feat: add RunCasbinCommand() API

feat: add Casbin CLI API to Casdoor (#3351 )
feat: add Organization.PasswordExpireDays field
2025-07-14 16:13:24 +08:00 · 2024-11-15 17:44:57 +08:00 · 2024-11-15 16:10:22 +08:00 · 2024-11-15 11:33:28 +08:00 · 2024-11-14 18:05:56 +08:00 · 2024-11-13 17:06:09 +08:00
117 changed files with 3003 additions and 369 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -147,7 +147,7 @@ jobs:
      - name: Release
        run: yarn global add semantic-release@17.4.4 && semantic-release
        env:
-          GH_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Fetch Current version
        id: get-current-tag
--- a/README.md
+++ b/README.md
@ -13,7 +13,7 @@
  <a href="https://github.com/casdoor/casdoor/releases/latest">
    <img alt="GitHub Release" src="https://img.shields.io/github/v/release/casdoor/casdoor.svg">
  </a>
-  <a href="https://hub.docker.com/repository/docker/casbin/casdoor">
+  <a href="https://hub.docker.com/r/casbin/casdoor">
    <img alt="Docker Image Version (latest semver)" src="https://img.shields.io/badge/Docker%20Hub-latest-brightgreen">
  </a>
 </p>
--- a/authz/authz.go
+++ b/authz/authz.go
@ -77,6 +77,7 @@ p, *, *, POST, /api/verify-code, *, *
 p, *, *, POST, /api/reset-email-or-phone, *, *
 p, *, *, POST, /api/upload-resource, *, *
 p, *, *, GET, /.well-known/openid-configuration, *, *
+p, *, *, GET, /.well-known/webfinger, *, *
 p, *, *, *, /.well-known/jwks, *, *
 p, *, *, GET, /api/get-saml-login, *, *
 p, *, *, POST, /api/acs, *, *
@ -97,6 +98,7 @@ p, *, *, GET, /api/get-organization-names, *, *
 p, *, *, GET, /api/get-all-objects, *, *
 p, *, *, GET, /api/get-all-actions, *, *
 p, *, *, GET, /api/get-all-roles, *, *
+p, *, *, GET, /api/run-casbin-command, *, *
 p, *, *, GET, /api/get-invitation-info, *, *
 p, *, *, GET, /api/faceid-signin-begin, *, *
 `
--- a/captcha/provider.go
+++ b/captcha/provider.go
@ -24,6 +24,8 @@ func GetCaptchaProvider(captchaType string) CaptchaProvider {
 	switch captchaType {
 	case "Default":
 		return NewDefaultCaptchaProvider()
+	case "reCAPTCHA":
+		return NewReCaptchaProvider()
 	case "reCAPTCHA v2":
 		return NewReCaptchaProvider()
 	case "reCAPTCHA v3":
--- a/conf/app.conf
+++ b/conf/app.conf
@ -21,11 +21,14 @@ originFrontend =
 staticBaseUrl = "https://cdn.casbin.org"
 isDemoMode = false
 batchSize = 100
+enableErrorMask = false
 enableGzip = true
+inactiveTimeoutMinutes =
 ldapServerPort = 389
 radiusServerPort = 1812
 radiusSecret = "secret"
 quota = {"organization": -1, "user": -1, "application": -1, "provider": -1}
 logConfig = {"filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}
+initDataNewOnly = false
 initDataFile = "./init_data.json"
-frontendBaseDir = "../casdoor"
+frontendBaseDir = "../cc_0"
--- a/controllers/account.go
+++ b/controllers/account.go
@ -116,6 +116,13 @@ func (c *ApiController) Signup() {
 		return
 	}

+	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
+	err = object.CheckEntryIp(clientIp, nil, application, organization, c.GetAcceptLanguage())
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	msg := object.CheckUserSignup(application, organization, &authForm, c.GetAcceptLanguage())
 	if msg != "" {
 		c.ResponseError(msg)
@ -200,6 +207,10 @@ func (c *ApiController) Signup() {
 		Type:              userType,
 		Password:          authForm.Password,
 		DisplayName:       authForm.Name,
+		Gender:            authForm.Gender,
+		Bio:               authForm.Bio,
+		Tag:               authForm.Tag,
+		Education:         authForm.Education,
 		Avatar:            organization.DefaultAvatar,
 		Email:             authForm.Email,
 		Phone:             authForm.Phone,
@ -234,6 +245,10 @@ func (c *ApiController) Signup() {
 		}
 	}

+	if invitation != nil && invitation.SignupGroup != "" {
+		user.Groups = []string{invitation.SignupGroup}
+	}
+
 	affected, err := object.AddUser(user)
 	if err != nil {
 		c.ResponseError(err.Error())
--- a/controllers/application.go
+++ b/controllers/application.go
@ -110,6 +110,9 @@ func (c *ApiController) GetApplication() {
 		}
 	}

+	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
+	object.CheckEntryIp(clientIp, nil, application, nil, c.GetAcceptLanguage())
+
 	c.ResponseOk(object.GetMaskedApplication(application, userId))
 }

@ -229,6 +232,11 @@ func (c *ApiController) UpdateApplication() {
 		return
 	}

+	if err = object.CheckIpWhitelist(application.IpWhitelist, c.GetAcceptLanguage()); err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	c.Data["json"] = wrapActionResponse(object.UpdateApplication(id, &application))
 	c.ServeJSON()
 }
@ -259,6 +267,11 @@ func (c *ApiController) AddApplication() {
 		return
 	}

+	if err = object.CheckIpWhitelist(application.IpWhitelist, c.GetAcceptLanguage()); err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	c.Data["json"] = wrapActionResponse(object.AddApplication(&application))
 	c.ServeJSON()
 }
--- a/controllers/auth.go
+++ b/controllers/auth.go
@ -55,6 +55,13 @@ func tokenToResponse(token *object.Token) *Response {
 func (c *ApiController) HandleLoggedIn(application *object.Application, user *object.User, form *form.AuthForm) (resp *Response) {
 	userId := user.GetId()

+	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
+	err := object.CheckEntryIp(clientIp, user, application, application.OrganizationObj, c.GetAcceptLanguage())
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	allowed, err := object.CheckLoginPermission(userId, application)
 	if err != nil {
 		c.ResponseError(err.Error(), nil)
@ -256,6 +263,9 @@ func (c *ApiController) GetApplicationLogin() {
 		}
 	}

+	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
+	object.CheckEntryIp(clientIp, nil, application, nil, c.GetAcceptLanguage())
+
 	application = object.GetMaskedApplication(application, "")
 	if msg != "" {
 		c.ResponseError(msg, application)
@ -463,6 +473,15 @@ func (c *ApiController) Login() {
 			}

 			password := authForm.Password
+
+			if application.OrganizationObj != nil {
+				password, err = util.GetUnobfuscatedPassword(application.OrganizationObj.PasswordObfuscatorType, application.OrganizationObj.PasswordObfuscatorKey, authForm.Password)
+				if err != nil {
+					c.ResponseError(err.Error())
+					return
+				}
+			}
+
 			isSigninViaLdap := authForm.SigninMethod == "LDAP"
 			var isPasswordWithLdapEnabled bool
 			if authForm.SigninMethod == "Password" {
@ -835,6 +854,7 @@ func (c *ApiController) Login() {
 		}

 		if authForm.Passcode != "" {
+			user.CountryCode = user.GetCountryCode(user.CountryCode)
 			mfaUtil := object.GetMfaUtil(authForm.MfaType, user.GetPreferredMfaProps(false))
 			if mfaUtil == nil {
 				c.ResponseError("Invalid multi-factor authentication type")
--- a/controllers/casbin_cli_api.go
+++ b/controllers/casbin_cli_api.go
@ -0,0 +1,66 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+)
+
+// RunCasbinCommand
+// @Title RunCasbinCommand
+// @Tag Enforcer API
+// @Description Call Casbin CLI commands
+// @Success 200 {object} controllers.Response The Response object
+// @router /run-casbin-command [get]
+func (c *ApiController) RunCasbinCommand() {
+	language := c.Input().Get("language")
+	argString := c.Input().Get("args")
+
+	if language == "" {
+		language = "go"
+	}
+	// use "casbin-go-cli" by default, can be also "casbin-java-cli", "casbin-node-cli", etc.
+	// the pre-built binary of "casbin-go-cli" can be found at: https://github.com/casbin/casbin-go-cli/releases
+	binaryName := fmt.Sprintf("casbin-%s-cli", language)
+
+	_, err := exec.LookPath(binaryName)
+	if err != nil {
+		c.ResponseError(fmt.Sprintf("executable file: %s not found in PATH", binaryName))
+		return
+	}
+
+	// argString's example:
+	// enforce -m "examples/rbac_model.conf" -p "examples/rbac_policy.csv" "alice" "data1" "read"
+	// see: https://github.com/jcasbin/casbin-java-cli?tab=readme-ov-file#get-started
+	args := strings.Split(argString, " ")
+
+	command := exec.Command(binaryName, args...)
+	outputBytes, err := command.CombinedOutput()
+	if outputBytes != nil {
+		output := string(outputBytes)
+		c.ResponseError(output)
+		return
+	}
+
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	output := string(outputBytes)
+	c.ResponseOk(output)
+}
--- a/controllers/oidc_discovery.go
+++ b/controllers/oidc_discovery.go
@ -14,7 +14,11 @@

 package controllers

-import "github.com/casdoor/casdoor/object"
+import (
+	"strings"
+
+	"github.com/casdoor/casdoor/object"
+)

 // GetOidcDiscovery
 // @Title GetOidcDiscovery
@ -42,3 +46,31 @@ func (c *RootController) GetJwks() {
 	c.Data["json"] = jwks
 	c.ServeJSON()
 }
+
+// GetWebFinger
+// @Title GetWebFinger
+// @Tag OIDC API
+// @Param resource query string true "resource"
+// @Success 200 {object} object.WebFinger
+// @router /.well-known/webfinger [get]
+func (c *RootController) GetWebFinger() {
+	resource := c.Input().Get("resource")
+	rels := []string{}
+	host := c.Ctx.Request.Host
+
+	for key, value := range c.Input() {
+		if strings.HasPrefix(key, "rel") {
+			rels = append(rels, value...)
+		}
+	}
+
+	webfinger, err := object.GetWebFinger(resource, rels, host)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = webfinger
+	c.Ctx.Output.ContentType("application/jrd+json")
+	c.ServeJSON()
+}
--- a/controllers/organization.go
+++ b/controllers/organization.go
@ -65,7 +65,7 @@ func (c *ApiController) GetOrganizations() {
 			c.ResponseOk(organizations)
 		} else {
 			limit := util.ParseInt(limit)
-			count, err := object.GetOrganizationCount(owner, field, value)
+			count, err := object.GetOrganizationCount(owner, organizationName, field, value)
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@ -119,6 +119,11 @@ func (c *ApiController) UpdateOrganization() {
 		return
 	}

+	if err = object.CheckIpWhitelist(organization.IpWhitelist, c.GetAcceptLanguage()); err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	c.Data["json"] = wrapActionResponse(object.UpdateOrganization(id, &organization))
 	c.ServeJSON()
 }
@ -138,7 +143,7 @@ func (c *ApiController) AddOrganization() {
 		return
 	}

-	count, err := object.GetOrganizationCount("", "", "")
+	count, err := object.GetOrganizationCount("", "", "", "")
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@ -149,6 +154,11 @@ func (c *ApiController) AddOrganization() {
 		return
 	}

+	if err = object.CheckIpWhitelist(organization.IpWhitelist, c.GetAcceptLanguage()); err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	c.Data["json"] = wrapActionResponse(object.AddOrganization(&organization))
 	c.ServeJSON()
 }
--- a/controllers/product.go
+++ b/controllers/product.go
@ -182,6 +182,10 @@ func (c *ApiController) BuyProduct() {
 	paidUserName := c.Input().Get("userName")
 	owner, _ := util.GetOwnerAndNameFromId(id)
 	userId := util.GetId(owner, paidUserName)
+	if paidUserName != "" && !c.IsAdmin() {
+		c.ResponseError(c.T("general:Only admin user can specify user"))
+		return
+	}
 	if paidUserName == "" {
 		userId = c.GetSessionUsername()
 	}
--- a/controllers/resource.go
+++ b/controllers/resource.go
@ -257,7 +257,7 @@ func (c *ApiController) UploadResource() {
 		fileType, _ = util.GetOwnerAndNameFromIdNoCheck(mimeType + "/")
 	}

-	fullFilePath = object.GetTruncatedPath(provider, fullFilePath, 175)
+	fullFilePath = object.GetTruncatedPath(provider, fullFilePath, 450)
 	if tag != "avatar" && tag != "termsOfUse" && !strings.HasPrefix(tag, "idCard") {
 		ext := filepath.Ext(filepath.Base(fullFilePath))
 		index := len(fullFilePath) - len(ext)
--- a/controllers/user.go
+++ b/controllers/user.go
@ -289,6 +289,16 @@ func (c *ApiController) UpdateUser() {
 		}
 	}

+	if user.MfaEmailEnabled && user.Email == "" {
+		c.ResponseError(c.T("user:MFA email is enabled but email is empty"))
+		return
+	}
+
+	if user.MfaPhoneEnabled && user.Phone == "" {
+		c.ResponseError(c.T("user:MFA phone is enabled but phone number is empty"))
+		return
+	}
+
 	if msg := object.CheckUpdateUser(oldUser, &user, c.GetAcceptLanguage()); msg != "" {
 		c.ResponseError(msg)
 		return
@ -354,7 +364,8 @@ func (c *ApiController) AddUser() {
 		return
 	}

-	msg := object.CheckUsername(user.Name, c.GetAcceptLanguage())
+	emptyUser := object.User{}
+	msg := object.CheckUpdateUser(&emptyUser, &user, c.GetAcceptLanguage())
 	if msg != "" {
 		c.ResponseError(msg)
 		return
@ -400,6 +411,12 @@ func (c *ApiController) GetEmailAndPhone() {
 	organization := c.Ctx.Request.Form.Get("organization")
 	username := c.Ctx.Request.Form.Get("username")

+	enableErrorMask2 := conf.GetConfigBool("enableErrorMask2")
+	if enableErrorMask2 {
+		c.ResponseError("Error")
+		return
+	}
+
 	user, err := object.GetUserByFields(organization, username)
 	if err != nil {
 		c.ResponseError(err.Error())
@ -473,7 +490,12 @@ func (c *ApiController) SetPassword() {
 			c.ResponseError(c.T("general:Missing parameter"))
 			return
 		}
+		if userId != c.GetSession("verifiedUserId") {
+			c.ResponseError(c.T("general:Wrong userId"))
+			return
+		}
 		c.SetSession("verifiedCode", "")
+		c.SetSession("verifiedUserId", "")
 	}

 	targetUser, err := object.GetUser(userId)
@ -519,6 +541,23 @@ func (c *ApiController) SetPassword() {
 		return
 	}

+	application, err := object.GetApplicationByUser(targetUser)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if application == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:the application for user %s is not found"), userId))
+		return
+	}
+
+	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
+	err = object.CheckEntryIp(clientIp, targetUser, application, organization, c.GetAcceptLanguage())
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	targetUser.Password = newPassword
 	targetUser.UpdateUserPassword(organization)
 	targetUser.NeedUpdatePassword = false
--- a/controllers/util.go
+++ b/controllers/util.go
@ -45,6 +45,22 @@ func (c *ApiController) ResponseOk(data ...interface{}) {

 // ResponseError ...
 func (c *ApiController) ResponseError(error string, data ...interface{}) {
+	enableErrorMask2 := conf.GetConfigBool("enableErrorMask2")
+	if enableErrorMask2 {
+		error = c.T("subscription:Error")
+
+		resp := &Response{Status: "error", Msg: error}
+		c.ResponseJsonData(resp, data...)
+		return
+	}
+
+	enableErrorMask := conf.GetConfigBool("enableErrorMask")
+	if enableErrorMask {
+		if strings.HasPrefix(error, "The user: ") && strings.HasSuffix(error, " doesn't exist") || strings.HasPrefix(error, "用户: ") && strings.HasSuffix(error, "不存在") {
+			error = c.T("check:password or code is incorrect")
+		}
+	}
+
 	resp := &Response{Status: "error", Msg: error}
 	c.ResponseJsonData(resp, data...)
 }
--- a/controllers/verification.go
+++ b/controllers/verification.go
@ -132,7 +132,8 @@ func (c *ApiController) SendVerificationCode() {
 		c.ResponseError(err.Error())
 		return
 	}
-	remoteAddr := util.GetIPFromRequest(c.Ctx.Request)
+
+	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)

 	if msg := vform.CheckParameter(form.SendVerifyCode, c.GetAcceptLanguage()); msg != "" {
 		c.ResponseError(msg)
@ -259,7 +260,7 @@ func (c *ApiController) SendVerificationCode() {
 			return
 		}

-		sendResp = object.SendVerificationCodeToEmail(organization, user, provider, remoteAddr, vform.Dest)
+		sendResp = object.SendVerificationCodeToEmail(organization, user, provider, clientIp, vform.Dest)
 	case object.VerifyTypePhone:
 		if vform.Method == LoginVerification || vform.Method == ForgetVerification {
 			if user != nil && util.GetMaskedPhone(user.Phone) == vform.Dest {
@ -293,6 +294,7 @@ func (c *ApiController) SendVerificationCode() {
 			}

 			vform.CountryCode = mfaProps.CountryCode
+			vform.CountryCode = user.GetCountryCode(vform.CountryCode)
 		}

 		provider, err = application.GetSmsProvider(vform.Method, vform.CountryCode)
@ -309,7 +311,7 @@ func (c *ApiController) SendVerificationCode() {
 			c.ResponseError(fmt.Sprintf(c.T("verification:Phone number is invalid in your region %s"), vform.CountryCode))
 			return
 		} else {
-			sendResp = object.SendVerificationCodeToPhone(organization, user, provider, remoteAddr, phone)
+			sendResp = object.SendVerificationCodeToPhone(organization, user, provider, clientIp, phone)
 		}
 	}

@ -532,5 +534,6 @@ func (c *ApiController) VerifyCode() {
 	}

 	c.SetSession("verifiedCode", authForm.Code)
+	c.SetSession("verifiedUserId", user.GetId())
 	c.ResponseOk()
 }
--- a/deployment/deploy.go
+++ b/deployment/deploy.go
@ -27,7 +27,18 @@ import (
 )

 func deployStaticFiles(provider *object.Provider) {
-	storageProvider, err := storage.GetStorageProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.RegionId, provider.Bucket, provider.Endpoint)
+	certificate := ""
+	if provider.Category == "Storage" && provider.Type == "Casdoor" {
+		cert, err := object.GetCert(util.GetId(provider.Owner, provider.Cert))
+		if err != nil {
+			panic(err)
+		}
+		if cert == nil {
+			panic(err)
+		}
+		certificate = cert.Certificate
+	}
+	storageProvider, err := storage.GetStorageProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.RegionId, provider.Bucket, provider.Endpoint, certificate, provider.Content)
 	if err != nil {
 		panic(err)
 	}
--- a/form/auth.go
+++ b/form/auth.go
@ -26,6 +26,10 @@ type AuthForm struct {
 	Name           string `json:"name"`
 	FirstName      string `json:"firstName"`
 	LastName       string `json:"lastName"`
+	Gender         string `json:"gender"`
+	Bio            string `json:"bio"`
+	Tag            string `json:"tag"`
+	Education      string `json:"education"`
 	Email          string `json:"email"`
 	Phone          string `json:"phone"`
 	Affiliation    string `json:"affiliation"`
--- a/go.mod
+++ b/go.mod
@ -11,8 +11,9 @@ require (
 	github.com/casbin/casbin/v2 v2.77.2
 	github.com/casdoor/go-sms-sender v0.24.0
 	github.com/casdoor/gomail/v2 v2.0.1
+	github.com/casdoor/ldapserver v1.2.0
 	github.com/casdoor/notify v0.45.0
-	github.com/casdoor/oss v1.7.0
+	github.com/casdoor/oss v1.8.0
 	github.com/casdoor/xorm-adapter/v3 v3.1.0
 	github.com/casvisor/casvisor-go-sdk v1.4.0
 	github.com/dchest/captcha v0.0.0-20200903113550-03f5f0333e1f
@ -20,7 +21,6 @@ require (
 	github.com/elazarl/go-bindata-assetfs v1.0.1 // indirect
 	github.com/elimity-com/scim v0.0.0-20230426070224-941a5eac92f3
 	github.com/fogleman/gg v1.3.0
-	github.com/forestmgy/ldapserver v1.1.0
 	github.com/go-asn1-ber/asn1-ber v1.5.5
 	github.com/go-git/go-git/v5 v5.11.0
 	github.com/go-ldap/ldap/v3 v3.4.6
@ -30,7 +30,7 @@ require (
 	github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible
 	github.com/go-webauthn/webauthn v0.6.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
-	github.com/google/uuid v1.4.0
+	github.com/google/uuid v1.6.0
 	github.com/json-iterator/go v1.1.12
 	github.com/lestrrat-go/jwx v1.2.29
 	github.com/lib/pq v1.10.9
--- a/go.sum
+++ b/go.sum
@ -1083,16 +1083,20 @@ github.com/casbin/casbin/v2 v2.28.3/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRt
 github.com/casbin/casbin/v2 v2.37.0/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRtgrQfcJqHg=
 github.com/casbin/casbin/v2 v2.77.2 h1:yQinn/w9x8AswiwqwtrXz93VU48R1aYTXdHEx4RI3jM=
 github.com/casbin/casbin/v2 v2.77.2/go.mod h1:mzGx0hYW9/ksOSpw3wNjk3NRAroq5VMFYUQ6G43iGPk=
+github.com/casdoor/casdoor-go-sdk v0.50.0 h1:bUYbz/MzJuWfLKJbJM0+U0YpYewAur+THp5TKnufWZM=
+github.com/casdoor/casdoor-go-sdk v0.50.0/go.mod h1:cMnkCQJgMYpgAlgEx8reSt1AVaDIQLcJ1zk5pzBaz+4=
 github.com/casdoor/go-reddit/v2 v2.1.0 h1:kIbfdJ7AA7H0uTQ8s0q4GGZqSS5V9wVE74RrXyD9XPs=
 github.com/casdoor/go-reddit/v2 v2.1.0/go.mod h1:eagkvwlZ4Hcsuc/uQsLHYEulz5jN65SVSwV/AIE7zsc=
 github.com/casdoor/go-sms-sender v0.24.0 h1:LNLsce3EG/87I3JS6UiajF3LlQmdIiCgebEu0IE4wSM=
 github.com/casdoor/go-sms-sender v0.24.0/go.mod h1:bOm4H8/YfJmEHjBatEVQFOnAf0OOn1B0Wi5B7zDhws0=
 github.com/casdoor/gomail/v2 v2.0.1 h1:J+FG6x80s9e5lBHUn8Sv0Y56mud34KiWih5YdmudR/w=
 github.com/casdoor/gomail/v2 v2.0.1/go.mod h1:VnGPslEAtpix5FjHisR/WKB1qvZDBaujbikxDe9d+2Q=
+github.com/casdoor/ldapserver v1.2.0 h1:HdSYe+ULU6z9K+2BqgTrJKQRR4//ERAXB64ttOun6Ow=
+github.com/casdoor/ldapserver v1.2.0/go.mod h1:VwYU2vqQ2pA8sa00PRekH71R2XmgfzMKhmp1XrrDu2s=
 github.com/casdoor/notify v0.45.0 h1:OlaFvcQFjGOgA4mRx07M8AH1gvb5xNo21mcqrVGlLgk=
 github.com/casdoor/notify v0.45.0/go.mod h1:wNHQu0tiDROMBIvz0j3Om3Lhd5yZ+AIfnFb8MYb8OLQ=
-github.com/casdoor/oss v1.7.0 h1:VCOuD+CcD0MAA99p6JTyUak14bVR6UsaeyuTaVg0Mrs=
-github.com/casdoor/oss v1.7.0/go.mod h1:rJAWA0hLhtu94t6IRpotLUkXO1NWMASirywQYaGizJE=
+github.com/casdoor/oss v1.8.0 h1:uuyKhDIp7ydOtV4lpqhAY23Ban2Ln8La8+QT36CwylM=
+github.com/casdoor/oss v1.8.0/go.mod h1:uaqO7KBI2lnZcnB8rF7O6C2bN7llIbfC5Ql8ex1yR1U=
 github.com/casdoor/xorm-adapter/v3 v3.1.0 h1:NodWayRtSLVSeCvL9H3Hc61k0G17KhV9IymTCNfh3kk=
 github.com/casdoor/xorm-adapter/v3 v3.1.0/go.mod h1:4WTcUw+bTgBylGHeGHzTtBvuTXRS23dtwzFLl9tsgFM=
 github.com/casvisor/casvisor-go-sdk v1.4.0 h1:hbZEGGJ1cwdHFAxeXrMoNw6yha6Oyg2F0qQhBNCN/dg=
@ -1235,8 +1239,6 @@ github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga
 github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/fogleman/gg v1.3.0 h1:/7zJX8F6AaYQc57WQCyN9cAIz+4bCJGO9B+dyW29am8=
 github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
-github.com/forestmgy/ldapserver v1.1.0 h1:gvil4nuLhqPEL8SugCkFhRyA0/lIvRdwZSqlrw63ll4=
-github.com/forestmgy/ldapserver v1.1.0/go.mod h1:1RZ8lox1QSY7rmbjdmy+sYQXY4Lp7SpGzpdE3+j3IyM=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
@ -1460,8 +1462,9 @@ github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
 github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg=
--- a/i18n/locales/ru/data.json
+++ b/i18n/locales/ru/data.json
@ -15,10 +15,10 @@
    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "Аккаунт для провайдера: %s и имя пользователя: %s (%s) не существует и не может быть зарегистрирован как новый аккаунт. Пожалуйста, обратитесь в службу поддержки IT",
    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "Аккаунт поставщика: %s и имя пользователя: %s (%s) уже связаны с другим аккаунтом: %s (%s)",
    "The application: %s does not exist": "Приложение: %s не существует",
-    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
-    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
-    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
-    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
+    "The login method: login with LDAP is not enabled for the application": "Метод входа в систему: вход с помощью LDAP не включен для приложения",
+    "The login method: login with SMS is not enabled for the application": "Метод входа: вход с помощью SMS не включен для приложения",
+    "The login method: login with email is not enabled for the application": "Метод входа: вход с помощью электронной почты не включен для приложения",
+    "The login method: login with face is not enabled for the application": "Метод входа: вход с помощью лица не включен для приложения",
    "The login method: login with password is not enabled for the application": "Метод входа: вход с паролем не включен для приложения",
    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "Провайдер: %s не включен для приложения",
@ -53,16 +53,16 @@
    "Phone already exists": "Телефон уже существует",
    "Phone cannot be empty": "Телефон не может быть пустым",
    "Phone number is invalid": "Номер телефона является недействительным",
-    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
-    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
-    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
+    "Please register using the email corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь, используя электронную почту, соответствующую коду приглашения",
+    "Please register using the phone  corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь по телефону, соответствующему коду приглашения",
+    "Please register using the username corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь, используя имя пользователя, соответствующее коду приглашения",
    "Session outdated, please login again": "Сессия устарела, пожалуйста, войдите снова",
    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "Пользователю запрещен вход, пожалуйста, обратитесь к администратору",
    "The user: %s doesn't exist in LDAP server": "Пользователь %s не существует на LDAP сервере",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Имя пользователя может состоять только из буквенно-цифровых символов, нижних подчеркиваний или дефисов, не может содержать последовательные дефисы или подчеркивания, а также не может начинаться или заканчиваться на дефис или подчеркивание.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "Значение \\\"%s\\\" для поля аккаунта \\\"%s\\\" не соответствует регулярному значению",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "Значение \\\"%s\\\" поля регистрации \\\"%s\\\" не соответствует регулярному выражению приложения \\\"%s\\\"",
    "Username already exists": "Имя пользователя уже существует",
    "Username cannot be an email address": "Имя пользователя не может быть адресом электронной почты",
    "Username cannot contain white spaces": "Имя пользователя не может содержать пробелы",
@ -78,11 +78,11 @@
  "general": {
    "Missing parameter": "Отсутствующий параметр",
    "Please login first": "Пожалуйста, сначала войдите в систему",
-    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
+    "The organization: %s should have one application at least": "Организация: %s должна иметь хотя бы одно приложение",
    "The user: %s doesn't exist": "Пользователь %s не существует",
    "don't support captchaProvider: ": "неподдерживаемый captchaProvider: ",
    "this operation is not allowed in demo mode": "эта операция не разрешена в демо-режиме",
-    "this operation requires administrator to perform": "this operation requires administrator to perform"
+    "this operation requires administrator to perform": "для выполнения этой операции требуется администратор"
  },
  "ldap": {
    "Ldap server exist": "LDAP-сервер существует"
@ -101,11 +101,11 @@
    "Unknown modify rule %s.": "Неизвестное изменение правила %s."
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+    "The permission: \\\"%s\\\" doesn't exist": "Разрешение: \\\"%s\\\" не существует"
  },
  "provider": {
    "Invalid application id": "Неверный идентификатор приложения",
-    "the provider: %s does not exist": "провайдер: %s не существует"
+    "the provider: %s does not exist": "Провайдер: %s не существует"
  },
  "resource": {
    "User is nil for tag: avatar": "Пользователь равен нулю для тега: аватар",
@ -115,7 +115,7 @@
    "Application %s not found": "Приложение %s не найдено"
  },
  "saml_sp": {
-    "provider %s's category is not SAML": "категория провайдера %s не является SAML"
+    "provider %s's category is not SAML": "Категория провайдера %s не является SAML"
  },
  "service": {
    "Empty parameters for emailForm: %v": "Пустые параметры для emailForm: %v",
@ -148,7 +148,7 @@
  "verification": {
    "Invalid captcha provider.": "Недействительный поставщик CAPTCHA.",
    "Phone number is invalid in your region %s": "Номер телефона недействителен в вашем регионе %s",
-    "The verification code has not been sent yet!": "The verification code has not been sent yet!",
+    "The verification code has not been sent yet!": "Код проверки еще не отправлен!",
    "The verification code has not been sent yet, or has already been used!": "The verification code has not been sent yet, or has already been used!",
    "Turing test failed.": "Тест Тьюринга не удался.",
    "Unable to get the email modify rule.": "Невозможно получить правило изменения электронной почты.",
@ -156,8 +156,8 @@
    "Unknown type": "Неизвестный тип",
    "Wrong verification code!": "Неправильный код подтверждения!",
    "You should verify your code in %d min!": "Вы должны проверить свой код через %d минут!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "Пожалуйста, добавьте поставщика SMS в список \\\"Провайдеры\\\" для приложения: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "Пожалуйста, добавьте поставщика электронной почты в список \\\"Провайдеры\\\" для приложения: %s",
    "the user does not exist, please sign up first": "Пользователь не существует, пожалуйста, сначала зарегистрируйтесь"
  },
  "webauthn": {
--- a/idp/alipay.go
+++ b/idp/alipay.go
@ -200,7 +200,7 @@ func (idp *AlipayIdProvider) postWithBody(body interface{}, targetUrl string) ([

 	formData.Set("sign", sign)

