchar(100)" json:"defaultPassword"`
 	MasterVerificationCode string     `xorm:"varchar(100)" json:"masterVerificationCode"`
 	IpWhitelist            string     `xorm:"varchar(200)" json:"ipWhitelist"`
 	InitScore              int        `json:"initScore"`
 	EnableSoftDeletion     bool       `json:"enableSoftDeletion"`
 	IsProfilePublic        bool       `json:"isProfilePublic"`
 	UseEmailAsUsername     bool       `json:"useEmailAsUsername"`
 	EnableTour             bool       `json:"enableTour"`
 	IpRestriction          string     `json:"ipRestriction"`
 	MfaItems     []*MfaItem     `xorm:"varchar(300)" json:"mfaItems"`
 	AccountItems []*AccountItem `xorm:"varchar(5000)" json:"accountItems"`
 }
-func GetOrganizationCount(owner, field, value string) (int64, error) {
+func GetOrganizationCount(owner, name, field, value string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")
-	return session.Count(&Organization{})
+	return session.Count(&Organization{Name: name})
 }
 func GetOrganizations(owner string, name ...string) ([]*Organization, error) {
@ -319,6 +324,7 @@ func GetDefaultApplication(id string) (*Application, error) {
 		if defaultApplication == nil {
 			return nil, fmt.Errorf("The default application: %s does not exist", organization.DefaultApplication)
 		} else {
 			defaultApplication.Organization = organization.Name
 			return defaultApplication, nil
 		}
 	}
--- a/object/permission_enforcer.go
+++ b/object/permission_enforcer.go
@ -364,7 +364,7 @@ func GetAllActions(userId string) ([]string, error) {
 	res := []string{}
 	for _, enforcer := range enforcers {
-		items := enforcer.GetAllObjects()
+		items := enforcer.GetAllActions()
 		res = append(res, items...)
 	}
 	return res, nil
--- a/object/record.go
+++ b/object/record.go
@ -50,7 +50,7 @@ func maskPassword(recordString string) string {
 }
 func NewRecord(ctx *context.Context) (*casvisorsdk.Record, error) {
-	ip := strings.Replace(util.GetIPFromRequest(ctx.Request), ": ", "", -1)
+	clientIp := strings.Replace(util.GetClientIpFromRequest(ctx.Request), ": ", "", -1)
 	action := strings.Replace(ctx.Request.URL.Path, "/api/", "", -1)
 	requestUri := util.FilterQuery(ctx.Request.RequestURI, []string{"accessToken"})
 	if len(requestUri) > 1000 {
@ -83,7 +83,7 @@ func NewRecord(ctx *context.Context) (*casvisorsdk.Record, error) {
 	record := casvisorsdk.Record{
 		Name:        util.GenerateId(),
 		CreatedTime: util.GetCurrentTime(),
-		ClientIp:    ip,
+		ClientIp:    clientIp,
 		User:        "",
 		Method:      ctx.Request.Method,
 		RequestUri:  requestUri,
--- a/object/resource.go
+++ b/object/resource.go
@ -36,7 +36,7 @@ type Resource struct {
 	FileType    string `xorm:"varchar(100)" json:"fileType"`
 	FileFormat  string `xorm:"varchar(100)" json:"fileFormat"`
 	FileSize    int    `json:"fileSize"`
-	Url         string `xorm:"varchar(255)" json:"url"`
+	Url         string `xorm:"varchar(500)" json:"url"`
 	Description string `xorm:"varchar(255)" json:"description"`
 }
--- a/object/saml_idp.go
+++ b/object/saml_idp.go
@ -26,6 +26,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
 	"strings"
 	"time"
 	"github.com/beevik/etree"
@ -65,7 +66,11 @@ func NewSamlResponse(application *Application, user *User, host string, certific
 	assertion.CreateAttr("IssueInstant", now)
 	assertion.CreateElement("saml:Issuer").SetText(host)
 	subject := assertion.CreateElement("saml:Subject")
-	subject.CreateElement("saml:NameID").SetText(user.Name)
+	nameIDValue := user.Name
 	if application.UseEmailAsSamlNameId {
 		nameIDValue = user.Email
 	}
 	subject.CreateElement("saml:NameID").SetText(nameIDValue)
 	subjectConfirmation := subject.CreateElement("saml:SubjectConfirmation")
 	subjectConfirmation.CreateAttr("Method", "urn:oasis:names:tc:SAML:2.0:cm:bearer")
 	subjectConfirmationData := subjectConfirmation.CreateElement("saml:SubjectConfirmationData")
@ -184,17 +189,17 @@ type NameIDFormat struct {
 }
 type SingleSignOnService struct {
-	XMLName  xml.Name
+	// XMLName  xml.Name
 	Binding  string `xml:"Binding,attr"`
 	Location string `xml:"Location,attr"`
 }
 type Attribute struct {
 	// XMLName      xml.Name
 	Xmlns        string   `xml:"xmlns,attr"`
 	Name         string   `xml:"Name,attr"`
 	NameFormat   string   `xml:"NameFormat,attr"`
 	FriendlyName string   `xml:"FriendlyName,attr"`
 	Xmlns        string   `xml:"xmlns,attr"`
 	Values       []string `xml:"AttributeValue"`
 }
@ -218,10 +223,13 @@ func GetSamlMeta(application *Application, host string, enablePostBinding bool)
 	originFrontend, originBackend := getOriginFromHost(host)
 	idpLocation := ""
 	idpBinding := ""
 	if enablePostBinding {
 		idpLocation = fmt.Sprintf("%s/api/saml/redirect/%s/%s", originBackend, application.Owner, application.Name)
 		idpBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 	} else {
 		idpLocation = fmt.Sprintf("%s/login/saml/authorize/%s/%s", originFrontend, application.Owner, application.Name)
 		idpBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 	}
 	d := IdpEntityDescriptor{
@ -254,7 +262,7 @@ func GetSamlMeta(application *Application, host string, enablePostBinding bool)
 				{Xmlns: "urn:oasis:names:tc:SAML:2.0:assertion", Name: "Name", NameFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", FriendlyName: "Name"},
 			},
 			SingleSignOnService: SingleSignOnService{
-				Binding:  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+				Binding:  idpBinding,
 				Location: idpLocation,
 			},
 			ProtocolSupportEnumeration: "urn:oasis:names:tc:SAML:2.0:protocol",
@ -269,29 +277,38 @@ func GetSamlMeta(application *Application, host string, enablePostBinding bool)
 func GetSamlResponse(application *Application, user *User, samlRequest string, host string) (string, string, string, error) {
 	// request type
 	method := "GET"
-
+	samlRequest = strings.ReplaceAll(samlRequest, " ", "+")
 	// base64 decode
 	defated, err := base64.StdEncoding.DecodeString(samlRequest)
 	if err != nil {
 		return "", "", "", fmt.Errorf("err: Failed to decode SAML request, %s", err.Error())
 	}
-	// decompress
+	var requestByte []byte
 	var buffer bytes.Buffer
 	rdr := flate.NewReader(bytes.NewReader(defated))
-	for {
+	if strings.Contains(string(defated), "xmlns:") {
-		_, err = io.CopyN(&buffer, rdr, 1024)
+		requestByte = defated
-		if err != nil {
+	} else {
-			if err == io.EOF {
+		// decompress
-				break
+		var buffer bytes.Buffer
 		rdr := flate.NewReader(bytes.NewReader(defated))
 		for {
 			_, err = io.CopyN(&buffer, rdr, 1024)
 			if err != nil {
 				if err == io.EOF {
 					break
 				}
 				return "", "", "", err
 			}
 			return "", "", "", err
 		}
 		requestByte = buffer.Bytes()
 	}
 	var authnRequest saml.AuthNRequest
-	err = xml.Unmarshal(buffer.Bytes(), &authnRequest)
+	err = xml.Unmarshal(requestByte, &authnRequest)
 	if err != nil {
 		return "", "", "", fmt.Errorf("err: Failed to unmarshal AuthnRequest, please check the SAML request, %s", err.Error())
 	}
@ -386,7 +403,7 @@ func GetSamlResponse(application *Application, user *User, samlRequest string, h
 }
 // NewSamlResponse11 return a saml1.1 response(not 2.0)
-func NewSamlResponse11(user *User, requestID string, host string) (*etree.Element, error) {
+func NewSamlResponse11(application *Application, user *User, requestID string, host string) (*etree.Element, error) {
 	samlResponse := &etree.Element{
 		Space: "samlp",
 		Tag:   "Response",
@ -430,7 +447,11 @@ func NewSamlResponse11(user *User, requestID string, host string) (*etree.Elemen
 	// nameIdentifier inside subject
 	nameIdentifier := subject.CreateElement("saml:NameIdentifier")
 	// nameIdentifier.CreateAttr("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
-	nameIdentifier.SetText(user.Name)
+	if application.UseEmailAsSamlNameId {
 		nameIdentifier.SetText(user.Email)
 	} else {
 		nameIdentifier.SetText(user.Name)
 	}
 	// subjectConfirmation inside subject
 	subjectConfirmation := subject.CreateElement("saml:SubjectConfirmation")
@ -439,7 +460,11 @@ func NewSamlResponse11(user *User, requestID string, host string) (*etree.Elemen
 	attributeStatement := assertion.CreateElement("saml:AttributeStatement")
 	subjectInAttribute := attributeStatement.CreateElement("saml:Subject")
 	nameIdentifierInAttribute := subjectInAttribute.CreateElement("saml:NameIdentifier")
-	nameIdentifierInAttribute.SetText(user.Name)
+	if application.UseEmailAsSamlNameId {
 		nameIdentifierInAttribute.SetText(user.Email)
 	} else {
 		nameIdentifierInAttribute.SetText(user.Name)
 	}
 	subjectConfirmationInAttribute := subjectInAttribute.CreateElement("saml:SubjectConfirmation")
 	subjectConfirmationInAttribute.CreateElement("saml:ConfirmationMethod").SetText("urn:oasis:names:tc:SAML:1.0:cm:artifact")
--- a/object/storage.go
+++ b/object/storage.go
@ -30,6 +30,13 @@ import (
 var isCloudIntranet bool
 const (
 	ProviderTypeGoogleCloudStorage = "Google Cloud Storage"
 	ProviderTypeTencentCloudCOS    = "Tencent Cloud COS"
 	ProviderTypeAzureBlob          = "Azure Blob"
 	ProviderTypeLocalFileSystem    = "Local File System"
 )
 func init() {
 	isCloudIntranet = conf.GetConfigBool("isCloudIntranet")
 }
@ -80,27 +87,28 @@ func GetUploadFileUrl(provider *Provider, fullFilePath string, hasTimestamp bool
 	objectKey := util.UrlJoin(util.GetUrlPath(provider.Domain), escapedPath)
 	host := ""
-	if provider.Type != "Local File System" {
+	if provider.Type != ProviderTypeLocalFileSystem {
 		// provider.Domain = "https://cdn.casbin.com/casdoor/"
 		host = util.GetUrlHost(provider.Domain)
 	} else {
 		// provider.Domain = "http://localhost:8000" or "https://door.casdoor.com"
 		host = util.UrlJoin(provider.Domain, "/files")
 	}
-	if provider.Type == "Azure Blob" {
+	if provider.Type == ProviderTypeAzureBlob || provider.Type == ProviderTypeGoogleCloudStorage {
 		host = util.UrlJoin(host, provider.Bucket)
 	}
 	fileUrl := ""
 	if host != "" {
-		fileUrl = util.UrlJoin(host, escapePath(objectKey))
+		// fileUrl = util.UrlJoin(host, escapePath(objectKey))
 		fileUrl = util.UrlJoin(host, objectKey)
 	}
-	if fileUrl != "" && hasTimestamp {
+	// if fileUrl != "" && hasTimestamp {
-		fileUrl = fmt.Sprintf("%s?t=%s", fileUrl, util.GetCurrentUnixTime())
+	//	fileUrl = fmt.Sprintf("%s?t=%s", fileUrl, util.GetCurrentUnixTime())
-	}
+	// }
-	if provider.Type == "Tencent Cloud COS" {
+	if provider.Type == ProviderTypeTencentCloudCOS {
 		objectKey = escapePath(objectKey)
 	}
@ -109,7 +117,18 @@ func GetUploadFileUrl(provider *Provider, fullFilePath string, hasTimestamp bool
 func getStorageProvider(provider *Provider, lang string) (oss.StorageInterface, error) {
 	endpoint := getProviderEndpoint(provider)
-	storageProvider, err := storage.GetStorageProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.RegionId, provider.Bucket, endpoint)
+	certificate := ""
 	if provider.Category == "Storage" && provider.Type == "Casdoor" {
 		cert, err := GetCert(util.GetId(provider.Owner, provider.Cert))
 		if err != nil {
 			return nil, err
 		}
 		if cert == nil {
 			return nil, fmt.Errorf("no cert for %s", provider.Cert)
 		}
 		certificate = cert.Certificate
 	}
 	storageProvider, err := storage.GetStorageProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.RegionId, provider.Bucket, endpoint, certificate, provider.Content)
 	if err != nil {
 		return nil, err
 	}
@ -135,17 +154,17 @@ func uploadFile(provider *Provider, fullFilePath string, fileBuffer *bytes.Buffe
 	}
 	fileUrl, objectKey := GetUploadFileUrl(provider, fullFilePath, true)
 	objectKeyRefined := refineObjectKey(provider, objectKey)
-	objectKeyRefined := objectKey
+	object, err := storageProvider.Put(objectKeyRefined, fileBuffer)
 	if provider.Type == "Google Cloud Storage" {
 		objectKeyRefined = strings.TrimPrefix(objectKeyRefined, "/")
 	}
 	_, err = storageProvider.Put(objectKeyRefined, fileBuffer)
 	if err != nil {
 		return "", "", err
 	}
 	if provider.Type == "Casdoor" {
 		fileUrl = object.Path
 	}
 	return fileUrl, objectKey, nil
 }
@ -184,5 +203,13 @@ func DeleteFile(provider *Provider, objectKey string, lang string) error {
 		return err
 	}
-	return storageProvider.Delete(objectKey)
+	objectKeyRefined := refineObjectKey(provider, objectKey)
 	return storageProvider.Delete(objectKeyRefined)
 }
 func refineObjectKey(provider *Provider, objectKey string) string {
 	if provider.Type == ProviderTypeGoogleCloudStorage {
 		return strings.TrimPrefix(objectKey, "/")
 	}
 	return objectKey
 }
--- a/object/token.go
+++ b/object/token.go
@ -102,14 +102,6 @@ func GetTokenByAccessToken(accessToken string) (*Token, error) {
 		return nil, err
 	}
 	if !existed {
 		token = Token{AccessToken: accessToken}
 		existed, err = ormer.Engine.Get(&token)
 		if err != nil {
 			return nil, err
 		}
 	}
 	if !existed {
 		return nil, nil
 	}
@ -123,14 +115,6 @@ func GetTokenByRefreshToken(refreshToken string) (*Token, error) {
 		return nil, err
 	}
 	if !existed {
 		token = Token{RefreshToken: refreshToken}
 		existed, err = ormer.Engine.Get(&token)
 		if err != nil {
 			return nil, err
 		}
 	}
 	if !existed {
 		return nil, nil
 	}
@ -140,6 +124,7 @@ func GetTokenByRefreshToken(refreshToken string) (*Token, error) {
 func GetTokenByTokenValue(tokenValue, tokenTypeHint string) (*Token, error) {
 	switch tokenTypeHint {
 	case "access_token":
 	case "access-token":
 		token, err := GetTokenByAccessToken(tokenValue)
 		if err != nil {
 			return nil, err
@ -148,6 +133,7 @@ func GetTokenByTokenValue(tokenValue, tokenTypeHint string) (*Token, error) {
 			return token, nil
 		}
 	case "refresh_token":
 	case "refresh-token":
 		token, err := GetTokenByRefreshToken(tokenValue)
 		if err != nil {
 			return nil, err
--- a/object/token_cas.go
+++ b/object/token_cas.go
@ -277,12 +277,11 @@ func GetValidationBySaml(samlRequest string, host string) (string, string, error
 	if err != nil {
 		return "", "", err
 	}
 	if application == nil {
 		return "", "", fmt.Errorf("the application for user %s is not found", userId)
 	}
-	samlResponse, err := NewSamlResponse11(user, request.RequestID, host)
+	samlResponse, err := NewSamlResponse11(application, user, request.RequestID, host)
 	if err != nil {
 		return "", "", err
 	}
--- a/object/token_jwt.go
+++ b/object/token_jwt.go
@ -17,6 +17,7 @@ package object
 import (
 	"fmt"
 	"reflect"
 	"strings"
 	"time"
 	"github.com/casdoor/casdoor/util"
@ -128,7 +129,7 @@ type UserWithoutThirdIdp struct {
 	LastSigninWrongTime string `xorm:"varchar(100)" json:"lastSigninWrongTime"`
 	SigninWrongTimes    int    `json:"signinWrongTimes"`
-	// ManagedAccounts []ManagedAccount `xorm:"managedAccounts blob" json:"managedAccounts"`
+	ManagedAccounts []ManagedAccount `xorm:"managedAccounts blob" json:"managedAccounts"`
 }
 type ClaimsShort struct {
@ -254,6 +255,8 @@ func getUserWithoutThirdIdp(user *User) *UserWithoutThirdIdp {
 		LastSigninWrongTime: user.LastSigninWrongTime,
 		SigninWrongTimes:    user.SigninWrongTimes,
 		ManagedAccounts: user.ManagedAccounts,
 	}
 	return res
@ -365,6 +368,10 @@ func generateJwtToken(application *Application, user *User, nonce string, scope
 		},
 	}
 	if application.IsShared {
 		claims.Audience = []string{application.ClientId + "-org-" + user.Owner}
 	}
 	var token *jwt.Token
 	var refreshToken *jwt.Token
@ -372,36 +379,52 @@ func generateJwtToken(application *Application, user *User, nonce string, scope
 		application.TokenFormat = "JWT"
 	}
 	var jwtMethod jwt.SigningMethod
 	if application.TokenSigningMethod == "RS256" {
 		jwtMethod = jwt.SigningMethodRS256
 	} else if application.TokenSigningMethod == "RS512" {
 		jwtMethod = jwt.SigningMethodRS512
 	} else if application.TokenSigningMethod == "ES256" {
 		jwtMethod = jwt.SigningMethodES256
 	} else if application.TokenSigningMethod == "ES512" {
 		jwtMethod = jwt.SigningMethodES512
 	} else if application.TokenSigningMethod == "ES384" {
 		jwtMethod = jwt.SigningMethodES384
 	} else {
 		jwtMethod = jwt.SigningMethodRS256
 	}
 	// the JWT token length in "JWT-Empty" mode will be very short, as User object only has two properties: owner and name
 	if application.TokenFormat == "JWT" {
 		claimsWithoutThirdIdp := getClaimsWithoutThirdIdp(claims)
-		token = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsWithoutThirdIdp)
+		token = jwt.NewWithClaims(jwtMethod, claimsWithoutThirdIdp)
 		claimsWithoutThirdIdp.ExpiresAt = jwt.NewNumericDate(refreshExpireTime)
 		claimsWithoutThirdIdp.TokenType = "refresh-token"
-		refreshToken = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsWithoutThirdIdp)
+		refreshToken = jwt.NewWithClaims(jwtMethod, claimsWithoutThirdIdp)
 	} else if application.TokenFormat == "JWT-Empty" {
 		claimsShort := getShortClaims(claims)
-		token = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsShort)
+		token = jwt.NewWithClaims(jwtMethod, claimsShort)
 		claimsShort.ExpiresAt = jwt.NewNumericDate(refreshExpireTime)
 		claimsShort.TokenType = "refresh-token"
-		refreshToken = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsShort)
+		refreshToken = jwt.NewWithClaims(jwtMethod, claimsShort)
 	} else if application.TokenFormat == "JWT-Custom" {
 		claimsCustom := getClaimsCustom(claims, application.TokenFields)
-		token = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsCustom)
+		token = jwt.NewWithClaims(jwtMethod, claimsCustom)
 		refreshClaims := getClaimsCustom(claims, application.TokenFields)
 		refreshClaims["exp"] = jwt.NewNumericDate(refreshExpireTime)
 		refreshClaims["TokenType"] = "refresh-token"
-		refreshToken = jwt.NewWithClaims(jwt.SigningMethodRS256, refreshClaims)
+		refreshToken = jwt.NewWithClaims(jwtMethod, refreshClaims)
 	} else if application.TokenFormat == "JWT-Standard" {
 		claimsStandard := getStandardClaims(claims)
-		token = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsStandard)
+		token = jwt.NewWithClaims(jwtMethod, claimsStandard)
 		claimsStandard.ExpiresAt = jwt.NewNumericDate(refreshExpireTime)
 		claimsStandard.TokenType = "refresh-token"
-		refreshToken = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsStandard)
+		refreshToken = jwt.NewWithClaims(jwtMethod, claimsStandard)
 	} else {
 		return "", "", "", fmt.Errorf("unknown application TokenFormat: %s", application.TokenFormat)
 	}
@ -419,34 +442,57 @@ func generateJwtToken(application *Application, user *User, nonce string, scope
 		}
 	}
-	// RSA private key
+	var (
-	key, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(cert.PrivateKey))
+		tokenString        string
 		refreshTokenString string
 		key                interface{}
 	)
 	if strings.Contains(application.TokenSigningMethod, "RS") || application.TokenSigningMethod == "" {
 		// RSA private key
 		key, err = jwt.ParseRSAPrivateKeyFromPEM([]byte(cert.PrivateKey))
 	} else if strings.Contains(application.TokenSigningMethod, "ES") {
 		// ES private key
 		key, err = jwt.ParseECPrivateKeyFromPEM([]byte(cert.PrivateKey))
 	} else if strings.Contains(application.TokenSigningMethod, "Ed") {
 		// Ed private key
 		key, err = jwt.ParseEdPrivateKeyFromPEM([]byte(cert.PrivateKey))
 	}
 	if err != nil {
 		return "", "", "", err
 	}
 	token.Header["kid"] = cert.Name
-	tokenString, err := token.SignedString(key)
+	tokenString, err = token.SignedString(key)
 	if err != nil {
 		return "", "", "", err
 	}
-	refreshTokenString, err := refreshToken.SignedString(key)
+	refreshTokenString, err = refreshToken.SignedString(key)
 	return tokenString, refreshTokenString, name, err
 }
 func ParseJwtToken(token string, cert *Cert) (*Claims, error) {
 	t, err := jwt.ParseWithClaims(token, &Claims{}, func(token *jwt.Token) (interface{}, error) {
-		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
+		var (
-			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+			certificate interface{}
-		}
+			err         error
 		)
 		if cert.Certificate == "" {
 			return nil, fmt.Errorf("the certificate field should not be empty for the cert: %v", cert)
 		}
-		// RSA certificate
+		if _, ok := token.Method.(*jwt.SigningMethodRSA); ok {
-		certificate, err := jwt.ParseRSAPublicKeyFromPEM([]byte(cert.Certificate))
+			// RSA certificate
 			certificate, err = jwt.ParseRSAPublicKeyFromPEM([]byte(cert.Certificate))
 		} else if _, ok := token.Method.(*jwt.SigningMethodECDSA); ok {
 			// ES certificate
 			certificate, err = jwt.ParseECPublicKeyFromPEM([]byte(cert.Certificate))
 		} else {
 			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 		}
 		if err != nil {
 			return nil, err
 		}
--- a/object/token_oauth.go
+++ b/object/token_oauth.go
@ -332,6 +332,9 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId
 	if err != nil {
 		return nil, err
 	}
 	if user == nil {
 		return "", fmt.Errorf("The user: %s doesn't exist", util.GetId(application.Organization, token.User))
 	}
 	if user.IsForbidden {
 		return &TokenError{
@ -428,22 +431,26 @@ func GetAuthorizationCodeToken(application *Application, clientSecret string, co
 	if token == nil {
 		return nil, &TokenError{
 			Error:            InvalidGrant,
-			ErrorDescription: "authorization code is invalid",
+			ErrorDescription: fmt.Sprintf("authorization code: [%s] is invalid", code),
 		}, nil
 	}
 	if token.CodeIsUsed {
 		// anti replay attacks
 		return nil, &TokenError{
 			Error:            InvalidGrant,
-			ErrorDescription: "authorization code has been used",
+			ErrorDescription: fmt.Sprintf("authorization code has been used for token: [%s]", token.GetId()),
 		}, nil
 	}
-	if token.CodeChallenge != "" && pkceChallenge(verifier) != token.CodeChallenge {
+	if token.CodeChallenge != "" {
-		return nil, &TokenError{
+		challengeAnswer := pkceChallenge(verifier)
-			Error:            InvalidGrant,
+		if challengeAnswer != token.CodeChallenge {
-			ErrorDescription: "verifier is invalid",
+			return nil, &TokenError{
-		}, nil
+				Error:            InvalidGrant,
 				ErrorDescription: fmt.Sprintf("verifier is invalid, challengeAnswer: [%s], token.CodeChallenge: [%s]", challengeAnswer, token.CodeChallenge),
 			}, nil
 		}
 	}
 	if application.ClientSecret != clientSecret {
@ -452,13 +459,13 @@ func GetAuthorizationCodeToken(application *Application, clientSecret string, co
 		if token.CodeChallenge == "" {
 			return nil, &TokenError{
 				Error:            InvalidClient,
-				ErrorDescription: "client_secret is invalid",
+				ErrorDescription: fmt.Sprintf("client_secret is invalid for application: [%s], token.CodeChallenge: empty", application.GetId()),
 			}, nil
 		} else {
 			if clientSecret != "" {
 				return nil, &TokenError{
 					Error:            InvalidClient,
-					ErrorDescription: "client_secret is invalid",
+					ErrorDescription: fmt.Sprintf("client_secret is invalid for application: [%s], token.CodeChallenge: [%s]", application.GetId(), token.CodeChallenge),
 				}, nil
 			}
 		}
@ -467,15 +474,16 @@ func GetAuthorizationCodeToken(application *Application, clientSecret string, co
 	if application.Name != token.Application {
 		return nil, &TokenError{
 			Error:            InvalidGrant,
-			ErrorDescription: "the token is for wrong application (client_id)",
+			ErrorDescription: fmt.Sprintf("the token is for wrong application (client_id), application.Name: [%s], token.Application: [%s]", application.Name, token.Application),
 		}, nil
 	}
-	if time.Now().Unix() > token.CodeExpireIn {
+	nowUnix := time.Now().Unix()
 	if nowUnix > token.CodeExpireIn {
 		// code must be used within 5 minutes
 		return nil, &TokenError{
 			Error:            InvalidGrant,
-			ErrorDescription: "authorization code has expired",
+			ErrorDescription: fmt.Sprintf("authorization code has expired, nowUnix: [%s], token.CodeExpireIn: [%s]", time.Unix(nowUnix, 0).Format(time.RFC3339), time.Unix(token.CodeExpireIn, 0).Format(time.RFC3339)),
 		}, nil
 	}
 	return token, nil, nil
--- a/object/token_standard_jwt.go
+++ b/object/token_standard_jwt.go
@ -18,16 +18,20 @@ import (
 	"fmt"
 	"strings"
 	"github.com/casdoor/casdoor/util"
 	"github.com/golang-jwt/jwt/v4"
 )
 type ClaimsStandard struct {
 	*UserShort
-	Gender    string      `json:"gender,omitempty"`
+	EmailVerified       bool        `json:"email_verified,omitempty"`
-	TokenType string      `json:"tokenType,omitempty"`
+	PhoneNumber         string      `json:"phone_number,omitempty"`
-	Nonce     string      `json:"nonce,omitempty"`
+	PhoneNumberVerified bool        `json:"phone_number_verified,omitempty"`
-	Scope     string      `json:"scope,omitempty"`
+	Gender              string      `json:"gender,omitempty"`
-	Address   OIDCAddress `json:"address,omitempty"`
+	TokenType           string      `json:"tokenType,omitempty"`
 	Nonce               string      `json:"nonce,omitempty"`
 	Scope               string      `json:"scope,omitempty"`
 	Address             OIDCAddress `json:"address,omitempty"`
 	jwt.RegisteredClaims
 }
@ -43,12 +47,14 @@ func getStreetAddress(user *User) string {
 func getStandardClaims(claims Claims) ClaimsStandard {
 	res := ClaimsStandard{
 		UserShort:        getShortUser(claims.User),
 		EmailVerified:    claims.User.EmailVerified,
 		TokenType:        claims.TokenType,
 		Nonce:            claims.Nonce,
 		Scope:            claims.Scope,
 		RegisteredClaims: claims.RegisteredClaims,
 	}
 	res.Phone = ""
 	var scopes []string
 	if strings.Contains(claims.Scope, ",") {
@ -62,6 +68,15 @@ func getStandardClaims(claims Claims) ClaimsStandard {
 			res.Address = OIDCAddress{StreetAddress: getStreetAddress(claims.User)}
 		} else if scope == "profile" {
 			res.Gender = claims.User.Gender
 		} else if scope == "phone" && claims.User.Phone != "" {
 			res.PhoneNumberVerified = true
 			phoneNumber, ok := util.GetE164Number(claims.User.Phone, claims.User.CountryCode)
 			if !ok {
 				res.PhoneNumberVerified = false
 			} else {
 				res.PhoneNumber = phoneNumber
 			}
 		}
 	}
--- a/object/user.go
+++ b/object/user.go
@ -200,12 +200,14 @@ type User struct {
 	Permissions []*Permission `json:"permissions"`
 	Groups      []string      `xorm:"groups varchar(1000)" json:"groups"`
-	LastSigninWrongTime string `xorm:"varchar(100)" json:"lastSigninWrongTime"`
+	LastChangePasswordTime string `xorm:"varchar(100)" json:"lastChangePasswordTime"`
-	SigninWrongTimes    int    `json:"signinWrongTimes"`
+	LastSigninWrongTime    string `xorm:"varchar(100)" json:"lastSigninWrongTime"`
 	SigninWrongTimes       int    `json:"signinWrongTimes"`
 	ManagedAccounts    []ManagedAccount `xorm:"managedAccounts blob" json:"managedAccounts"`
 	MfaAccounts        []MfaAccount     `xorm:"mfaAccounts blob" json:"mfaAccounts"`
 	NeedUpdatePassword bool             `json:"needUpdatePassword"`
 	IpWhitelist        string           `xorm:"varchar(200)" json:"ipWhitelist"`
 }
 type Userinfo struct {
@ -689,14 +691,14 @@ func UpdateUser(id string, user *User, columns []string, isAdmin bool) (bool, er
 			"owner", "display_name", "avatar", "first_name", "last_name",
 			"location", "address", "country_code", "region", "language", "affiliation", "title", "id_card_type", "id_card", "homepage", "bio", "tag", "language", "gender", "birthday", "education", "score", "karma", "ranking", "signup_application",