-	resp, err := idp.Client.PostForm(targetUrl, formData)
+	resp, err := idp.Client.Post(targetUrl, "application/x-www-form-urlencoded;charset=utf-8", strings.NewReader(formData.Encode()))
 	if err != nil {
 		return nil, err
 	}
--- a/ldap/server.go
+++ b/ldap/server.go
@ -21,7 +21,7 @@ import (

 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/object"
-	ldap "github.com/forestmgy/ldapserver"
+	ldap "github.com/casdoor/ldapserver"
 	"github.com/lor00x/goldap/message"
 )

--- a/ldap/util.go
+++ b/ldap/util.go
@ -23,7 +23,7 @@ import (
 	"github.com/casdoor/casdoor/util"
 	"github.com/lor00x/goldap/message"

-	ldap "github.com/forestmgy/ldapserver"
+	ldap "github.com/casdoor/ldapserver"

 	"github.com/xorm-io/builder"
 )
--- a/main.go
+++ b/main.go
@ -56,6 +56,7 @@ func main() {
 	beego.InsertFilter("*", beego.BeforeRouter, routers.StaticFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.AutoSigninFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.CorsFilter)
+	beego.InsertFilter("*", beego.BeforeRouter, routers.TimeoutFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.ApiFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.PrometheusFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.RecordMessage)
@ -71,6 +72,7 @@ func main() {
 		beego.BConfig.WebConfig.Session.SessionProviderConfig = conf.GetConfigString("redisEndpoint")
 	}
 	beego.BConfig.WebConfig.Session.SessionCookieLifeTime = 3600 * 24 * 30
+	beego.BConfig.WebConfig.Session.SessionGCMaxLifetime = 3600 * 24 * 30
 	// beego.BConfig.WebConfig.Session.SessionCookieSameSite = http.SameSiteNoneMode

 	err := logs.SetLogger(logs.AdapterFile, conf.GetConfigString("logConfig"))
--- a/object/application.go
+++ b/object/application.go
@ -31,15 +31,17 @@ type SigninMethod struct {
 }

 type SignupItem struct {
-	Name        string `json:"name"`
-	Visible     bool   `json:"visible"`
-	Required    bool   `json:"required"`
-	Prompted    bool   `json:"prompted"`
-	CustomCss   string `json:"customCss"`
-	Label       string `json:"label"`
-	Placeholder string `json:"placeholder"`
-	Regex       string `json:"regex"`
-	Rule        string `json:"rule"`
+	Name        string   `json:"name"`
+	Visible     bool     `json:"visible"`
+	Required    bool     `json:"required"`
+	Prompted    bool     `json:"prompted"`
+	Type        string   `json:"type"`
+	CustomCss   string   `json:"customCss"`
+	Label       string   `json:"label"`
+	Placeholder string   `json:"placeholder"`
+	Options     []string `json:"options"`
+	Regex       string   `json:"regex"`
+	Rule        string   `json:"rule"`
 }

 type SigninItem struct {
@ -78,13 +80,14 @@ type Application struct {
 	EnableSamlCompress    bool            `json:"enableSamlCompress"`
 	EnableSamlC14n10      bool            `json:"enableSamlC14n10"`
 	EnableSamlPostBinding bool            `json:"enableSamlPostBinding"`
+	UseEmailAsSamlNameId  bool            `json:"useEmailAsSamlNameId"`
 	EnableWebAuthn        bool            `json:"enableWebAuthn"`
 	EnableLinkWithEmail   bool            `json:"enableLinkWithEmail"`
 	OrgChoiceMode         string          `json:"orgChoiceMode"`
 	SamlReplyUrl          string          `xorm:"varchar(100)" json:"samlReplyUrl"`
 	Providers             []*ProviderItem `xorm:"mediumtext" json:"providers"`
 	SigninMethods         []*SigninMethod `xorm:"varchar(2000)" json:"signinMethods"`
-	SignupItems           []*SignupItem   `xorm:"varchar(2000)" json:"signupItems"`
+	SignupItems           []*SignupItem   `xorm:"varchar(3000)" json:"signupItems"`
 	SigninItems           []*SigninItem   `xorm:"mediumtext" json:"signinItems"`
 	GrantTypes            []string        `xorm:"varchar(1000)" json:"grantTypes"`
 	OrganizationObj       *Organization   `xorm:"-" json:"organizationObj"`
@ -92,11 +95,13 @@ type Application struct {
 	Tags                  []string        `xorm:"mediumtext" json:"tags"`
 	SamlAttributes        []*SamlItem     `xorm:"varchar(1000)" json:"samlAttributes"`
 	IsShared              bool            `json:"isShared"`
+	IpRestriction         string          `json:"ipRestriction"`

 	ClientId             string     `xorm:"varchar(100)" json:"clientId"`
 	ClientSecret         string     `xorm:"varchar(100)" json:"clientSecret"`
 	RedirectUris         []string   `xorm:"varchar(1000)" json:"redirectUris"`
 	TokenFormat          string     `xorm:"varchar(100)" json:"tokenFormat"`
+	TokenSigningMethod   string     `xorm:"varchar(100)" json:"tokenSigningMethod"`
 	TokenFields          []string   `xorm:"varchar(1000)" json:"tokenFields"`
 	ExpireInHours        int        `json:"expireInHours"`
 	RefreshExpireInHours int        `json:"refreshExpireInHours"`
@ -104,6 +109,7 @@ type Application struct {
 	SigninUrl            string     `xorm:"varchar(200)" json:"signinUrl"`
 	ForgetUrl            string     `xorm:"varchar(200)" json:"forgetUrl"`
 	AffiliationUrl       string     `xorm:"varchar(100)" json:"affiliationUrl"`
+	IpWhitelist          string     `xorm:"varchar(200)" json:"ipWhitelist"`
 	TermsOfUse           string     `xorm:"varchar(100)" json:"termsOfUse"`
 	SignupHtml           string     `xorm:"mediumtext" json:"signupHtml"`
 	SigninHtml           string     `xorm:"mediumtext" json:"signinHtml"`
@ -530,7 +536,7 @@ func GetMaskedApplication(application *Application, userId string) *Application

 	providerItems := []*ProviderItem{}
 	for _, providerItem := range application.Providers {
-		if providerItem.Provider != nil && (providerItem.Provider.Category == "OAuth" || providerItem.Provider.Category == "Web3" || providerItem.Provider.Category == "Captcha") {
+		if providerItem.Provider != nil && (providerItem.Provider.Category == "OAuth" || providerItem.Provider.Category == "Web3" || providerItem.Provider.Category == "Captcha" || providerItem.Provider.Category == "SAML") {
 			providerItems = append(providerItems, providerItem)
 		}
 	}
@ -717,8 +723,15 @@ func (application *Application) GetId() string {
 }

 func (application *Application) IsRedirectUriValid(redirectUri string) bool {
-	redirectUris := append([]string{"http://localhost:", "https://localhost:", "http://127.0.0.1:", "http://casdoor-app", ".chromiumapp.org"}, application.RedirectUris...)
-	for _, targetUri := range redirectUris {
+	isValid, err := util.IsValidOrigin(redirectUri)
+	if err != nil {
+		panic(err)
+	}
+	if isValid {
+		return true
+	}
+
+	for _, targetUri := range application.RedirectUris {
 		targetUriRegex := regexp.MustCompile(targetUri)
 		if targetUriRegex.MatchString(redirectUri) || strings.Contains(redirectUri, targetUri) {
 			return true
--- a/object/check.go
+++ b/object/check.go
@ -520,11 +520,46 @@ func CheckUsername(username string, lang string) string {
 	return ""
 }

+func CheckUsernameWithEmail(username string, lang string) string {
+	if username == "" {
+		return i18n.Translate(lang, "check:Empty username.")
+	} else if len(username) > 39 {
+		return i18n.Translate(lang, "check:Username is too long (maximum is 39 characters).")
+	}
+
+	// https://stackoverflow.com/questions/58726546/github-username-convention-using-regex
+
+	if !util.ReUserNameWithEmail.MatchString(username) {
+		return i18n.Translate(lang, "check:Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.")
+	}
+	return ""
+}
+
 func CheckUpdateUser(oldUser, user *User, lang string) string {
 	if oldUser.Name != user.Name {
-		if msg := CheckUsername(user.Name, lang); msg != "" {
-			return msg
+		organizationName := oldUser.Owner
+		if organizationName == "" {
+			organizationName = user.Owner
 		}
+
+		organization, err := getOrganization("admin", organizationName)
+		if err != nil {
+			return err.Error()
+		}
+		if organization == nil {
+			return fmt.Sprintf(i18n.Translate(lang, "auth:The organization: %s does not exist"), organizationName)
+		}
+
+		if organization.UseEmailAsUsername {
+			if msg := CheckUsernameWithEmail(user.Name, lang); msg != "" {
+				return msg
+			}
+		} else {
+			if msg := CheckUsername(user.Name, lang); msg != "" {
+				return msg
+			}
+		}
+
 		if HasUserByField(user.Owner, "name", user.Name) {
 			return i18n.Translate(lang, "check:Username already exists")
 		}
@ -539,6 +574,11 @@ func CheckUpdateUser(oldUser, user *User, lang string) string {
 			return i18n.Translate(lang, "check:Phone already exists")
 		}
 	}
+	if oldUser.IpWhitelist != user.IpWhitelist {
+		if err := CheckIpWhitelist(user.IpWhitelist, lang); err != nil {
+			return err.Error()
+		}
+	}

 	return ""
 }
--- a/object/check_ip.go
+++ b/object/check_ip.go
@ -0,0 +1,104 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+	"net"
+	"strings"
+
+	"github.com/casdoor/casdoor/i18n"
+)
+
+func CheckEntryIp(clientIp string, user *User, application *Application, organization *Organization, lang string) error {
+	entryIp := net.ParseIP(clientIp)
+	if entryIp == nil {
+		return fmt.Errorf(i18n.Translate(lang, "check:Failed to parse client IP: %s"), clientIp)
+	} else if entryIp.IsLoopback() {
+		return nil
+	}
+
+	var err error
+	if user != nil {
+		err = isEntryIpAllowd(user.IpWhitelist, entryIp, lang)
+		if err != nil {
+			return fmt.Errorf(err.Error() + user.Name)
+		}
+	}
+
+	if application != nil {
+		err = isEntryIpAllowd(application.IpWhitelist, entryIp, lang)
+		if err != nil {
+			application.IpRestriction = err.Error() + application.Name
+			return fmt.Errorf(err.Error() + application.Name)
+		} else {
+			application.IpRestriction = ""
+		}
+
+		if organization == nil && application.OrganizationObj != nil {
+			organization = application.OrganizationObj
+		}
+	}
+
+	if organization != nil {
+		err = isEntryIpAllowd(organization.IpWhitelist, entryIp, lang)
+		if err != nil {
+			organization.IpRestriction = err.Error() + organization.Name
+			return fmt.Errorf(err.Error() + organization.Name)
+		} else {
+			organization.IpRestriction = ""
+		}
+	}
+
+	return nil
+}
+
+func isEntryIpAllowd(ipWhitelistStr string, entryIp net.IP, lang string) error {
+	if ipWhitelistStr == "" {
+		return nil
+	}
+
+	ipWhitelist := strings.Split(ipWhitelistStr, ",")
+	for _, ip := range ipWhitelist {
+		_, ipNet, err := net.ParseCIDR(ip)
+		if err != nil {
+			return err
+		}
+		if ipNet == nil {
+			return fmt.Errorf(i18n.Translate(lang, "check:CIDR for IP: %s should not be empty"), entryIp.String())
+		}
+
+		if ipNet.Contains(entryIp) {
+			return nil
+		}
+	}
+
+	return fmt.Errorf(i18n.Translate(lang, "check:Your IP address: %s has been banned according to the configuration of: "), entryIp.String())
+}
+
+func CheckIpWhitelist(ipWhitelistStr string, lang string) error {
+	if ipWhitelistStr == "" {
+		return nil
+	}
+
+	ipWhiteList := strings.Split(ipWhitelistStr, ",")
+	for _, ip := range ipWhiteList {
+		if _, _, err := net.ParseCIDR(ip); err != nil {
+			return fmt.Errorf(i18n.Translate(lang, "check:%s does not meet the CIDR format requirements: %s"), ip, err.Error())
+		}
+	}
+
+	return nil
+}
--- a/object/init_data.go
+++ b/object/init_data.go
@ -48,12 +48,16 @@ type InitData struct {
 	Transactions  []*Transaction        `json:"transactions"`
 }

+var initDataNewOnly bool
+
 func InitFromFile() {
 	initDataFile := conf.GetConfigString("initDataFile")
 	if initDataFile == "" {
 		return
 	}

+	initDataNewOnly = conf.GetConfigBool("initDataNewOnly")
+
 	initData, err := readInitDataFromFile(initDataFile)
 	if err != nil {
 		panic(err)
@ -182,6 +186,9 @@ func readInitDataFromFile(filePath string) (*InitData, error) {
 		if organization.Tags == nil {
 			organization.Tags = []string{}
 		}
+		if organization.AccountItems == nil {
+			organization.AccountItems = []*AccountItem{}
+		}
 	}
 	for _, application := range data.Applications {
 		if application.Providers == nil {
@ -266,6 +273,9 @@ func initDefinedOrganization(organization *Organization) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := deleteOrganization(organization)
 		if err != nil {
 			panic(err)
@ -275,7 +285,9 @@ func initDefinedOrganization(organization *Organization) {
 		}
 	}
 	organization.CreatedTime = util.GetCurrentTime()
-	organization.AccountItems = getBuiltInAccountItems()
+	if len(organization.AccountItems) == 0 {
+		organization.AccountItems = getBuiltInAccountItems()
+	}

 	_, err = AddOrganization(organization)
 	if err != nil {
@ -290,6 +302,9 @@ func initDefinedApplication(application *Application) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := deleteApplication(application)
 		if err != nil {
 			panic(err)
@ -311,6 +326,9 @@ func initDefinedUser(user *User) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := deleteUser(user)
 		if err != nil {
 			panic(err)
@ -337,6 +355,9 @@ func initDefinedCert(cert *Cert) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteCert(cert)
 		if err != nil {
 			panic(err)
@ -359,6 +380,9 @@ func initDefinedLdap(ldap *Ldap) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteLdap(ldap)
 		if err != nil {
 			panic(err)
@ -380,6 +404,9 @@ func initDefinedProvider(provider *Provider) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteProvider(provider)
 		if err != nil {
 			panic(err)
@ -401,6 +428,9 @@ func initDefinedModel(model *Model) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteModel(model)
 		if err != nil {
 			panic(err)
@ -423,6 +453,9 @@ func initDefinedPermission(permission *Permission) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := deletePermission(permission)
 		if err != nil {
 			panic(err)
@ -445,6 +478,9 @@ func initDefinedPayment(payment *Payment) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeletePayment(payment)
 		if err != nil {
 			panic(err)
@ -467,6 +503,9 @@ func initDefinedProduct(product *Product) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteProduct(product)
 		if err != nil {
 			panic(err)
@ -489,6 +528,9 @@ func initDefinedResource(resource *Resource) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteResource(resource)
 		if err != nil {
 			panic(err)
@ -511,6 +553,9 @@ func initDefinedRole(role *Role) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := deleteRole(role)
 		if err != nil {
 			panic(err)
@ -533,6 +578,9 @@ func initDefinedSyncer(syncer *Syncer) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteSyncer(syncer)
 		if err != nil {
 			panic(err)
@ -555,6 +603,9 @@ func initDefinedToken(token *Token) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteToken(token)
 		if err != nil {
 			panic(err)
@ -577,6 +628,9 @@ func initDefinedWebhook(webhook *Webhook) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteWebhook(webhook)
 		if err != nil {
 			panic(err)
@ -598,6 +652,9 @@ func initDefinedGroup(group *Group) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := deleteGroup(group)
 		if err != nil {
 			panic(err)
@ -619,6 +676,9 @@ func initDefinedAdapter(adapter *Adapter) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteAdapter(adapter)
 		if err != nil {
 			panic(err)
@ -640,6 +700,9 @@ func initDefinedEnforcer(enforcer *Enforcer) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteEnforcer(enforcer)
 		if err != nil {
 			panic(err)
@ -661,6 +724,9 @@ func initDefinedPlan(plan *Plan) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeletePlan(plan)
 		if err != nil {
 			panic(err)
@ -682,6 +748,9 @@ func initDefinedPricing(pricing *Pricing) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeletePricing(pricing)
 		if err != nil {
 			panic(err)
@ -703,6 +772,9 @@ func initDefinedInvitation(invitation *Invitation) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteInvitation(invitation)
 		if err != nil {
 			panic(err)
@ -738,6 +810,9 @@ func initDefinedSubscription(subscription *Subscription) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteSubscription(subscription)
 		if err != nil {
 			panic(err)
@ -759,6 +834,9 @@ func initDefinedTransaction(transaction *Transaction) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteTransaction(transaction)
 		if err != nil {
 			panic(err)
--- a/object/ldap.go
+++ b/object/ldap.go
@ -32,6 +32,7 @@ type Ldap struct {
 	BaseDn       string   `xorm:"varchar(100)" json:"baseDn"`
 	Filter       string   `xorm:"varchar(200)" json:"filter"`
 	FilterFields []string `xorm:"varchar(100)" json:"filterFields"`
+	DefaultGroup string   `xorm:"varchar(100)" json:"defaultGroup"`

 	AutoSync int    `json:"autoSync"`
 	LastSync string `xorm:"varchar(100)" json:"lastSync"`
@ -148,7 +149,7 @@ func UpdateLdap(ldap *Ldap) (bool, error) {
 	}

 	affected, err := ormer.Engine.ID(ldap.Id).Cols("owner", "server_name", "host",
-		"port", "enable_ssl", "username", "password", "base_dn", "filter", "filter_fields", "auto_sync").Update(ldap)
+		"port", "enable_ssl", "username", "password", "base_dn", "filter", "filter_fields", "auto_sync", "default_group").Update(ldap)
 	if err != nil {
 		return false, nil
 	}
--- a/object/ldap_conn.go
+++ b/object/ldap_conn.go
@ -339,6 +339,10 @@ func SyncLdapUsers(owner string, syncUsers []LdapUser, ldapId string) (existUser
 				Ldap:              syncUser.Uuid,
 			}

+			if ldap.DefaultGroup != "" {
+				newUser.Groups = []string{ldap.DefaultGroup}
+			}
+
 			affected, err := AddUser(newUser)
 			if err != nil {
 				return nil, nil, err
--- a/object/oidc_discovery.go
+++ b/object/oidc_discovery.go
@ -44,6 +44,18 @@ type OidcDiscovery struct {
 	EndSessionEndpoint                     string   `json:"end_session_endpoint"`
 }

+type WebFinger struct {
+	Subject    string             `json:"subject"`
+	Links      []WebFingerLink    `json:"links"`
+	Aliases    *[]string          `json:"aliases,omitempty"`
+	Properties *map[string]string `json:"properties,omitempty"`
+}
+
+type WebFingerLink struct {
+	Rel  string `json:"rel"`
+	Href string `json:"href"`
+}
+
 func isIpAddress(host string) bool {
 	// Attempt to split the host and port, ignoring the error
 	hostWithoutPort, _, err := net.SplitHostPort(host)
@ -112,7 +124,7 @@ func GetOidcDiscovery(host string) OidcDiscovery {
 		ResponseModesSupported:                 []string{"query", "fragment", "login", "code", "link"},
 		GrantTypesSupported:                    []string{"password", "authorization_code"},
 		SubjectTypesSupported:                  []string{"public"},
-		IdTokenSigningAlgValuesSupported:       []string{"RS256"},
+		IdTokenSigningAlgValuesSupported:       []string{"RS256", "RS512", "ES256", "ES384", "ES512"},
 		ScopesSupported:                        []string{"openid", "email", "profile", "address", "phone", "offline_access"},
 		ClaimsSupported:                        []string{"iss", "ver", "sub", "aud", "iat", "exp", "id", "type", "displayName", "avatar", "permanentAvatar", "email", "phone", "location", "affiliation", "title", "homepage", "bio", "tag", "region", "language", "score", "ranking", "isOnline", "isAdmin", "isForbidden", "signupApplication", "ldap"},
 		RequestParameterSupported:              true,
@ -160,3 +172,43 @@ func GetJsonWebKeySet() (jose.JSONWebKeySet, error) {

 	return jwks, nil
 }
+
+func GetWebFinger(resource string, rels []string, host string) (WebFinger, error) {
+	wf := WebFinger{}
+
+	resourceSplit := strings.Split(resource, ":")
+
+	if len(resourceSplit) != 2 {
+		return wf, fmt.Errorf("invalid resource")
+	}
+
+	resourceType := resourceSplit[0]
+	resourceValue := resourceSplit[1]
+
+	oidcDiscovery := GetOidcDiscovery(host)
+
+	switch resourceType {
+	case "acct":
+		user, err := GetUserByEmailOnly(resourceValue)
+		if err != nil {
+			return wf, err
+		}
+
+		if user == nil {
+			return wf, fmt.Errorf("user not found")
+		}
+
+		wf.Subject = resource
+
+		for _, rel := range rels {
+			if rel == "http://openid.net/specs/connect/1.0/issuer" {
+				wf.Links = append(wf.Links, WebFingerLink{
+					Rel:  "http://openid.net/specs/connect/1.0/issuer",
+					Href: oidcDiscovery.Issuer,
+				})
+			}
+		}
+	}
+
+	return wf, nil
+}
--- a/object/organization.go
+++ b/object/organization.go
@ -56,10 +56,13 @@ type Organization struct {
 	WebsiteUrl             string     `xorm:"varchar(100)" json:"websiteUrl"`
 	Logo                   string     `xorm:"varchar(200)" json:"logo"`
 	LogoDark               string     `xorm:"varchar(200)" json:"logoDark"`
-	Favicon                string     `xorm:"varchar(100)" json:"favicon"`
+	Favicon                string     `xorm:"varchar(200)" json:"favicon"`
 	PasswordType           string     `xorm:"varchar(100)" json:"passwordType"`
 	PasswordSalt           string     `xorm:"varchar(100)" json:"passwordSalt"`
 	PasswordOptions        []string   `xorm:"varchar(100)" json:"passwordOptions"`
+	PasswordObfuscatorType string     `xorm:"varchar(100)" json:"passwordObfuscatorType"`
+	PasswordObfuscatorKey  string     `xorm:"varchar(100)" json:"passwordObfuscatorKey"`
+	PasswordExpireDays     int        `json:"passwordExpireDays"`
 	CountryCodes           []string   `xorm:"varchar(200)"  json:"countryCodes"`
 	DefaultAvatar          string     `xorm:"varchar(200)" json:"defaultAvatar"`
 	DefaultApplication     string     `xorm:"varchar(100)" json:"defaultApplication"`
@ -69,19 +72,21 @@ type Organization struct {
 	MasterPassword         string     `xorm:"varchar(100)" json:"masterPassword"`
 	DefaultPassword        string     `xorm:"varchar(100)" json:"defaultPassword"`
 	MasterVerificationCode string     `xorm:"varchar(100)" json:"masterVerificationCode"`
+	IpWhitelist            string     `xorm:"varchar(200)" json:"ipWhitelist"`
 	InitScore              int        `json:"initScore"`
 	EnableSoftDeletion     bool       `json:"enableSoftDeletion"`
 	IsProfilePublic        bool       `json:"isProfilePublic"`
 	UseEmailAsUsername     bool       `json:"useEmailAsUsername"`
 	EnableTour             bool       `json:"enableTour"`
+	IpRestriction          string     `json:"ipRestriction"`

 	MfaItems     []*MfaItem     `xorm:"varchar(300)" json:"mfaItems"`
 	AccountItems []*AccountItem `xorm:"varchar(5000)" json:"accountItems"`
 }

-func GetOrganizationCount(owner, field, value string) (int64, error) {
+func GetOrganizationCount(owner, name, field, value string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")
-	return session.Count(&Organization{})
+	return session.Count(&Organization{Name: name})
 }

 func GetOrganizations(owner string, name ...string) ([]*Organization, error) {
--- a/object/permission_enforcer.go
+++ b/object/permission_enforcer.go
@ -364,7 +364,7 @@ func GetAllActions(userId string) ([]string, error) {

 	res := []string{}
 	for _, enforcer := range enforcers {
-		items := enforcer.GetAllObjects()
+		items := enforcer.GetAllActions()
 		res = append(res, items...)
 	}
 	return res, nil
--- a/object/record.go
+++ b/object/record.go
@ -50,7 +50,7 @@ func maskPassword(recordString string) string {
 }

 func NewRecord(ctx *context.Context) (*casvisorsdk.Record, error) {
-	ip := strings.Replace(util.GetIPFromRequest(ctx.Request), ": ", "", -1)
+	clientIp := strings.Replace(util.GetClientIpFromRequest(ctx.Request), ": ", "", -1)
 	action := strings.Replace(ctx.Request.URL.Path, "/api/", "", -1)
 	requestUri := util.FilterQuery(ctx.Request.RequestURI, []string{"accessToken"})
 	if len(requestUri) > 1000 {
@ -83,7 +83,7 @@ func NewRecord(ctx *context.Context) (*casvisorsdk.Record, error) {
 	record := casvisorsdk.Record{
 		Name:        util.GenerateId(),
 		CreatedTime: util.GetCurrentTime(),
-		ClientIp:    ip,
+		ClientIp:    clientIp,
 		User:        "",
 		Method:      ctx.Request.Method,
 		RequestUri:  requestUri,
--- a/object/resource.go
+++ b/object/resource.go
@ -36,7 +36,7 @@ type Resource struct {
 	FileType    string `xorm:"varchar(100)" json:"fileType"`
 	FileFormat  string `xorm:"varchar(100)" json:"fileFormat"`
 	FileSize    int    `json:"fileSize"`
-	Url         string `xorm:"varchar(255)" json:"url"`
+	Url         string `xorm:"varchar(500)" json:"url"`
 	Description string `xorm:"varchar(255)" json:"description"`
 }

--- a/object/saml_idp.go
+++ b/object/saml_idp.go
@ -65,7 +65,11 @@ func NewSamlResponse(application *Application, user *User, host string, certific
 	assertion.CreateAttr("IssueInstant", now)
 	assertion.CreateElement("saml:Issuer").SetText(host)
 	subject := assertion.CreateElement("saml:Subject")
-	subject.CreateElement("saml:NameID").SetText(user.Name)
+	nameIDValue := user.Name
+	if application.UseEmailAsSamlNameId {
+		nameIDValue = user.Email
+	}
+	subject.CreateElement("saml:NameID").SetText(nameIDValue)
 	subjectConfirmation := subject.CreateElement("saml:SubjectConfirmation")
 	subjectConfirmation.CreateAttr("Method", "urn:oasis:names:tc:SAML:2.0:cm:bearer")
 	subjectConfirmationData := subjectConfirmation.CreateElement("saml:SubjectConfirmationData")
@ -184,17 +188,17 @@ type NameIDFormat struct {
 }

 type SingleSignOnService struct {
-	XMLName  xml.Name
+	// XMLName  xml.Name
 	Binding  string `xml:"Binding,attr"`
 	Location string `xml:"Location,attr"`
 }

 type Attribute struct {
 	// XMLName      xml.Name
+	Xmlns        string   `xml:"xmlns,attr"`
 	Name         string   `xml:"Name,attr"`
 	NameFormat   string   `xml:"NameFormat,attr"`
 	FriendlyName string   `xml:"FriendlyName,attr"`
-	Xmlns        string   `xml:"xmlns,attr"`
 	Values       []string `xml:"AttributeValue"`
 }

@ -386,7 +390,7 @@ func GetSamlResponse(application *Application, user *User, samlRequest string, h
 }

 // NewSamlResponse11 return a saml1.1 response(not 2.0)
-func NewSamlResponse11(user *User, requestID string, host string) (*etree.Element, error) {
+func NewSamlResponse11(application *Application, user *User, requestID string, host string) (*etree.Element, error) {
 	samlResponse := &etree.Element{
 		Space: "samlp",
 		Tag:   "Response",
@ -430,7 +434,11 @@ func NewSamlResponse11(user *User, requestID string, host string) (*etree.Elemen
 	// nameIdentifier inside subject
 	nameIdentifier := subject.CreateElement("saml:NameIdentifier")
 	// nameIdentifier.CreateAttr("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
-	nameIdentifier.SetText(user.Name)
+	if application.UseEmailAsSamlNameId {
+		nameIdentifier.SetText(user.Email)
+	} else {
+		nameIdentifier.SetText(user.Name)
+	}