 			"is_admin", "is_forbidden", "is_deleted", "hash", "is_default_avatar", "properties", "webauthnCredentials", "managedAccounts", "face_ids", "mfaAccounts",
-			"signin_wrong_times", "last_signin_wrong_time", "groups", "access_key", "access_secret", "mfa_phone_enabled", "mfa_email_enabled",
+			"signin_wrong_times", "last_change_password_time", "last_signin_wrong_time", "groups", "access_key", "access_secret", "mfa_phone_enabled", "mfa_email_enabled",
 			"github", "google", "qq", "wechat", "facebook", "dingtalk", "weibo", "gitee", "linkedin", "wecom", "lark", "gitlab", "adfs",
 			"baidu", "alipay", "casdoor", "infoflow", "apple", "azuread", "azureadb2c", "slack", "steam", "bilibili", "okta", "douyin", "line", "amazon",
 			"auth0", "battlenet", "bitbucket", "box", "cloudfoundry", "dailymotion", "deezer", "digitalocean", "discord", "dropbox",
 			"eveonline", "fitbit", "gitea", "heroku", "influxcloud", "instagram", "intercom", "kakao", "lastfm", "mailru", "meetup",
 			"microsoftonline", "naver", "nextcloud", "onedrive", "oura", "patreon", "paypal", "salesforce", "shopify", "soundcloud",
 			"spotify", "strava", "stripe", "type", "tiktok", "tumblr", "twitch", "twitter", "typetalk", "uber", "vk", "wepay", "xero", "yahoo",
-			"yammer", "yandex", "zoom", "custom", "need_update_password",
+			"yammer", "yandex", "zoom", "custom", "need_update_password", "ip_whitelist",
 		}
 	}
 	if isAdmin {
@ -815,6 +817,10 @@ func AddUser(user *User) (bool, error) {
 		user.UpdateUserPassword(organization)
 	}
 	if user.CreatedTime == "" {
 		user.CreatedTime = util.GetCurrentTime()
 	}
 	err = user.UpdateUserHash()
 	if err != nil {
 		return false, err
@ -950,7 +956,17 @@ func DeleteUser(user *User) (bool, error) {
 		return false, err
 	}
-	return deleteUser(user)
+	organization, err := GetOrganizationByUser(user)
 	if err != nil {
 		return false, err
 	}
 	if organization != nil && organization.EnableSoftDeletion {
 		user.IsDeleted = true
 		user.DeletedTime = util.GetCurrentTime()
 		return UpdateUser(user.GetId(), user, []string{"is_deleted", "deleted_time"}, false)
 	} else {
 		return deleteUser(user)
 	}
 }
 func GetUserInfo(user *User, scope string, aud string, host string) (*Userinfo, error) {
@ -1138,7 +1154,7 @@ func (user *User) IsApplicationAdmin(application *Application) bool {
 		return false
 	}
-	return (user.Owner == application.Organization && user.IsAdmin) || user.IsGlobalAdmin()
+	return (user.Owner == application.Organization && user.IsAdmin) || user.IsGlobalAdmin() || (user.IsAdmin && application.IsShared)
 }
 func (user *User) IsGlobalAdmin() bool {
--- a/object/user_util.go
+++ b/object/user_util.go
@ -271,113 +271,213 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, lang str
 	if oldUser.Owner != newUser.Owner {
 		item := GetAccountItemByName("Organization", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Owner = oldUser.Owner
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Name != newUser.Name {
 		item := GetAccountItemByName("Name", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Name = oldUser.Name
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Id != newUser.Id {
 		item := GetAccountItemByName("ID", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Id = oldUser.Id
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.DisplayName != newUser.DisplayName {
 		item := GetAccountItemByName("Display name", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.DisplayName = oldUser.DisplayName
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Avatar != newUser.Avatar {
 		item := GetAccountItemByName("Avatar", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Avatar = oldUser.Avatar
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Type != newUser.Type {
 		item := GetAccountItemByName("User type", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Type = oldUser.Type
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	// The password is *** when not modified
 	if oldUser.Password != newUser.Password && newUser.Password != "***" {
 		item := GetAccountItemByName("Password", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Password = oldUser.Password
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Email != newUser.Email {
 		item := GetAccountItemByName("Email", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Email = oldUser.Email
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Phone != newUser.Phone {
 		item := GetAccountItemByName("Phone", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Phone = oldUser.Phone
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.CountryCode != newUser.CountryCode {
 		item := GetAccountItemByName("Country code", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.CountryCode = oldUser.CountryCode
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Region != newUser.Region {
 		item := GetAccountItemByName("Country/Region", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Region = oldUser.Region
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Location != newUser.Location {
 		item := GetAccountItemByName("Location", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Location = oldUser.Location
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Affiliation != newUser.Affiliation {
 		item := GetAccountItemByName("Affiliation", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Affiliation = oldUser.Affiliation
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Title != newUser.Title {
 		item := GetAccountItemByName("Title", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Title = oldUser.Title
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Homepage != newUser.Homepage {
 		item := GetAccountItemByName("Homepage", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Homepage = oldUser.Homepage
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Bio != newUser.Bio {
 		item := GetAccountItemByName("Bio", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Bio = oldUser.Bio
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Tag != newUser.Tag {
 		item := GetAccountItemByName("Tag", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Tag = oldUser.Tag
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.SignupApplication != newUser.SignupApplication {
 		item := GetAccountItemByName("Signup application", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.SignupApplication = oldUser.SignupApplication
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Gender != newUser.Gender {
 		item := GetAccountItemByName("Gender", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Gender = oldUser.Gender
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Birthday != newUser.Birthday {
 		item := GetAccountItemByName("Birthday", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Birthday = oldUser.Birthday
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Education != newUser.Education {
 		item := GetAccountItemByName("Education", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Education = oldUser.Education
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.IdCard != newUser.IdCard {
 		item := GetAccountItemByName("ID card", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.IdCard = oldUser.IdCard
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.IdCardType != newUser.IdCardType {
 		item := GetAccountItemByName("ID card type", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.IdCardType = oldUser.IdCardType
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	oldUserPropertiesJson, _ := json.Marshal(oldUser.Properties)
 	newUserPropertiesJson, _ := json.Marshal(newUser.Properties)
 	if string(oldUserPropertiesJson) != string(newUserPropertiesJson) {
 		item := GetAccountItemByName("Properties", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Properties = oldUser.Properties
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.PreferredMfaType != newUser.PreferredMfaType {
 		item := GetAccountItemByName("Multi-factor authentication", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.PreferredMfaType = oldUser.PreferredMfaType
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Groups == nil {
@ -390,7 +490,11 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, lang str
 	newUserGroupsJson, _ := json.Marshal(newUser.Groups)
 	if string(oldUserGroupsJson) != string(newUserGroupsJson) {
 		item := GetAccountItemByName("Groups", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Groups = oldUser.Groups
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Address == nil {
@ -404,65 +508,125 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, lang str
 	newUserAddressJson, _ := json.Marshal(newUser.Address)
 	if string(oldUserAddressJson) != string(newUserAddressJson) {
 		item := GetAccountItemByName("Address", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Address = oldUser.Address
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if newUser.FaceIds != nil {
 		item := GetAccountItemByName("Face ID", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.FaceIds = oldUser.FaceIds
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.IsAdmin != newUser.IsAdmin {
 		item := GetAccountItemByName("Is admin", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.IsAdmin = oldUser.IsAdmin
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.IsForbidden != newUser.IsForbidden {
 		item := GetAccountItemByName("Is forbidden", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.IsForbidden = oldUser.IsForbidden
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.IsDeleted != newUser.IsDeleted {
 		item := GetAccountItemByName("Is deleted", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.IsDeleted = oldUser.IsDeleted
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.NeedUpdatePassword != newUser.NeedUpdatePassword {
 		item := GetAccountItemByName("Need update password", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.NeedUpdatePassword = oldUser.NeedUpdatePassword
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.IpWhitelist != newUser.IpWhitelist {
 		item := GetAccountItemByName("IP whitelist", organization)
 		if item == nil {
 			newUser.IpWhitelist = oldUser.IpWhitelist
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Balance != newUser.Balance {
 		item := GetAccountItemByName("Balance", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Balance = oldUser.Balance
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Score != newUser.Score {
 		item := GetAccountItemByName("Score", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Score = oldUser.Score
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Karma != newUser.Karma {
 		item := GetAccountItemByName("Karma", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Karma = oldUser.Karma
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Language != newUser.Language {
 		item := GetAccountItemByName("Language", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Language = oldUser.Language
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Ranking != newUser.Ranking {
 		item := GetAccountItemByName("Ranking", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Ranking = oldUser.Ranking
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Currency != newUser.Currency {
 		item := GetAccountItemByName("Currency", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Currency = oldUser.Currency
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	if oldUser.Hash != newUser.Hash {
 		item := GetAccountItemByName("Hash", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
 			newUser.Hash = oldUser.Hash
 		} else {
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
 	for _, accountItem := range itemsChanged {
--- a/object/verification.go
+++ b/object/verification.go
@ -166,19 +166,76 @@ func AddToVerificationRecord(user *User, provider *Provider, remoteAddr, recordT
 	return nil
 }
 func filterRecordIn24Hours(record *VerificationRecord) *VerificationRecord {
 	if record == nil {
 		return nil
 	}
 	now := time.Now().Unix()
 	if now-record.Time > 60*60*24 {
 		return nil
 	}
 	return record
 }
 func getVerificationRecord(dest string) (*VerificationRecord, error) {
-	var record VerificationRecord
+	record := &VerificationRecord{}
 	record.Receiver = dest
-	has, err := ormer.Engine.Desc("time").Where("is_used = false").Get(&record)
+	has, err := ormer.Engine.Desc("time").Where("is_used = false").Get(record)
 	if err != nil {
 		return nil, err
 	}
 	record = filterRecordIn24Hours(record)
 	if record == nil {
 		has = false
 	}
 	if !has {
 		record = &VerificationRecord{}
 		record.Receiver = dest
 		has, err = ormer.Engine.Desc("time").Get(record)
 		if err != nil {
 			return nil, err
 		}
 		record = filterRecordIn24Hours(record)
 		if record == nil {
 			has = false
 		}
 		if !has {
 			return nil, nil
 		}
 		return record, nil
 	}
 	return record, nil
 }
 func getUnusedVerificationRecord(dest string) (*VerificationRecord, error) {
 	record := &VerificationRecord{}
 	record.Receiver = dest
 	has, err := ormer.Engine.Desc("time").Where("is_used = false").Get(record)
 	if err != nil {
 		return nil, err
 	}
 	record = filterRecordIn24Hours(record)
 	if record == nil {
 		has = false
 	}
 	if !has {
 		return nil, nil
 	}
-	return &record, nil
+	return record, nil
 }
 func CheckVerificationCode(dest string, code string, lang string) (*VerifyResult, error) {
@ -187,7 +244,9 @@ func CheckVerificationCode(dest string, code string, lang string) (*VerifyResult
 		return nil, err
 	}
 	if record == nil {
-		return &VerifyResult{noRecordError, i18n.Translate(lang, "verification:The verification code has not been sent yet, or has already been used!")}, nil
+		return &VerifyResult{noRecordError, i18n.Translate(lang, "verification:The verification code has not been sent yet!")}, nil
 	} else if record.IsUsed {
 		return &VerifyResult{noRecordError, i18n.Translate(lang, "verification:The verification code has already been used!")}, nil
 	}
 	timeoutInMinutes, err := conf.GetConfigInt64("verificationCodeTimeout")
@ -196,9 +255,6 @@ func CheckVerificationCode(dest string, code string, lang string) (*VerifyResult
 	}
 	now := time.Now().Unix()
 	if now-record.Time > timeoutInMinutes*60*10 {
 		return &VerifyResult{noRecordError, i18n.Translate(lang, "verification:The verification code has not been sent yet!")}, nil
 	}
 	if now-record.Time > timeoutInMinutes*60 {
 		return &VerifyResult{timeoutError, fmt.Sprintf(i18n.Translate(lang, "verification:You should verify your code in %d min!"), timeoutInMinutes)}, nil
 	}
@ -211,7 +267,7 @@ func CheckVerificationCode(dest string, code string, lang string) (*VerifyResult
 }
 func DisableVerificationCode(dest string) error {
-	record, err := getVerificationRecord(dest)
+	record, err := getUnusedVerificationRecord(dest)
 	if record == nil || err != nil {
 		return nil
 	}
--- a/routers/authz_filter.go
+++ b/routers/authz_filter.go
@ -56,7 +56,7 @@ func getSubject(ctx *context.Context) (string, string) {
 	return util.GetOwnerAndNameFromId(username)
 }
-func getObject(ctx *context.Context) (string, string) {
+func getObject(ctx *context.Context) (string, string, error) {
 	method := ctx.Request.Method
 	path := ctx.Request.URL.Path
@ -65,13 +65,13 @@ func getObject(ctx *context.Context) (string, string) {
 			if ctx.Input.Query("id") == "/" {
 				adapterId := ctx.Input.Query("adapterId")
 				if adapterId != "" {
-					return util.GetOwnerAndNameFromIdNoCheck(adapterId)
+					return util.GetOwnerAndNameFromIdWithError(adapterId)
 				}
 			} else {
 				// query == "?id=built-in/admin"
 				id := ctx.Input.Query("id")
 				if id != "" {
-					return util.GetOwnerAndNameFromIdNoCheck(id)
+					return util.GetOwnerAndNameFromIdWithError(id)
 				}
 			}
 		}
@ -80,34 +80,34 @@ func getObject(ctx *context.Context) (string, string) {
 			// query == "?id=built-in/admin"
 			id := ctx.Input.Query("id")
 			if id != "" {
-				return util.GetOwnerAndNameFromIdNoCheck(id)
+				return util.GetOwnerAndNameFromIdWithError(id)
 			}
 		}
 		owner := ctx.Input.Query("owner")
 		if owner != "" {
-			return owner, ""
+			return owner, "", nil
 		}
-		return "", ""
+		return "", "", nil
 	} else {
 		if path == "/api/add-policy" || path == "/api/remove-policy" || path == "/api/update-policy" {
 			id := ctx.Input.Query("id")
 			if id != "" {
-				return util.GetOwnerAndNameFromIdNoCheck(id)
+				return util.GetOwnerAndNameFromIdWithError(id)
 			}
 		}
 		body := ctx.Input.RequestBody
 		if len(body) == 0 {
-			return ctx.Request.Form.Get("owner"), ctx.Request.Form.Get("name")
+			return ctx.Request.Form.Get("owner"), ctx.Request.Form.Get("name"), nil
 		}
 		var obj Object
 		err := json.Unmarshal(body, &obj)
 		if err != nil {
-			// panic(err)
+			// this is not error
-			return "", ""
+			return "", "", nil
 		}
 		if path == "/api/delete-resource" {
@ -117,7 +117,7 @@ func getObject(ctx *context.Context) (string, string) {
 			}
 		}
-		return obj.Owner, obj.Name
+		return obj.Owner, obj.Name, nil
 	}
 }
@ -183,7 +183,12 @@ func ApiFilter(ctx *context.Context) {
 	objOwner, objName := "", ""
 	if urlPath != "/api/get-app-login" && urlPath != "/api/get-resource" {
-		objOwner, objName = getObject(ctx)
+		var err error
 		objOwner, objName, err = getObject(ctx)
 		if err != nil {
 			responseError(ctx, err.Error())
 			return
 		}
 	}
 	if strings.HasPrefix(urlPath, "/api/notify-payment") {
--- a/routers/auto_signin_filter.go
+++ b/routers/auto_signin_filter.go
@ -16,6 +16,7 @@ package routers
 import (
 	"fmt"
 	"strings"
 	"github.com/beego/beego/context"
 	"github.com/casdoor/casdoor/object"
@ -23,6 +24,10 @@ import (
 )
 func AutoSigninFilter(ctx *context.Context) {
 	urlPath := ctx.Request.URL.Path
 	if strings.HasPrefix(urlPath, "/api/login/oauth/access_token") {
 		return
 	}
 	//if getSessionUser(ctx) != "" {
 	//	return
 	//}
@ -67,6 +72,17 @@ func AutoSigninFilter(ctx *context.Context) {
 		return
 	}
 	accessKey := ctx.Input.Query("accessKey")
 	accessSecret := ctx.Input.Query("accessSecret")
 	if accessKey != "" && accessSecret != "" {
 		userId, err := getUsernameByKeys(ctx)
 		if err != nil {
 			responseError(ctx, err.Error())
 		}
 		setSessionUser(ctx, userId)
 	}
 	// "/page?clientId=123&clientSecret=456"
 	userId, err := getUsernameByClientIdSecret(ctx)
 	if err != nil {
--- a/routers/base.go
+++ b/routers/base.go
@ -21,7 +21,6 @@ import (
 	"strings"
 	"github.com/beego/beego/context"
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/object"
@ -126,7 +125,7 @@ func setSessionUser(ctx *context.Context, user string) {
 	}
 	// https://github.com/beego/beego/issues/3445#issuecomment-455411915
-	ctx.Input.CruSession.SessionReleaseIfPresent(ctx.ResponseWriter)
+	ctx.Input.CruSession.SessionRelease(ctx.ResponseWriter)
 }
 func setSessionExpire(ctx *context.Context, ExpireTime int64) {
@ -135,7 +134,7 @@ func setSessionExpire(ctx *context.Context, ExpireTime int64) {
 	if err != nil {
 		panic(err)
 	}
-	ctx.Input.CruSession.SessionReleaseIfPresent(ctx.ResponseWriter)
+	ctx.Input.CruSession.SessionRelease(ctx.ResponseWriter)
 }
 func setSessionOidc(ctx *context.Context, scope string, aud string) {
@ -147,7 +146,7 @@ func setSessionOidc(ctx *context.Context, scope string, aud string) {
 	if err != nil {
 		panic(err)
 	}
-	ctx.Input.CruSession.SessionReleaseIfPresent(ctx.ResponseWriter)
+	ctx.Input.CruSession.SessionRelease(ctx.ResponseWriter)
 }
 func parseBearerToken(ctx *context.Context) string {
--- a/routers/cors_filter.go
+++ b/routers/cors_filter.go
@ -16,11 +16,11 @@ package routers
 import (
 	"net/http"
 	"strings"
 	"github.com/beego/beego/context"
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
 const (
@ -48,7 +48,17 @@ func CorsFilter(ctx *context.Context) {
 	originHostname := getHostname(origin)
 	host := removePort(ctx.Request.Host)
-	if strings.HasPrefix(origin, "http://localhost") || strings.HasPrefix(origin, "https://localhost") || strings.HasPrefix(origin, "http://127.0.0.1") || strings.HasPrefix(origin, "http://casdoor-app") || strings.Contains(origin, ".chromiumapp.org") {
+	if origin == "null" {
 		origin = ""
 	}
 	isValid, err := util.IsValidOrigin(origin)
 	if err != nil {
 		ctx.ResponseWriter.WriteHeader(http.StatusForbidden)
 		responseError(ctx, err.Error())
 		return
 	}
 	if isValid {
 		setCorsHeaders(ctx, origin)
 		return
 	}
--- a/routers/router.go
+++ b/routers/router.go
@ -174,6 +174,8 @@ func initAPI() {
 	beego.Router("/api/get-all-actions", &controllers.ApiController{}, "GET:GetAllActions")
 	beego.Router("/api/get-all-roles", &controllers.ApiController{}, "GET:GetAllRoles")
 	beego.Router("/api/run-casbin-command", &controllers.ApiController{}, "GET:RunCasbinCommand")
 	beego.Router("/api/get-sessions", &controllers.ApiController{}, "GET:GetSessions")
 	beego.Router("/api/get-session", &controllers.ApiController{}, "GET:GetSingleSession")
 	beego.Router("/api/update-session", &controllers.ApiController{}, "POST:UpdateSession")
@ -290,6 +292,7 @@ func initAPI() {
 	beego.Router("/.well-known/openid-configuration", &controllers.RootController{}, "GET:GetOidcDiscovery")
 	beego.Router("/.well-known/jwks", &controllers.RootController{}, "*:GetJwks")
 	beego.Router("/.well-known/webfinger", &controllers.RootController{}, "GET:GetWebFinger")
 	beego.Router("/cas/:organization/:application/serviceValidate", &controllers.RootController{}, "GET:CasServiceValidate")
 	beego.Router("/cas/:organization/:application/proxyValidate", &controllers.RootController{}, "GET:CasProxyValidate")
--- a/routers/static_filter.go
+++ b/routers/static_filter.go
@ -43,6 +43,10 @@ func getWebBuildFolder() string {
 		return path
 	}
 	if util.FileExist(filepath.Join(frontendBaseDir, "index.html")) {
 		return frontendBaseDir
 	}
 	path = filepath.Join(frontendBaseDir, "web/build")
 	return path
 }
@ -58,7 +62,7 @@ func fastAutoSignin(ctx *context.Context) (string, error) {
 	redirectUri := ctx.Input.Query("redirect_uri")
 	scope := ctx.Input.Query("scope")
 	state := ctx.Input.Query("state")
-	nonce := ""
+	nonce := ctx.Input.Query("nonce")
 	codeChallenge := ctx.Input.Query("code_challenge")
 	if clientId == "" || responseType != "code" || redirectUri == "" {
 		return "", nil
--- a/routers/timeout_filter.go
+++ b/routers/timeout_filter.go
@ -0,0 +1,64 @@
 // Copyright 2024 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package routers
 import (
 	"fmt"
 	"sync"
 	"time"
 	"github.com/beego/beego/context"
 	"github.com/casdoor/casdoor/conf"
 )
 var (
 	inactiveTimeoutMinutes int64
 	requestTimeMap         sync.Map
 )
 func init() {
 	var err error
 	inactiveTimeoutMinutes, err = conf.GetConfigInt64("inactiveTimeoutMinutes")
 	if err != nil {
 		inactiveTimeoutMinutes = 0
 	}
 }
 func timeoutLogout(ctx *context.Context, sessionId string) {
 	requestTimeMap.Delete(sessionId)
 	ctx.Input.CruSession.Set("username", "")
 	ctx.Input.CruSession.Set("accessToken", "")
 	ctx.Input.CruSession.Delete("SessionData")
 	responseError(ctx, fmt.Sprintf(T(ctx, "auth:Timeout for inactivity of %d minutes"), inactiveTimeoutMinutes))
 }
 func TimeoutFilter(ctx *context.Context) {
 	if inactiveTimeoutMinutes <= 0 {
 		return
 	}
 	owner, name := getSubject(ctx)
 	if owner == "anonymous" || name == "anonymous" {
 		return
 	}
 	sessionId := ctx.Input.CruSession.SessionID()
 	currentTime := time.Now()
 	preRequestTime, has := requestTimeMap.Load(sessionId)
 	requestTimeMap.Store(sessionId, currentTime)
 	if has && preRequestTime.(time.Time).Add(time.Minute*time.Duration(inactiveTimeoutMinutes)).Before(currentTime) {
 		timeoutLogout(ctx, sessionId)
 	}
 }
--- a/storage/casdoor.go
+++ b/storage/casdoor.go
@ -0,0 +1,19 @@
 package storage
 import (
 	"github.com/casdoor/oss"
 	"github.com/casdoor/oss/casdoor"
 )
 func NewCasdoorStorageProvider(providerType string, clientId string, clientSecret string, region string, bucket string, endpoint string, cert string, content string) oss.StorageInterface {
 	sp := casdoor.New(&casdoor.Config{
 		clientId,
 		clientSecret,
 		endpoint,
 		cert,
 		region,
 		content,
 		bucket,
 	})
 	return sp
 }
--- a/storage/storage.go
+++ b/storage/storage.go
@ -16,7 +16,7 @@ package storage
 import "github.com/casdoor/oss"
-func GetStorageProvider(providerType string, clientId string, clientSecret string, region string, bucket string, endpoint string) (oss.StorageInterface, error) {
+func GetStorageProvider(providerType string, clientId string, clientSecret string, region string, bucket string, endpoint string, cert string, content string) (oss.StorageInterface, error) {
 	switch providerType {
 	case "Local File System":
 		return NewLocalFileSystemStorageProvider(), nil
@ -36,6 +36,8 @@ func GetStorageProvider(providerType string, clientId string, clientSecret strin
 		return NewGoogleCloudStorageProvider(clientSecret, bucket, endpoint), nil
 	case "Synology":
 		return NewSynologyNasStorageProvider(clientId, clientSecret, endpoint), nil
 	case "Casdoor":
 		return NewCasdoorStorageProvider(providerType, clientId, clientSecret, region, bucket, endpoint, cert, content), nil
 	}
 	return nil, nil
--- a/util/log.go
+++ b/util/log.go
@ -23,50 +23,50 @@ import (
 	"github.com/beego/beego/logs"
 )
-func GetIPInfo(clientIP string) string {
+func getIpInfo(clientIp string) string {
-	if clientIP == "" {
+	if clientIp == "" {
 		return ""
 	}
-	ips := strings.Split(clientIP, ",")
+	ips := strings.Split(clientIp, ",")
-	res := ""
+	res := strings.TrimSpace(ips[0])
-	for i := range ips {
+	//res := ""
-		ip := strings.TrimSpace(ips[i])
+	//for i := range ips {
-		// desc := GetDescFromIP(ip)
+	//	ip := strings.TrimSpace(ips[i])
-		ipstr := fmt.Sprintf("%s: %s", ip, "")
+	//	ipstr := fmt.Sprintf("%s: %s", ip, "")
-		if i != len(ips)-1 {
+	//	if i != len(ips)-1 {
-			res += ipstr + " -> "
+	//		res += ipstr + " -> "
-		} else {
+	//	} else {
-			res += ipstr
+	//		res += ipstr
-		}
+	//	}
-	}
+	//}
 	return res
 }
-func GetIPFromRequest(req *http.Request) string {
+func GetClientIpFromRequest(req *http.Request) string {
-	clientIP := req.Header.Get("x-forwarded-for")
+	clientIp := req.Header.Get("x-forwarded-for")
-	if clientIP == "" {
+	if clientIp == "" {
 		ipPort := strings.Split(req.RemoteAddr, ":")
 		if len(ipPort) >= 1 && len(ipPort) <= 2 {
-			clientIP = ipPort[0]
+			clientIp = ipPort[0]
 		} else if len(ipPort) > 2 {
 			idx := strings.LastIndex(req.RemoteAddr, ":")
-			clientIP = req.RemoteAddr[0:idx]
+			clientIp = req.RemoteAddr[0:idx]
-			clientIP = strings.TrimLeft(clientIP, "[")
+			clientIp = strings.TrimLeft(clientIp, "[")
-			clientIP = strings.TrimRight(clientIP, "]")
+			clientIp = strings.TrimRight(clientIp, "]")
 		}
 	}
-	return GetIPInfo(clientIP)
+	return getIpInfo(clientIp)
 }
 func LogInfo(ctx *context.Context, f string, v ...interface{}) {
-	ipString := fmt.Sprintf("(%s) ", GetIPFromRequest(ctx.Request))
+	ipString := fmt.Sprintf("(%s) ", GetClientIpFromRequest(ctx.Request))
 	logs.Info(ipString+f, v...)