 	// subjectConfirmation inside subject
 	subjectConfirmation := subject.CreateElement("saml:SubjectConfirmation")
@ -439,7 +447,11 @@ func NewSamlResponse11(user *User, requestID string, host string) (*etree.Elemen
 	attributeStatement := assertion.CreateElement("saml:AttributeStatement")
 	subjectInAttribute := attributeStatement.CreateElement("saml:Subject")
 	nameIdentifierInAttribute := subjectInAttribute.CreateElement("saml:NameIdentifier")
-	nameIdentifierInAttribute.SetText(user.Name)
+	if application.UseEmailAsSamlNameId {
+		nameIdentifierInAttribute.SetText(user.Email)
+	} else {
+		nameIdentifierInAttribute.SetText(user.Name)
+	}

 	subjectConfirmationInAttribute := subjectInAttribute.CreateElement("saml:SubjectConfirmation")
 	subjectConfirmationInAttribute.CreateElement("saml:ConfirmationMethod").SetText("urn:oasis:names:tc:SAML:1.0:cm:artifact")
--- a/object/storage.go
+++ b/object/storage.go
@ -100,12 +100,13 @@ func GetUploadFileUrl(provider *Provider, fullFilePath string, hasTimestamp bool

 	fileUrl := ""
 	if host != "" {
-		fileUrl = util.UrlJoin(host, escapePath(objectKey))
+		// fileUrl = util.UrlJoin(host, escapePath(objectKey))
+		fileUrl = util.UrlJoin(host, objectKey)
 	}

-	if fileUrl != "" && hasTimestamp {
-		fileUrl = fmt.Sprintf("%s?t=%s", fileUrl, util.GetCurrentUnixTime())
-	}
+	// if fileUrl != "" && hasTimestamp {
+	//	fileUrl = fmt.Sprintf("%s?t=%s", fileUrl, util.GetCurrentUnixTime())
+	// }

 	if provider.Type == ProviderTypeTencentCloudCOS {
 		objectKey = escapePath(objectKey)
@ -116,7 +117,18 @@ func GetUploadFileUrl(provider *Provider, fullFilePath string, hasTimestamp bool

 func getStorageProvider(provider *Provider, lang string) (oss.StorageInterface, error) {
 	endpoint := getProviderEndpoint(provider)
-	storageProvider, err := storage.GetStorageProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.RegionId, provider.Bucket, endpoint)
+	certificate := ""
+	if provider.Category == "Storage" && provider.Type == "Casdoor" {
+		cert, err := GetCert(util.GetId(provider.Owner, provider.Cert))
+		if err != nil {
+			return nil, err
+		}
+		if cert == nil {
+			return nil, fmt.Errorf("no cert for %s", provider.Cert)
+		}
+		certificate = cert.Certificate
+	}
+	storageProvider, err := storage.GetStorageProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.RegionId, provider.Bucket, endpoint, certificate, provider.Content)
 	if err != nil {
 		return nil, err
 	}
@ -144,11 +156,15 @@ func uploadFile(provider *Provider, fullFilePath string, fileBuffer *bytes.Buffe
 	fileUrl, objectKey := GetUploadFileUrl(provider, fullFilePath, true)
 	objectKeyRefined := refineObjectKey(provider, objectKey)

-	_, err = storageProvider.Put(objectKeyRefined, fileBuffer)
+	object, err := storageProvider.Put(objectKeyRefined, fileBuffer)
 	if err != nil {
 		return "", "", err
 	}

+	if provider.Type == "Casdoor" {
+		fileUrl = object.Path
+	}
+
 	return fileUrl, objectKey, nil
 }

--- a/object/token.go
+++ b/object/token.go
@ -102,14 +102,6 @@ func GetTokenByAccessToken(accessToken string) (*Token, error) {
 		return nil, err
 	}

-	if !existed {
-		token = Token{AccessToken: accessToken}
-		existed, err = ormer.Engine.Get(&token)
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	if !existed {
 		return nil, nil
 	}
@ -123,14 +115,6 @@ func GetTokenByRefreshToken(refreshToken string) (*Token, error) {
 		return nil, err
 	}

-	if !existed {
-		token = Token{RefreshToken: refreshToken}
-		existed, err = ormer.Engine.Get(&token)
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	if !existed {
 		return nil, nil
 	}
--- a/object/token_cas.go
+++ b/object/token_cas.go
@ -281,7 +281,7 @@ func GetValidationBySaml(samlRequest string, host string) (string, string, error
 		return "", "", fmt.Errorf("the application for user %s is not found", userId)
 	}

-	samlResponse, err := NewSamlResponse11(user, request.RequestID, host)
+	samlResponse, err := NewSamlResponse11(application, user, request.RequestID, host)
 	if err != nil {
 		return "", "", err
 	}
--- a/object/token_jwt.go
+++ b/object/token_jwt.go
@ -17,6 +17,7 @@ package object
 import (
 	"fmt"
 	"reflect"
+	"strings"
 	"time"

 	"github.com/casdoor/casdoor/util"
@ -128,7 +129,7 @@ type UserWithoutThirdIdp struct {
 	LastSigninWrongTime string `xorm:"varchar(100)" json:"lastSigninWrongTime"`
 	SigninWrongTimes    int    `json:"signinWrongTimes"`

-	// ManagedAccounts []ManagedAccount `xorm:"managedAccounts blob" json:"managedAccounts"`
+	ManagedAccounts []ManagedAccount `xorm:"managedAccounts blob" json:"managedAccounts"`
 }

 type ClaimsShort struct {
@ -254,6 +255,8 @@ func getUserWithoutThirdIdp(user *User) *UserWithoutThirdIdp {

 		LastSigninWrongTime: user.LastSigninWrongTime,
 		SigninWrongTimes:    user.SigninWrongTimes,
+
+		ManagedAccounts: user.ManagedAccounts,
 	}

 	return res
@ -376,36 +379,52 @@ func generateJwtToken(application *Application, user *User, nonce string, scope
 		application.TokenFormat = "JWT"
 	}

+	var jwtMethod jwt.SigningMethod
+
+	if application.TokenSigningMethod == "RS256" {
+		jwtMethod = jwt.SigningMethodRS256
+	} else if application.TokenSigningMethod == "RS512" {
+		jwtMethod = jwt.SigningMethodRS512
+	} else if application.TokenSigningMethod == "ES256" {
+		jwtMethod = jwt.SigningMethodES256
+	} else if application.TokenSigningMethod == "ES512" {
+		jwtMethod = jwt.SigningMethodES512
+	} else if application.TokenSigningMethod == "ES384" {
+		jwtMethod = jwt.SigningMethodES384
+	} else {
+		jwtMethod = jwt.SigningMethodRS256
+	}
+
 	// the JWT token length in "JWT-Empty" mode will be very short, as User object only has two properties: owner and name
 	if application.TokenFormat == "JWT" {
 		claimsWithoutThirdIdp := getClaimsWithoutThirdIdp(claims)

-		token = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsWithoutThirdIdp)
+		token = jwt.NewWithClaims(jwtMethod, claimsWithoutThirdIdp)
 		claimsWithoutThirdIdp.ExpiresAt = jwt.NewNumericDate(refreshExpireTime)
 		claimsWithoutThirdIdp.TokenType = "refresh-token"
-		refreshToken = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsWithoutThirdIdp)
+		refreshToken = jwt.NewWithClaims(jwtMethod, claimsWithoutThirdIdp)
 	} else if application.TokenFormat == "JWT-Empty" {
 		claimsShort := getShortClaims(claims)

-		token = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsShort)
+		token = jwt.NewWithClaims(jwtMethod, claimsShort)
 		claimsShort.ExpiresAt = jwt.NewNumericDate(refreshExpireTime)
 		claimsShort.TokenType = "refresh-token"
-		refreshToken = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsShort)
+		refreshToken = jwt.NewWithClaims(jwtMethod, claimsShort)
 	} else if application.TokenFormat == "JWT-Custom" {
 		claimsCustom := getClaimsCustom(claims, application.TokenFields)

-		token = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsCustom)
+		token = jwt.NewWithClaims(jwtMethod, claimsCustom)
 		refreshClaims := getClaimsCustom(claims, application.TokenFields)
 		refreshClaims["exp"] = jwt.NewNumericDate(refreshExpireTime)
 		refreshClaims["TokenType"] = "refresh-token"
-		refreshToken = jwt.NewWithClaims(jwt.SigningMethodRS256, refreshClaims)
+		refreshToken = jwt.NewWithClaims(jwtMethod, refreshClaims)
 	} else if application.TokenFormat == "JWT-Standard" {
 		claimsStandard := getStandardClaims(claims)

-		token = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsStandard)
+		token = jwt.NewWithClaims(jwtMethod, claimsStandard)
 		claimsStandard.ExpiresAt = jwt.NewNumericDate(refreshExpireTime)
 		claimsStandard.TokenType = "refresh-token"
-		refreshToken = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsStandard)
+		refreshToken = jwt.NewWithClaims(jwtMethod, claimsStandard)
 	} else {
 		return "", "", "", fmt.Errorf("unknown application TokenFormat: %s", application.TokenFormat)
 	}
@ -423,34 +442,57 @@ func generateJwtToken(application *Application, user *User, nonce string, scope
 		}
 	}

-	// RSA private key
-	key, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(cert.PrivateKey))
+	var (
+		tokenString        string
+		refreshTokenString string
+		key                interface{}
+	)
+
+	if strings.Contains(application.TokenSigningMethod, "RS") || application.TokenSigningMethod == "" {
+		// RSA private key
+		key, err = jwt.ParseRSAPrivateKeyFromPEM([]byte(cert.PrivateKey))
+	} else if strings.Contains(application.TokenSigningMethod, "ES") {
+		// ES private key
+		key, err = jwt.ParseECPrivateKeyFromPEM([]byte(cert.PrivateKey))
+	} else if strings.Contains(application.TokenSigningMethod, "Ed") {
+		// Ed private key
+		key, err = jwt.ParseEdPrivateKeyFromPEM([]byte(cert.PrivateKey))
+	}
 	if err != nil {
 		return "", "", "", err
 	}

 	token.Header["kid"] = cert.Name
-	tokenString, err := token.SignedString(key)
+	tokenString, err = token.SignedString(key)
 	if err != nil {
 		return "", "", "", err
 	}
-	refreshTokenString, err := refreshToken.SignedString(key)
+	refreshTokenString, err = refreshToken.SignedString(key)

 	return tokenString, refreshTokenString, name, err
 }

 func ParseJwtToken(token string, cert *Cert) (*Claims, error) {
 	t, err := jwt.ParseWithClaims(token, &Claims{}, func(token *jwt.Token) (interface{}, error) {
-		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
-			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
-		}
+		var (
+			certificate interface{}
+			err         error
+		)

 		if cert.Certificate == "" {
 			return nil, fmt.Errorf("the certificate field should not be empty for the cert: %v", cert)
 		}

-		// RSA certificate
-		certificate, err := jwt.ParseRSAPublicKeyFromPEM([]byte(cert.Certificate))
+		if _, ok := token.Method.(*jwt.SigningMethodRSA); ok {
+			// RSA certificate
+			certificate, err = jwt.ParseRSAPublicKeyFromPEM([]byte(cert.Certificate))
+		} else if _, ok := token.Method.(*jwt.SigningMethodECDSA); ok {
+			// ES certificate
+			certificate, err = jwt.ParseECPublicKeyFromPEM([]byte(cert.Certificate))
+		} else {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+
 		if err != nil {
 			return nil, err
 		}
--- a/object/token_oauth.go
+++ b/object/token_oauth.go
@ -332,6 +332,9 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId
 	if err != nil {
 		return nil, err
 	}
+	if user == nil {
+		return "", fmt.Errorf("The user: %s doesn't exist", util.GetId(application.Organization, token.User))
+	}

 	if user.IsForbidden {
 		return &TokenError{
--- a/object/token_standard_jwt.go
+++ b/object/token_standard_jwt.go
@ -18,16 +18,20 @@ import (
 	"fmt"
 	"strings"

+	"github.com/casdoor/casdoor/util"
 	"github.com/golang-jwt/jwt/v4"
 )

 type ClaimsStandard struct {
 	*UserShort
-	Gender    string      `json:"gender,omitempty"`
-	TokenType string      `json:"tokenType,omitempty"`
-	Nonce     string      `json:"nonce,omitempty"`
-	Scope     string      `json:"scope,omitempty"`
-	Address   OIDCAddress `json:"address,omitempty"`
+	EmailVerified       bool        `json:"email_verified,omitempty"`
+	PhoneNumber         string      `json:"phone_number,omitempty"`
+	PhoneNumberVerified bool        `json:"phone_number_verified,omitempty"`
+	Gender              string      `json:"gender,omitempty"`
+	TokenType           string      `json:"tokenType,omitempty"`
+	Nonce               string      `json:"nonce,omitempty"`
+	Scope               string      `json:"scope,omitempty"`
+	Address             OIDCAddress `json:"address,omitempty"`

 	jwt.RegisteredClaims
 }
@ -43,12 +47,14 @@ func getStreetAddress(user *User) string {
 func getStandardClaims(claims Claims) ClaimsStandard {
 	res := ClaimsStandard{
 		UserShort:        getShortUser(claims.User),
+		EmailVerified:    claims.User.EmailVerified,
 		TokenType:        claims.TokenType,
 		Nonce:            claims.Nonce,
 		Scope:            claims.Scope,
 		RegisteredClaims: claims.RegisteredClaims,
 	}

+	res.Phone = ""
 	var scopes []string

 	if strings.Contains(claims.Scope, ",") {
@ -62,6 +68,15 @@ func getStandardClaims(claims Claims) ClaimsStandard {
 			res.Address = OIDCAddress{StreetAddress: getStreetAddress(claims.User)}
 		} else if scope == "profile" {
 			res.Gender = claims.User.Gender
+		} else if scope == "phone" && claims.User.Phone != "" {
+			res.PhoneNumberVerified = true
+			phoneNumber, ok := util.GetE164Number(claims.User.Phone, claims.User.CountryCode)
+			if !ok {
+				res.PhoneNumberVerified = false
+			} else {
+				res.PhoneNumber = phoneNumber
+			}
+
 		}
 	}

--- a/object/user.go
+++ b/object/user.go
@ -206,6 +206,7 @@ type User struct {
 	ManagedAccounts    []ManagedAccount `xorm:"managedAccounts blob" json:"managedAccounts"`
 	MfaAccounts        []MfaAccount     `xorm:"mfaAccounts blob" json:"mfaAccounts"`
 	NeedUpdatePassword bool             `json:"needUpdatePassword"`
+	IpWhitelist        string           `xorm:"varchar(200)" json:"ipWhitelist"`
 }

 type Userinfo struct {
@ -696,7 +697,7 @@ func UpdateUser(id string, user *User, columns []string, isAdmin bool) (bool, er
 			"eveonline", "fitbit", "gitea", "heroku", "influxcloud", "instagram", "intercom", "kakao", "lastfm", "mailru", "meetup",
 			"microsoftonline", "naver", "nextcloud", "onedrive", "oura", "patreon", "paypal", "salesforce", "shopify", "soundcloud",
 			"spotify", "strava", "stripe", "type", "tiktok", "tumblr", "twitch", "twitter", "typetalk", "uber", "vk", "wepay", "xero", "yahoo",
-			"yammer", "yandex", "zoom", "custom", "need_update_password",
+			"yammer", "yandex", "zoom", "custom", "need_update_password", "ip_whitelist",
 		}
 	}
 	if isAdmin {
@ -815,6 +816,10 @@ func AddUser(user *User) (bool, error) {
 		user.UpdateUserPassword(organization)
 	}

+	if user.CreatedTime == "" {
+		user.CreatedTime = util.GetCurrentTime()
+	}
+
 	err = user.UpdateUserHash()
 	if err != nil {
 		return false, err
@ -950,7 +955,17 @@ func DeleteUser(user *User) (bool, error) {
 		return false, err
 	}

-	return deleteUser(user)
+	organization, err := GetOrganizationByUser(user)
+	if err != nil {
+		return false, err
+	}
+	if organization != nil && organization.EnableSoftDeletion {
+		user.IsDeleted = true
+		user.DeletedTime = util.GetCurrentTime()
+		return UpdateUser(user.GetId(), user, []string{"is_deleted", "deleted_time"}, false)
+	} else {
+		return deleteUser(user)
+	}
 }

 func GetUserInfo(user *User, scope string, aud string, host string) (*Userinfo, error) {
--- a/object/user_util.go
+++ b/object/user_util.go
@ -271,113 +271,213 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, lang str

 	if oldUser.Owner != newUser.Owner {
 		item := GetAccountItemByName("Organization", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Owner = oldUser.Owner
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.Name != newUser.Name {
 		item := GetAccountItemByName("Name", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Name = oldUser.Name
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.Id != newUser.Id {
 		item := GetAccountItemByName("ID", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Id = oldUser.Id
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.DisplayName != newUser.DisplayName {
 		item := GetAccountItemByName("Display name", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.DisplayName = oldUser.DisplayName
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.Avatar != newUser.Avatar {
 		item := GetAccountItemByName("Avatar", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Avatar = oldUser.Avatar
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.Type != newUser.Type {
 		item := GetAccountItemByName("User type", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Type = oldUser.Type
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	// The password is *** when not modified
 	if oldUser.Password != newUser.Password && newUser.Password != "***" {
 		item := GetAccountItemByName("Password", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Password = oldUser.Password
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.Email != newUser.Email {
 		item := GetAccountItemByName("Email", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Email = oldUser.Email
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.Phone != newUser.Phone {
 		item := GetAccountItemByName("Phone", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Phone = oldUser.Phone
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.CountryCode != newUser.CountryCode {
 		item := GetAccountItemByName("Country code", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.CountryCode = oldUser.CountryCode
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.Region != newUser.Region {
 		item := GetAccountItemByName("Country/Region", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Region = oldUser.Region
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.Location != newUser.Location {
 		item := GetAccountItemByName("Location", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Location = oldUser.Location
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.Affiliation != newUser.Affiliation {
 		item := GetAccountItemByName("Affiliation", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Affiliation = oldUser.Affiliation
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.Title != newUser.Title {
 		item := GetAccountItemByName("Title", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Title = oldUser.Title
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.Homepage != newUser.Homepage {
 		item := GetAccountItemByName("Homepage", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Homepage = oldUser.Homepage
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.Bio != newUser.Bio {
 		item := GetAccountItemByName("Bio", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Bio = oldUser.Bio
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.Tag != newUser.Tag {
 		item := GetAccountItemByName("Tag", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Tag = oldUser.Tag
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.SignupApplication != newUser.SignupApplication {
 		item := GetAccountItemByName("Signup application", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.SignupApplication = oldUser.SignupApplication
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.Gender != newUser.Gender {
 		item := GetAccountItemByName("Gender", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Gender = oldUser.Gender
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.Birthday != newUser.Birthday {
 		item := GetAccountItemByName("Birthday", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Birthday = oldUser.Birthday
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.Education != newUser.Education {
 		item := GetAccountItemByName("Education", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Education = oldUser.Education
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.IdCard != newUser.IdCard {
 		item := GetAccountItemByName("ID card", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.IdCard = oldUser.IdCard
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.IdCardType != newUser.IdCardType {
 		item := GetAccountItemByName("ID card type", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.IdCardType = oldUser.IdCardType
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	oldUserPropertiesJson, _ := json.Marshal(oldUser.Properties)
 	newUserPropertiesJson, _ := json.Marshal(newUser.Properties)
 	if string(oldUserPropertiesJson) != string(newUserPropertiesJson) {
 		item := GetAccountItemByName("Properties", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Properties = oldUser.Properties
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.PreferredMfaType != newUser.PreferredMfaType {
 		item := GetAccountItemByName("Multi-factor authentication", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.PreferredMfaType = oldUser.PreferredMfaType
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.Groups == nil {
@ -390,7 +490,11 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, lang str
 	newUserGroupsJson, _ := json.Marshal(newUser.Groups)
 	if string(oldUserGroupsJson) != string(newUserGroupsJson) {
 		item := GetAccountItemByName("Groups", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Groups = oldUser.Groups
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.Address == nil {
@ -404,65 +508,125 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, lang str
 	newUserAddressJson, _ := json.Marshal(newUser.Address)
 	if string(oldUserAddressJson) != string(newUserAddressJson) {
 		item := GetAccountItemByName("Address", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Address = oldUser.Address
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if newUser.FaceIds != nil {
 		item := GetAccountItemByName("Face ID", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.FaceIds = oldUser.FaceIds
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.IsAdmin != newUser.IsAdmin {
 		item := GetAccountItemByName("Is admin", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.IsAdmin = oldUser.IsAdmin
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.IsForbidden != newUser.IsForbidden {
 		item := GetAccountItemByName("Is forbidden", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.IsForbidden = oldUser.IsForbidden
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.IsDeleted != newUser.IsDeleted {
 		item := GetAccountItemByName("Is deleted", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.IsDeleted = oldUser.IsDeleted
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}
 	if oldUser.NeedUpdatePassword != newUser.NeedUpdatePassword {
 		item := GetAccountItemByName("Need update password", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.NeedUpdatePassword = oldUser.NeedUpdatePassword
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
+	}
+	if oldUser.IpWhitelist != newUser.IpWhitelist {
+		item := GetAccountItemByName("IP whitelist", organization)
+		if item == nil {
+			newUser.IpWhitelist = oldUser.IpWhitelist
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.Balance != newUser.Balance {
 		item := GetAccountItemByName("Balance", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Balance = oldUser.Balance
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.Score != newUser.Score {
 		item := GetAccountItemByName("Score", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Score = oldUser.Score
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.Karma != newUser.Karma {
 		item := GetAccountItemByName("Karma", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Karma = oldUser.Karma
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.Language != newUser.Language {
 		item := GetAccountItemByName("Language", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Language = oldUser.Language
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.Ranking != newUser.Ranking {
 		item := GetAccountItemByName("Ranking", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Ranking = oldUser.Ranking
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.Currency != newUser.Currency {
 		item := GetAccountItemByName("Currency", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Currency = oldUser.Currency
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	if oldUser.Hash != newUser.Hash {
 		item := GetAccountItemByName("Hash", organization)
-		itemsChanged = append(itemsChanged, item)
+		if item == nil {
+			newUser.Hash = oldUser.Hash
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
 	}

 	for _, accountItem := range itemsChanged {
--- a/object/verification.go
+++ b/object/verification.go
@ -166,19 +166,76 @@ func AddToVerificationRecord(user *User, provider *Provider, remoteAddr, recordT
 	return nil
 }

+func filterRecordIn24Hours(record *VerificationRecord) *VerificationRecord {
+	if record == nil {
+		return nil
+	}
+
+	now := time.Now().Unix()
+	if now-record.Time > 60*60*24 {
+		return nil
+	}
+
+	return record
+}
+
 func getVerificationRecord(dest string) (*VerificationRecord, error) {
-	var record VerificationRecord
+	record := &VerificationRecord{}
 	record.Receiver = dest

-	has, err := ormer.Engine.Desc("time").Where("is_used = false").Get(&record)
+	has, err := ormer.Engine.Desc("time").Where("is_used = false").Get(record)
 	if err != nil {
 		return nil, err
 	}
+
+	record = filterRecordIn24Hours(record)
+	if record == nil {
+		has = false
+	}
+
+	if !has {
+		record = &VerificationRecord{}
+		record.Receiver = dest
+
+		has, err = ormer.Engine.Desc("time").Get(record)
+		if err != nil {
+			return nil, err
+		}
+
+		record = filterRecordIn24Hours(record)
+		if record == nil {
+			has = false
+		}
+
+		if !has {
+			return nil, nil
+		}
+
+		return record, nil
+	}
+
+	return record, nil
+}
+
+func getUnusedVerificationRecord(dest string) (*VerificationRecord, error) {
+	record := &VerificationRecord{}
+	record.Receiver = dest
+
+	has, err := ormer.Engine.Desc("time").Where("is_used = false").Get(record)
+	if err != nil {
+		return nil, err
+	}
+
+	record = filterRecordIn24Hours(record)
+	if record == nil {
+		has = false
+	}
+
 	if !has {
 		return nil, nil
 	}

-	return &record, nil
+	return record, nil
 }

 func CheckVerificationCode(dest string, code string, lang string) (*VerifyResult, error) {
@ -187,7 +244,9 @@ func CheckVerificationCode(dest string, code string, lang string) (*VerifyResult
 		return nil, err
 	}
 	if record == nil {
-		return &VerifyResult{noRecordError, i18n.Translate(lang, "verification:The verification code has not been sent yet, or has already been used!")}, nil
+		return &VerifyResult{noRecordError, i18n.Translate(lang, "verification:The verification code has not been sent yet!")}, nil
+	} else if record.IsUsed {
+		return &VerifyResult{noRecordError, i18n.Translate(lang, "verification:The verification code has already been used!")}, nil
 	}

 	timeoutInMinutes, err := conf.GetConfigInt64("verificationCodeTimeout")
@ -196,9 +255,6 @@ func CheckVerificationCode(dest string, code string, lang string) (*VerifyResult
 	}

 	now := time.Now().Unix()
-	if now-record.Time > timeoutInMinutes*60*10 {
-		return &VerifyResult{noRecordError, i18n.Translate(lang, "verification:The verification code has not been sent yet!")}, nil
-	}
 	if now-record.Time > timeoutInMinutes*60 {
 		return &VerifyResult{timeoutError, fmt.Sprintf(i18n.Translate(lang, "verification:You should verify your code in %d min!"), timeoutInMinutes)}, nil
 	}
@ -211,7 +267,7 @@ func CheckVerificationCode(dest string, code string, lang string) (*VerifyResult
 }

 func DisableVerificationCode(dest string) error {
-	record, err := getVerificationRecord(dest)
+	record, err := getUnusedVerificationRecord(dest)
 	if record == nil || err != nil {
 		return nil
 	}
--- a/routers/authz_filter.go
+++ b/routers/authz_filter.go
@ -56,7 +56,7 @@ func getSubject(ctx *context.Context) (string, string) {
 	return util.GetOwnerAndNameFromId(username)
 }

-func getObject(ctx *context.Context) (string, string) {
+func getObject(ctx *context.Context) (string, string, error) {
 	method := ctx.Request.Method
 	path := ctx.Request.URL.Path

@ -65,13 +65,13 @@ func getObject(ctx *context.Context) (string, string) {
 			if ctx.Input.Query("id") == "/" {
 				adapterId := ctx.Input.Query("adapterId")
 				if adapterId != "" {
-					return util.GetOwnerAndNameFromIdNoCheck(adapterId)
+					return util.GetOwnerAndNameFromIdWithError(adapterId)
 				}
 			} else {
 				// query == "?id=built-in/admin"
 				id := ctx.Input.Query("id")
 				if id != "" {
-					return util.GetOwnerAndNameFromIdNoCheck(id)
+					return util.GetOwnerAndNameFromIdWithError(id)
 				}
 			}
 		}
@ -80,34 +80,34 @@ func getObject(ctx *context.Context) (string, string) {
 			// query == "?id=built-in/admin"
 			id := ctx.Input.Query("id")
 			if id != "" {
-				return util.GetOwnerAndNameFromIdNoCheck(id)
+				return util.GetOwnerAndNameFromIdWithError(id)
 			}
 		}

 		owner := ctx.Input.Query("owner")
 		if owner != "" {
-			return owner, ""
+			return owner, "", nil
 		}

-		return "", ""
+		return "", "", nil
 	} else {
 		if path == "/api/add-policy" || path == "/api/remove-policy" || path == "/api/update-policy" {
 			id := ctx.Input.Query("id")
 			if id != "" {
-				return util.GetOwnerAndNameFromIdNoCheck(id)
+				return util.GetOwnerAndNameFromIdWithError(id)
 			}
 		}

 		body := ctx.Input.RequestBody
 		if len(body) == 0 {
-			return ctx.Request.Form.Get("owner"), ctx.Request.Form.Get("name")
+			return ctx.Request.Form.Get("owner"), ctx.Request.Form.Get("name"), nil
 		}

 		var obj Object
 		err := json.Unmarshal(body, &obj)
 		if err != nil {
-			// panic(err)
-			return "", ""
+			// this is not error
+			return "", "", nil
 		}

 		if path == "/api/delete-resource" {
@ -117,7 +117,7 @@ func getObject(ctx *context.Context) (string, string) {
 			}
 		}

-		return obj.Owner, obj.Name
+		return obj.Owner, obj.Name, nil
 	}
 }

@ -183,7 +183,12 @@ func ApiFilter(ctx *context.Context) {

 	objOwner, objName := "", ""
 	if urlPath != "/api/get-app-login" && urlPath != "/api/get-resource" {
-		objOwner, objName = getObject(ctx)
+		var err error
+		objOwner, objName, err = getObject(ctx)
+		if err != nil {
+			responseError(ctx, err.Error())
+			return
+		}
 	}

 	if strings.HasPrefix(urlPath, "/api/notify-payment") {
--- a/routers/auto_signin_filter.go
+++ b/routers/auto_signin_filter.go
@ -16,6 +16,7 @@ package routers

 import (
 	"fmt"
+	"strings"

 	"github.com/beego/beego/context"
 	"github.com/casdoor/casdoor/object"
@ -23,6 +24,10 @@ import (
 )

 func AutoSigninFilter(ctx *context.Context) {
+	urlPath := ctx.Request.URL.Path
+	if strings.HasPrefix(urlPath, "/api/login/oauth/access_token") {
+		return
+	}
 	//if getSessionUser(ctx) != "" {
 	//	return
 	//}
--- a/routers/cors_filter.go
+++ b/routers/cors_filter.go
@ -16,11 +16,11 @@ package routers

 import (
 	"net/http"
-	"strings"

 	"github.com/beego/beego/context"
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 const (
@ -48,7 +48,17 @@ func CorsFilter(ctx *context.Context) {
 	originHostname := getHostname(origin)
 	host := removePort(ctx.Request.Host)

-	if strings.HasPrefix(origin, "http://localhost") || strings.HasPrefix(origin, "https://localhost") || strings.HasPrefix(origin, "http://127.0.0.1") || strings.HasPrefix(origin, "http://casdoor-app") || strings.Contains(origin, ".chromiumapp.org") {
+	if origin == "null" {
+		origin = ""
+	}
+
+	isValid, err := util.IsValidOrigin(origin)
+	if err != nil {
+		ctx.ResponseWriter.WriteHeader(http.StatusForbidden)
+		responseError(ctx, err.Error())
+		return
+	}
+	if isValid {
 		setCorsHeaders(ctx, origin)
 		return
 	}
--- a/routers/router.go
+++ b/routers/router.go
@ -174,6 +174,8 @@ func initAPI() {
 	beego.Router("/api/get-all-actions", &controllers.ApiController{}, "GET:GetAllActions")
 	beego.Router("/api/get-all-roles", &controllers.ApiController{}, "GET:GetAllRoles")

+	beego.Router("/api/run-casbin-command", &controllers.ApiController{}, "GET:RunCasbinCommand")
+
 	beego.Router("/api/get-sessions", &controllers.ApiController{}, "GET:GetSessions")
 	beego.Router("/api/get-session", &controllers.ApiController{}, "GET:GetSingleSession")
 	beego.Router("/api/update-session", &controllers.ApiController{}, "POST:UpdateSession")
@ -290,6 +292,7 @@ func initAPI() {

 	beego.Router("/.well-known/openid-configuration", &controllers.RootController{}, "GET:GetOidcDiscovery")
 	beego.Router("/.well-known/jwks", &controllers.RootController{}, "*:GetJwks")
+	beego.Router("/.well-known/webfinger", &controllers.RootController{}, "GET:GetWebFinger")

 	beego.Router("/cas/:organization/:application/serviceValidate", &controllers.RootController{}, "GET:CasServiceValidate")
 	beego.Router("/cas/:organization/:application/proxyValidate", &controllers.RootController{}, "GET:CasProxyValidate")
--- a/routers/static_filter.go
+++ b/routers/static_filter.go
@ -43,6 +43,10 @@ func getWebBuildFolder() string {
 		return path
 	}

+	if util.FileExist(filepath.Join(frontendBaseDir, "index.html")) {
+		return frontendBaseDir
+	}
+
 	path = filepath.Join(frontendBaseDir, "web/build")
 	return path
 }
@ -58,7 +62,7 @@ func fastAutoSignin(ctx *context.Context) (string, error) {
 	redirectUri := ctx.Input.Query("redirect_uri")
 	scope := ctx.Input.Query("scope")
 	state := ctx.Input.Query("state")
-	nonce := ""
+	nonce := ctx.Input.Query("nonce")
 	codeChallenge := ctx.Input.Query("code_challenge")
 	if clientId == "" || responseType != "code" || redirectUri == "" {
 		return "", nil
--- a/routers/timeout_filter.go
+++ b/routers/timeout_filter.go
@ -0,0 +1,64 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package routers
+
+import (
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/beego/beego/context"
+	"github.com/casdoor/casdoor/conf"
+)
+
+var (
+	inactiveTimeoutMinutes int64
+	requestTimeMap         sync.Map
+)
+
+func init() {
+	var err error
+	inactiveTimeoutMinutes, err = conf.GetConfigInt64("inactiveTimeoutMinutes")
+	if err != nil {
+		inactiveTimeoutMinutes = 0
+	}
+}
+
+func timeoutLogout(ctx *context.Context, sessionId string) {
+	requestTimeMap.Delete(sessionId)
+	ctx.Input.CruSession.Set("username", "")
+	ctx.Input.CruSession.Set("accessToken", "")
+	ctx.Input.CruSession.Delete("SessionData")
+	responseError(ctx, fmt.Sprintf(T(ctx, "auth:Timeout for inactivity of %d minutes"), inactiveTimeoutMinutes))
+}
+
+func TimeoutFilter(ctx *context.Context) {
+	if inactiveTimeoutMinutes <= 0 {
+		return
+	}
+
+	owner, name := getSubject(ctx)
+	if owner == "anonymous" || name == "anonymous" {
+		return
+	}
+
+	sessionId := ctx.Input.CruSession.SessionID()
+	currentTime := time.Now()
+	preRequestTime, has := requestTimeMap.Load(sessionId)
+	requestTimeMap.Store(sessionId, currentTime)
+	if has && preRequestTime.(time.Time).Add(time.Minute*time.Duration(inactiveTimeoutMinutes)).Before(currentTime) {
+		timeoutLogout(ctx, sessionId)
+	}
+}
--- a/storage/casdoor.go
+++ b/storage/casdoor.go
@ -0,0 +1,19 @@
+package storage
+
+import (
+	"github.com/casdoor/oss"
+	"github.com/casdoor/oss/casdoor"
+)
+
+func NewCasdoorStorageProvider(providerType string, clientId string, clientSecret string, region string, bucket string, endpoint string, cert string, content string) oss.StorageInterface {
+	sp := casdoor.New(&casdoor.Config{
+		clientId,
+		clientSecret,
+		endpoint,
+		cert,
+		region,
+		content,
+		bucket,
+	})
+	return sp
+}
--- a/storage/storage.go
+++ b/storage/storage.go
@ -16,7 +16,7 @@ package storage

 import "github.com/casdoor/oss"

-func GetStorageProvider(providerType string, clientId string, clientSecret string, region string, bucket string, endpoint string) (oss.StorageInterface, error) {
+func GetStorageProvider(providerType string, clientId string, clientSecret string, region string, bucket string, endpoint string, cert string, content string) (oss.StorageInterface, error) {
 	switch providerType {
 	case "Local File System":
 		return NewLocalFileSystemStorageProvider(), nil
@ -36,6 +36,8 @@ func GetStorageProvider(providerType string, clientId string, clientSecret strin
 		return NewGoogleCloudStorageProvider(clientSecret, bucket, endpoint), nil
 	case "Synology":
 		return NewSynologyNasStorageProvider(clientId, clientSecret, endpoint), nil
+	case "Casdoor":
+		return NewCasdoorStorageProvider(providerType, clientId, clientSecret, region, bucket, endpoint, cert, content), nil
 	}

 	return nil, nil
--- a/util/log.go
+++ b/util/log.go
@ -23,50 +23,50 @@ import (
 	"github.com/beego/beego/logs"
 )

-func GetIPInfo(clientIP string) string {
-	if clientIP == "" {
+func getIpInfo(clientIp string) string {
+	if clientIp == "" {
 		return ""
 	}

-	ips := strings.Split(clientIP, ",")
-	res := ""
-	for i := range ips {
-		ip := strings.TrimSpace(ips[i])
-		// desc := GetDescFromIP(ip)
-		ipstr := fmt.Sprintf("%s: %s", ip, "")
-		if i != len(ips)-1 {
-			res += ipstr + " -> "
-		} else {
-			res += ipstr
-		}
-	}
+	ips := strings.Split(clientIp, ",")
+	res := strings.TrimSpace(ips[0])
+	//res := ""
+	//for i := range ips {
+	//	ip := strings.TrimSpace(ips[i])
+	//	ipstr := fmt.Sprintf("%s: %s", ip, "")
+	//	if i != len(ips)-1 {
+	//		res += ipstr + " -> "
+	//	} else {
+	//		res += ipstr
+	//	}
+	//}

 	return res
 }

-func GetIPFromRequest(req *http.Request) string {
-	clientIP := req.Header.Get("x-forwarded-for")
-	if clientIP == "" {
+func GetClientIpFromRequest(req *http.Request) string {
+	clientIp := req.Header.Get("x-forwarded-for")
+	if clientIp == "" {
 		ipPort := strings.Split(req.RemoteAddr, ":")
 		if len(ipPort) >= 1 && len(ipPort) <= 2 {
-			clientIP = ipPort[0]
+			clientIp = ipPort[0]
 		} else if len(ipPort) > 2 {
 			idx := strings.LastIndex(req.RemoteAddr, ":")
-			clientIP = req.RemoteAddr[0:idx]
-			clientIP = strings.TrimLeft(clientIP, "[")
-			clientIP = strings.TrimRight(clientIP, "]")
+			clientIp = req.RemoteAddr[0:idx]
+			clientIp = strings.TrimLeft(clientIp, "[")
+			clientIp = strings.TrimRight(clientIp, "]")
 		}
 	}

-	return GetIPInfo(clientIP)
+	return getIpInfo(clientIp)
 }

 func LogInfo(ctx *context.Context, f string, v ...interface{}) {
-	ipString := fmt.Sprintf("(%s) ", GetIPFromRequest(ctx.Request))
+	ipString := fmt.Sprintf("(%s) ", GetClientIpFromRequest(ctx.Request))
 	logs.Info(ipString+f, v...)
 }

 func LogWarning(ctx *context.Context, f string, v ...interface{}) {
-	ipString := fmt.Sprintf("(%s) ", GetIPFromRequest(ctx.Request))
+	ipString := fmt.Sprintf("(%s) ", GetClientIpFromRequest(ctx.Request))
 	logs.Warning(ipString+f, v...)
 }
--- a/util/obfuscator.go
+++ b/util/obfuscator.go
@ -0,0 +1,76 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package util
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/des"
+	"encoding/hex"
+	"fmt"
+)
+
+func unPaddingPkcs7(s []byte) []byte {
+	length := len(s)
+	if length == 0 {
+		return s
+	}
+	unPadding := int(s[length-1])
+	return s[:(length - unPadding)]
+}
+
+func decryptDesOrAes(passwordCipher string, block cipher.Block) (string, error) {
+	passwordCipherBytes, err := hex.DecodeString(passwordCipher)
+	if err != nil {
+		return "", err
+	}
+
+	if len(passwordCipherBytes) < block.BlockSize() {
+		return "", fmt.Errorf("the password ciphertext should contain a random hexadecimal string of length %d at the beginning", block.BlockSize()*2)
+	}
+
+	iv := passwordCipherBytes[:block.BlockSize()]
+	password := make([]byte, len(passwordCipherBytes)-block.BlockSize())
+
+	mode := cipher.NewCBCDecrypter(block, iv)
+	mode.CryptBlocks(password, passwordCipherBytes[block.BlockSize():])
+
+	return string(unPaddingPkcs7(password)), nil
+}
+
+func GetUnobfuscatedPassword(passwordObfuscatorType string, passwordObfuscatorKey string, passwordCipher string) (string, error) {
+	if passwordObfuscatorType == "Plain" || passwordObfuscatorType == "" {
+		return passwordCipher, nil
+	} else if passwordObfuscatorType == "DES" || passwordObfuscatorType == "AES" {
+		key, err := hex.DecodeString(passwordObfuscatorKey)
+		if err != nil {
+			return "", err
+		}
+
+		var block cipher.Block
+		if passwordObfuscatorType == "DES" {
+			block, err = des.NewCipher(key)
+		} else {
+			block, err = aes.NewCipher(key)
+		}
+		if err != nil {
+			return "", err
+		}
+
+		return decryptDesOrAes(passwordCipher, block)
+	} else {
+		return "", fmt.Errorf("unsupported password obfuscator type: %s", passwordObfuscatorType)
+	}
+}
--- a/util/string.go
+++ b/util/string.go
@ -131,6 +131,15 @@ func GetOwnerAndNameFromId(id string) (string, string) {
 	return tokens[0], tokens[1]
 }

+func GetOwnerAndNameFromIdWithError(id string) (string, string, error) {
+	tokens := strings.Split(id, "/")
+	if len(tokens) != 2 {
+		return "", "", errors.New("GetOwnerAndNameFromId() error, wrong token count for ID: " + id)
+	}
+
+	return tokens[0], tokens[1], nil
+}
+
 func GetOwnerFromId(id string) string {
 	tokens := strings.Split(id, "/")
 	if len(tokens) != 2 {
--- a/util/validation.go
+++ b/util/validation.go
@ -17,6 +17,7 @@ package util
 import (
 	"fmt"
 	"net/mail"
+	"net/url"
 	"regexp"
 	"strings"

@ -24,10 +25,11 @@ import (
 )

 var (
-	rePhone          *regexp.Regexp
-	ReWhiteSpace     *regexp.Regexp
-	ReFieldWhiteList *regexp.Regexp
-	ReUserName       *regexp.Regexp
+	rePhone             *regexp.Regexp
+	ReWhiteSpace        *regexp.Regexp
+	ReFieldWhiteList    *regexp.Regexp
+	ReUserName          *regexp.Regexp
+	ReUserNameWithEmail *regexp.Regexp
 )

 func init() {
@ -35,6 +37,7 @@ func init() {
 	ReWhiteSpace, _ = regexp.Compile(`\s`)
 	ReFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
 	ReUserName, _ = regexp.Compile("^[a-zA-Z0-9]+([-._][a-zA-Z0-9]+)*$")
+	ReUserNameWithEmail, _ = regexp.Compile(`^([a-zA-Z0-9]+([-._][a-zA-Z0-9]+)*)|([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})$`) // Add support for email formats
 }

 func IsEmailValid(email string) bool {
@ -51,6 +54,9 @@ func IsPhoneValid(phone string, countryCode string) bool {
 }

 func IsPhoneAllowInRegin(countryCode string, allowRegions []string) bool {
+	if ContainsString(allowRegions, "All") {
+		return true
+	}
 	return ContainsString(allowRegions, countryCode)
 }

@ -97,3 +103,21 @@ func GetCountryCode(prefix string, phone string) (string, error) {
 func FilterField(field string) bool {
 	return ReFieldWhiteList.MatchString(field)
 }
+
+func IsValidOrigin(origin string) (bool, error) {
+	urlObj, err := url.Parse(origin)
+	if err != nil {
+		return false, err
+	}
+	if urlObj == nil {
+		return false, nil
+	}
+
+	originHostOnly := ""
+	if urlObj.Host != "" {
+		originHostOnly = fmt.Sprintf("%s://%s", urlObj.Scheme, urlObj.Hostname())
+	}
+
+	res := originHostOnly == "http://localhost" || originHostOnly == "https://localhost" || originHostOnly == "http://127.0.0.1" || originHostOnly == "http://casdoor-app" || strings.HasSuffix(originHostOnly, ".chromiumapp.org")
+	return res, nil
+}
--- a/web/package.json
+++ b/web/package.json
@ -27,6 +27,7 @@
    "copy-to-clipboard": "^3.3.1",
    "core-js": "^3.25.0",
    "craco-less": "^2.0.0",
+    "crypto-js": "^4.2.0",
    "echarts": "^5.4.3",
    "ethers": "5.6.9",
    "face-api.js": "^0.22.2",
--- a/web/src/App.js
+++ b/web/src/App.js
@ -344,7 +344,8 @@ class App extends Component {
        window.location.pathname.startsWith("/cas") ||
        window.location.pathname.startsWith("/select-plan") ||
        window.location.pathname.startsWith("/buy-plan") ||
-        window.location.pathname.startsWith("/qrcode") ;
+        window.location.pathname.startsWith("/qrcode") ||
+        window.location.pathname.startsWith("/captcha");
  }

  onClick = ({key}) => {
@ -361,7 +362,11 @@ class App extends Component {
    if (this.isDoorPages()) {
      return (
        <ConfigProvider theme={{
-          algorithm: Setting.getAlgorithm(["default"]),
+          token: {
+            colorPrimary: this.state.themeData.colorPrimary,
+            borderRadius: this.state.themeData.borderRadius,
+          },
+          algorithm: Setting.getAlgorithm(this.state.themeAlgorithm),
        }}>
          <StyleProvider hashPriority="high" transformers={[legacyLogicalPropertiesTransformer]}>
            <Layout id="parent-area">
@ -371,6 +376,7 @@ class App extends Component {
                    <EntryPage
                      account={this.state.account}
                      theme={this.state.themeData}
+                      themeAlgorithm={this.state.themeAlgorithm}
                      updateApplication={(application) => {
                        this.setState({
                          application: application,
@ -445,7 +451,6 @@ class App extends Component {
                setLogoutState={() => {
                  this.setState({
                    account: null,
-                    themeAlgorithm: ["default"],
                  });
                }}
              />
--- a/web/src/App.less
+++ b/web/src/App.less
@ -129,6 +129,15 @@ img {
  background-attachment: fixed;
 }

+.loginBackgroundDark {
+  flex: auto;
+  display: flex;
+  align-items: center;
+  background: #000 no-repeat;
+  background-size: 100% 100%;
+  background-attachment: fixed;
+}
+
 .ant-menu-horizontal {
  border-bottom: none !important;
 }
--- a/web/src/ApplicationEditPage.js
+++ b/web/src/ApplicationEditPage.js
@ -46,12 +46,18 @@ require("codemirror/mode/css/css");
 const {Option} = Select;

 const template = `<style>
-  .login-panel{
+  .login-panel {
    padding: 40px 70px 0 70px;
    border-radius: 10px;
    background-color: #ffffff;
    box-shadow: 0 0 30px 20px rgba(0, 0, 0, 0.20);
-}
+  }
+  .login-panel-dark {
+    padding: 40px 70px 0 70px;
+    border-radius: 10px;
+    background-color: #333333;
+    box-shadow: 0 0 30px 20px rgba(255, 255, 255, 0.20);
+  }
 </style>`;

 const previewGrid = Setting.isMobile() ? 22 : 11;
@ -407,6 +413,16 @@ class ApplicationEditPage extends React.Component {
            />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("application:Token signing method"), i18next.t("application:Token signing method - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Select virtual={false} style={{width: "100%"}} value={this.state.application.tokenSigningMethod === "" ? "RS256" : this.state.application.tokenSigningMethod} onChange={(value => {this.updateApplicationField("tokenSigningMethod", value);})}
+              options={["RS256", "RS512", "ES256", "ES512", "ES384"].map((item) => Setting.getOption(item, item))}
+            />
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("application:Token fields"), i18next.t("application:Token fields - Tooltip"))} :
@ -582,6 +598,16 @@ class ApplicationEditPage extends React.Component {
            }} />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("general:IP whitelist"), i18next.t("general:IP whitelist - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Input placeholder = {this.state.application.organizationObj?.ipWhitelist} value={this.state.application.ipWhitelist} onChange={e => {
+              this.updateApplicationField("ipWhitelist", e.target.value);
+            }} />
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("signup:Terms of Use"), i18next.t("signup:Terms of Use - Tooltip"))} :
@ -693,6 +719,16 @@ class ApplicationEditPage extends React.Component {
            }} />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}}>
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
+            {Setting.getLabel(i18next.t("application:Use Email as NameID"), i18next.t("application:Use Email as NameID - Tooltip"))} :
+          </Col>
+          <Col span={1}>
+            <Switch checked={this.state.application.useEmailAsSamlNameId} onChange={checked => {
+              this.updateApplicationField("useEmailAsSamlNameId", checked);
+            }} />
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
            {Setting.getLabel(i18next.t("application:Enable SAML POST binding"), i18next.t("application:Enable SAML POST binding - Tooltip"))} :
@ -957,6 +993,7 @@ class ApplicationEditPage extends React.Component {
                <SigninTable
                  title={i18next.t("application:Signin items")}
                  table={this.state.application.signinItems}
+                  themeAlgorithm={this.state.themeAlgorithm}
                  onUpdateTable={(value) => {
                    this.updateApplicationField("signinItems", value);
                  }}
--- a/web/src/CaptchaPage.js
+++ b/web/src/CaptchaPage.js
@ -0,0 +1,116 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import React from "react";
+import {CaptchaModal} from "./common/modal/CaptchaModal";
+import * as ApplicationBackend from "./backend/ApplicationBackend";
+import * as Setting from "./Setting";
+
+class CaptchaPage extends React.Component {
+  constructor(props) {
+    super(props);
+    const params = new URLSearchParams(this.props.location.search);
+    this.state = {
+      owner: "admin",
+      application: null,
+      clientId: params.get("client_id"),
+      applicationName: params.get("state"),
+      redirectUri: params.get("redirect_uri"),
+    };
+  }
+
+  componentDidMount() {
+    this.getApplication();
+  }
+
+  onUpdateApplication(application) {
+    this.setState({
+      application: application,
+    });
+  }
+
+  getApplication() {
+    if (this.state.applicationName === null) {
+      return null;
+    }
+
+    ApplicationBackend.getApplication(this.state.owner, this.state.applicationName)
+      .then((res) => {
+        if (res.status === "error") {
+          this.onUpdateApplication(null);
+          this.setState({
+            msg: res.msg,
+          });
+          return ;
+        }
+        this.onUpdateApplication(res.data);
+      });
+  }
+
+  getCaptchaProviderItems(application) {
+    const providers = application?.providers;
+
+    if (providers === undefined || providers === null) {
+      return null;
+    }
+
+    return providers.filter(providerItem => {
+      if (providerItem.provider === undefined || providerItem.provider === null) {
+        return false;
+      }
+
+      return providerItem.provider.category === "Captcha";
+    });
+  }
+
+  callback(values) {
+    Setting.goToLink(`${this.state.redirectUri}?code=${values.captchaToken}&type=${values.captchaType}&secret=${values.clientSecret}&applicationId=${values.applicationId}`);
+  }
+
+  renderCaptchaModal(application) {
+    const captchaProviderItems = this.getCaptchaProviderItems(application);
+    if (captchaProviderItems === null) {
+      return null;
+    }
+    const alwaysProviderItems = captchaProviderItems.filter(providerItem => providerItem.rule === "Always");
+    const dynamicProviderItems = captchaProviderItems.filter(providerItem => providerItem.rule === "Dynamic");
+    const provider = alwaysProviderItems.length > 0
+      ? alwaysProviderItems[0].provider
+      : dynamicProviderItems[0].provider;
+
+    return <CaptchaModal
+      owner={provider.owner}
+      name={provider.name}
+      visible={true}
+      onOk={(captchaType, captchaToken, clientSecret) => {
+        const values = {
+          captchaType: captchaType,
+          captchaToken: captchaToken,
+          clientSecret: clientSecret,
+          applicationId: `${provider.owner}/${provider.name}`,
+        };
+        this.callback(values);
+      }}
+      onCancel={() => this.callback({captchaType: "none", captchaToken: "", clientSecret: ""})}
+      isCurrentProvider={true}
+    />;
+  }
+  render() {
+    return (
+      this.renderCaptchaModal(this.state.application)
+    );
+  }
+}
+
+export default CaptchaPage;
--- a/web/src/CasbinEditor.js
+++ b/web/src/CasbinEditor.js
@ -0,0 +1,97 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import React, {useCallback, useEffect, useRef, useState} from "react";
+import {Controlled as CodeMirror} from "react-codemirror2";
+import "codemirror/lib/codemirror.css";
+import "codemirror/mode/properties/properties";
+import * as Setting from "./Setting";
+import IframeEditor from "./IframeEditor";
+import {Tabs} from "antd";
+
+const {TabPane} = Tabs;
+
+const CasbinEditor = ({model, onModelTextChange}) => {
+  const [activeKey, setActiveKey] = useState("advanced");
+  const iframeRef = useRef(null);
+  const [localModelText, setLocalModelText] = useState(model.modelText);
+
+  const handleModelTextChange = useCallback((newModelText) => {
+    if (!Setting.builtInObject(model)) {
+      setLocalModelText(newModelText);
+      onModelTextChange(newModelText);
+    }
+  }, [model, onModelTextChange]);
+
+  const syncModelText = useCallback(() => {
+    return new Promise((resolve) => {
+      if (activeKey === "advanced" && iframeRef.current) {
+        const handleSyncMessage = (event) => {
+          if (event.data.type === "modelUpdate") {
+            window.removeEventListener("message", handleSyncMessage);
+            handleModelTextChange(event.data.modelText);
+            resolve();
+          }
+        };
+        window.addEventListener("message", handleSyncMessage);
+        iframeRef.current.getModelText();
+      } else {
+        resolve();
+      }
+    });
+  }, [activeKey, handleModelTextChange]);
+
+  const handleTabChange = (key) => {
+    syncModelText().then(() => {
+      setActiveKey(key);
+      if (key === "advanced" && iframeRef.current) {
+        iframeRef.current.updateModelText(localModelText);
+      }
+    });
+  };
+
+  useEffect(() => {
+    setLocalModelText(model.modelText);
+  }, [model.modelText]);
+
+  return (
+    <div style={{height: "100%", width: "100%", display: "flex", flexDirection: "column"}}>
+      <Tabs activeKey={activeKey} onChange={handleTabChange} style={{flex: "0 0 auto", marginTop: "-10px"}}>
+        <TabPane tab="Basic Editor" key="basic" />
+        <TabPane tab="Advanced Editor" key="advanced" />
+      </Tabs>
+      <div style={{flex: "1 1 auto", overflow: "hidden"}}>
+        {activeKey === "advanced" ? (
+          <IframeEditor
+            ref={iframeRef}
+            initialModelText={localModelText}
+            onModelTextChange={handleModelTextChange}
+            style={{width: "100%", height: "100%"}}
+          />
+        ) : (
+          <CodeMirror
+            value={localModelText}
+            className="full-height-editor no-horizontal-scroll-editor"
+            options={{mode: "properties", theme: "default"}}
+            onBeforeChange={(editor, data, value) => {
+              handleModelTextChange(value);
+            }}
+          />
+        )}
+      </div>
+    </div>
+  );
+};
+
+export default CasbinEditor;
--- a/web/src/CertEditPage.js
+++ b/web/src/CertEditPage.js
@ -288,14 +288,14 @@ class CertEditPage extends React.Component {
          Setting.showMessage("success", i18next.t("general:Successfully saved"));
          this.setState({
            certName: this.state.cert.name,
+          }, () => {
+            if (exitAfterSave) {
+              this.props.history.push("/certs");
+            } else {
+              this.props.history.push(`/certs/${this.state.cert.owner}/${this.state.cert.name}`);
+              this.getCert();
+            }
          });
-
-          if (exitAfterSave) {
-            this.props.history.push("/certs");
-          } else {
-            this.props.history.push(`/certs/${this.state.cert.owner}/${this.state.cert.name}`);
-            this.getCert();
-          }
        } else {
          Setting.showMessage("error", `${i18next.t("general:Failed to save")}: ${res.msg}`);
          this.updateCertField("name", this.state.certName);
--- a/web/src/EntryPage.js
+++ b/web/src/EntryPage.js
@ -32,7 +32,9 @@ import {authConfig} from "./auth/Auth";
 import ProductBuyPage from "./ProductBuyPage";
 import PaymentResultPage from "./PaymentResultPage";
 import QrCodePage from "./QrCodePage";
+import CaptchaPage from "./CaptchaPage";
 import CustomHead from "./basic/CustomHead";
+import * as Util from "./auth/Util";

 class EntryPage extends React.Component {
  constructor(props) {
@ -93,10 +95,20 @@ class EntryPage extends React.Component {
        });
    };

+    if (this.state.application?.ipRestriction) {
+      return Util.renderMessageLarge(this, this.state.application.ipRestriction);
+    }
+
+    if (this.state.application?.organizationObj?.ipRestriction) {
+      return Util.renderMessageLarge(this, this.state.application.organizationObj.ipRestriction);
+    }
+
+    const isDarkMode = this.props.themeAlgorithm.includes("dark");
+
    return (
      <React.Fragment>
        <CustomHead headerHtml={this.state.application?.headerHtml} />
-        <div className="loginBackground"
+        <div className={`${isDarkMode ? "loginBackgroundDark" : "loginBackground"}`}
          style={{backgroundImage: Setting.inIframe() || Setting.isMobile() ? null : `url(${this.state.application?.formBackgroundUrl})`}}>
          <Spin size="large" spinning={this.state.application === undefined && this.state.pricing === undefined} tip={i18next.t("login:Loading")}
            style={{margin: "0 auto"}} />
@ -120,8 +132,10 @@ class EntryPage extends React.Component {
            <Route exact path="/buy-plan/:owner/:pricingName" render={(props) => <ProductBuyPage {...this.props} pricing={this.state.pricing} onUpdatePricing={onUpdatePricing} {...props} />} />
            <Route exact path="/buy-plan/:owner/:pricingName/result" render={(props) => <PaymentResultPage {...this.props} pricing={this.state.pricing} onUpdatePricing={onUpdatePricing} {...props} />} />
            <Route exact path="/qrcode/:owner/:paymentName" render={(props) => <QrCodePage {...this.props} onUpdateApplication={onUpdateApplication} {...props} />} />
+            <Route exact path="/captcha" render={(props) => <CaptchaPage {...props} />} />
          </Switch>
        </div>
+
      </React.Fragment>
    );
  }
--- a/web/src/IframeEditor.js
+++ b/web/src/IframeEditor.js
@ -0,0 +1,66 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import React, {forwardRef, useEffect, useImperativeHandle, useRef, useState} from "react";
+
+const IframeEditor = forwardRef(({initialModelText, onModelTextChange}, ref) => {
+  const iframeRef = useRef(null);
+  const [iframeReady, setIframeReady] = useState(false);
+
+  useEffect(() => {
+    const handleMessage = (event) => {
+      if (event.origin !== "https://editor.casbin.org") {return;}
+
+      if (event.data.type === "modelUpdate") {
+        onModelTextChange(event.data.modelText);
+      } else if (event.data.type === "iframeReady") {
+        setIframeReady(true);
+        iframeRef.current?.contentWindow.postMessage({
+          type: "initializeModel",
+          modelText: initialModelText,
+        }, "*");
+      }
+    };
+
+    window.addEventListener("message", handleMessage);
+    return () => window.removeEventListener("message", handleMessage);
+  }, [onModelTextChange, initialModelText]);
+
+  useImperativeHandle(ref, () => ({
+    getModelText: () => {
+      iframeRef.current?.contentWindow.postMessage({type: "getModelText"}, "*");
+    },
+    updateModelText: (newModelText) => {
+      if (iframeReady) {
+        iframeRef.current?.contentWindow.postMessage({
+          type: "updateModelText",
+          modelText: newModelText,
+        }, "*");
+      }
+    },
+  }));
+
+  return (
+    <iframe
+      ref={iframeRef}
+      src="https://editor.casbin.org/model-editor"
+      frameBorder="0"
+      width="100%"
+      height="500px"
+      title="Casbin Model Editor"
+    />
+  );
+});
+
+export default IframeEditor;
--- a/web/src/InvitationEditPage.js
+++ b/web/src/InvitationEditPage.js
@ -20,6 +20,7 @@ import * as ApplicationBackend from "./backend/ApplicationBackend";
 import * as Setting from "./Setting";
 import i18next from "i18next";
 import copy from "copy-to-clipboard";
+import * as GroupBackend from "./backend/GroupBackend";

 const {Option} = Select;