 }
 func LogWarning(ctx *context.Context, f string, v ...interface{}) {
-	ipString := fmt.Sprintf("(%s) ", GetIPFromRequest(ctx.Request))
+	ipString := fmt.Sprintf("(%s) ", GetClientIpFromRequest(ctx.Request))
 	logs.Warning(ipString+f, v...)
 }
--- a/util/obfuscator.go
+++ b/util/obfuscator.go
@ -0,0 +1,76 @@
 // Copyright 2024 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package util
 import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/des"
 	"encoding/hex"
 	"fmt"
 )
 func unPaddingPkcs7(s []byte) []byte {
 	length := len(s)
 	if length == 0 {
 		return s
 	}
 	unPadding := int(s[length-1])
 	return s[:(length - unPadding)]
 }
 func decryptDesOrAes(passwordCipher string, block cipher.Block) (string, error) {
 	passwordCipherBytes, err := hex.DecodeString(passwordCipher)
 	if err != nil {
 		return "", err
 	}
 	if len(passwordCipherBytes) < block.BlockSize() {
 		return "", fmt.Errorf("the password ciphertext should contain a random hexadecimal string of length %d at the beginning", block.BlockSize()*2)
 	}
 	iv := passwordCipherBytes[:block.BlockSize()]
 	password := make([]byte, len(passwordCipherBytes)-block.BlockSize())
 	mode := cipher.NewCBCDecrypter(block, iv)
 	mode.CryptBlocks(password, passwordCipherBytes[block.BlockSize():])
 	return string(unPaddingPkcs7(password)), nil
 }
 func GetUnobfuscatedPassword(passwordObfuscatorType string, passwordObfuscatorKey string, passwordCipher string) (string, error) {
 	if passwordObfuscatorType == "Plain" || passwordObfuscatorType == "" {
 		return passwordCipher, nil
 	} else if passwordObfuscatorType == "DES" || passwordObfuscatorType == "AES" {
 		key, err := hex.DecodeString(passwordObfuscatorKey)
 		if err != nil {
 			return "", err
 		}
 		var block cipher.Block
 		if passwordObfuscatorType == "DES" {
 			block, err = des.NewCipher(key)
 		} else {
 			block, err = aes.NewCipher(key)
 		}
 		if err != nil {
 			return "", err
 		}
 		return decryptDesOrAes(passwordCipher, block)
 	} else {
 		return "", fmt.Errorf("unsupported password obfuscator type: %s", passwordObfuscatorType)
 	}
 }
--- a/util/string.go
+++ b/util/string.go
@ -131,6 +131,15 @@ func GetOwnerAndNameFromId(id string) (string, string) {
 	return tokens[0], tokens[1]
 }
 func GetOwnerAndNameFromIdWithError(id string) (string, string, error) {
 	tokens := strings.Split(id, "/")
 	if len(tokens) != 2 {
 		return "", "", errors.New("GetOwnerAndNameFromId() error, wrong token count for ID: " + id)
 	}
 	return tokens[0], tokens[1], nil
 }
 func GetOwnerFromId(id string) string {
 	tokens := strings.Split(id, "/")
 	if len(tokens) != 2 {
@ -154,6 +163,16 @@ func GetOwnerAndNameAndOtherFromId(id string) (string, string, string) {
 	return tokens[0], tokens[1], tokens[2]
 }
 func GetSharedOrgFromApp(rawName string) (name string, organization string) {
 	name = rawName
 	splitName := strings.Split(rawName, "-org-")
 	if len(splitName) >= 2 {
 		organization = splitName[len(splitName)-1]
 		name = splitName[0]
 	}
 	return name, organization
 }
 func GenerateId() string {
 	return uuid.NewString()
 }
--- a/util/validation.go
+++ b/util/validation.go
@ -17,6 +17,7 @@ package util
 import (
 	"fmt"
 	"net/mail"
 	"net/url"
 	"regexp"
 	"strings"
@ -24,10 +25,11 @@ import (
 )
 var (
-	rePhone          *regexp.Regexp
+	rePhone             *regexp.Regexp
-	ReWhiteSpace     *regexp.Regexp
+	ReWhiteSpace        *regexp.Regexp
-	ReFieldWhiteList *regexp.Regexp
+	ReFieldWhiteList    *regexp.Regexp
-	ReUserName       *regexp.Regexp
+	ReUserName          *regexp.Regexp
 	ReUserNameWithEmail *regexp.Regexp
 )
 func init() {
@ -35,6 +37,7 @@ func init() {
 	ReWhiteSpace, _ = regexp.Compile(`\s`)
 	ReFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
 	ReUserName, _ = regexp.Compile("^[a-zA-Z0-9]+([-._][a-zA-Z0-9]+)*$")
 	ReUserNameWithEmail, _ = regexp.Compile(`^([a-zA-Z0-9]+([-._][a-zA-Z0-9]+)*)|([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})$`) // Add support for email formats
 }
 func IsEmailValid(email string) bool {
@ -51,6 +54,9 @@ func IsPhoneValid(phone string, countryCode string) bool {
 }
 func IsPhoneAllowInRegin(countryCode string, allowRegions []string) bool {
 	if ContainsString(allowRegions, "All") {
 		return true
 	}
 	return ContainsString(allowRegions, countryCode)
 }
@ -97,3 +103,21 @@ func GetCountryCode(prefix string, phone string) (string, error) {
 func FilterField(field string) bool {
 	return ReFieldWhiteList.MatchString(field)
 }
 func IsValidOrigin(origin string) (bool, error) {
 	urlObj, err := url.Parse(origin)
 	if err != nil {
 		return false, err
 	}
 	if urlObj == nil {
 		return false, nil
 	}
 	originHostOnly := ""
 	if urlObj.Host != "" {
 		originHostOnly = fmt.Sprintf("%s://%s", urlObj.Scheme, urlObj.Hostname())
 	}
 	res := originHostOnly == "http://localhost" || originHostOnly == "https://localhost" || originHostOnly == "http://127.0.0.1" || originHostOnly == "http://casdoor-app" || strings.HasSuffix(originHostOnly, ".chromiumapp.org")
 	return res, nil
 }
--- a/web/package.json
+++ b/web/package.json
@ -27,6 +27,7 @@
    "copy-to-clipboard": "^3.3.1",
    "core-js": "^3.25.0",
    "craco-less": "^2.0.0",
    "crypto-js": "^4.2.0",
    "echarts": "^5.4.3",
    "ethers": "5.6.9",
    "face-api.js": "^0.22.2",
--- a/web/src/AdapterListPage.js
+++ b/web/src/AdapterListPage.js
@ -56,9 +56,11 @@ class AdapterListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
-            data: Setting.deleteRow(this.state.data, i),
+            pagination: {
-            pagination: {total: this.state.pagination.total - 1},
+              ...this.state.pagination,
              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
--- a/web/src/App.js
+++ b/web/src/App.js
@ -344,7 +344,8 @@ class App extends Component {
        window.location.pathname.startsWith("/cas") ||
        window.location.pathname.startsWith("/select-plan") ||
        window.location.pathname.startsWith("/buy-plan") ||
-        window.location.pathname.startsWith("/qrcode") ;
+        window.location.pathname.startsWith("/qrcode") ||
        window.location.pathname.startsWith("/captcha");
  }
  onClick = ({key}) => {
@ -361,7 +362,11 @@ class App extends Component {
    if (this.isDoorPages()) {
      return (
        <ConfigProvider theme={{
-          algorithm: Setting.getAlgorithm(["default"]),
+          token: {
            colorPrimary: this.state.themeData.colorPrimary,
            borderRadius: this.state.themeData.borderRadius,
          },
          algorithm: Setting.getAlgorithm(this.state.themeAlgorithm),
        }}>
          <StyleProvider hashPriority="high" transformers={[legacyLogicalPropertiesTransformer]}>
            <Layout id="parent-area">
@ -371,6 +376,7 @@ class App extends Component {
                    <EntryPage
                      account={this.state.account}
                      theme={this.state.themeData}
                      themeAlgorithm={this.state.themeAlgorithm}
                      updateApplication={(application) => {
                        this.setState({
                          application: application,
@ -445,7 +451,6 @@ class App extends Component {
                setLogoutState={() => {
                  this.setState({
                    account: null,
                    themeAlgorithm: ["default"],
                  });
                }}
              />
--- a/web/src/App.less
+++ b/web/src/App.less
@ -129,6 +129,15 @@ img {
  background-attachment: fixed;
 }
 .loginBackgroundDark {
  flex: auto;
  display: flex;
  align-items: center;
  background: #000 no-repeat;
  background-size: 100% 100%;
  background-attachment: fixed;
 }
 .ant-menu-horizontal {
  border-bottom: none !important;
 }
--- a/web/src/ApplicationEditPage.js
+++ b/web/src/ApplicationEditPage.js
@ -46,12 +46,18 @@ require("codemirror/mode/css/css");
 const {Option} = Select;
 const template = `<style>
-  .login-panel{
+  .login-panel {
    padding: 40px 70px 0 70px;
    border-radius: 10px;
    background-color: #ffffff;
    box-shadow: 0 0 30px 20px rgba(0, 0, 0, 0.20);
-}
+  }
  .login-panel-dark {
    padding: 40px 70px 0 70px;
    border-radius: 10px;
    background-color: #333333;
    box-shadow: 0 0 30px 20px rgba(255, 255, 255, 0.20);
  }
 </style>`;
 const previewGrid = Setting.isMobile() ? 22 : 11;
@ -116,7 +122,6 @@ class ApplicationEditPage extends React.Component {
  UNSAFE_componentWillMount() {
    this.getApplication();
    this.getOrganizations();
    this.getProviders();
  }
  getApplication() {
@ -145,7 +150,9 @@ class ApplicationEditPage extends React.Component {
          application: application,
        });
-        this.getCerts(application.organization);
+        this.getProviders(application);
        this.getCerts(application);
        this.getSamlMetadata(application.enableSamlPostBinding);
      });
@ -166,7 +173,11 @@ class ApplicationEditPage extends React.Component {
      });
  }
-  getCerts(owner) {
+  getCerts(application) {
    let owner = application.organization;
    if (application.isShared) {
      owner = this.props.owner;
    }
    CertBackend.getCerts(owner)
      .then((res) => {
        this.setState({
@ -175,8 +186,12 @@ class ApplicationEditPage extends React.Component {
      });
  }
-  getProviders() {
+  getProviders(application) {
-    ProviderBackend.getProviders(this.state.owner)
+    let owner = application.organization;
    if (application.isShared) {
      owner = this.props.account.owner;
    }
    ProviderBackend.getProviders(owner)
      .then((res) => {
        if (res.status === "ok") {
          this.setState({
@ -263,6 +278,16 @@ class ApplicationEditPage extends React.Component {
            }} />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("general:Is shared"), i18next.t("general:Is shared - Tooltip"))} :
          </Col>
          <Col span={22} >
            <Switch disabled={Setting.isAdminUser()} checked={this.state.application.isShared} onChange={checked => {
              this.updateApplicationField("isShared", checked);
            }} />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("general:Logo"), i18next.t("general:Logo - Tooltip"))} :
@ -388,6 +413,16 @@ class ApplicationEditPage extends React.Component {
            />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("application:Token signing method"), i18next.t("application:Token signing method - Tooltip"))} :
          </Col>
          <Col span={22} >
            <Select virtual={false} style={{width: "100%"}} value={this.state.application.tokenSigningMethod === "" ? "RS256" : this.state.application.tokenSigningMethod} onChange={(value => {this.updateApplicationField("tokenSigningMethod", value);})}
              options={["RS256", "RS512", "ES256", "ES512", "ES384"].map((item) => Setting.getOption(item, item))}
            />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("application:Token fields"), i18next.t("application:Token fields - Tooltip"))} :
@ -563,6 +598,16 @@ class ApplicationEditPage extends React.Component {
            }} />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("general:IP whitelist"), i18next.t("general:IP whitelist - Tooltip"))} :
          </Col>
          <Col span={22} >
            <Input placeholder = {this.state.application.organizationObj?.ipWhitelist} value={this.state.application.ipWhitelist} onChange={e => {
              this.updateApplicationField("ipWhitelist", e.target.value);
            }} />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("signup:Terms of Use"), i18next.t("signup:Terms of Use - Tooltip"))} :
@ -674,6 +719,16 @@ class ApplicationEditPage extends React.Component {
            }} />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}}>
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
            {Setting.getLabel(i18next.t("application:Use Email as NameID"), i18next.t("application:Use Email as NameID - Tooltip"))} :
          </Col>
          <Col span={1}>
            <Switch checked={this.state.application.useEmailAsSamlNameId} onChange={checked => {
              this.updateApplicationField("useEmailAsSamlNameId", checked);
            }} />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
            {Setting.getLabel(i18next.t("application:Enable SAML POST binding"), i18next.t("application:Enable SAML POST binding - Tooltip"))} :
@ -710,7 +765,7 @@ class ApplicationEditPage extends React.Component {
            />
            <br />
            <Button style={{marginBottom: "10px"}} type="primary" shape="round" icon={<CopyOutlined />} onClick={() => {
-              copy(`${window.location.origin}/api/saml/metadata?application=admin/${encodeURIComponent(this.state.applicationName)}&post=${this.state.application.enableSamlPostBinding}`);
+              copy(`${window.location.origin}/api/saml/metadata?application=admin/${encodeURIComponent(this.state.applicationName)}&enablePostBinding=${this.state.application.enableSamlPostBinding}`);
              Setting.showMessage("success", i18next.t("general:Copied to clipboard successfully"));
            }}
            >
@ -938,6 +993,7 @@ class ApplicationEditPage extends React.Component {
                <SigninTable
                  title={i18next.t("application:Signin items")}
                  table={this.state.application.signinItems}
                  themeAlgorithm={this.state.themeAlgorithm}
                  onUpdateTable={(value) => {