@ -33,6 +34,7 @@ class InvitationEditPage extends React.Component {
      invitation: null,
      organizations: [],
      applications: [],
+      groups: [],
      mode: props.location.mode !== undefined ? props.location.mode : "edit",
    };
  }
@ -41,6 +43,7 @@ class InvitationEditPage extends React.Component {
    this.getInvitation();
    this.getOrganizations();
    this.getApplicationsByOrganization(this.state.organizationName);
+    this.getGroupsByOrganization(this.state.organizationName);
  }

  getInvitation() {
@ -75,6 +78,17 @@ class InvitationEditPage extends React.Component {
      });
  }

+  getGroupsByOrganization(organizationName) {
+    GroupBackend.getGroups(organizationName)
+      .then((res) => {
+        if (res.status === "ok") {
+          this.setState({
+            groups: res.data,
+          });
+        }
+      });
+  }
+
  parseInvitationField(key, value) {
    if ([""].includes(key)) {
      value = Setting.myParseInt(value);
@ -120,7 +134,7 @@ class InvitationEditPage extends React.Component {
            {Setting.getLabel(i18next.t("general:Organization"), i18next.t("general:Organization - Tooltip"))} :
          </Col>
          <Col span={22} >
-            <Select virtual={false} style={{width: "100%"}} disabled={!Setting.isAdminUser(this.props.account) || isCreatedByPlan} value={this.state.invitation.owner} onChange={(value => {this.updateInvitationField("owner", value); this.getApplicationsByOrganization(value);})}>
+            <Select virtual={false} style={{width: "100%"}} disabled={!Setting.isAdminUser(this.props.account) || isCreatedByPlan} value={this.state.invitation.owner} onChange={(value => {this.updateInvitationField("owner", value); this.getApplicationsByOrganization(value);this.getGroupsByOrganization(value);})}>
              {
                this.state.organizations.map((organization, index) => <Option key={index} value={organization.name}>{organization.name}</Option>)
              }
@ -204,6 +218,21 @@ class InvitationEditPage extends React.Component {
              ]} />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("provider:Signup group"), i18next.t("provider:Signup group - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Select virtual={false} style={{width: "100%"}} value={this.state.invitation.signupGroup} onChange={(value => {this.updateInvitationField("signupGroup", value);})}>
+              <Option key={""} value={""}>
+                {i18next.t("general:Default")}
+              </Option>
+              {
+                this.state.groups.map((group, index) => <Option key={index} value={`${group.owner}/${group.name}`}>{group.name}</Option>)
+              }
+            </Select>
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("signup:Username"), i18next.t("signup:Username - Tooltip"))} :
--- a/web/src/LdapEditPage.js
+++ b/web/src/LdapEditPage.js
@ -13,12 +13,13 @@
 // limitations under the License.

 import React from "react";
-import {Button, Card, Col, Input, InputNumber, Row, Select, Switch} from "antd";
-import {EyeInvisibleOutlined, EyeTwoTone} from "@ant-design/icons";
+import {Button, Card, Col, Input, InputNumber, Row, Select, Space, Switch} from "antd";
+import {EyeInvisibleOutlined, EyeTwoTone, HolderOutlined, UsergroupAddOutlined} from "@ant-design/icons";
 import * as LddpBackend from "./backend/LdapBackend";
 import * as OrganizationBackend from "./backend/OrganizationBackend";
 import * as Setting from "./Setting";
 import i18next from "i18next";
+import * as GroupBackend from "./backend/GroupBackend";

 const {Option} = Select;

@ -30,12 +31,14 @@ class LdapEditPage extends React.Component {
      organizationName: props.match.params.organizationName,
      ldap: null,
      organizations: [],
+      groups: null,
    };
  }

  UNSAFE_componentWillMount() {
    this.getLdap();
    this.getOrganizations();
+    this.getGroups();
  }

  getLdap() {
@ -60,6 +63,17 @@ class LdapEditPage extends React.Component {
      });
  }

+  getGroups() {
+    GroupBackend.getGroups(this.state.organizationName)
+      .then((res) => {
+        if (res.status === "ok") {
+          this.setState({
+            groups: res.data,
+          });
+        }
+      });
+  }
+
  updateLdapField(key, value) {
    this.setState((prevState) => {
      prevState.ldap[key] = value;
@ -214,6 +228,31 @@ class LdapEditPage extends React.Component {
            />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{lineHeight: "32px", textAlign: "right", paddingRight: "25px"}} span={3}>
+            {Setting.getLabel(i18next.t("ldap:Default group"), i18next.t("ldap:Default group - Tooltip"))} :
+          </Col>
+          <Col span={21}>
+            <Select virtual={false} style={{width: "100%"}} value={this.state.ldap.defaultGroup ?? []} onChange={(value => {
+              this.updateLdapField("defaultGroup", value);
+            })}
+            >
+              <Option key={""} value={""}>
+                <Space>
+                  {i18next.t("general:Default")}
+                </Space>
+              </Option>
+              {
+                this.state.groups?.map((group) => <Option key={group.name} value={`${group.owner}/${group.name}`}>
+                  <Space>
+                    {group.type === "Physical" ? <UsergroupAddOutlined /> : <HolderOutlined />}
+                    {group.displayName}
+                  </Space>
+                </Option>)
+              }
+            </Select>
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}}>
          <Col style={{lineHeight: "32px", textAlign: "right", paddingRight: "25px"}} span={3}>
            {Setting.getLabel(i18next.t("ldap:Auto Sync"), i18next.t("ldap:Auto Sync - Tooltip"))} :
--- a/web/src/ModelEditPage.js
+++ b/web/src/ModelEditPage.js
@ -18,11 +18,7 @@ import * as ModelBackend from "./backend/ModelBackend";
 import * as OrganizationBackend from "./backend/OrganizationBackend";
 import * as Setting from "./Setting";
 import i18next from "i18next";
-
-import {Controlled as CodeMirror} from "react-codemirror2";
-import "codemirror/lib/codemirror.css";
-
-require("codemirror/mode/properties/properties");
+import ModelEditor from "./CasbinEditor";

 const {Option} = Select;

@ -147,16 +143,10 @@ class ModelEditPage extends React.Component {
            {Setting.getLabel(i18next.t("model:Model text"), i18next.t("model:Model text - Tooltip"))} :
          </Col>
          <Col span={22}>
-            <div style={{width: "100%"}} >
-              <CodeMirror
-                value={this.state.model.modelText}
-                options={{mode: "properties", theme: "default"}}
-                onBeforeChange={(editor, data, value) => {
-                  if (Setting.builtInObject(this.state.model)) {
-                    return;
-                  }
-                  this.updateModelField("modelText", value);
-                }}
+            <div style={{position: "relative", height: "500px"}} >
+              <ModelEditor
+                model={this.state.model}
+                onModelTextChange={(value) => this.updateModelField("modelText", value)}
              />
            </div>
          </Col>
--- a/web/src/OrganizationEditPage.js
+++ b/web/src/OrganizationEditPage.js
@ -19,6 +19,7 @@ import * as ApplicationBackend from "./backend/ApplicationBackend";
 import * as LdapBackend from "./backend/LdapBackend";
 import * as Setting from "./Setting";
 import * as Conf from "./Conf";
+import * as Obfuscator from "./auth/Obfuscator";
 import i18next from "i18next";
 import {LinkOutlined} from "@ant-design/icons";
 import LdapTable from "./table/LdapTable";
@ -112,6 +113,22 @@ class OrganizationEditPage extends React.Component {
    });
  }

+  updatePasswordObfuscator(key, value) {
+    const organization = this.state.organization;
+    if (organization.passwordObfuscatorType === "") {
+      organization.passwordObfuscatorType = "Plain";
+    }
+    if (key === "type") {
+      organization.passwordObfuscatorType = value;
+      organization.passwordObfuscatorKey = Obfuscator.getRandomKeyForObfuscator(value);
+    } else if (key === "key") {
+      organization.passwordObfuscatorKey = value;
+    }
+    this.setState({
+      organization: organization,
+    });
+  }
+
  renderOrganization() {
    return (
      <Card size="small" title={
@ -294,6 +311,44 @@ class OrganizationEditPage extends React.Component {
            />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("general:Password obfuscator"), i18next.t("general:Password obfuscator - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Select virtual={false} style={{width: "100%"}}
+              value={this.state.organization.passwordObfuscatorType}
+              onChange={(value => {this.updatePasswordObfuscator("type", value);})}>
+              {
+                [
+                  {id: "Plain", name: "Plain"},
+                  {id: "AES", name: "AES"},
+                  {id: "DES", name: "DES"},
+                ].map((obfuscatorType, index) => <Option key={index} value={obfuscatorType.id}>{obfuscatorType.name}</Option>)
+              }
+            </Select>
+          </Col>
+        </Row>
+        {
+          (this.state.organization.passwordObfuscatorType === "Plain" || this.state.organization.passwordObfuscatorType === "") ? null : (<Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+              {Setting.getLabel(i18next.t("general:Password obf key"), i18next.t("general:Password obf key - Tooltip"))} :
+            </Col>
+            <Col span={22} >
+              <Input value={this.state.organization.passwordObfuscatorKey} onChange={(e) => {this.updatePasswordObfuscator("key", e.target.value);}} />
+            </Col>
+          </Row>)
+        }
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
+            {Setting.getLabel(i18next.t("organization:Password expire days"), i18next.t("organization:Password expire days - Tooltip"))} :
+          </Col>
+          <Col span={4} >
+            <InputNumber value={this.state.organization.passwordExpireDays} onChange={value => {
+              this.updateOrganizationField("passwordExpireDays", value);
+            }} />
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("general:Supported country codes"), i18next.t("general:Supported country codes - Tooltip"))} :
@ -305,6 +360,7 @@ class OrganizationEditPage extends React.Component {
              }}
              filterOption={(input, option) => (option?.text ?? "").toLowerCase().includes(input.toLowerCase())}
            >
+              {Setting.getCountryCodeOption({name: i18next.t("organization:All"), code: "All", phone: 0})}
              {
                Setting.getCountryCodeData().map((country) => Setting.getCountryCodeOption(country))
              }
@ -406,6 +462,16 @@ class OrganizationEditPage extends React.Component {
            }} />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("general:IP whitelist"), i18next.t("general:IP whitelist - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Input value={this.state.organization.ipWhitelist} onChange={e => {
+              this.updateOrganizationField("ipWhitelist", e.target.value);
+            }} />
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
            {Setting.getLabel(i18next.t("organization:Init score"), i18next.t("organization:Init score - Tooltip"))} :
@ -528,6 +594,12 @@ class OrganizationEditPage extends React.Component {
    const organization = Setting.deepCopy(this.state.organization);
    organization.accountItems = organization.accountItems?.filter(accountItem => accountItem.name !== "Please select an account item");

+    const passwordObfuscatorErrorMessage = Obfuscator.checkPasswordObfuscator(organization.passwordObfuscatorType, organization.passwordObfuscatorKey);
+    if (passwordObfuscatorErrorMessage.length > 0) {
+      Setting.showMessage("error", passwordObfuscatorErrorMessage);
+      return;
+    }
+
    OrganizationBackend.updateOrganization(this.state.organization.owner, this.state.organizationName, organization)
      .then((res) => {
        if (res.status === "ok") {
--- a/web/src/OrganizationListPage.js
+++ b/web/src/OrganizationListPage.js
@ -35,6 +35,9 @@ class OrganizationListPage extends BaseListPage {
      passwordType: "plain",
      PasswordSalt: "",
      passwordOptions: [],
+      passwordObfuscatorType: "Plain",
+      passwordObfuscatorKey: "",
+      passwordExpireDays: 0,
      countryCodes: ["US"],
      defaultAvatar: `${Setting.StaticBaseUrl}/img/casbin.svg`,
      defaultApplication: "",
--- a/web/src/ProviderEditPage.js
+++ b/web/src/ProviderEditPage.js
@ -843,7 +843,7 @@ class ProviderEditPage extends React.Component {
          )
        }
        {
-          this.state.provider.type !== "ADFS" && this.state.provider.type !== "AzureAD" && this.state.provider.type !== "AzureADB2C" && this.state.provider.type !== "Casdoor" && this.state.provider.type !== "Okta" ? null : (
+          this.state.provider.type !== "ADFS" && this.state.provider.type !== "AzureAD" && this.state.provider.type !== "AzureADB2C" && (this.state.provider.type !== "Casdoor" && this.state.category !== "Storage") && this.state.provider.type !== "Okta" ? null : (
            <Row style={{marginTop: "20px"}} >
              <Col style={{marginTop: "5px"}} span={2}>
                {Setting.getLabel(i18next.t("provider:Domain"), i18next.t("provider:Domain - Tooltip"))} :
@ -870,7 +870,7 @@ class ProviderEditPage extends React.Component {
                </Col>
              </Row>
            )}
-            {["Custom HTTP SMS", "Local File System", "MinIO", "Tencent Cloud COS", "Google Cloud Storage", "Qiniu Cloud Kodo", "Synology"].includes(this.state.provider.type) ? null : (
+            {["Custom HTTP SMS", "Local File System", "MinIO", "Tencent Cloud COS", "Google Cloud Storage", "Qiniu Cloud Kodo", "Synology", "Casdoor"].includes(this.state.provider.type) ? null : (
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={2}>
                  {Setting.getLabel(i18next.t("provider:Endpoint (Intranet)"), i18next.t("provider:Region endpoint for Intranet"))} :
@ -885,7 +885,9 @@ class ProviderEditPage extends React.Component {
            {["Custom HTTP SMS", "Local File System"].includes(this.state.provider.type) ? null : (
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={2}>
-                  {Setting.getLabel(i18next.t("provider:Bucket"), i18next.t("provider:Bucket - Tooltip"))} :
+                  {["Casdoor"].includes(this.state.provider.type) ?
+                    Setting.getLabel(i18next.t("general:Provider"), i18next.t("provider:Provider - Tooltip"))
+                    : Setting.getLabel(i18next.t("provider:Bucket"), i18next.t("provider:Bucket - Tooltip"))} :
                </Col>
                <Col span={22} >
                  <Input value={this.state.provider.bucket} onChange={e => {
@ -906,7 +908,7 @@ class ProviderEditPage extends React.Component {
                </Col>
              </Row>
            )}
-            {["Custom HTTP SMS", "Qiniu Cloud Kodo", "Synology"].includes(this.state.provider.type) ? null : (
+            {["Custom HTTP SMS", "Synology", "Casdoor"].includes(this.state.provider.type) ? null : (
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={2}>
                  {Setting.getLabel(i18next.t("provider:Domain"), i18next.t("provider:Domain - Tooltip"))} :
@ -918,10 +920,24 @@ class ProviderEditPage extends React.Component {
                </Col>
              </Row>
            )}
-            {["AWS S3", "Tencent Cloud COS", "Qiniu Cloud Kodo"].includes(this.state.provider.type) ? (
+            {["Casdoor"].includes(this.state.provider.type) ? (
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={2}>
-                  {Setting.getLabel(i18next.t("provider:Region ID"), i18next.t("provider:Region ID - Tooltip"))} :
+                  {Setting.getLabel(i18next.t("general:Organization"), i18next.t("general:Organization - Tooltip"))} :
+                </Col>
+                <Col span={22} >
+                  <Input value={this.state.provider.content} onChange={e => {
+                    this.updateProviderField("content", e.target.value);
+                  }} />
+                </Col>
+              </Row>
+            ) : null}
+            {["AWS S3", "Tencent Cloud COS", "Qiniu Cloud Kodo", "Casdoor"].includes(this.state.provider.type) ? (
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={2}>
+                  {["Casdoor"].includes(this.state.provider.type) ?
+                    Setting.getLabel(i18next.t("general:Application"), i18next.t("general:Application - Tooltip")) :
+                    Setting.getLabel(i18next.t("provider:Region ID"), i18next.t("provider:Region ID - Tooltip"))} :
                </Col>
                <Col span={22} >
                  <Input value={this.state.provider.regionId} onChange={e => {
@ -1298,7 +1314,7 @@ class ProviderEditPage extends React.Component {
          ) : null
        }
        {
-          (this.state.provider.type === "Alipay" || this.state.provider.type === "WeChat Pay") ? (
+          (this.state.provider.type === "Alipay" || this.state.provider.type === "WeChat Pay" || this.state.provider.type === "Casdoor") ? (
            <Row style={{marginTop: "20px"}} >
              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
                {Setting.getLabel(i18next.t("general:Cert"), i18next.t("general:Cert - Tooltip"))} :
--- a/web/src/RoleEditPage.js
+++ b/web/src/RoleEditPage.js
@ -187,7 +187,7 @@ class RoleEditPage extends React.Component {
            {Setting.getLabel(i18next.t("role:Sub users"), i18next.t("role:Sub users - Tooltip"))} :
          </Col>
          <Col span={22} >
-            <Select virtual={false} mode="multiple" style={{width: "100%"}} value={this.state.role.users}
+            <Select virtual={true} mode="multiple" style={{width: "100%"}} value={this.state.role.users}
              onChange={(value => {this.updateRoleField("users", value);})}
              options={this.state.users.map((user) => Setting.getOption(`${user.owner}/${user.name}`, `${user.owner}/${user.name}`))}
            />
--- a/web/src/Setting.js
+++ b/web/src/Setting.js
@ -229,6 +229,10 @@ export const OtherProviderInfo = {
      logo: `${StaticBaseUrl}/img/social_synology.png`,
      url: "https://www.synology.com/en-global/dsm/feature/file_sharing",
    },
+    "Casdoor": {
+      logo: `${StaticBaseUrl}/img/casdoor.png`,
+      url: "https://casdoor.org/docs/provider/storage/overview",
+    },
  },
  SAML: {
    "Aliyun IDaaS": {
@ -279,6 +283,10 @@ export const OtherProviderInfo = {
      logo: `${StaticBaseUrl}/img/captcha_default.png`,
      url: "https://pkg.go.dev/github.com/dchest/captcha",
    },
+    "reCAPTCHA": {
+      logo: `${StaticBaseUrl}/img/social_recaptcha.png`,
+      url: "https://www.google.com/recaptcha",
+    },
    "reCAPTCHA v2": {
      logo: `${StaticBaseUrl}/img/social_recaptcha.png`,
      url: "https://www.google.com/recaptcha",
@ -410,6 +418,9 @@ export function getCountryCode(country) {
 }

 export function getCountryCodeData(countryCodes = phoneNumber.getCountries()) {
+  if (countryCodes?.includes("All")) {
+    countryCodes = phoneNumber.getCountries();
+  }
  return countryCodes?.map((countryCode) => {
    if (phoneNumber.isSupportedCountry(countryCode)) {
      const name = initCountries().getName(countryCode, getLanguage());
@ -428,10 +439,10 @@ export function getCountryCodeOption(country) {
    <Option key={country.code} value={country.code} label={`+${country.phone}`} text={`${country.name}, ${country.code}, ${country.phone}`} >
      <div style={{display: "flex", justifyContent: "space-between", marginRight: "10px"}}>
        <div>
-          {getCountryImage(country)}
+          {country.code === "All" ? null : getCountryImage(country)}
          {`${country.name}`}
        </div>
-        {`+${country.phone}`}
+        {country.code === "All" ? null : `+${country.phone}`}
      </div>
    </Option>
  );
@ -1066,6 +1077,7 @@ export function getProviderTypeOptions(category) {
        {id: "Qiniu Cloud Kodo", name: "Qiniu Cloud Kodo"},
        {id: "Google Cloud Storage", name: "Google Cloud Storage"},
        {id: "Synology", name: "Synology"},
+        {id: "Casdoor", name: "Casdoor"},
      ]
    );
  } else if (category === "SAML") {
@ -1159,7 +1171,7 @@ export function renderLogo(application) {

 function isSigninMethodEnabled(application, signinMethod) {
  if (application && application.signinMethods) {
-    return application.signinMethods.filter(item => item.name === signinMethod).length > 0;
+    return application.signinMethods.filter(item => item.name === signinMethod && item.rule !== "Hide-Password").length > 0;
  } else {
    return false;
  }
@ -1545,3 +1557,7 @@ export function getCurrencyText(product) {
    return "(Unknown currency)";
  }
 }
+
+export function isDarkTheme(themeAlgorithm) {
+  return themeAlgorithm && themeAlgorithm.includes("dark");
+}
--- a/web/src/SyncerEditPage.js
+++ b/web/src/SyncerEditPage.js
@ -434,10 +434,9 @@ class SyncerEditPage extends React.Component {
            {Setting.getLabel(i18next.t("syncer:Table"), i18next.t("syncer:Table - Tooltip"))} :
          </Col>
          <Col span={22} >
-            <Input value={this.state.syncer.table}
-              disabled={this.state.syncer.type === "Keycloak"} onChange={e => {
-                this.updateSyncerField("table", e.target.value);
-              }} />
+            <Input value={this.state.syncer.table} onChange={e => {
+              this.updateSyncerField("table", e.target.value);
+            }} />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
--- a/web/src/UserEditPage.js
+++ b/web/src/UserEditPage.js
@ -1050,6 +1050,8 @@ class UserEditPage extends React.Component {
            <MfaAccountTable
              title={i18next.t("user:MFA accounts")}
              table={this.state.user.mfaAccounts}
+              accessToken={this.props.account?.accessToken}
+              icon={this.state.user.avatar}
              onUpdateTable={(table) => {this.updateUserField("mfaAccounts", table);}}
            />
          </Col>
@ -1068,6 +1070,19 @@ class UserEditPage extends React.Component {
          </Col>
        </Row>
      );
+    } else if (accountItem.name === "IP whitelist") {
+      return (
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("general:IP whitelist"), i18next.t("general:IP whitelist - Tooltip"))} :
+          </Col>
+          <Col span={22}>
+            <Input value={this.state.user.ipWhitelist} onChange={e => {
+              this.updateUserField("ipWhitelist", e.target.value);
+            }} />
+          </Col>
+        </Row>
+      );
    }
  }

--- a/web/src/auth/CasLogout.js
+++ b/web/src/auth/CasLogout.js
@ -34,25 +34,42 @@ class CasLogout extends React.Component {

  UNSAFE_componentWillMount() {
    const params = new URLSearchParams(this.props.location.search);
+    const logoutInterval = 100;
+
+    const logoutTimeOut = (redirectUri) => {
+      setTimeout(() => {
+        AuthBackend.getAccount().then((accountRes) => {
+          if (accountRes.status === "ok") {
+            AuthBackend.logout().then((logoutRes) => {
+              if (logoutRes.status === "ok") {
+                logoutTimeOut(logoutRes.data2);
+              } else {
+                Setting.showMessage("error", `${i18next.t("login:Failed to log out")}: ${logoutRes.msg}`);
+              }
+            });
+          } else {
+            Setting.showMessage("success", i18next.t("application:Logged out successfully"));
+            this.props.onUpdateAccount(null);
+            if (redirectUri !== null && redirectUri !== undefined && redirectUri !== "") {
+              Setting.goToLink(redirectUri);
+            } else if (params.has("service")) {
+              Setting.goToLink(params.get("service"));
+            } else {
+              Setting.goToLinkSoft(this, `/cas/${this.state.owner}/${this.state.applicationName}/login`);
+            }
+          }
+        });
+      }, logoutInterval);
+    };

    AuthBackend.logout()
      .then((res) => {
        if (res.status === "ok") {
-          Setting.showMessage("success", "Logged out successfully");
-          this.props.onUpdateAccount(null);
-          const redirectUri = res.data2;
-          if (redirectUri !== null && redirectUri !== undefined && redirectUri !== "") {
-            Setting.goToLink(redirectUri);
-          } else if (params.has("service")) {
-            Setting.goToLink(params.get("service"));
-          } else {
-            Setting.goToLinkSoft(this, `/cas/${this.state.owner}/${this.state.applicationName}/login`);
-          }
+          logoutTimeOut(res.data2);
        } else {
-          Setting.showMessage("error", `Failed to log out: ${res.msg}`);
+          Setting.showMessage("error", `${i18next.t("login:Failed to log out")}: ${res.msg}`);
        }
      });
-
  }

  render() {
--- a/web/src/auth/LoginPage.js
+++ b/web/src/auth/LoginPage.js
@ -19,6 +19,7 @@ import {withRouter} from "react-router-dom";
 import * as UserWebauthnBackend from "../backend/UserWebauthnBackend";
 import OrganizationSelect from "../common/select/OrganizationSelect";
 import * as Conf from "../Conf";
+import * as Obfuscator from "./Obfuscator";
 import * as AuthBackend from "./AuthBackend";
 import * as OrganizationBackend from "../backend/OrganizationBackend";
 import * as ApplicationBackend from "../backend/ApplicationBackend";
@ -51,7 +52,6 @@ class LoginPage extends React.Component {
      username: null,
      validEmailOrPhone: false,
      validEmail: false,
-      enableCaptchaModal: CaptchaRule.Never,
      openCaptchaModal: false,
      openFaceRecognitionModal: false,
      verifyCaptcha: undefined,
@ -92,17 +92,6 @@ class LoginPage extends React.Component {
    }
    if (prevProps.application !== this.props.application) {
      this.setState({loginMethod: this.getDefaultLoginMethod(this.props.application)});
-
-      const captchaProviderItems = this.getCaptchaProviderItems(this.props.application);
-      if (captchaProviderItems) {
-        if (captchaProviderItems.some(providerItem => providerItem.rule === "Always")) {
-          this.setState({enableCaptchaModal: CaptchaRule.Always});
-        } else if (captchaProviderItems.some(providerItem => providerItem.rule === "Dynamic")) {
-          this.setState({enableCaptchaModal: CaptchaRule.Dynamic});
-        } else {
-          this.setState({enableCaptchaModal: CaptchaRule.Never});
-        }
-      }
    }

    if (prevProps.account !== this.props.account && this.props.account !== undefined) {
@ -132,6 +121,19 @@ class LoginPage extends React.Component {
    }
  }

+  getCaptchaRule(application) {
+    const captchaProviderItems = this.getCaptchaProviderItems(application);
+    if (captchaProviderItems) {
+      if (captchaProviderItems.some(providerItem => providerItem.rule === "Always")) {
+        return CaptchaRule.Always;
+      } else if (captchaProviderItems.some(providerItem => providerItem.rule === "Dynamic")) {
+        return CaptchaRule.Dynamic;
+      } else {
+        return CaptchaRule.Never;
+      }
+    }
+  }
+
  checkCaptchaStatus(values) {
    AuthBackend.getCaptchaStatus(values)
      .then((res) => {
@ -225,6 +227,22 @@ class LoginPage extends React.Component {
    return "password";
  }

+  getCurrentLoginMethod() {
+    if (this.state.loginMethod === "password") {
+      return "Password";
+    } else if (this.state.loginMethod?.includes("verificationCode")) {
+      return "Verification code";
+    } else if (this.state.loginMethod === "webAuthn") {
+      return "WebAuthn";
+    } else if (this.state.loginMethod === "ldap") {
+      return "LDAP";
+    } else if (this.state.loginMethod === "faceId") {
+      return "Face ID";
+    } else {
+      return "Password";
+    }
+  }
+
  getPlaceholder() {
    switch (this.state.loginMethod) {
    case "verificationCode": return i18next.t("login:Email or phone");
@ -260,17 +278,7 @@ class LoginPage extends React.Component {
      values["organization"] = this.getApplicationObj().organization;
    }

-    if (this.state.loginMethod === "password") {
-      values["signinMethod"] = "Password";
-    } else if (this.state.loginMethod?.includes("verificationCode")) {
-      values["signinMethod"] = "Verification code";
-    } else if (this.state.loginMethod === "webAuthn") {
-      values["signinMethod"] = "WebAuthn";
-    } else if (this.state.loginMethod === "ldap") {
-      values["signinMethod"] = "LDAP";
-    } else if (this.state.loginMethod === "faceId") {
-      values["signinMethod"] = "Face ID";
-    }
+    values["signinMethod"] = this.getCurrentLoginMethod();
    const oAuthParams = Util.getOAuthGetParameters();

    values["type"] = oAuthParams?.responseType ?? this.state.type;
@ -379,13 +387,22 @@ class LoginPage extends React.Component {
      return;
    }
    if (this.state.loginMethod === "password" || this.state.loginMethod === "ldap") {
-      if (this.state.enableCaptchaModal === CaptchaRule.Always) {
+      const organization = this.getApplicationObj()?.organizationObj;
+      const [passwordCipher, errorMessage] = Obfuscator.encryptByPasswordObfuscator(organization?.passwordObfuscatorType, organization?.passwordObfuscatorKey, values["password"]);
+      if (errorMessage.length > 0) {
+        Setting.showMessage("error", errorMessage);
+        return;
+      } else {
+        values["password"] = passwordCipher;
+      }
+      const captchaRule = this.getCaptchaRule(this.getApplicationObj());
+      if (captchaRule === CaptchaRule.Always) {
        this.setState({
          openCaptchaModal: true,
          values: values,
        });
        return;
-      } else if (this.state.enableCaptchaModal === CaptchaRule.Dynamic) {
+      } else if (captchaRule === CaptchaRule.Dynamic) {
        this.checkCaptchaStatus(values);
        return;
      }
@ -398,6 +415,7 @@ class LoginPage extends React.Component {
    if (this.state.type === "cas") {
      // CAS
      const casParams = Util.getCasParameters();
+      values["signinMethod"] = this.getCurrentLoginMethod();
      values["type"] = this.state.type;
      AuthBackend.loginCas(values, casParams).then((res) => {
        const loginHandler = (res) => {
@ -426,8 +444,8 @@ class LoginPage extends React.Component {
                    formValues={values}
                    authParams={casParams}
                    application={this.getApplicationObj()}
-                    onFail={() => {
-                      Setting.showMessage("error", i18next.t("mfa:Verification failed"));
+                    onFail={(errorMessage) => {
+                      Setting.showMessage("error", errorMessage);
                    }}
                    onSuccess={(res) => loginHandler(res)}
                  />);
@ -495,8 +513,8 @@ class LoginPage extends React.Component {
                      formValues={values}
                      authParams={oAuthParams}
                      application={this.getApplicationObj()}
-                      onFail={() => {
-                        Setting.showMessage("error", i18next.t("mfa:Verification failed"));
+                      onFail={(errorMessage) => {
+                        Setting.showMessage("error", errorMessage);
                      }}
                      onSuccess={(res) => loginHandler(res)}
                    />);
@ -902,7 +920,7 @@ class LoginPage extends React.Component {
  }

  renderCaptchaModal(application) {
-    if (this.state.enableCaptchaModal === CaptchaRule.Never) {
+    if (this.getCaptchaRule(this.getApplicationObj()) === CaptchaRule.Never) {
      return null;
    }
    const captchaProviderItems = this.getCaptchaProviderItems(application);
@ -938,7 +956,7 @@ class LoginPage extends React.Component {
            signinItem.label ? Setting.renderSignupLink(application, signinItem.label) :
              (
                <React.Fragment>
-                  {i18next.t("login:No account?")}
+                  {i18next.t("login:No account?")}&nbsp;
                  {
                    Setting.renderSignupLink(application, i18next.t("login:sign up now"))
                  }
@ -1125,6 +1143,9 @@ class LoginPage extends React.Component {
    ]);

    application?.signinMethods?.forEach((signinMethod) => {
+      if (signinMethod.rule === "Hide-Password") {
+        return;
+      }
      const item = itemsMap.get(generateItemKey(signinMethod.name, signinMethod.rule));
      if (item) {
        let label = signinMethod.name === signinMethod.displayName ? item.label : signinMethod.displayName;
@ -1279,7 +1300,7 @@ class LoginPage extends React.Component {
        <div className="login-content" style={{margin: this.props.preview ?? this.parseOffset(application.formOffset)}}>
          {Setting.inIframe() || Setting.isMobile() ? null : <div dangerouslySetInnerHTML={{__html: application.formCss}} />}
          {Setting.inIframe() || !Setting.isMobile() ? null : <div dangerouslySetInnerHTML={{__html: application.formCssMobile}} />}
-          <div className="login-panel">
+          <div className={Setting.isDarkTheme(this.props.themeAlgorithm) ? "login-panel-dark" : "login-panel"}>
            <div className="side-image" style={{display: application.formOffset !== 4 ? "none" : null}}>
              <div dangerouslySetInnerHTML={{__html: application.formSideHtml}} />
            </div>
--- a/web/src/auth/MfaSetupPage.js
+++ b/web/src/auth/MfaSetupPage.js
@ -37,7 +37,7 @@ class MfaSetupPage extends React.Component {
    this.state = {
      account: props.account,
      application: null,
-      applicationName: props.account.signupApplication ?? "",
+      applicationName: props.account.signupApplication ?? localStorage.getItem("applicationName") ?? "",
      current: location.state?.from !== undefined ? 1 : 0,
      mfaProps: null,
      mfaType: params.get("mfaType") ?? SmsMfaType,
--- a/web/src/auth/Obfuscator.js
+++ b/web/src/auth/Obfuscator.js
@ -0,0 +1,96 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import CryptoJS from "crypto-js";
+import i18next from "i18next";
+import {Buffer} from "buffer";
+
+export function getRandomKeyForObfuscator(obfuscatorType) {
+  if (obfuscatorType === "DES") {
+    return getRandomHexKey(16);
+  } else if (obfuscatorType === "AES") {
+    return getRandomHexKey(32);
+  } else {
+    return "";
+  }
+}
+
+export const passwordObfuscatorKeyRegexes = {
+  "DES": /^[1-9a-f]{16}$/,
+  "AES": /^[1-9a-f]{32}$/,
+};
+
+function encrypt(cipher, key, iv, password) {
+  const encrypted = cipher.encrypt(
+    CryptoJS.enc.Hex.parse(Buffer.from(password, "utf-8").toString("hex")),
+    CryptoJS.enc.Hex.parse(key),
+    {
+      iv: iv,
+      mode: CryptoJS.mode.CBC,
+      pad: CryptoJS.pad.Pkcs7,
+    }
+  );
+  return iv.concat(encrypted.ciphertext).toString(CryptoJS.enc.Hex);
+}
+
+export function checkPasswordObfuscator(passwordObfuscatorType, passwordObfuscatorKey) {
+  if (passwordObfuscatorType === undefined) {
+    return i18next.t("organization:failed to get password obfuscator");
+  } else if (passwordObfuscatorType === "Plain" || passwordObfuscatorType === "") {
+    return "";
+  } else if (passwordObfuscatorType === "AES" || passwordObfuscatorType === "DES") {
+    if (passwordObfuscatorKeyRegexes[passwordObfuscatorType].test(passwordObfuscatorKey)) {
+      return "";
+    } else {
+      return `${i18next.t("organization:The password obfuscator key doesn't match the regex")}: ${passwordObfuscatorKeyRegexes[passwordObfuscatorType].source}`;
+    }
+  } else {
+    return `${i18next.t("organization:unsupported password obfuscator type")}: ${passwordObfuscatorType}`;
+  }
+}
+
+export function encryptByPasswordObfuscator(passwordObfuscatorType, passwordObfuscatorKey, password) {
+  const passwordObfuscatorErrorMessage = checkPasswordObfuscator(passwordObfuscatorType, passwordObfuscatorKey);
+  if (passwordObfuscatorErrorMessage.length > 0) {
+    return ["", passwordObfuscatorErrorMessage];
+  } else {
+    if (passwordObfuscatorType === "Plain" || passwordObfuscatorType === "") {
+      return [password, ""];
+    } else if (passwordObfuscatorType === "AES") {
+      return [encryptByAes(passwordObfuscatorKey, password), ""];
+    } else if (passwordObfuscatorType === "DES") {
+      return [encryptByDes(passwordObfuscatorKey, password), ""];
+    }
+  }
+}
+
+function encryptByDes(key, password) {
+  const iv = CryptoJS.lib.WordArray.random(8);
+  return encrypt(CryptoJS.DES, key, iv, password);
+}
+
+function encryptByAes(key, password) {
+  const iv = CryptoJS.lib.WordArray.random(16);
+  return encrypt(CryptoJS.AES, key, iv, password);
+}
+
+function getRandomHexKey(length) {
+  const characters = "123456789abcdef";
+  let key = "";
+  for (let i = 0; i < length; i++) {
+    const randomIndex = Math.floor(Math.random() * characters.length);
+    key += characters[randomIndex];
+  }
+  return key;
+}
--- a/web/src/auth/SignupPage.js
+++ b/web/src/auth/SignupPage.js
@ -13,7 +13,7 @@
 // limitations under the License.

 import React from "react";
-import {Button, Form, Input, Radio, Result, Row, message} from "antd";
+import {Button, Form, Input, Radio, Result, Row, Select, message} from "antd";
 import * as Setting from "../Setting";
 import * as AuthBackend from "./AuthBackend";
 import * as ProviderButton from "./ProviderButton";
@ -50,6 +50,38 @@ const formItemLayout = {
  },
 };

+const renderFormItem = (signupItem) => {
+  const commonProps = {
+    name: signupItem.name.toLowerCase(),
+    label: signupItem.label || signupItem.name,
+    rules: [
+      {
+        required: signupItem.required,
+        message: i18next.t(`signup:Please input your ${signupItem.label || signupItem.name}!`),
+      },
+    ],
+  };
+
+  if (!signupItem.type || signupItem.type === "Input") {
+    return (
+      <Form.Item {...commonProps}>
+        <Input placeholder={signupItem.placeholder} />
+      </Form.Item>
+    );
+  } else if (signupItem.type === "Single Choice" || signupItem.type === "Multiple Choices") {
+    return (
+      <Form.Item {...commonProps}>
+        <Select
+          mode={signupItem.type === "Multiple Choices" ? "multiple" : "single"}
+          placeholder={signupItem.placeholder}
+          showSearch={false}
+          options={signupItem.options.map(option => ({label: option, value: option}))}
+        />
+      </Form.Item>
+    );
+  }
+};
+
 export const tailFormItemLayout = {
  wrapperCol: {
    xs: {
@ -198,6 +230,22 @@ class SignupPage extends React.Component {
  onFinish(values) {
    const application = this.getApplicationObj();

+    if (Array.isArray(values.gender)) {
+      values.gender = values.gender.join(", ");
+    }
+
+    if (Array.isArray(values.bio)) {
+      values.bio = values.bio.join(", ");
+    }
+
+    if (Array.isArray(values.tag)) {
+      values.tag = values.tag.join(", ");
+    }
+
+    if (Array.isArray(values.education)) {
+      values.education = values.education.join(", ");
+    }
+
    const params = new URLSearchParams(window.location.search);
    values.plan = params.get("plan");
    values.pricing = params.get("pricing");
@ -238,6 +286,7 @@ class SignupPage extends React.Component {
  }

  renderFormItem(application, signupItem) {
+    const validItems = ["Gender", "Bio", "Tag", "Education"];
    if (!signupItem.visible) {
      return null;
    }
@ -366,7 +415,9 @@ class SignupPage extends React.Component {
            },
          ]}
        >
-          <RegionSelect className="signup-region-select" onChange={(value) => {this.setState({region: value});}} />
+          <RegionSelect className="signup-region-select" onChange={(value) => {
+            this.setState({region: value});
+          }} />
        </Form.Item>
      );
    } else if (signupItem.name === "Email" || signupItem.name === "Phone" || signupItem.name === "Email or Phone" || signupItem.name === "Phone or Email") {
@ -669,8 +720,9 @@ class SignupPage extends React.Component {
            </span>
          );
        })
-
      );
+    } else if (validItems.includes(signupItem.name)) {
+      return renderFormItem(signupItem);
    }
  }

@ -790,7 +842,7 @@ class SignupPage extends React.Component {
        <div className="login-content" style={{margin: this.props.preview ?? this.parseOffset(application.formOffset)}}>
          {Setting.inIframe() || Setting.isMobile() ? null : <div dangerouslySetInnerHTML={{__html: application.formCss}} />}
          {Setting.inIframe() || !Setting.isMobile() ? null : <div dangerouslySetInnerHTML={{__html: application.formCssMobile}} />}
-          <div className="login-panel" >
+          <div className={Setting.isDarkTheme(this.props.themeAlgorithm) ? "login-panel-dark" : "login-panel"}>
            <div className="side-image" style={{display: application.formOffset !== 4 ? "none" : null}}>
              <div dangerouslySetInnerHTML={{__html: application.formSideHtml}} />
            </div>
--- a/web/src/auth/mfa/MfaAuthVerifyForm.js
+++ b/web/src/auth/mfa/MfaAuthVerifyForm.js
@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-import React, {useState} from "react";
+import React, {Fragment, useState} from "react";
 import i18next from "i18next";
 import {Button, Input} from "antd";
 import * as AuthBackend from "../AuthBackend";
@ -67,24 +67,32 @@ export function MfaAuthVerifyForm({formValues, authParams, mfaProps, application

  if (mfaType !== RecoveryMfaType) {
    return (
-      <div style={{width: 300, height: 350}}>
+      <div style={{width: 320, height: 350}}>
        <div style={{marginBottom: 24, textAlign: "center", fontSize: "24px"}}>
          {i18next.t("mfa:Multi-factor authentication")}
        </div>
-        <div style={{marginBottom: 24}}>
-          {i18next.t("mfa:Multi-factor authentication description")}
-        </div>
        {mfaType === SmsMfaType || mfaType === EmailMfaType ? (
-          <MfaVerifySmsForm
-            mfaProps={mfaProps}
-            method={mfaAuth}
-            onFinish={verify}
-            application={application}
-          />) : (
-          <MfaVerifyTotpForm
-            mfaProps={mfaProps}
-            onFinish={verify}
-          />
+          <Fragment>
+            <div style={{marginBottom: 24}}>
+              {i18next.t("mfa:You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue")}
+            </div>
+            <MfaVerifySmsForm
+              mfaProps={mfaProps}
+              method={mfaAuth}
+              onFinish={verify}
+              application={application}
+            />
+          </Fragment>
+        ) : (
+          <Fragment>
+            <div style={{marginBottom: 24}}>
+              {i18next.t("mfa:You have enabled Multi-Factor Authentication, please enter the TOTP code")}
+            </div>
+            <MfaVerifyTotpForm
+              mfaProps={mfaProps}
+              onFinish={verify}
+            />
+          </Fragment>
        )}
        <span style={{float: "right"}}>
          {i18next.t("mfa:Have problems?")}
--- a/web/src/common/CaptchaWidget.js
+++ b/web/src/common/CaptchaWidget.js
@ -27,6 +27,7 @@ export const CaptchaWidget = (props) => {