                    this.updateApplicationField("signinItems", value);
                  }}
@ -989,7 +1045,11 @@ class ApplicationEditPage extends React.Component {
      redirectUri = "\"ERROR: You must specify at least one Redirect URL in 'Redirect URLs'\"";
    }
-    const signInUrl = `/login/oauth/authorize?client_id=${this.state.application.clientId}&response_type=code&redirect_uri=${redirectUri}&scope=read&state=casdoor`;
+    let clientId = this.state.application.clientId;
    if (this.state.application.isShared) {
      clientId += `-org-${this.props.account.owner}`;
    }
    const signInUrl = `/login/oauth/authorize?client_id=${clientId}&response_type=code&redirect_uri=${redirectUri}&scope=read&state=casdoor`;
    const maskStyle = {position: "absolute", top: "0px", left: "0px", zIndex: 10, height: "97%", width: "100%", background: "rgba(0,0,0,0.4)"};
    if (!Setting.isPasswordEnabled(this.state.application)) {
      signUpUrl = signInUrl.replace("/login/oauth/authorize", "/signup/oauth/authorize");
--- a/web/src/ApplicationListPage.js
+++ b/web/src/ApplicationListPage.js
@ -97,9 +97,11 @@ class ApplicationListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
-            data: Setting.deleteRow(this.state.data, i),
+            pagination: {
-            pagination: {total: this.state.pagination.total - 1},
+              ...this.state.pagination,
              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
@ -123,7 +125,7 @@ class ApplicationListPage extends BaseListPage {
        render: (text, record, index) => {
          return (
            <Link to={`/applications/${record.organization}/${text}`}>
-              {text}
+              {Setting.getApplicationDisplayName(record)}
            </Link>
          );
        },
--- a/web/src/CaptchaPage.js
+++ b/web/src/CaptchaPage.js
@ -0,0 +1,116 @@
 // Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 import React from "react";
 import {CaptchaModal} from "./common/modal/CaptchaModal";
 import * as ApplicationBackend from "./backend/ApplicationBackend";
 import * as Setting from "./Setting";
 class CaptchaPage extends React.Component {
  constructor(props) {
    super(props);
    const params = new URLSearchParams(this.props.location.search);
    this.state = {
      owner: "admin",
      application: null,
      clientId: params.get("client_id"),
      applicationName: params.get("state"),
      redirectUri: params.get("redirect_uri"),
    };
  }
  componentDidMount() {
    this.getApplication();
  }
  onUpdateApplication(application) {
    this.setState({
      application: application,
    });
  }
  getApplication() {
    if (this.state.applicationName === null) {
      return null;
    }
    ApplicationBackend.getApplication(this.state.owner, this.state.applicationName)
      .then((res) => {
        if (res.status === "error") {
          this.onUpdateApplication(null);
          this.setState({
            msg: res.msg,
          });
          return ;
        }
        this.onUpdateApplication(res.data);
      });
  }
  getCaptchaProviderItems(application) {
    const providers = application?.providers;
    if (providers === undefined || providers === null) {
      return null;
    }
    return providers.filter(providerItem => {
      if (providerItem.provider === undefined || providerItem.provider === null) {
        return false;
      }
      return providerItem.provider.category === "Captcha";
    });
  }
  callback(values) {
    Setting.goToLink(`${this.state.redirectUri}?code=${values.captchaToken}&type=${values.captchaType}&secret=${values.clientSecret}&applicationId=${values.applicationId}`);
  }
  renderCaptchaModal(application) {
    const captchaProviderItems = this.getCaptchaProviderItems(application);
    if (captchaProviderItems === null) {
      return null;
    }
    const alwaysProviderItems = captchaProviderItems.filter(providerItem => providerItem.rule === "Always");
    const dynamicProviderItems = captchaProviderItems.filter(providerItem => providerItem.rule === "Dynamic");
    const provider = alwaysProviderItems.length > 0
      ? alwaysProviderItems[0].provider
      : dynamicProviderItems[0].provider;
    return <CaptchaModal
      owner={provider.owner}
      name={provider.name}
      visible={true}
      onOk={(captchaType, captchaToken, clientSecret) => {
        const values = {
          captchaType: captchaType,
          captchaToken: captchaToken,
          clientSecret: clientSecret,
          applicationId: `${provider.owner}/${provider.name}`,
        };
        this.callback(values);
      }}
      onCancel={() => this.callback({captchaType: "none", captchaToken: "", clientSecret: ""})}
      isCurrentProvider={true}
    />;
  }
  render() {
    return (
      this.renderCaptchaModal(this.state.application)
    );
  }
 }
 export default CaptchaPage;
--- a/web/src/CasbinEditor.js
+++ b/web/src/CasbinEditor.js
@ -0,0 +1,97 @@
 // Copyright 2024 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 import React, {useCallback, useEffect, useRef, useState} from "react";
 import {Controlled as CodeMirror} from "react-codemirror2";
 import "codemirror/lib/codemirror.css";
 import "codemirror/mode/properties/properties";
 import * as Setting from "./Setting";
 import IframeEditor from "./IframeEditor";
 import {Tabs} from "antd";
 const {TabPane} = Tabs;
 const CasbinEditor = ({model, onModelTextChange}) => {
  const [activeKey, setActiveKey] = useState("advanced");
  const iframeRef = useRef(null);
  const [localModelText, setLocalModelText] = useState(model.modelText);
  const handleModelTextChange = useCallback((newModelText) => {
    if (!Setting.builtInObject(model)) {
      setLocalModelText(newModelText);
      onModelTextChange(newModelText);
    }
  }, [model, onModelTextChange]);
  const syncModelText = useCallback(() => {
    return new Promise((resolve) => {
      if (activeKey === "advanced" && iframeRef.current) {
        const handleSyncMessage = (event) => {
          if (event.data.type === "modelUpdate") {
            window.removeEventListener("message", handleSyncMessage);
            handleModelTextChange(event.data.modelText);
            resolve();
          }
        };
        window.addEventListener("message", handleSyncMessage);
        iframeRef.current.getModelText();
      } else {
        resolve();
      }
    });
  }, [activeKey, handleModelTextChange]);
  const handleTabChange = (key) => {
    syncModelText().then(() => {
      setActiveKey(key);
      if (key === "advanced" && iframeRef.current) {
        iframeRef.current.updateModelText(localModelText);
      }
    });
  };
  useEffect(() => {
    setLocalModelText(model.modelText);
  }, [model.modelText]);
  return (
    <div style={{height: "100%", width: "100%", display: "flex", flexDirection: "column"}}>
      <Tabs activeKey={activeKey} onChange={handleTabChange} style={{flex: "0 0 auto", marginTop: "-10px"}}>
        <TabPane tab="Basic Editor" key="basic" />
        <TabPane tab="Advanced Editor" key="advanced" />
      </Tabs>
      <div style={{flex: "1 1 auto", overflow: "hidden"}}>
        {activeKey === "advanced" ? (
          <IframeEditor
            ref={iframeRef}
            initialModelText={localModelText}
            onModelTextChange={handleModelTextChange}
            style={{width: "100%", height: "100%"}}
          />
        ) : (
          <CodeMirror
            value={localModelText}
            className="full-height-editor no-horizontal-scroll-editor"
            options={{mode: "properties", theme: "default"}}
            onBeforeChange={(editor, data, value) => {
              handleModelTextChange(value);
            }}
          />
        )}
      </div>
    </div>
  );
 };
 export default CasbinEditor;
--- a/web/src/CertEditPage.js
+++ b/web/src/CertEditPage.js
@ -288,14 +288,14 @@ class CertEditPage extends React.Component {
          Setting.showMessage("success", i18next.t("general:Successfully saved"));
          this.setState({
            certName: this.state.cert.name,
          }, () => {
            if (exitAfterSave) {
              this.props.history.push("/certs");
            } else {
              this.props.history.push(`/certs/${this.state.cert.owner}/${this.state.cert.name}`);
              this.getCert();
            }
          });
          if (exitAfterSave) {
            this.props.history.push("/certs");
          } else {
            this.props.history.push(`/certs/${this.state.cert.owner}/${this.state.cert.name}`);
            this.getCert();
          }
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to save")}: ${res.msg}`);
          this.updateCertField("name", this.state.certName);
--- a/web/src/CertListPage.js
+++ b/web/src/CertListPage.js
@ -73,9 +73,11 @@ class CertListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
-            data: Setting.deleteRow(this.state.data, i),
+            pagination: {
-            pagination: {total: this.state.pagination.total - 1},
+              ...this.state.pagination,
              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
--- a/web/src/EnforcerListPage.js
+++ b/web/src/EnforcerListPage.js
@ -55,9 +55,11 @@ class EnforcerListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
-            data: Setting.deleteRow(this.state.data, i),
+            pagination: {
-            pagination: {total: this.state.pagination.total - 1},
+              ...this.state.pagination,
              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
--- a/web/src/EntryPage.js
+++ b/web/src/EntryPage.js
@ -32,7 +32,9 @@ import {authConfig} from "./auth/Auth";
 import ProductBuyPage from "./ProductBuyPage";
 import PaymentResultPage from "./PaymentResultPage";
 import QrCodePage from "./QrCodePage";
 import CaptchaPage from "./CaptchaPage";
 import CustomHead from "./basic/CustomHead";
 import * as Util from "./auth/Util";
 class EntryPage extends React.Component {
  constructor(props) {
@ -93,10 +95,20 @@ class EntryPage extends React.Component {
        });
    };
    if (this.state.application?.ipRestriction) {
      return Util.renderMessageLarge(this, this.state.application.ipRestriction);
    }
    if (this.state.application?.organizationObj?.ipRestriction) {
      return Util.renderMessageLarge(this, this.state.application.organizationObj.ipRestriction);
    }
    const isDarkMode = this.props.themeAlgorithm.includes("dark");
    return (
      <React.Fragment>
        <CustomHead headerHtml={this.state.application?.headerHtml} />
-        <div className="loginBackground"
+        <div className={`${isDarkMode ? "loginBackgroundDark" : "loginBackground"}`}
          style={{backgroundImage: Setting.inIframe() || Setting.isMobile() ? null : `url(${this.state.application?.formBackgroundUrl})`}}>
          <Spin size="large" spinning={this.state.application === undefined && this.state.pricing === undefined} tip={i18next.t("login:Loading")}
            style={{margin: "0 auto"}} />
@ -120,8 +132,10 @@ class EntryPage extends React.Component {
            <Route exact path="/buy-plan/:owner/:pricingName" render={(props) => <ProductBuyPage {...this.props} pricing={this.state.pricing} onUpdatePricing={onUpdatePricing} {...props} />} />
            <Route exact path="/buy-plan/:owner/:pricingName/result" render={(props) => <PaymentResultPage {...this.props} pricing={this.state.pricing} onUpdatePricing={onUpdatePricing} {...props} />} />
            <Route exact path="/qrcode/:owner/:paymentName" render={(props) => <QrCodePage {...this.props} onUpdateApplication={onUpdateApplication} {...props} />} />
            <Route exact path="/captcha" render={(props) => <CaptchaPage {...props} />} />
          </Switch>
        </div>
      </React.Fragment>
    );
  }
--- a/web/src/GroupListPage.js
+++ b/web/src/GroupListPage.js
@ -84,9 +84,11 @@ class GroupListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
-            data: Setting.deleteRow(this.state.data, i),
+            pagination: {
-            pagination: {total: this.state.pagination.total - 1},
+              ...this.state.pagination,
              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
--- a/web/src/IframeEditor.js
+++ b/web/src/IframeEditor.js
@ -0,0 +1,66 @@
 // Copyright 2024 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 import React, {forwardRef, useEffect, useImperativeHandle, useRef, useState} from "react";
 const IframeEditor = forwardRef(({initialModelText, onModelTextChange}, ref) => {
  const iframeRef = useRef(null);
  const [iframeReady, setIframeReady] = useState(false);
  useEffect(() => {
    const handleMessage = (event) => {
      if (event.origin !== "https://editor.casbin.org") {return;}
      if (event.data.type === "modelUpdate") {
        onModelTextChange(event.data.modelText);
      } else if (event.data.type === "iframeReady") {
        setIframeReady(true);
        iframeRef.current?.contentWindow.postMessage({
          type: "initializeModel",
          modelText: initialModelText,
        }, "*");
      }
    };
    window.addEventListener("message", handleMessage);
    return () => window.removeEventListener("message", handleMessage);
  }, [onModelTextChange, initialModelText]);
  useImperativeHandle(ref, () => ({
    getModelText: () => {
      iframeRef.current?.contentWindow.postMessage({type: "getModelText"}, "*");
    },