  useEffect(() => {
    switch (captchaType) {
+    case "reCAPTCHA" :
    case "reCAPTCHA v2": {
      const reTimer = setInterval(() => {
        if (!window.grecaptcha) {
@ -47,9 +48,21 @@ export const CaptchaWidget = (props) => {
        if (!window.grecaptcha) {
          loadScript(`https://recaptcha.net/recaptcha/api.js?render=${siteKey}`);
        }
-        if (window.grecaptcha && window.grecaptcha.execute) {
-          window.grecaptcha.execute(siteKey, {action: "submit"}).then(function(token) {
-            onChange(token);
+        if (window.grecaptcha && window.grecaptcha.render) {
+          const clientId = window.grecaptcha.render("captcha", {
+            "sitekey": siteKey,
+            "badge": "inline",
+            "size": "invisible",
+            "callback": onChange,
+            "error-callback": function() {
+              const logoWidth = `${document.getElementById("captcha").offsetWidth + 40}px`;
+              document.getElementsByClassName("grecaptcha-logo")[0].firstChild.style.width = logoWidth;
+              document.getElementsByClassName("grecaptcha-badge")[0].style.width = logoWidth;
+            },
+          });
+
+          window.grecaptcha.ready(function() {
+            window.grecaptcha.execute(clientId, {action: "submit"});
          });
          clearInterval(reTimer);
        }
--- a/web/src/common/CasdoorAppConnector.js
+++ b/web/src/common/CasdoorAppConnector.js
@ -0,0 +1,121 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import React from "react";
+import {Alert, Button, QRCode} from "antd";
+import * as Setting from "../Setting";
+import i18next from "i18next";
+
+export const generateCasdoorAppUrl = (accessToken, forQrCode = true) => {
+  let qrUrl = "";
+  let error = null;
+
+  if (!accessToken) {
+    error = i18next.t("general:Access token is empty");
+    return {qrUrl, error};
+  }
+
+  qrUrl = `casdoor-app://login?serverUrl=${window.location.origin}&accessToken=${accessToken}`;
+
+  if (forQrCode && qrUrl.length >= 2000) {
+    qrUrl = "";
+    error = i18next.t("general:QR code is too large");
+  }
+
+  return {qrUrl, error};
+};
+
+export const CasdoorAppQrCode = ({accessToken, icon}) => {
+  const {qrUrl, error} = generateCasdoorAppUrl(accessToken, true);
+
+  if (error) {
+    return <Alert message={error} type="error" showIcon />;
+  }
+
+  return (
+    <QRCode
+      value={qrUrl}
+      icon={icon}
+      errorLevel="M"
+      size={230}
+      bordered={false}
+    />
+  );
+};
+
+export const CasdoorAppUrl = ({accessToken}) => {
+  const {qrUrl, error} = generateCasdoorAppUrl(accessToken, false);
+
+  const handleCopyUrl = async() => {
+    if (!window.isSecureContext) {
+      return;
+    }
+
+    try {
+      await navigator.clipboard.writeText(qrUrl);
+      Setting.showMessage("success", i18next.t("general:Copied to clipboard"));
+    } catch (err) {
+      Setting.showMessage("error", i18next.t("general:Failed to copy"));
+    }
+  };
+
+  if (error) {
+    return <Alert message={error} type="error" showIcon />;
+  }
+
+  return (
+    <div>
+      <div style={{
+        display: "flex",
+        justifyContent: "space-between",
+        alignItems: "center",
+        marginBottom: "10px",
+      }}>
+        <span>{i18next.t("general:URL String")}</span>
+        {window.isSecureContext && (
+          <Button
+            size="small"
+            onClick={handleCopyUrl}
+            style={{marginLeft: "10px"}}
+          >
+            {i18next.t("general:Copy URL")}
+          </Button>
+        )}
+      </div>
+      <div
+        style={{
+          padding: "10px",
+          maxWidth: "400px",
+          maxHeight: "100px",
+          overflow: "auto",
+          wordBreak: "break-all",
+          whiteSpace: "pre-wrap",
+          cursor: "pointer",
+          userSelect: "all",
+          backgroundColor: "#f5f5f5",
+          borderRadius: "4px",
+        }}
+        onClick={(e) => {
+          const selection = window.getSelection();
+          const range = document.createRange();
+          range.selectNodeContents(e.target);
+          selection.removeAllRanges();
+          selection.addRange(range);
+        }}
+      >
+        {qrUrl}
+      </div>
+    </div>
+  );
+};
--- a/web/src/common/modal/CaptchaModal.js
+++ b/web/src/common/modal/CaptchaModal.js
@ -115,7 +115,7 @@ export const CaptchaModal = (props) => {
    } else {
      return (
        <Col>
-          <Row>
+          <Row justify={"center"}>
            <CaptchaWidget
              captchaType={captchaType}
              subType={subType}
--- a/web/src/index.css
+++ b/web/src/index.css
@ -51,3 +51,19 @@ code {
 .custom-link:hover {
  color: rgb(64 64 64) !important;
 }
+
+.full-height-editor {
+  height: 100%;
+}
+
+.full-height-editor [class*="CodeMirror"] {
+  height: 100%;
+}
+
+.no-horizontal-scroll-editor [class*="CodeMirror-hscrollbar"] {
+  display: none !important;
+}
+
+.no-horizontal-scroll-editor [class*="CodeMirror-scroll"] {
+  overflow-x: hidden !important;
+}
--- a/web/src/locales/ar/data.json
+++ b/web/src/locales/ar/data.json
@ -74,6 +74,7 @@
    "Left": "Left",
    "Logged in successfully": "Logged in successfully",
    "Logged out successfully": "Logged out successfully",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "New Application",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Signin session",
    "Signup items": "Signup items",
    "Signup items - Tooltip": "Items for users to fill in when registering new accounts",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "The application does not allow to sign up new account",
@ -121,6 +123,10 @@
    "Token fields - Tooltip": "Token fields - Tooltip",
    "Token format": "Token format",
    "Token format - Tooltip": "The format of access token",
+    "Token signing method": "Token signing method",
+    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "You are unexpected to see this prompt page"
  },
  "cert": {
@ -177,6 +183,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Action",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Table name of the policy store",
@ -234,6 +241,8 @@
    "Enable": "Enable",
    "Enable dark logo": "Enable dark logo",
    "Enable dark logo - Tooltip": "Enable dark logo",
+    "Enable tour": "Enable tour",
+    "Enable tour - Tooltip": "Display tour for users",
    "Enabled": "Enabled",
    "Enabled successfully": "Enabled successfully",
    "Enforcers": "Enforcers",
@ -265,6 +274,8 @@
    "Invitations": "Invitations",
    "Is enabled": "Is enabled",
    "Is enabled - Tooltip": "Set whether it can use",
+    "Is shared": "Is shared",
+    "Is shared - Tooltip": "Share this application with other organizations",
    "LDAPs": "LDAPs",
    "LDAPs - Tooltip": "LDAP servers",
    "Languages": "Languages",
@ -328,6 +339,8 @@
    "Provider - Tooltip": "Payment providers to be configured, including PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Providers",
    "Providers - Tooltip": "Providers to be configured, including 3rd-party login, object storage, verification code, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Real name",
    "Records": "Records",
    "Request URI": "Request URI",
@ -441,6 +454,8 @@
    "Base DN": "Base DN",
    "Base DN - Tooltip": "Base DN during LDAP search",
    "CN": "CN",
+    "Default group": "Default group",
+    "Default group - Tooltip": "Group to which users belong after synchronization",
    "Edit LDAP": "Edit LDAP",
    "Enable SSL": "Enable SSL",
    "Enable SSL - Tooltip": "Whether to enable SSL",
@ -470,6 +485,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Forgot password?",
@ -522,7 +538,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -547,10 +562,17 @@
    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
  },
+  "mfaAccount": {
+    "Account Name": "Account Name",
+    "Issuer": "Issuer",
+    "Secret Key": "Secret Key"
+  },
  "model": {
    "Edit Model": "Edit Model",
    "Model text": "Model text",
@ -818,6 +840,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Prompted",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "Provider URL",
    "Provider URL - Tooltip": "URL for configuring the service provider, this field is only used for reference and is not used in Casdoor",
    "Public key": "Public key",
@ -937,6 +960,7 @@
    "Have account?": "Have account?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Please accept the agreement!",
    "Please click the below button to sign in": "Please click the below button to sign in",
@ -1136,6 +1160,7 @@
    "Link": "Link",
    "Location": "Location",
    "Location - Tooltip": "City of residence",
+    "MFA accounts": "MFA accounts",
    "Managed accounts": "Managed accounts",
    "Modify password...": "Modify password...",
    "Multi-factor authentication": "Multi-factor authentication",
--- a/web/src/locales/cs/data.json
+++ b/web/src/locales/cs/data.json
@ -74,6 +74,7 @@
    "Left": "Vlevo",
    "Logged in successfully": "Úspěšně přihlášen",
    "Logged out successfully": "Úspěšně odhlášen",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "Nová aplikace",
    "No verification": "Bez ověření",
    "Normal": "Normální",
@ -112,6 +113,7 @@
    "Signin session": "Přihlašovací relace",
    "Signup items": "Položky registrace",
    "Signup items - Tooltip": "Položky, které uživatelé vyplňují při registraci nových účtů",
+    "Single Choice": "Single Choice",
    "Small icon": "Malá ikona",
    "Tags - Tooltip": "Pouze uživatelé s tagem uvedeným v tazích aplikace se mohou přihlásit",
    "The application does not allow to sign up new account": "Aplikace neumožňuje registraci nového účtu",
@ -121,6 +123,10 @@
    "Token fields - Tooltip": "Uživatelská pole zahrnutá v tokenu",
    "Token format": "Formát tokenu",
    "Token format - Tooltip": "Formát přístupového tokenu",
+    "Token signing method": "Token signing method",
+    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "Nečekali jste, že uvidíte tuto výzvu"
  },
  "cert": {
@ -177,6 +183,7 @@
    "Access key - Tooltip": "Přístupový klíč - Tooltip",
    "Access secret": "Přístupové tajemství",
    "Access secret - Tooltip": "Přístupové tajemství - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Akce",
    "Adapter": "Adaptér",
    "Adapter - Tooltip": "Název tabulky úložiště politiky",
@ -234,6 +241,8 @@
    "Enable": "Povolit",
    "Enable dark logo": "Povolit tmavé logo",
    "Enable dark logo - Tooltip": "Povolit tmavé logo",
+    "Enable tour": "Enable tour",
+    "Enable tour - Tooltip": "Display tour for users",
    "Enabled": "Povoleno",
    "Enabled successfully": "Úspěšně povoleno",
    "Enforcers": "Enforcers",
@ -265,6 +274,8 @@
    "Invitations": "Pozvánky",
    "Is enabled": "Je povoleno",
    "Is enabled - Tooltip": "Nastavit, zda může být použito",
+    "Is shared": "Is shared",
+    "Is shared - Tooltip": "Share this application with other organizations",
    "LDAPs": "LDAPy",
    "LDAPs - Tooltip": "LDAP servery",
    "Languages": "Jazyky",
@ -328,6 +339,8 @@
    "Provider - Tooltip": "Poskytovatelé plateb, které mají být nakonfigurovány, včetně PayPal, Alipay, WeChat Pay, atd.",
    "Providers": "Poskytovatelé",
    "Providers - Tooltip": "Poskytovatelé, kteří mají být nakonfigurováni, včetně přihlášení třetích stran, objektového úložiště, ověřovacího kódu, atd.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Skutečné jméno",
    "Records": "Záznamy",
    "Request URI": "Požadavek URI",
@ -441,6 +454,8 @@
    "Base DN": "Základní DN",
    "Base DN - Tooltip": "Základní DN při vyhledávání v LDAP",
    "CN": "CN",
+    "Default group": "Default group",
+    "Default group - Tooltip": "Group to which users belong after synchronization",
    "Edit LDAP": "Upravit LDAP",
    "Enable SSL": "Povolit SSL",
    "Enable SSL - Tooltip": "Zda povolit SSL",
@ -470,6 +485,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Rozpoznávání obličeje",
    "Face recognition failed": "Rozpoznávání obličeje selhalo",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Nepodařilo se získat autorizaci MetaMask",
    "Failed to obtain Web3-Onboard authorization": "Nepodařilo se získat autorizaci Web3-Onboard",
    "Forgot password?": "Zapomněli jste heslo?",
@ -521,8 +537,7 @@
    "Failed to initiate MFA": "Nepodařilo se zahájit MFA",
    "Have problems?": "Máte problémy?",
    "Multi-factor authentication": "Vícefaktorové ověřování",
-    "Multi-factor authentication - Tooltip": "Dvoufaktorové ověřování - Tooltip",
-    "Multi-factor authentication description": "Popis dvoufaktorového ověřování",
+    "Multi-factor authentication - Tooltip ": "Dvoufaktorové ověřování - Tooltip",
    "Multi-factor methods": "Metody dvoufaktorového ověřování",
    "Multi-factor recover": "Obnovení dvoufaktorového ověřování",
    "Multi-factor recover description": "Popis obnovení dvoufaktorového ověřování",
@ -547,10 +562,17 @@
    "Verification failed": "Ověření selhalo",
    "Verify Code": "Ověřit kód",
    "Verify Password": "Ověřit heslo",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Váš email je",
    "Your phone is": "Váš telefon je",
    "preferred": "preferované"
  },
+  "mfaAccount": {
+    "Account Name": "Account Name",
+    "Issuer": "Issuer",
+    "Secret Key": "Secret Key"
+  },
  "model": {
    "Edit Model": "Upravit model",
    "Model text": "Text modelu",
@ -818,6 +840,7 @@
    "Project Id": "ID projektu",
    "Project Id - Tooltip": "Nápověda k ID projektu",
    "Prompted": "Vyzván",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "URL poskytovatele",
    "Provider URL - Tooltip": "URL pro konfiguraci poskytovatele služby, toto pole je pouze pro referenci a není použito v Casdoor",
    "Public key": "Veřejný klíč",
@ -937,6 +960,7 @@
    "Have account?": "Máte účet?",
    "Label": "Štítek",
    "Label HTML": "HTML štítek",
+    "Options": "Options",
    "Placeholder": "Zástupný text",
    "Please accept the agreement!": "Prosím přijměte smlouvu!",
    "Please click the below button to sign in": "Prosím klikněte na tlačítko níže pro přihlášení",
@ -1136,6 +1160,7 @@
    "Link": "Odkaz",
    "Location": "Místo",
    "Location - Tooltip": "Město bydliště",
+    "MFA accounts": "MFA accounts",
    "Managed accounts": "Spravované účty",
    "Modify password...": "Změnit heslo...",
    "Multi-factor authentication": "Vícefaktorové ověřování",
--- a/web/src/locales/de/data.json
+++ b/web/src/locales/de/data.json
@ -74,6 +74,7 @@
    "Left": "Links",
    "Logged in successfully": "Erfolgreich eingeloggt",
    "Logged out successfully": "Erfolgreich ausgeloggt",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "Neue Anwendung",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Anmeldesession",
    "Signup items": "Registrierungs Items",
    "Signup items - Tooltip": "Items, die Benutzer ausfüllen müssen, wenn sie neue Konten registrieren",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "Die Anwendung erlaubt es nicht, ein neues Konto zu registrieren",
@ -121,6 +123,10 @@
    "Token fields - Tooltip": "Token fields - Tooltip",
    "Token format": "Token-Format",
    "Token format - Tooltip": "Das Format des Access-Tokens",
+    "Token signing method": "Token signing method",
+    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "Sie sind unerwartet auf diese Aufforderungsseite gelangt"
  },
  "cert": {
@ -177,6 +183,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Aktion",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Tabellenname des Policy Stores",
@ -234,6 +241,8 @@
    "Enable": "Enable",
    "Enable dark logo": "Enable dark logo",
    "Enable dark logo - Tooltip": "Enable dark logo",
+    "Enable tour": "Enable tour",
+    "Enable tour - Tooltip": "Display tour for users",
    "Enabled": "Enabled",
    "Enabled successfully": "Enabled successfully",
    "Enforcers": "Enforcers",
@ -265,6 +274,8 @@
    "Invitations": "Invitations",
    "Is enabled": "Ist aktiviert",
    "Is enabled - Tooltip": "Festlegen, ob es verwendet werden kann",
+    "Is shared": "Is shared",
+    "Is shared - Tooltip": "Share this application with other organizations",
    "LDAPs": "LDAPs",
    "LDAPs - Tooltip": "LDAP-Server",
    "Languages": "Sprachen",
@ -328,6 +339,8 @@
    "Provider - Tooltip": "Zahlungsprovider, die konfiguriert werden müssen, inkl. PayPal, Alipay, WeChat Pay usw.",
    "Providers": "Provider",
    "Providers - Tooltip": "Provider, die konfiguriert werden müssen, einschließlich Drittanbieter-Logins, Objektspeicherung, Verifizierungscode usw.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Echter Name",
    "Records": "Datensätze",
    "Request URI": "Request URI",
@ -441,6 +454,8 @@
    "Base DN": "Basis-DN",
    "Base DN - Tooltip": "Basis-DN während der LDAP-Suche",
    "CN": "KN",
+    "Default group": "Default group",
+    "Default group - Tooltip": "Group to which users belong after synchronization",
    "Edit LDAP": "LDAP bearbeiten",
    "Enable SSL": "Aktivieren Sie SSL",
    "Enable SSL - Tooltip": "Ob SSL aktiviert werden soll",
@ -470,6 +485,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Passwort vergessen?",
@ -522,7 +538,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -547,10 +562,17 @@
    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
  },
+  "mfaAccount": {
+    "Account Name": "Account Name",
+    "Issuer": "Issuer",
+    "Secret Key": "Secret Key"
+  },
  "model": {
    "Edit Model": "Modell bearbeiten",
    "Model text": "Modelltext",
@ -818,6 +840,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "ausgelöst",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "Anbieter-URL",
    "Provider URL - Tooltip": "URL zur Konfiguration des Dienstanbieters, dieses Feld dient nur als Referenz und wird in Casdoor nicht verwendet",
    "Public key": "Public key",
@ -937,6 +960,7 @@
    "Have account?": "Haben Sie ein Konto?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Bitte akzeptieren Sie die Vereinbarung!",
    "Please click the below button to sign in": "Bitte klicken Sie auf den untenstehenden Button, um sich anzumelden",
@ -1136,6 +1160,7 @@
    "Link": "Link",
    "Location": "Ort",
    "Location - Tooltip": "Stadt des Wohnsitzes",
+    "MFA accounts": "MFA accounts",
    "Managed accounts": "Verwaltete Konten",
    "Modify password...": "Passwort ändern...",
    "Multi-factor authentication": "Multi-factor authentication",
--- a/web/src/locales/en/data.json
+++ b/web/src/locales/en/data.json
@ -74,6 +74,7 @@
    "Left": "Left",
    "Logged in successfully": "Logged in successfully",
    "Logged out successfully": "Logged out successfully",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "New Application",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Signin session",
    "Signup items": "Signup items",
    "Signup items - Tooltip": "Items for users to fill in when registering new accounts",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "The application does not allow to sign up new account",
@ -121,6 +123,10 @@
    "Token fields - Tooltip": "The user fields included in the token",
    "Token format": "Token format",
    "Token format - Tooltip": "The format of access token",
+    "Token signing method": "Token signing method",
+    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "You are unexpected to see this prompt page"
  },
  "cert": {
@ -177,6 +183,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Action",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Table name of the policy store",
@ -234,6 +241,8 @@
    "Enable": "Enable",
    "Enable dark logo": "Enable dark logo",
    "Enable dark logo - Tooltip": "Enable dark logo",
+    "Enable tour": "Enable tour",
+    "Enable tour - Tooltip": "Display tour for users",
    "Enabled": "Enabled",
    "Enabled successfully": "Enabled successfully",
    "Enforcers": "Enforcers",
@ -265,6 +274,8 @@
    "Invitations": "Invitations",
    "Is enabled": "Is enabled",
    "Is enabled - Tooltip": "Set whether it can use",
+    "Is shared": "Is shared",
+    "Is shared - Tooltip": "Share this application with other organizations",
    "LDAPs": "LDAPs",
    "LDAPs - Tooltip": "LDAP servers",
    "Languages": "Languages",
@ -328,6 +339,8 @@
    "Provider - Tooltip": "Payment providers to be configured, including PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Providers",
    "Providers - Tooltip": "Providers to be configured, including 3rd-party login, object storage, verification code, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Real name",
    "Records": "Records",
    "Request URI": "Request URI",
@ -441,6 +454,8 @@
    "Base DN": "Base DN",
    "Base DN - Tooltip": "Base DN during LDAP search",
    "CN": "CN",
+    "Default group": "Default group",
+    "Default group - Tooltip": "Group to which users belong after synchronization",
    "Edit LDAP": "Edit LDAP",
    "Enable SSL": "Enable SSL",
    "Enable SSL - Tooltip": "Whether to enable SSL",
@ -470,6 +485,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Forgot password?",
@ -522,7 +538,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -547,10 +562,17 @@
    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
  },
+  "mfaAccount": {
+    "Account Name": "Account Name",
+    "Issuer": "Issuer",
+    "Secret Key": "Secret Key"
+  },
  "model": {
    "Edit Model": "Edit Model",
    "Model text": "Model text",
@ -818,6 +840,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Prompted",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "Provider URL",
    "Provider URL - Tooltip": "URL for configuring the service provider, this field is only used for reference and is not used in Casdoor",
    "Public key": "Public key",
@ -937,6 +960,7 @@
    "Have account?": "Have account?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Please accept the agreement!",
    "Please click the below button to sign in": "Please click the below button to sign in",
@ -1136,6 +1160,7 @@
    "Link": "Link",
    "Location": "Location",
    "Location - Tooltip": "City of residence",
+    "MFA accounts": "MFA accounts",
    "Managed accounts": "Managed accounts",
    "Modify password...": "Modify password...",
    "Multi-factor authentication": "Multi-factor authentication",
--- a/web/src/locales/es/data.json
+++ b/web/src/locales/es/data.json
@ -74,6 +74,7 @@
    "Left": "Izquierda",
    "Logged in successfully": "Acceso satisfactorio",
    "Logged out successfully": "Cerró sesión exitosamente",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "Nueva aplicación",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Sesión de inicio de sesión",
    "Signup items": "Artículos de registro",
    "Signup items - Tooltip": "Elementos para que los usuarios los completen al registrar nuevas cuentas",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "La aplicación no permite registrarse una cuenta nueva",
@ -121,6 +123,10 @@
    "Token fields - Tooltip": "Token fields - Tooltip",
    "Token format": "Formato del token",
    "Token format - Tooltip": "El formato del token de acceso",
+    "Token signing method": "Token signing method",
+    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "Es inesperado ver esta página de inicio"
  },
  "cert": {
@ -177,6 +183,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Acción",
    "Adapter": "Adaptador",
    "Adapter - Tooltip": "Nombre de la tabla de la tienda de políticas",
@ -234,6 +241,8 @@
    "Enable": "Enable",
    "Enable dark logo": "Enable dark logo",
    "Enable dark logo - Tooltip": "Enable dark logo",
+    "Enable tour": "Enable tour",
+    "Enable tour - Tooltip": "Display tour for users",
    "Enabled": "Enabled",
    "Enabled successfully": "Enabled successfully",
    "Enforcers": "Enforcers",
@ -265,6 +274,8 @@
    "Invitations": "Invitations",
    "Is enabled": "Está habilitado",
    "Is enabled - Tooltip": "Establecer si se puede usar",
+    "Is shared": "Is shared",
+    "Is shared - Tooltip": "Share this application with other organizations",
    "LDAPs": "LDAPs (Secure LDAP)",
    "LDAPs - Tooltip": "Servidores LDAP",
    "Languages": "Idiomas",
@ -328,6 +339,8 @@
    "Provider - Tooltip": "Proveedores de pago a configurar, incluyendo PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Proveedores",
    "Providers - Tooltip": "Proveedores a configurar, incluyendo inicio de sesión de terceros, almacenamiento de objetos, código de verificación, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Nombre real",
    "Records": "Registros",
    "Request URI": "Request URI",
@ -441,6 +454,8 @@
    "Base DN": "DN base",
    "Base DN - Tooltip": "Base DN durante la búsqueda LDAP",
    "CN": "CN (siglas en inglés) podría traducirse como \"Red de Comunicaciones\". Sin embargo, sin más contexto, no es posible saber cuál es el significado exacto de estas siglas",
+    "Default group": "Default group",
+    "Default group - Tooltip": "Group to which users belong after synchronization",
    "Edit LDAP": "Editar LDAP",
    "Enable SSL": "Habilitar SSL",
    "Enable SSL - Tooltip": "Si se habilita SSL",
@ -470,6 +485,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "¿Olvidaste tu contraseña?",
@ -522,7 +538,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -547,10 +562,17 @@
    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
  },
+  "mfaAccount": {
+    "Account Name": "Account Name",
+    "Issuer": "Issuer",
+    "Secret Key": "Secret Key"
+  },
  "model": {
    "Edit Model": "Editar modelo",
    "Model text": "Texto modelo",
@ -818,6 +840,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Estimulado",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "URL del proveedor",
    "Provider URL - Tooltip": "Dirección URL para configurar el proveedor de servicios, este campo sólo se utiliza como referencia y no se utiliza en Casdoor",
    "Public key": "Public key",
@ -937,6 +960,7 @@
    "Have account?": "¿Tiene una cuenta?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "¡Por favor, acepta el acuerdo!",
    "Please click the below button to sign in": "Por favor, haga clic en el botón de abajo para iniciar sesión",
@ -1136,6 +1160,7 @@
    "Link": "Enlace",
    "Location": "Ubicación",
    "Location - Tooltip": "Ciudad de residencia",
+    "MFA accounts": "MFA accounts",
    "Managed accounts": "Cuentas gestionadas",
    "Modify password...": "Modificar contraseña...",
    "Multi-factor authentication": "Multi-factor authentication",
--- a/web/src/locales/fa/data.json
+++ b/web/src/locales/fa/data.json
@ -74,6 +74,7 @@
    "Left": "Left",
    "Logged in successfully": "Logged in successfully",
    "Logged out successfully": "Logged out successfully",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "New Application",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Signin session",
    "Signup items": "Signup items",
    "Signup items - Tooltip": "Items for users to fill in when registering new accounts",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "The application does not allow to sign up new account",
@ -121,6 +123,10 @@
    "Token fields - Tooltip": "Token fields - Tooltip",
    "Token format": "Token format",
    "Token format - Tooltip": "The format of access token",
+    "Token signing method": "Token signing method",
+    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "You are unexpected to see this prompt page"
  },
  "cert": {
@ -177,6 +183,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Action",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Table name of the policy store",
@ -234,6 +241,8 @@
    "Enable": "Enable",
    "Enable dark logo": "Enable dark logo",
    "Enable dark logo - Tooltip": "Enable dark logo",
+    "Enable tour": "Enable tour",
+    "Enable tour - Tooltip": "Display tour for users",
    "Enabled": "Enabled",
    "Enabled successfully": "Enabled successfully",
    "Enforcers": "Enforcers",
@ -265,6 +274,8 @@
    "Invitations": "Invitations",
    "Is enabled": "Is enabled",
    "Is enabled - Tooltip": "Set whether it can use",
+    "Is shared": "Is shared",
+    "Is shared - Tooltip": "Share this application with other organizations",
    "LDAPs": "LDAPs",
    "LDAPs - Tooltip": "LDAP servers",
    "Languages": "Languages",
@ -328,6 +339,8 @@
    "Provider - Tooltip": "Payment providers to be configured, including PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Providers",
    "Providers - Tooltip": "Providers to be configured, including 3rd-party login, object storage, verification code, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Real name",
    "Records": "Records",
    "Request URI": "Request URI",
@ -441,6 +454,8 @@
    "Base DN": "Base DN",
    "Base DN - Tooltip": "Base DN during LDAP search",
    "CN": "CN",
+    "Default group": "Default group",
+    "Default group - Tooltip": "Group to which users belong after synchronization",
    "Edit LDAP": "Edit LDAP",
    "Enable SSL": "Enable SSL",
    "Enable SSL - Tooltip": "Whether to enable SSL",
@ -470,6 +485,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Forgot password?",
@ -522,7 +538,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -547,10 +562,17 @@
    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
  },
+  "mfaAccount": {
+    "Account Name": "Account Name",
+    "Issuer": "Issuer",
+    "Secret Key": "Secret Key"
+  },
  "model": {
    "Edit Model": "Edit Model",
    "Model text": "Model text",
@ -818,6 +840,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Prompted",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "Provider URL",
    "Provider URL - Tooltip": "URL for configuring the service provider, this field is only used for reference and is not used in Casdoor",
    "Public key": "Public key",
@ -937,6 +960,7 @@
    "Have account?": "Have account?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Please accept the agreement!",
    "Please click the below button to sign in": "Please click the below button to sign in",
@ -1136,6 +1160,7 @@
    "Link": "Link",
    "Location": "Location",
    "Location - Tooltip": "City of residence",
+    "MFA accounts": "MFA accounts",
    "Managed accounts": "Managed accounts",
    "Modify password...": "Modify password...",
    "Multi-factor authentication": "Multi-factor authentication",
--- a/web/src/locales/fi/data.json
+++ b/web/src/locales/fi/data.json
@ -74,6 +74,7 @@
    "Left": "Left",
    "Logged in successfully": "Logged in successfully",
    "Logged out successfully": "Logged out successfully",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "New Application",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Signin session",
    "Signup items": "Signup items",
    "Signup items - Tooltip": "Items for users to fill in when registering new accounts",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "The application does not allow to sign up new account",
@ -121,6 +123,10 @@
    "Token fields - Tooltip": "Token fields - Tooltip",
    "Token format": "Token format",
    "Token format - Tooltip": "The format of access token",
+    "Token signing method": "Token signing method",
+    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "You are unexpected to see this prompt page"
  },
  "cert": {
@ -177,6 +183,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Action",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Table name of the policy store",
@ -234,6 +241,8 @@
    "Enable": "Enable",
    "Enable dark logo": "Enable dark logo",
    "Enable dark logo - Tooltip": "Enable dark logo",
+    "Enable tour": "Enable tour",
+    "Enable tour - Tooltip": "Display tour for users",
    "Enabled": "Enabled",
    "Enabled successfully": "Enabled successfully",
    "Enforcers": "Enforcers",
@ -265,6 +274,8 @@
    "Invitations": "Invitations",
    "Is enabled": "Is enabled",
    "Is enabled - Tooltip": "Set whether it can use",
+    "Is shared": "Is shared",
+    "Is shared - Tooltip": "Share this application with other organizations",
    "LDAPs": "LDAPs",
    "LDAPs - Tooltip": "LDAP servers",
    "Languages": "Languages",
@ -328,6 +339,8 @@
    "Provider - Tooltip": "Payment providers to be configured, including PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Providers",
    "Providers - Tooltip": "Providers to be configured, including 3rd-party login, object storage, verification code, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Real name",
    "Records": "Records",
    "Request URI": "Request URI",
@ -441,6 +454,8 @@
    "Base DN": "Base DN",
    "Base DN - Tooltip": "Base DN during LDAP search",
    "CN": "CN",
+    "Default group": "Default group",
+    "Default group - Tooltip": "Group to which users belong after synchronization",
    "Edit LDAP": "Edit LDAP",
    "Enable SSL": "Enable SSL",
    "Enable SSL - Tooltip": "Whether to enable SSL",
@ -470,6 +485,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Forgot password?",
@ -522,7 +538,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -547,10 +562,17 @@
    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
  },
+  "mfaAccount": {
+    "Account Name": "Account Name",
+    "Issuer": "Issuer",
+    "Secret Key": "Secret Key"
+  },
  "model": {
    "Edit Model": "Edit Model",
    "Model text": "Model text",
@ -818,6 +840,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Prompted",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "Provider URL",
    "Provider URL - Tooltip": "URL for configuring the service provider, this field is only used for reference and is not used in Casdoor",
    "Public key": "Public key",
@ -937,6 +960,7 @@
    "Have account?": "Have account?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Please accept the agreement!",
    "Please click the below button to sign in": "Please click the below button to sign in",
@ -1136,6 +1160,7 @@
    "Link": "Link",
    "Location": "Location",
    "Location - Tooltip": "City of residence",
+    "MFA accounts": "MFA accounts",
    "Managed accounts": "Managed accounts",
    "Modify password...": "Modify password...",
    "Multi-factor authentication": "Multi-factor authentication",
--- a/web/src/locales/fr/data.json
+++ b/web/src/locales/fr/data.json
@ -74,6 +74,7 @@
    "Left": "Gauche",
    "Logged in successfully": "Connexion réussie",
    "Logged out successfully": "Déconnexion réussie",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "Nouvelle application",
    "No verification": "Aucune vérification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Session de connexion",
    "Signup items": "Champs d'inscription",
    "Signup items - Tooltip": "Champs à remplir lors de l'enregistrement de nouveaux comptes",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Seuls les comptes ayant leur étiquette listée dans les étiquettes de l'application peuvent se connecter",
    "The application does not allow to sign up new account": "L'application ne permet pas de créer un nouveau compte",
@ -121,6 +123,10 @@
    "Token fields - Tooltip": "Token fields - Tooltip",
    "Token format": "Format de jeton",
    "Token format - Tooltip": "Le format du jeton d'accès",
+    "Token signing method": "Token signing method",
+    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "Il n'était pas prévu que vous voyez cette page de saisie"
  },
  "cert": {
@ -177,6 +183,7 @@
    "Access key - Tooltip": "Clé d'accès - Infobulle",
    "Access secret": "Clé secrète",
    "Access secret - Tooltip": "Clé secrète - Info-bulle",
+    "Access token is empty": "Access token is empty",
    "Action": "Action",
    "Adapter": "Adaptateur",
    "Adapter - Tooltip": "Nom de la table du magasin de règle",
@ -234,6 +241,8 @@
    "Enable": "Activer",
    "Enable dark logo": "Enable dark logo",
    "Enable dark logo - Tooltip": "Enable dark logo",
+    "Enable tour": "Enable tour",
+    "Enable tour - Tooltip": "Display tour for users",
    "Enabled": "Activé",
    "Enabled successfully": "Activé avec succès",
    "Enforcers": "Exécuteurs",
@ -265,6 +274,8 @@
    "Invitations": "Invitations",
    "Is enabled": "Est activé",
    "Is enabled - Tooltip": "Définir s'il peut être utilisé",
+    "Is shared": "Is shared",
+    "Is shared - Tooltip": "Share this application with other organizations",
    "LDAPs": "LDAPs",
    "LDAPs - Tooltip": "Serveurs LDAP",
    "Languages": "Langues",
@ -328,6 +339,8 @@
    "Provider - Tooltip": "Les fournisseurs de paiement à configurer, tels que PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Fournisseurs",
    "Providers - Tooltip": "Les fournisseurs à configurer, tels que la connexion via un service tiers, le stockage d'objets, le code de vérification, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Nom complet",
    "Records": "Enregistrements",
    "Request URI": "Request URI",
@ -441,6 +454,8 @@
    "Base DN": "DN racine",
    "Base DN - Tooltip": "Le DN racine (base DN) lors de la recherche LDAP",
    "CN": "CN",
+    "Default group": "Default group",
+    "Default group - Tooltip": "Group to which users belong after synchronization",
    "Edit LDAP": "Modifier le LDAP",
    "Enable SSL": "Activer SSL",
    "Enable SSL - Tooltip": "Activer SSL",
@ -470,6 +485,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Échec de l'obtention de l'autorisation MetaMask",
    "Failed to obtain Web3-Onboard authorization": "Échec de l'obtention de l'autorisation MetaMask",
    "Forgot password?": "Mot de passe oublié ?",
@ -522,7 +538,6 @@
    "Have problems?": "Des problèmes ?",
    "Multi-factor authentication": "Authentification multifacteur",
    "Multi-factor authentication - Tooltip ": "Authentification multifacteur - infobulle ",
-    "Multi-factor authentication description": "Description de l'authentification multifacteur",
    "Multi-factor methods": "Méthodes d'authentification multifacteur",
    "Multi-factor recover": "Restauration de l'authentification multifacteur",
    "Multi-factor recover description": "Description de la restauration de l'authentification multifacteur",
@ -547,10 +562,17 @@
    "Verification failed": "Échec de la vérification",
    "Verify Code": "Vérifier le code",
    "Verify Password": "Confirmez le mot de passe",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Votre e-mail est",
    "Your phone is": "Votre téléphone est",
    "preferred": "préféré"
  },
+  "mfaAccount": {
+    "Account Name": "Account Name",
+    "Issuer": "Issuer",
+    "Secret Key": "Secret Key"
+  },
  "model": {
    "Edit Model": "Modifier le modèle",
    "Model text": "Définition du modèle",
@ -818,6 +840,7 @@
    "Project Id": "ID du projet",
    "Project Id - Tooltip": "ID du projet - Infobulle",
    "Prompted": "Incité",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "URL du fournisseur",
    "Provider URL - Tooltip": "URL pour configurer le fournisseur de services, ce champ est uniquement utilisé à titre de référence et n'est pas utilisé dans Casdoor",
    "Public key": "Clé publique",
@ -937,6 +960,7 @@
    "Have account?": "Avez-vous un compte ?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Veuillez accepter l'accord !",
    "Please click the below button to sign in": "Veuillez cliquer sur le bouton ci-dessous pour vous connecter",
@ -1136,6 +1160,7 @@
    "Link": "Lier",
    "Location": "Localisation",
    "Location - Tooltip": "Ville de résidence",
+    "MFA accounts": "MFA accounts",
    "Managed accounts": "Comptes gérés",
    "Modify password...": "Modifier le mot de passe...",
    "Multi-factor authentication": "Authentification multifacteur",
--- a/web/src/locales/he/data.json
+++ b/web/src/locales/he/data.json
@ -74,6 +74,7 @@
    "Left": "Left",
    "Logged in successfully": "Logged in successfully",
    "Logged out successfully": "Logged out successfully",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "New Application",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Signin session",
    "Signup items": "Signup items",
    "Signup items - Tooltip": "Items for users to fill in when registering new accounts",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "The application does not allow to sign up new account",
@ -121,6 +123,10 @@
    "Token fields - Tooltip": "Token fields - Tooltip",
    "Token format": "Token format",
    "Token format - Tooltip": "The format of access token",
+    "Token signing method": "Token signing method",
+    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "You are unexpected to see this prompt page"
  },
  "cert": {
@ -177,6 +183,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Action",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Table name of the policy store",
@ -234,6 +241,8 @@
    "Enable": "Enable",
    "Enable dark logo": "Enable dark logo",
    "Enable dark logo - Tooltip": "Enable dark logo",
+    "Enable tour": "Enable tour",
+    "Enable tour - Tooltip": "Display tour for users",
    "Enabled": "Enabled",
    "Enabled successfully": "Enabled successfully",
    "Enforcers": "Enforcers",
@ -265,6 +274,8 @@
    "Invitations": "Invitations",
    "Is enabled": "Is enabled",
    "Is enabled - Tooltip": "Set whether it can use",
+    "Is shared": "Is shared",
+    "Is shared - Tooltip": "Share this application with other organizations",
    "LDAPs": "LDAPs",
    "LDAPs - Tooltip": "LDAP servers",
    "Languages": "Languages",
@ -328,6 +339,8 @@
    "Provider - Tooltip": "Payment providers to be configured, including PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Providers",
    "Providers - Tooltip": "Providers to be configured, including 3rd-party login, object storage, verification code, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Real name",
    "Records": "Records",
    "Request URI": "Request URI",
@ -441,6 +454,8 @@
    "Base DN": "Base DN",
    "Base DN - Tooltip": "Base DN during LDAP search",
    "CN": "CN",
+    "Default group": "Default group",
+    "Default group - Tooltip": "Group to which users belong after synchronization",
    "Edit LDAP": "Edit LDAP",
    "Enable SSL": "Enable SSL",
    "Enable SSL - Tooltip": "Whether to enable SSL",
@ -470,6 +485,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Forgot password?",
@ -522,7 +538,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -547,10 +562,17 @@
    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
  },
+  "mfaAccount": {
+    "Account Name": "Account Name",
+    "Issuer": "Issuer",
+    "Secret Key": "Secret Key"
+  },
  "model": {
    "Edit Model": "Edit Model",
    "Model text": "Model text",
@ -818,6 +840,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Prompted",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "Provider URL",
    "Provider URL - Tooltip": "URL for configuring the service provider, this field is only used for reference and is not used in Casdoor",
    "Public key": "Public key",
@ -937,6 +960,7 @@
    "Have account?": "Have account?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Please accept the agreement!",
    "Please click the below button to sign in": "Please click the below button to sign in",
@ -1136,6 +1160,7 @@
    "Link": "Link",
    "Location": "Location",
    "Location - Tooltip": "City of residence",
+    "MFA accounts": "MFA accounts",
    "Managed accounts": "Managed accounts",
    "Modify password...": "Modify password...",
    "Multi-factor authentication": "Multi-factor authentication",
--- a/web/src/locales/id/data.json
+++ b/web/src/locales/id/data.json
@ -74,6 +74,7 @@
    "Left": "Kiri",
    "Logged in successfully": "Berhasil masuk",
    "Logged out successfully": "Berhasil keluar dari sistem",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "Aplikasi Baru",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Sesi masuk",
    "Signup items": "Item pendaftaran",
    "Signup items - Tooltip": "Item-item yang harus diisi pengguna saat mendaftar untuk akun baru",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "Aplikasi tidak memperbolehkan untuk mendaftar akun baru",
@ -121,6 +123,10 @@
    "Token fields - Tooltip": "Token fields - Tooltip",
    "Token format": "Format token",
    "Token format - Tooltip": "Format dari token akses",
+    "Token signing method": "Token signing method",
+    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "Anda tidak mengharapkan untuk melihat halaman prompt ini"
  },
  "cert": {
@ -177,6 +183,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Aksi",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Nama tabel dari penyimpanan kebijakan",
@ -234,6 +241,8 @@
    "Enable": "Enable",
    "Enable dark logo": "Enable dark logo",
    "Enable dark logo - Tooltip": "Enable dark logo",
+    "Enable tour": "Enable tour",
+    "Enable tour - Tooltip": "Display tour for users",
    "Enabled": "Enabled",
    "Enabled successfully": "Enabled successfully",
    "Enforcers": "Enforcers",
@ -265,6 +274,8 @@
    "Invitations": "Invitations",
    "Is enabled": "Diaktifkan",
    "Is enabled - Tooltip": "Atur apakah itu dapat digunakan",
+    "Is shared": "Is shared",
+    "Is shared - Tooltip": "Share this application with other organizations",
    "LDAPs": "LDAPs",
    "LDAPs - Tooltip": "Server LDAP",
    "Languages": "Bahasa-bahasa",
@ -328,6 +339,8 @@
    "Provider - Tooltip": "Penyedia pembayaran harus dikonfigurasi, termasuk PayPal, Alipay, WeChat Pay, dan sebagainya.",
    "Providers": "Penyedia-penyedia",
    "Providers - Tooltip": "Penyedia harus dikonfigurasi, termasuk login pihak ketiga, penyimpanan objek, kode verifikasi, dan lain-lain.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Nama asli",
    "Records": "Catatan",
    "Request URI": "Request URI",
@ -441,6 +454,8 @@
    "Base DN": "DN dasar",
    "Base DN - Tooltip": "Base DN selama pencarian LDAP",
    "CN": "CN",
+    "Default group": "Default group",
+    "Default group - Tooltip": "Group to which users belong after synchronization",
    "Edit LDAP": "Mengedit LDAP",
    "Enable SSL": "Aktifkan SSL",
    "Enable SSL - Tooltip": "Apakah untuk mengaktifkan SSL?",
@ -470,6 +485,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Lupa kata sandi?",
@ -522,7 +538,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -547,10 +562,17 @@
    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
  },
+  "mfaAccount": {
+    "Account Name": "Account Name",
+    "Issuer": "Issuer",
+    "Secret Key": "Secret Key"
+  },
  "model": {
    "Edit Model": "Mengedit Model",
    "Model text": "Teks Model",
@ -818,6 +840,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Mendorong",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "URL penyedia",
    "Provider URL - Tooltip": "URL untuk melakukan konfigurasi service provider, kolom ini hanya digunakan sebagai referensi dan tidak digunakan dalam Casdoor",
    "Public key": "Public key",
@ -937,6 +960,7 @@
    "Have account?": "Punya akun?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Tolong terima perjanjian ini!",
    "Please click the below button to sign in": "Silakan klik tombol di bawah ini untuk masuk",
@ -1136,6 +1160,7 @@
    "Link": "Tautan",
    "Location": "Lokasi",
    "Location - Tooltip": "Kota tempat tinggal",
+    "MFA accounts": "MFA accounts",
    "Managed accounts": "Akun yang dikelola",
    "Modify password...": "Mengubah kata sandi...",
    "Multi-factor authentication": "Multi-factor authentication",
--- a/web/src/locales/it/data.json
+++ b/web/src/locales/it/data.json
@ -74,6 +74,7 @@
    "Left": "Left",
    "Logged in successfully": "Logged in successfully",
    "Logged out successfully": "Logged out successfully",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "New Application",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Signin session",
    "Signup items": "Signup items",
    "Signup items - Tooltip": "Items for users to fill in when registering new accounts",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "The application does not allow to sign up new account",
@ -121,6 +123,10 @@
    "Token fields - Tooltip": "Token fields - Tooltip",
    "Token format": "Token format",
    "Token format - Tooltip": "The format of access token",
+    "Token signing method": "Token signing method",
+    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "You are unexpected to see this prompt page"
  },
  "cert": {
@ -177,6 +183,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Action",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Table name of the policy store",
@ -234,6 +241,8 @@
    "Enable": "Enable",
    "Enable dark logo": "Enable dark logo",
    "Enable dark logo - Tooltip": "Enable dark logo",
+    "Enable tour": "Enable tour",
+    "Enable tour - Tooltip": "Display tour for users",
    "Enabled": "Enabled",
    "Enabled successfully": "Enabled successfully",
    "Enforcers": "Enforcers",
@ -265,6 +274,8 @@
    "Invitations": "Invitations",
    "Is enabled": "Is enabled",
    "Is enabled - Tooltip": "Set whether it can use",
+    "Is shared": "Is shared",
+    "Is shared - Tooltip": "Share this application with other organizations",
    "LDAPs": "LDAPs",
    "LDAPs - Tooltip": "LDAP servers",
    "Languages": "Languages",
@ -328,6 +339,8 @@
    "Provider - Tooltip": "Payment providers to be configured, including PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Providers",
    "Providers - Tooltip": "Providers to be configured, including 3rd-party login, object storage, verification code, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Real name",
    "Records": "Records",
    "Request URI": "Request URI",
@ -441,6 +454,8 @@
    "Base DN": "Base DN",
    "Base DN - Tooltip": "Base DN during LDAP search",
    "CN": "CN",
+    "Default group": "Default group",
+    "Default group - Tooltip": "Group to which users belong after synchronization",
    "Edit LDAP": "Edit LDAP",
    "Enable SSL": "Enable SSL",
    "Enable SSL - Tooltip": "Whether to enable SSL",
@ -470,6 +485,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Forgot password?",
@ -522,7 +538,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -547,10 +562,17 @@
    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
  },
+  "mfaAccount": {
+    "Account Name": "Account Name",
+    "Issuer": "Issuer",
+    "Secret Key": "Secret Key"
+  },
  "model": {
    "Edit Model": "Edit Model",
    "Model text": "Model text",
@ -818,6 +840,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Prompted",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "Provider URL",
    "Provider URL - Tooltip": "URL for configuring the service provider, this field is only used for reference and is not used in Casdoor",
    "Public key": "Public key",
@ -937,6 +960,7 @@
    "Have account?": "Have account?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Please accept the agreement!",
    "Please click the below button to sign in": "Please click the below button to sign in",
@ -1136,6 +1160,7 @@
    "Link": "Link",
    "Location": "Location",
    "Location - Tooltip": "City of residence",
+    "MFA accounts": "MFA accounts",
    "Managed accounts": "Managed accounts",
    "Modify password...": "Modify password...",
    "Multi-factor authentication": "Multi-factor authentication",
--- a/web/src/locales/ja/data.json
+++ b/web/src/locales/ja/data.json
@ -74,6 +74,7 @@
    "Left": "左",
    "Logged in successfully": "正常にログインしました",
    "Logged out successfully": "正常にログアウトしました",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "新しいアプリケーション",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "サインインセッション",
    "Signup items": "サインアップアイテム",
    "Signup items - Tooltip": "新しいアカウントを登録する際にユーザーが入力するアイテム",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "アプリケーションでは新しいアカウントの登録ができません",
@ -121,6 +123,10 @@
    "Token fields - Tooltip": "Token fields - Tooltip",
    "Token format": "トークン形式",
    "Token format - Tooltip": "アクセストークンのフォーマット",
+    "Token signing method": "Token signing method",
+    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "このプロンプトページを見ることは予期せぬことである"
  },
  "cert": {
@ -177,6 +183,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "アクション",
    "Adapter": "アダプター",
    "Adapter - Tooltip": "ポリシー・ストアのテーブル名",
@ -234,6 +241,8 @@
    "Enable": "Enable",
    "Enable dark logo": "Enable dark logo",
    "Enable dark logo - Tooltip": "Enable dark logo",
+    "Enable tour": "Enable tour",
+    "Enable tour - Tooltip": "Display tour for users",
    "Enabled": "Enabled",
    "Enabled successfully": "Enabled successfully",
    "Enforcers": "Enforcers",
@ -265,6 +274,8 @@
    "Invitations": "Invitations",
    "Is enabled": "可能になっています",
    "Is enabled - Tooltip": "使用可能かどうかを設定してください",
+    "Is shared": "Is shared",
+    "Is shared - Tooltip": "Share this application with other organizations",
    "LDAPs": "LDAP",
    "LDAPs - Tooltip": "LDAPサーバー",
    "Languages": "言語",
@ -328,6 +339,8 @@
    "Provider - Tooltip": "支払いプロバイダーを設定する必要があります。これには、PayPal、Alipay、WeChat Payなどが含まれます。",
    "Providers": "プロバイダー",
    "Providers - Tooltip": "設定するプロバイダーには、サードパーティのログイン、オブジェクトストレージ、検証コードなどが含まれます。",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "本名",
    "Records": "記録",
    "Request URI": "Request URI",
@ -441,6 +454,8 @@
    "Base DN": "ベース DN",
    "Base DN - Tooltip": "LDAP検索中のBase DN",
    "CN": "CN",
+    "Default group": "Default group",
+    "Default group - Tooltip": "Group to which users belong after synchronization",
    "Edit LDAP": "LDAPを編集",
    "Enable SSL": "SSL を有効にする",
    "Enable SSL - Tooltip": "SSLを有効にするかどうか",
@ -470,6 +485,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "パスワードを忘れましたか？",
@ -522,7 +538,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -547,10 +562,17 @@
    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
  },
+  "mfaAccount": {
+    "Account Name": "Account Name",
+    "Issuer": "Issuer",
+    "Secret Key": "Secret Key"
+  },
  "model": {
    "Edit Model": "編集モデル",
    "Model text": "モデルテキスト",
@ -818,6 +840,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "促された",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "プロバイダーURL",
    "Provider URL - Tooltip": "サービスプロバイダーの設定用URL。このフィールドは参照用にのみ使用され、Casdoorでは使用されません",
    "Public key": "Public key",
@ -937,6 +960,7 @@
    "Have account?": "アカウントはありますか？",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "合意に同意してください！",
    "Please click the below button to sign in": "以下のボタンをクリックしてログインしてください",
@ -1136,6 +1160,7 @@
    "Link": "リンク",
    "Location": "場所",
    "Location - Tooltip": "居住都市",
+    "MFA accounts": "MFA accounts",
    "Managed accounts": "管理アカウント",
    "Modify password...": "パスワードを変更する...",
    "Multi-factor authentication": "Multi-factor authentication",
--- a/web/src/locales/kk/data.json
+++ b/web/src/locales/kk/data.json
@ -74,6 +74,7 @@
    "Left": "Left",
    "Logged in successfully": "Logged in successfully",
    "Logged out successfully": "Logged out successfully",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "New Application",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Signin session",
    "Signup items": "Signup items",
    "Signup items - Tooltip": "Items for users to fill in when registering new accounts",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "The application does not allow to sign up new account",
@ -121,6 +123,10 @@
    "Token fields - Tooltip": "Token fields - Tooltip",
    "Token format": "Token format",
    "Token format - Tooltip": "The format of access token",
+    "Token signing method": "Token signing method",
+    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "You are unexpected to see this prompt page"
  },
  "cert": {
@ -177,6 +183,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Action",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Table name of the policy store",
@ -234,6 +241,8 @@
    "Enable": "Enable",
    "Enable dark logo": "Enable dark logo",
    "Enable dark logo - Tooltip": "Enable dark logo",
+    "Enable tour": "Enable tour",
+    "Enable tour - Tooltip": "Display tour for users",
    "Enabled": "Enabled",
    "Enabled successfully": "Enabled successfully",
    "Enforcers": "Enforcers",
@ -265,6 +274,8 @@
    "Invitations": "Invitations",
    "Is enabled": "Is enabled",
    "Is enabled - Tooltip": "Set whether it can use",
+    "Is shared": "Is shared",
+    "Is shared - Tooltip": "Share this application with other organizations",
    "LDAPs": "LDAPs",
    "LDAPs - Tooltip": "LDAP servers",
    "Languages": "Languages",
@ -328,6 +339,8 @@
    "Provider - Tooltip": "Payment providers to be configured, including PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Providers",
    "Providers - Tooltip": "Providers to be configured, including 3rd-party login, object storage, verification code, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Real name",
    "Records": "Records",
    "Request URI": "Request URI",
@ -441,6 +454,8 @@
    "Base DN": "Base DN",
    "Base DN - Tooltip": "Base DN during LDAP search",
    "CN": "CN",
+    "Default group": "Default group",
+    "Default group - Tooltip": "Group to which users belong after synchronization",
    "Edit LDAP": "Edit LDAP",
    "Enable SSL": "Enable SSL",
    "Enable SSL - Tooltip": "Whether to enable SSL",
@ -470,6 +485,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Forgot password?",
@ -522,7 +538,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -547,10 +562,17 @@
    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
  },
+  "mfaAccount": {
+    "Account Name": "Account Name",
+    "Issuer": "Issuer",
+    "Secret Key": "Secret Key"
+  },
  "model": {
    "Edit Model": "Edit Model",
    "Model text": "Model text",
@ -818,6 +840,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Prompted",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "Provider URL",
    "Provider URL - Tooltip": "URL for configuring the service provider, this field is only used for reference and is not used in Casdoor",
    "Public key": "Public key",
@ -937,6 +960,7 @@
    "Have account?": "Have account?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Please accept the agreement!",
    "Please click the below button to sign in": "Please click the below button to sign in",
@ -1136,6 +1160,7 @@
    "Link": "Link",
    "Location": "Location",
    "Location - Tooltip": "City of residence",
+    "MFA accounts": "MFA accounts",
    "Managed accounts": "Managed accounts",
    "Modify password...": "Modify password...",
    "Multi-factor authentication": "Multi-factor authentication",
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Yang Luo	7ccd8c4d4f	feat: add RunCasbinCommand() API	2024-11-15 17:44:57 +08:00
ZhaoYP 2001	b0fa3fc484	feat: add Casbin CLI API to Casdoor (#3351 )	2024-11-15 16:10:22 +08:00
Yang Luo	af01c4226a	feat: add Organization.PasswordExpireDays field	2024-11-15 11:33:28 +08:00
DacongDA	7a3d85a29a	feat: update github token to fix CI cannot release issue (#3348 )	2024-11-14 18:05:56 +08:00
IZUMI-Zu	fd5ccd8d41	feat: support copying token to clipboard for casdoor-app (#3345 ) * feat: support copy token to clipboard for casdoor-app auth * feat: abstract casdoor-app related code	2024-11-13 17:06:09 +08:00
Yang Luo	a439c5195d	feat: get token only by hash now, remove get-by-value backward-compatible code	2024-11-13 17:04:27 +08:00
Yang Luo	ba2e997d54	feat: fix CheckUpdateUser() logic to fix add-user error	2024-11-06 08:34:13 +08:00
Luckery	0818de85d1	feat: fix username checks when organization.UseEmailAsUsername is enabled (#3329 ) * feat: Username support email format * feat: Only fulfill the first requirement * fix: Improve code robustness	2024-11-05 20:38:47 +08:00
Yang Luo	457c6098a4	feat: fix MFA empty CountryCode bug and show MFA error better in frontend	2024-11-04 16:17:24 +08:00
Yang Luo	60f979fbb5	feat: fix MfaSetupPage empty bug when user's signup application is empty	2024-11-04 00:04:47 +08:00
Luckery	ff53e44fa6	feat: use virtual select UI in role edit page (#3322 )	2024-11-03 20:05:34 +08:00
Yang Luo	1832de47db	feat: fix bug in CheckEntryIp()	2024-11-03 20:00:52 +08:00
Yang Luo	535eb0c465	fix: fix IP Whitelist field bug in application edit page	2024-11-03 19:55:59 +08:00
ithilelda	c190634cf3	feat: show Domain field for Qiniu storage provider (#3318 ) allow Qiniu Provider to edit the Domain property in the edit page.	2024-10-27 14:10:58 +08:00
Cliff	f7559aa040	feat: set created time if not presented in AddUser() API (#3315 )	2024-10-24 23:06:05 +08:00
DacongDA	1e0b709c73	feat: pass signin method to CAS login to fix bug (#3313 )	2024-10-24 14:56:12 +08:00
DacongDA	c0800b7fb3	feat: add util.IsValidOrigin() to improve CORS filter (#3301 ) * fix: CORS check issue * fix: promote format * fix: promote format * fix: promote format * fix: promote format * Update application.go * Update cors_filter.go * Update validation.go --------- Co-authored-by: Yang Luo <hsluoyz@qq.com>	2024-10-20 20:09:21 +08:00
eya46	6fcdad2100	feat: fix bug that fails to login when PasswordObfuscator is enabled (#3299 )	2024-10-19 23:09:59 +08:00
Cliff	69d26d5c21	feat: add-user/update-user API should check if username/id/email/phone has duplicated with existing user (#3295 )	2024-10-18 22:18:37 +08:00
DacongDA	94e6b5ecb8	feat: fix bug in SetPassword() API (#3296 )	2024-10-18 20:50:43 +08:00
DacongDA	95e8bdcd36	feat: add initDataNewOnly to app.conf to skip overriding existing data in initDataFromFile() (#3294 ) * feat: support control whether overwrite existing data during initDataFromFile * feat: change conf var name * feat: change conf var name	2024-10-18 00:08:08 +08:00
liuaiolos	6f1f93725e	feat: fix GetAllActions()'s bug (#3289 )	2024-10-16 21:55:06 +08:00
DacongDA	7ae067e369	feat: only admin can specify user in BuyProduct() (#3287 ) * fix: balance can be used without login * fix: balance can be used without login * fix: fix bug * fix: fix bug	2024-10-16 00:02:04 +08:00
Yang Luo	dde936e935	feat: fix null application crash in CheckEntryIp()	2024-10-15 22:11:15 +08:00
Yang Luo	fb561a98c8	feat: fix null user crash in RefreshToken()	2024-10-15 21:38:33 +08:00
ZhaoYP 2001	7cd8f030ee	feat: support IP limitation for user entry pages (#3267 ) * feat: support IP limitation for user entry pages * fix: error message, ip whiteList, check_entry_ip * fix: perform checks on the backend * fix: change the implementation of checking IpWhitelist * fix: add entryIpCheck in SetPassword and remove it from VerifyCode * fix: remove additional error message pop-ups * fix: add isRestricted and show ip error in EntryPage.js * fix: error message * Update auth.go * Update check_ip.go * Update check_ip.go * fix: update return value of the check function from string to error * fix: remoteAddress position * fix: IP whitelist * fix: clientIp * fix:add util.GetClientIpFromRequest * fix: remove duplicate IP and port separation codes and remove extra special characters after clientIp * fix: gofumpt * fix: getIpInfo and localhost --------- Co-authored-by: Yang Luo <hsluoyz@qq.com>	2024-10-15 20:40:14 +08:00
Yang Luo	a3f8ded10c	feat: refactor util.GetClientIpFromRequest()	2024-10-15 12:22:38 +08:00
DacongDA	e3d135bc6e	feat: improve MFA desc text (#3284 ) * fix: fix i18n error for mfa * fix: fix i18n error for mfa * fix: promote translate	2024-10-14 18:31:48 +08:00
千石	fc864b0de4	feat: support ".login-panel-dark" CSS for signup/login pages (#3269 ) * feat: add custom dark mode CSS for login and registration forms. * refactor: extract dark theme check to Setting.js	2024-10-13 22:31:54 +08:00
ZhaoYP 2001	3211bcc777	feat: add getCaptchaRule() to fix bug (#3281 ) * feat: update captcha rule when the login page component is mounted * fix: remove enableCaptchaModel from the state of the login page to avoid inconsistency issues * fix: use this.getApplicationObj() instead of this.props.application	2024-10-12 10:02:45 +08:00
DacongDA	9f4430ed04	feat: fix MFA's i18n error (#3273 )	2024-10-08 21:58:06 +08:00
Yang Luo	05830b9ff6	feat: update import lib: github.com/casdoor/ldapserver	2024-10-08 19:18:56 +08:00
千石	347b25676f	feat: dark mode now works for login/signup pages too (#3252 ) * fix: trying to fix dark mode not applying on login/registration interface * fix: trying to fix dark mode not applying on login/registration interface * fix: trying to fix dark mode not applying on login/registration interface * fix: Clean up unused code * fix: loginBackgroundDark move to App.less * fix: fix typo	2024-10-05 21:26:25 +08:00
DacongDA	2417ff84e6	feat: support initial group assignment for new invited users via invitation.SignupGroup field (#3266 )	2024-10-04 20:15:51 +08:00
DacongDA	468631e654	feat: support "All" in organization's country codes (#3264 )	2024-10-03 22:58:09 +08:00
ZhaoYP 2001	e1dea9f697	feat: add organization's PasswordObfuscator to obfuscate login API's password (#3260 ) * feat: add PasswordObfuscator to the login API * fix: change key error message * fix: remove unnecessary change * fix: fix one * fix: fix two * fix: fix three * fix: fix five * fix: disable organization update when key is invalid * fix: fix six * fix: use Form.Item to control key * fix: update obfuscator.js * Update obfuscator.go * Update obfuscator.go * Update auth.go * fix: remove real-time key monitoring --------- Co-authored-by: Yang Luo <hsluoyz@qq.com>	2024-10-03 10:38:37 +08:00
Corey Gaspard	c0f22bae43	feat: better handling of organization.AccountItems on init_data import (#3263 ) * Better handling of accountitems on init_data import. * Removed commented code. * Update init_data.go * Update init_data.go --------- Co-authored-by: Yang Luo <hsluoyz@qq.com>	2024-10-03 08:49:09 +08:00
DacongDA	c9635d9e2b	feat: improve i18n (#3259 )	2024-10-01 00:10:49 +08:00
DacongDA	3bd52172ea	feat: add Hide-Password option for signin method rule field (#3258 )	2024-09-30 23:31:41 +08:00
Yang Luo	bf730050d5	feat: increase Organization.Favicon to 200 chars	2024-09-29 11:45:56 +08:00
Yang Luo	5b733b7f15	feat: improve filterRecordIn24Hours() logic	2024-09-29 11:45:15 +08:00
ZhaoYP 2001	034f28def9	feat: logout if app.conf's inactiveTimeoutMinutes is reached (#3244 ) * feat: logout if there's no activities for a long time * fix: change the implementation of updating LastTime * fix: add logoutMinites to app.conf * fix: change the implementation of judgment statement * fix: use sync.Map to ensure thread safety * fix: syntax standards and Apache headers * fix: change the implementation of obtaining logoutMinutes in app.conf * fix: follow community code standards * fix: <=0 or empty means no restriction * Update logout_filter.go * Update app.conf * Update main.go * Update and rename logout_filter.go to timeout_filter.go * Update app.conf * Update timeout_filter.go * fix: update app.conf --------- Co-authored-by: Yang Luo <hsluoyz@qq.com>	2024-09-27 01:18:02 +08:00
DacongDA	c86ac8e6ad	feat: fix UTF-8 charset for Alipay IdP (#3247 )	2024-09-27 00:59:52 +08:00
Jack Merrill	d647eed22a	feat: add OIDC WebFinger support (#3245 ) * feat: add WebFinger support * lint: used gofumpt * oidc: ensure webfinger rel is checked	2024-09-26 13:06:36 +08:00
Yang Luo	717c53f6e5	feat: support enableErrorMask2 config	2024-09-25 19:37:14 +08:00
千石	097adac871	feat: support single-choice and multi-choices in signup page (#3234 ) * feat: add custom signup field * feat: support more field in signup page * feat: support more field in signup page * feat: support more field in signup page * feat: Reduce code duplication in form item rendering * feat: Simplify gender and info checks using includes * feat: update translate * Revert "feat: update translate" This reverts commit `669334c716`. * feat: address feedback from hsluoyz	2024-09-25 12:48:37 +08:00
IZUMI-Zu	74543b9533	feat: improve QR code for casdoor-app (#3226 ) * feat: simplify login url for casdoor-app * feat: add token check * fix: improve logic	2024-09-23 22:27:58 +08:00
Yang Luo	110dc04179	feat: Revert "feat: fix permission problem in standard image" (#3231 ) This reverts commit `6464bd10dc`.	2024-09-23 22:19:27 +08:00
DacongDA	6464bd10dc	feat: fix permission problem in standard image (#3228 )	2024-09-23 18:40:39 +08:00
Yang Luo	db878a890e	feat: add type and options to signup items	2024-09-21 23:40:29 +08:00
Yang Luo	12d6d8e6ce	feat: fix cookie expire time too short bug	2024-09-21 22:45:13 +08:00
Yang Luo	8ed6e4f934	feat: improve UI for "No account?"	2024-09-21 07:35:33 +08:00
limingxie	ed9732caf9	feat: add condition for getWebBuildFolder function (#3219 )	2024-09-20 23:59:13 +08:00
Blackcbears	0de4e7da38	feat: fix organization pagination count error (#3215 ) * fix(organization): ensure count includes shared organizations Adjust the `GetOrganizationCount` function to account for shared organizations by adding an additional parameter and modifying the count query accordingly. This change ensures that the organization count correctly reflects shared organizations within the system. * ```fix(organization): optimize GetOrganizationCount query Refactor the GetOrganizationCount function to use a more efficient search method by leveraging the 'is_shared' field directly in the query condition. This change improves the performance for counting organizations by avoiding unnecessary iteration over potentially large result sets. ``` --------- Co-authored-by: CuiJing <cuijing@tul.com.cn>	2024-09-20 23:58:46 +08:00
Yang Luo	a330fbc11f	docs: fix Docker link	2024-09-17 20:45:32 +08:00
Coki	ed158d4981	feat: support advanced editor in model edit page (#3176 ) * feat: integrate external model editor and handle message events for model updates * feat: add CasbinEditor and IframeEditor components for model editing * feat: add tabbed editor interface for CasbinEditor * fix: Synchronize content between basic and advanced editors * refactor: simplify CasbinEditor and ModelEditPage components * refactor: Refactor CasbinEditor for improved iframe initialization and model synchronization * refactor: update default state of CasbinEditor active tab to "advanced * chore: add Apache License header to CasbinEditor.js and IframeEditor.js files * refactor: update CasbinEditor class names for consistency	2024-09-16 22:25:25 +08:00
千石	8df965b98d	feat: improve SAML XML's xmlns to fix SAML support for some clouds (#3207 )	2024-09-16 08:01:28 +08:00
千石	2c3749820e	feat: add application.UseEmailAsSamlNameId field for SAML (#3203 ) * feat: Add option to use email as SAML NameID based on application config - Updated NewSamlResponse11 to accept an application parameter. - Conditionally set SAML NameIdentifier to user's email or username based on application.UseEmailAsNameId. * refactor: Update GetValidationBySaml to pass application to NewSamlResponse11 - Modified GetValidationBySaml function to include application parameter in NewSamlResponse11 call. * feat: Rename field and update logic for using Email as SAML NameID - Renamed the `UseEmailAsNameId` field to `UseEmailAsSamlNameId` in the `Application` struct. - Updated `NewSamlResponse` and `NewSamlResponse11` functions to use `UseEmailAsSamlNameId` for setting the NameID value. - Modified `ApplicationEditPage.js` to reflect the field name change and update the corresponding logic.	2024-09-15 23:00:50 +08:00
ZhaoYP 2001	0b17cb9746	feat: make Organization.EnableSoftDeletion and User.IsDeleted work (#3205 ) * feat: make Organization.EnableSoftDeletion and User.IsDeleted work * fix: add handling of the situation where organization is nil	2024-09-15 14:35:44 +08:00
ZhaoYP 2001	e2ce9ad625	feat: handle null account item issue in CheckPermissionForUpdateUser() (#3202 ) * feat: improve the logic of the permission check code for users to modify account items * fix: add skip operation for deleted account items in update-user API * fix: add the function of removing deleted account item	2024-09-14 15:00:10 +08:00
DacongDA	64491abc64	feat: fix CORS issue of /api/acs for SAML IdP (#3200 ) * fix: fix CORS problem of /api/acs when login with saml idp * fix: fix origin get null when receive post with http protocol	2024-09-14 12:48:51 +08:00
ZhaoYP 2001	934a8947c8	feat: fix CAS logout failure caused by Beego session update problem (#3194 ) * feat: fix the cas logout failure caused by beego session update problem * fix: simplify the implementation of logout timer * fix: change the location of the login success code * fix: add i18n to CasLogout.js	2024-09-10 21:31:37 +08:00
IZUMI-Zu	943edfb48b	feat: support QR login for casdoor app (#3190 ) * feat: add MFA devices QR code to UserEditPage * chore: remove mfa devices	2024-09-08 22:38:13 +08:00
Yang Luo	0d02b5e768	feat: remove disabled state in syncer.table	2024-09-07 21:08:21 +08:00
Yang Luo	ba8d0b5f46	feat: Revert "feat: Users added through LDAP cannot log in using the set password" (#3186 ) This reverts commit `973a1df6c2`.	2024-09-07 20:55:14 +08:00
DacongDA	973a1df6c2	feat: Users added through LDAP cannot log in using the set password (#3175 ) * fix: login will prioritize the use of password set in casdoor and use ldap when use LDAP option in login form or user never change their password in casdoor after sync * fix: promote if statement	2024-09-06 10:31:34 +08:00
DacongDA	05bfd3a3a3	feat: fix bug that custom SAML providers are removed by GetMaskedApplication() (#3165 )	2024-09-05 20:08:56 +08:00
Yang Luo	69aa3c8a8b	feat: Revert "feat: add Casbin editor's checking in model editor" (#3167 ) This reverts commit `a1b010a406`.	2024-09-03 21:59:06 +08:00
Coki	a1b010a406	feat: add Casbin editor's checking in model editor (#3166 ) * feat: add model syntax linting and update dependencies * refactor: move model linter logic to separate module	2024-09-03 21:32:45 +08:00
DacongDA	89e92cbd47	feat: when using basic auth to fetch access_token will return restful response to oidc client (#3164 )	2024-09-03 08:05:29 +08:00
ZhaoYP 2001	d4c8193357	feat: support reCAPTCHA v3 captcha provider (#3160 ) * feat: support reCAPTCHA v3 captcha provider * fix: modify the implementation of row component style in CaptchaModal.js	2024-09-02 22:15:03 +08:00
DacongDA	9b33800b4c	feat: add email_verified, phone_number and phone_number_verified field for standard jwt token (#3156 ) * feat: add email_verified, phone_number and phone_number_verified field for standard jwt token * fix: fix linter err	2024-08-31 12:49:39 +08:00
DacongDA	ec98785172	feat: certEditPage will be redirected to 404 when name is changed (#3154 )	2024-08-30 23:04:50 +08:00
DacongDA	45dd4cc344	feat: fix nonce not parsed issue in fastAutoSignin() (#3153 ) * fix: fix nonce none passed when auto sign enabled * fix: fix query error	2024-08-30 22:29:23 +08:00
DacongDA	1adb172d6b	feat: add more crypto algorithm for jwt signing (#3150 ) * feat: add more algorithm support for JWT signing * feat: add i18n support * feat: add i18n support * feat: optimize if statement * fix: remove additional space line	2024-08-30 16:59:41 +08:00
DacongDA	c08f2b1f3f	feat: support Casdoor storage provider (#3147 ) * feat: support Casdoor storage provider * fix: fix code format and nil pointer error * feat: change cert if statement	2024-08-27 23:54:03 +08:00
Yang Luo	62bb257c6d	feat: make Resource.Url length to 500	2024-08-26 23:57:41 +08:00
Love98	230a77e3e3	feat: add captcha page (#3144 )	2024-08-26 23:22:53 +08:00
Yang Luo	dce0a96dea	feat: improve uploaded file URL	2024-08-26 21:41:28 +08:00
千石	65563fa0cd	feat: Ensure MFA email and phone are validated before enabling (#3143 ) Added validation checks to ensure that a user's email and phone number are provided before enabling MFA email and phone respectively. This fixes the issue where MFA could be enabled without these values, causing inconsistencies.	2024-08-26 08:40:22 +08:00
DacongDA	f2a94f671a	feat: complete i18n translation (#3141 ) * feat: complete i18n translation * fix: fix problem in cs/data	2024-08-24 23:27:59 +08:00
DacongDA	1460a0498f	feat: support assign a default group for synchronized from external openldap (#3140 ) * feat: support default sync group for ldap (with without add i18n translate) * feat: improve translation * feat: update all i18n translation * revert: remove new i18n translation	2024-08-24 00:12:52 +08:00
Yang Luo	adc63ea726	feat: fix wrong error alert in ApiFilter's getObject()	2024-08-23 23:36:55 +08:00
Yang Luo	0b8be016c5	feat: add enableErrorMask config	2024-08-23 22:19:17 +08:00
Yang Luo	986dcbbda1	feat: handle error in ApiFilter	2024-08-23 21:50:48 +08:00
Yang Luo	7d3920fb1f	feat: add ManagedAccounts to JWT	2024-08-20 22:23:58 +08:00
Yang Luo	b794ef87ee	feat: Revert "feat: support reCAPTCHA v3 captcha provider" (#3135 ) This reverts commit `a0d6f2125e`.	2024-08-20 17:56:53 +08:00