    updateModelText: (newModelText) => {
      if (iframeReady) {
        iframeRef.current?.contentWindow.postMessage({
          type: "updateModelText",
          modelText: newModelText,
        }, "*");
      }
    },
  }));
  return (
    <iframe
      ref={iframeRef}
      src="https://editor.casbin.org/model-editor"
      frameBorder="0"
      width="100%"
      height="500px"
      title="Casbin Model Editor"
    />
  );
 });
 export default IframeEditor;
--- a/web/src/InvitationEditPage.js
+++ b/web/src/InvitationEditPage.js
@ -20,6 +20,7 @@ import * as ApplicationBackend from "./backend/ApplicationBackend";
 import * as Setting from "./Setting";
 import i18next from "i18next";
 import copy from "copy-to-clipboard";
 import * as GroupBackend from "./backend/GroupBackend";
 const {Option} = Select;
@ -33,6 +34,7 @@ class InvitationEditPage extends React.Component {
      invitation: null,
      organizations: [],
      applications: [],
      groups: [],
      mode: props.location.mode !== undefined ? props.location.mode : "edit",
    };
  }
@ -41,6 +43,7 @@ class InvitationEditPage extends React.Component {
    this.getInvitation();
    this.getOrganizations();
    this.getApplicationsByOrganization(this.state.organizationName);
    this.getGroupsByOrganization(this.state.organizationName);
  }
  getInvitation() {
@ -75,6 +78,17 @@ class InvitationEditPage extends React.Component {
      });
  }
  getGroupsByOrganization(organizationName) {
    GroupBackend.getGroups(organizationName)
      .then((res) => {
        if (res.status === "ok") {
          this.setState({
            groups: res.data,
          });
        }
      });
  }
  parseInvitationField(key, value) {
    if ([""].includes(key)) {
      value = Setting.myParseInt(value);
@ -120,7 +134,7 @@ class InvitationEditPage extends React.Component {
            {Setting.getLabel(i18next.t("general:Organization"), i18next.t("general:Organization - Tooltip"))} :
          </Col>
          <Col span={22} >
-            <Select virtual={false} style={{width: "100%"}} disabled={!Setting.isAdminUser(this.props.account) || isCreatedByPlan} value={this.state.invitation.owner} onChange={(value => {this.updateInvitationField("owner", value); this.getApplicationsByOrganization(value);})}>
+            <Select virtual={false} style={{width: "100%"}} disabled={!Setting.isAdminUser(this.props.account) || isCreatedByPlan} value={this.state.invitation.owner} onChange={(value => {this.updateInvitationField("owner", value); this.getApplicationsByOrganization(value);this.getGroupsByOrganization(value);})}>
              {
                this.state.organizations.map((organization, index) => <Option key={index} value={organization.name}>{organization.name}</Option>)
              }
@ -204,6 +218,21 @@ class InvitationEditPage extends React.Component {
              ]} />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("provider:Signup group"), i18next.t("provider:Signup group - Tooltip"))} :
          </Col>
          <Col span={22} >
            <Select virtual={false} style={{width: "100%"}} value={this.state.invitation.signupGroup} onChange={(value => {this.updateInvitationField("signupGroup", value);})}>
              <Option key={""} value={""}>
                {i18next.t("general:Default")}
              </Option>
              {
                this.state.groups.map((group, index) => <Option key={index} value={`${group.owner}/${group.name}`}>{group.name}</Option>)
              }
            </Select>
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("signup:Username"), i18next.t("signup:Username - Tooltip"))} :
--- a/web/src/InvitationListPage.js
+++ b/web/src/InvitationListPage.js
@ -68,9 +68,11 @@ class InvitationListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
-            data: Setting.deleteRow(this.state.data, i),
+            pagination: {
-            pagination: {total: this.state.pagination.total - 1},
+              ...this.state.pagination,
              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
--- a/web/src/LdapEditPage.js
+++ b/web/src/LdapEditPage.js
@ -13,12 +13,13 @@
 // limitations under the License.
 import React from "react";
-import {Button, Card, Col, Input, InputNumber, Row, Select, Switch} from "antd";
+import {Button, Card, Col, Input, InputNumber, Row, Select, Space, Switch} from "antd";
-import {EyeInvisibleOutlined, EyeTwoTone} from "@ant-design/icons";
+import {EyeInvisibleOutlined, EyeTwoTone, HolderOutlined, UsergroupAddOutlined} from "@ant-design/icons";
 import * as LddpBackend from "./backend/LdapBackend";
 import * as OrganizationBackend from "./backend/OrganizationBackend";
 import * as Setting from "./Setting";
 import i18next from "i18next";
 import * as GroupBackend from "./backend/GroupBackend";
 const {Option} = Select;
@ -30,12 +31,14 @@ class LdapEditPage extends React.Component {
      organizationName: props.match.params.organizationName,
      ldap: null,
      organizations: [],
      groups: null,
    };
  }
  UNSAFE_componentWillMount() {
    this.getLdap();
    this.getOrganizations();
    this.getGroups();
  }
  getLdap() {
@ -60,6 +63,17 @@ class LdapEditPage extends React.Component {
      });
  }
  getGroups() {
    GroupBackend.getGroups(this.state.organizationName)
      .then((res) => {
        if (res.status === "ok") {
          this.setState({
            groups: res.data,
          });
        }
      });
  }
  updateLdapField(key, value) {
    this.setState((prevState) => {
      prevState.ldap[key] = value;
@ -214,6 +228,31 @@ class LdapEditPage extends React.Component {
            />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{lineHeight: "32px", textAlign: "right", paddingRight: "25px"}} span={3}>
            {Setting.getLabel(i18next.t("ldap:Default group"), i18next.t("ldap:Default group - Tooltip"))} :
          </Col>
          <Col span={21}>
            <Select virtual={false} style={{width: "100%"}} value={this.state.ldap.defaultGroup ?? []} onChange={(value => {
              this.updateLdapField("defaultGroup", value);
            })}
            >
              <Option key={""} value={""}>
                <Space>
                  {i18next.t("general:Default")}
                </Space>
              </Option>
              {
                this.state.groups?.map((group) => <Option key={group.name} value={`${group.owner}/${group.name}`}>
                  <Space>
                    {group.type === "Physical" ? <UsergroupAddOutlined /> : <HolderOutlined />}
                    {group.displayName}
                  </Space>
                </Option>)
              }
            </Select>
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}}>
          <Col style={{lineHeight: "32px", textAlign: "right", paddingRight: "25px"}} span={3}>
            {Setting.getLabel(i18next.t("ldap:Auto Sync"), i18next.t("ldap:Auto Sync - Tooltip"))} :
--- a/web/src/ManagementPage.js
+++ b/web/src/ManagementPage.js
@ -198,11 +198,11 @@ function ManagementPage(props) {
            </div>
          </Tooltip>
          <OpenTour />
-          {Setting.isAdminUser(props.account) && !Setting.isMobile() && (props.uri.indexOf("/trees") === -1) &&
+          {Setting.isAdminUser(props.account) && (props.uri.indexOf("/trees") === -1) &&
                        <OrganizationSelect
                          initValue={Setting.getOrganization()}
                          withAll={true}
-                          style={{marginRight: "20px", width: "180px", display: "flex"}}
+                          style={{marginRight: "20px", width: "180px", display: !Setting.isMobile() ? "flex" : "none"}}
                          onChange={(value) => {
                            Setting.setOrganization(value);
                          }}
--- a/web/src/ModelEditPage.js
+++ b/web/src/ModelEditPage.js
@ -18,11 +18,7 @@ import * as ModelBackend from "./backend/ModelBackend";
 import * as OrganizationBackend from "./backend/OrganizationBackend";
 import * as Setting from "./Setting";
 import i18next from "i18next";
-
+import ModelEditor from "./CasbinEditor";
 import {Controlled as CodeMirror} from "react-codemirror2";
 import "codemirror/lib/codemirror.css";
 require("codemirror/mode/properties/properties");
 const {Option} = Select;
@ -147,16 +143,10 @@ class ModelEditPage extends React.Component {
            {Setting.getLabel(i18next.t("model:Model text"), i18next.t("model:Model text - Tooltip"))} :
          </Col>
          <Col span={22}>
-            <div style={{width: "100%"}} >
+            <div style={{position: "relative", height: "500px"}} >
-              <CodeMirror
+              <ModelEditor
-                value={this.state.model.modelText}
+                model={this.state.model}
-                options={{mode: "properties", theme: "default"}}
+                onModelTextChange={(value) => this.updateModelField("modelText", value)}
                onBeforeChange={(editor, data, value) => {
                  if (Setting.builtInObject(this.state.model)) {
                    return;
                  }
                  this.updateModelField("modelText", value);
                }}
              />
            </div>
          </Col>
--- a/web/src/ModelListPage.js
+++ b/web/src/ModelListPage.js
@ -72,9 +72,11 @@ class ModelListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
-            data: Setting.deleteRow(this.state.data, i),
+            pagination: {
-            pagination: {total: this.state.pagination.total - 1},
+              ...this.state.pagination,
              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
--- a/web/src/OrganizationEditPage.js
+++ b/web/src/OrganizationEditPage.js
@ -19,6 +19,7 @@ import * as ApplicationBackend from "./backend/ApplicationBackend";
 import * as LdapBackend from "./backend/LdapBackend";
 import * as Setting from "./Setting";
 import * as Conf from "./Conf";
 import * as Obfuscator from "./auth/Obfuscator";
 import i18next from "i18next";
 import {LinkOutlined} from "@ant-design/icons";
 import LdapTable from "./table/LdapTable";
@ -112,6 +113,22 @@ class OrganizationEditPage extends React.Component {
    });
  }
  updatePasswordObfuscator(key, value) {
    const organization = this.state.organization;
    if (organization.passwordObfuscatorType === "") {
      organization.passwordObfuscatorType = "Plain";
    }
    if (key === "type") {
      organization.passwordObfuscatorType = value;
      organization.passwordObfuscatorKey = Obfuscator.getRandomKeyForObfuscator(value);
    } else if (key === "key") {
      organization.passwordObfuscatorKey = value;
    }
    this.setState({
      organization: organization,
    });
  }
  renderOrganization() {
    return (
      <Card size="small" title={
@ -294,6 +311,44 @@ class OrganizationEditPage extends React.Component {
            />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("general:Password obfuscator"), i18next.t("general:Password obfuscator - Tooltip"))} :
          </Col>
          <Col span={22} >
            <Select virtual={false} style={{width: "100%"}}
              value={this.state.organization.passwordObfuscatorType}
              onChange={(value => {this.updatePasswordObfuscator("type", value);})}>
              {
                [
                  {id: "Plain", name: "Plain"},
                  {id: "AES", name: "AES"},
                  {id: "DES", name: "DES"},
                ].map((obfuscatorType, index) => <Option key={index} value={obfuscatorType.id}>{obfuscatorType.name}</Option>)
              }
            </Select>
          </Col>
        </Row>
        {
          (this.state.organization.passwordObfuscatorType === "Plain" || this.state.organization.passwordObfuscatorType === "") ? null : (<Row style={{marginTop: "20px"}} >
            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
              {Setting.getLabel(i18next.t("general:Password obf key"), i18next.t("general:Password obf key - Tooltip"))} :
            </Col>
            <Col span={22} >
              <Input value={this.state.organization.passwordObfuscatorKey} onChange={(e) => {this.updatePasswordObfuscator("key", e.target.value);}} />
            </Col>
          </Row>)
        }
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
            {Setting.getLabel(i18next.t("organization:Password expire days"), i18next.t("organization:Password expire days - Tooltip"))} :
          </Col>
          <Col span={4} >
            <InputNumber value={this.state.organization.passwordExpireDays} onChange={value => {
              this.updateOrganizationField("passwordExpireDays", value);
            }} />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("general:Supported country codes"), i18next.t("general:Supported country codes - Tooltip"))} :
@ -305,6 +360,7 @@ class OrganizationEditPage extends React.Component {
              }}
              filterOption={(input, option) => (option?.text ?? "").toLowerCase().includes(input.toLowerCase())}
            >
              {Setting.getCountryCodeOption({name: i18next.t("organization:All"), code: "All", phone: 0})}
              {
                Setting.getCountryCodeData().map((country) => Setting.getCountryCodeOption(country))
              }
@ -360,7 +416,7 @@ class OrganizationEditPage extends React.Component {
          </Col>
          <Col span={22} >
            <Select virtual={false} style={{width: "100%"}} value={this.state.organization.defaultApplication} onChange={(value => {this.updateOrganizationField("defaultApplication", value);})}
-              options={this.state.applications?.map((item) => Setting.getOption(item.name, item.name))
+              options={this.state.applications?.map((item) => Setting.getOption(Setting.getApplicationDisplayName(item.name), item.name))
              } />
          </Col>
        </Row>
@ -406,6 +462,16 @@ class OrganizationEditPage extends React.Component {
            }} />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("general:IP whitelist"), i18next.t("general:IP whitelist - Tooltip"))} :
          </Col>
          <Col span={22} >
            <Input value={this.state.organization.ipWhitelist} onChange={e => {
              this.updateOrganizationField("ipWhitelist", e.target.value);
            }} />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
            {Setting.getLabel(i18next.t("organization:Init score"), i18next.t("organization:Init score - Tooltip"))} :
@ -528,6 +594,12 @@ class OrganizationEditPage extends React.Component {
    const organization = Setting.deepCopy(this.state.organization);
    organization.accountItems = organization.accountItems?.filter(accountItem => accountItem.name !== "Please select an account item");
    const passwordObfuscatorErrorMessage = Obfuscator.checkPasswordObfuscator(organization.passwordObfuscatorType, organization.passwordObfuscatorKey);
    if (passwordObfuscatorErrorMessage.length > 0) {
      Setting.showMessage("error", passwordObfuscatorErrorMessage);
      return;
    }
    OrganizationBackend.updateOrganization(this.state.organization.owner, this.state.organizationName, organization)
      .then((res) => {
        if (res.status === "ok") {
--- a/web/src/OrganizationListPage.js
+++ b/web/src/OrganizationListPage.js
@ -35,6 +35,9 @@ class OrganizationListPage extends BaseListPage {
      passwordType: "plain",
      PasswordSalt: "",
      passwordOptions: [],
      passwordObfuscatorType: "Plain",
      passwordObfuscatorKey: "",
      passwordExpireDays: 0,
      countryCodes: ["US"],
      defaultAvatar: `${Setting.StaticBaseUrl}/img/casbin.svg`,
      defaultApplication: "",
@ -115,11 +118,11 @@ class OrganizationListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
            data: Setting.deleteRow(this.state.data, i),
            pagination: {
              ...this.state.pagination,
-              total: this.state.pagination.total - 1},
+              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
          window.dispatchEvent(new Event("storageOrganizationsChanged"));
        } else {
--- a/web/src/PaymentListPage.js
+++ b/web/src/PaymentListPage.js
@ -70,9 +70,11 @@ class PaymentListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
-            data: Setting.deleteRow(this.state.data, i),
+            pagination: {
-            pagination: {total: this.state.pagination.total - 1},
+              ...this.state.pagination,
              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
--- a/web/src/PermissionListPage.js
+++ b/web/src/PermissionListPage.js
@ -69,9 +69,11 @@ class PermissionListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
-            data: Setting.deleteRow(this.state.data, i),
+            pagination: {
-            pagination: {total: this.state.pagination.total - 1},
+              ...this.state.pagination,
              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
--- a/web/src/PlanListPage.js
+++ b/web/src/PlanListPage.js
@ -63,9 +63,11 @@ class PlanListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
-            data: Setting.deleteRow(this.state.data, i),
+            pagination: {
-            pagination: {total: this.state.pagination.total - 1},
+              ...this.state.pagination,
              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
--- a/web/src/PricingListPage.js
+++ b/web/src/PricingListPage.js
@ -59,9 +59,11 @@ class PricingListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
-            data: Setting.deleteRow(this.state.data, i),
+            pagination: {
-            pagination: {total: this.state.pagination.total - 1},
+              ...this.state.pagination,
              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
--- a/web/src/ProductBuyPage.js
+++ b/web/src/ProductBuyPage.js
@ -123,6 +123,22 @@ class ProductBuyPage extends React.Component {
      return "$";
    } else if (product?.currency === "CNY") {
      return "￥";
    } else if (product?.currency === "EUR") {
      return "€";
    } else if (product?.currency === "JPY") {
      return "¥";
    } else if (product?.currency === "GBP") {
      return "£";
    } else if (product?.currency === "AUD") {
      return "A$";
    } else if (product?.currency === "CAD") {
      return "C$";
    } else if (product?.currency === "CHF") {
      return "CHF";
    } else if (product?.currency === "HKD") {
      return "HK$";
    } else if (product?.currency === "SGD") {
      return "S$";
    } else {
      return "(Unknown currency)";
    }
--- a/web/src/ProductEditPage.js
+++ b/web/src/ProductEditPage.js
@ -209,6 +209,14 @@ class ProductEditPage extends React.Component {
                [
                  {id: "USD", name: "USD"},
                  {id: "CNY", name: "CNY"},
                  {id: "EUR", name: "EUR"},
                  {id: "JPY", name: "JPY"},
                  {id: "GBP", name: "GBP"},
                  {id: "AUD", name: "AUD"},
                  {id: "CAD", name: "CAD"},
                  {id: "CHF", name: "CHF"},
                  {id: "HKD", name: "HKD"},
                  {id: "SGD", name: "SGD"},
                ].map((item, index) => <Option key={index} value={item.id}>{item.name}</Option>)
              }
            </Select>
--- a/web/src/ProductListPage.js
+++ b/web/src/ProductListPage.js
@ -65,9 +65,11 @@ class ProductListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
-            data: Setting.deleteRow(this.state.data, i),
+            pagination: {
-            pagination: {total: this.state.pagination.total - 1},
+              ...this.state.pagination,
              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
--- a/web/src/ProviderEditPage.js
+++ b/web/src/ProviderEditPage.js
@ -843,7 +843,7 @@ class ProviderEditPage extends React.Component {
          )
        }
        {
-          this.state.provider.type !== "ADFS" && this.state.provider.type !== "AzureAD" && this.state.provider.type !== "AzureADB2C" && this.state.provider.type !== "Casdoor" && this.state.provider.type !== "Okta" ? null : (
+          this.state.provider.type !== "ADFS" && this.state.provider.type !== "AzureAD" && this.state.provider.type !== "AzureADB2C" && (this.state.provider.type !== "Casdoor" && this.state.category !== "Storage") && this.state.provider.type !== "Okta" ? null : (
            <Row style={{marginTop: "20px"}} >
              <Col style={{marginTop: "5px"}} span={2}>
                {Setting.getLabel(i18next.t("provider:Domain"), i18next.t("provider:Domain - Tooltip"))} :
@ -870,7 +870,7 @@ class ProviderEditPage extends React.Component {
                </Col>
              </Row>
            )}
-            {["Custom HTTP SMS", "Local File System", "MinIO", "Tencent Cloud COS", "Google Cloud Storage", "Qiniu Cloud Kodo", "Synology"].includes(this.state.provider.type) ? null : (
+            {["Custom HTTP SMS", "Local File System", "MinIO", "Tencent Cloud COS", "Google Cloud Storage", "Qiniu Cloud Kodo", "Synology", "Casdoor"].includes(this.state.provider.type) ? null : (
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={2}>
                  {Setting.getLabel(i18next.t("provider:Endpoint (Intranet)"), i18next.t("provider:Region endpoint for Intranet"))} :
@ -885,7 +885,9 @@ class ProviderEditPage extends React.Component {
            {["Custom HTTP SMS", "Local File System"].includes(this.state.provider.type) ? null : (
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={2}>
-                  {Setting.getLabel(i18next.t("provider:Bucket"), i18next.t("provider:Bucket - Tooltip"))} :
+                  {["Casdoor"].includes(this.state.provider.type) ?
                    Setting.getLabel(i18next.t("general:Provider"), i18next.t("provider:Provider - Tooltip"))
                    : Setting.getLabel(i18next.t("provider:Bucket"), i18next.t("provider:Bucket - Tooltip"))} :
                </Col>
                <Col span={22} >
                  <Input value={this.state.provider.bucket} onChange={e => {
@ -906,7 +908,7 @@ class ProviderEditPage extends React.Component {
                </Col>
              </Row>
            )}
-            {["Custom HTTP SMS", "Google Cloud Storage", "Qiniu Cloud Kodo", "Synology"].includes(this.state.provider.type) ? null : (
+            {["Custom HTTP SMS", "Synology", "Casdoor"].includes(this.state.provider.type) ? null : (
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={2}>
                  {Setting.getLabel(i18next.t("provider:Domain"), i18next.t("provider:Domain - Tooltip"))} :
@ -918,10 +920,24 @@ class ProviderEditPage extends React.Component {
                </Col>
              </Row>
            )}
-            {["AWS S3", "Tencent Cloud COS", "Qiniu Cloud Kodo"].includes(this.state.provider.type) ? (
+            {["Casdoor"].includes(this.state.provider.type) ? (
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={2}>
-                  {Setting.getLabel(i18next.t("provider:Region ID"), i18next.t("provider:Region ID - Tooltip"))} :
+                  {Setting.getLabel(i18next.t("general:Organization"), i18next.t("general:Organization - Tooltip"))} :
                </Col>
                <Col span={22} >
                  <Input value={this.state.provider.content} onChange={e => {
                    this.updateProviderField("content", e.target.value);
                  }} />
                </Col>
              </Row>
            ) : null}
            {["AWS S3", "Tencent Cloud COS", "Qiniu Cloud Kodo", "Casdoor"].includes(this.state.provider.type) ? (
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={2}>
                  {["Casdoor"].includes(this.state.provider.type) ?
                    Setting.getLabel(i18next.t("general:Application"), i18next.t("general:Application - Tooltip")) :
                    Setting.getLabel(i18next.t("provider:Region ID"), i18next.t("provider:Region ID - Tooltip"))} :
                </Col>
                <Col span={22} >
                  <Input value={this.state.provider.regionId} onChange={e => {
@ -1298,7 +1314,7 @@ class ProviderEditPage extends React.Component {
          ) : null
        }
        {
-          (this.state.provider.type === "Alipay" || this.state.provider.type === "WeChat Pay") ? (
+          (this.state.provider.type === "Alipay" || this.state.provider.type === "WeChat Pay" || this.state.provider.type === "Casdoor") ? (
            <Row style={{marginTop: "20px"}} >
              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
                {Setting.getLabel(i18next.t("general:Cert"), i18next.t("general:Cert - Tooltip"))} :
--- a/web/src/ProviderListPage.js
+++ b/web/src/ProviderListPage.js
@ -76,9 +76,11 @@ class ProviderListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
-            data: Setting.deleteRow(this.state.data, i),
+            pagination: {
-            pagination: {total: this.state.pagination.total - 1},
+              ...this.state.pagination,
              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
--- a/web/src/ResourceListPage.js
+++ b/web/src/ResourceListPage.js
@ -40,9 +40,11 @@ class ResourceListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
-            data: Setting.deleteRow(this.state.data, i),
+            pagination: {
-            pagination: {total: this.state.pagination.total - 1},
+              ...this.state.pagination,
              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
--- a/web/src/RoleEditPage.js
+++ b/web/src/RoleEditPage.js
@ -187,7 +187,7 @@ class RoleEditPage extends React.Component {
            {Setting.getLabel(i18next.t("role:Sub users"), i18next.t("role:Sub users - Tooltip"))} :
          </Col>
          <Col span={22} >
-            <Select virtual={false} mode="multiple" style={{width: "100%"}} value={this.state.role.users}
+            <Select virtual={true} mode="multiple" style={{width: "100%"}} value={this.state.role.users}
              onChange={(value => {this.updateRoleField("users", value);})}
              options={this.state.users.map((user) => Setting.getOption(`${user.owner}/${user.name}`, `${user.owner}/${user.name}`))}
            />
--- a/web/src/RoleListPage.js
+++ b/web/src/RoleListPage.js
@ -61,9 +61,11 @@ class RoleListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          Setting.showMessage("success", i18next.t("general:Successfully deleted"));
-          this.setState({
+          this.fetch({
-            data: Setting.deleteRow(this.state.data, i),
+            pagination: {
-            pagination: {total: this.state.pagination.total - 1},
+              ...this.state.pagination,
              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
            },
          });
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
--- a/Show More
+++ b/Show More