fix: token endpoint supports json format (#641)

Signed-off-by: Steve0x2a <stevesough@gmail.com>

.gitignore

@@ -13,7 +13,8 @@
 *.out
 
 # Dependency directories (remove the comment below to include it)
-# vendor/
+vendor/
+bin/
 
 .idea/
 *.iml

.golangci.yml

@@ -0,0 +1,42 @@
+linters:
+  disable-all: true
+  enable:
+    - deadcode
+    - dupl
+    - errcheck
+    - goconst
+    - gocyclo
+    - gofmt
+    - goimports
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - lll
+    - misspell
+    - nakedret
+    - prealloc
+    - staticcheck
+    - structcheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - varcheck
+    - revive
+    - exportloopref
+run:
+  deadline: 5m
+  skip-dirs:
+    - api
+  # skip-files:
+  #   - ".*_test\\.go$"
+  modules-download-mode: vendor
+# all available settings of specific linters
+linters-settings:
+  lll:
+    # max line length, lines longer will be reported. Default is 120.
+    # '\t' is counted as 1 character by default, and can be changed with the tab-width option
+    line-length: 150
+    # tab width in spaces. Default to 1.
+    tab-width: 1

Makefile

@@ -0,0 +1,113 @@
+
+# Image URL to use all building/pushing image targets
+REGISTRY ?= casbin
+IMG ?= casdoor
+IMG_TAG ?=$(shell git --no-pager log -1 --format="%ad" --date=format:"%Y%m%d")-$(shell git describe --tags --always --dirty --abbrev=6)
+NAMESPACE ?= casdoor
+APP ?= casdoor
+HOST ?= test.com
+
+
+# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
+ifeq (,$(shell go env GOBIN))
+GOBIN=$(shell go env GOPATH)/bin
+else
+GOBIN=$(shell go env GOBIN)
+endif
+
+# Setting SHELL to bash allows bash commands to be executed by recipes.
+# This is a requirement for 'setup-envtest.sh' in the test target.
+# Options are set to exit when a recipe line exits non-zero or a piped command fails.
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+
+.PHONY: all
+all: docker-build docker-push deploy
+
+##@ General
+
+# The help target prints out all targets with their descriptions organized
+# beneath their categories. The categories are represented by '##@' and the
+# target descriptions by '##'. The awk commands is responsible for reading the
+# entire set of makefiles included in this invocation, looking for lines of the
+# file as xyz: ## something, and then pretty-format the target and help. Then,
+# if there's a line with ##@ something, that gets pretty-printed as a category.
+# More info on the usage of ANSI control characters for terminal formatting:
+# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters
+# More info on the awk command:
+# http://linuxcommand.org/lc3_adv_awk.php
+
+.PHONY: help
+help: ## Display this help.
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+##@ Development
+
+.PHONY: fmt
+fmt: ## Run go fmt against code.
+	go fmt ./...
+
+.PHONY: vet
+vet: ## Run go vet against code.
+	go vet ./...
+
+.PHONY: ut
+ut: ## UT test
+	go test -v -cover -coverprofile=coverage.out ./...
+	go tool cover -func=coverage.out
+
+##@ Build
+
+.PHONY: backend
+backend: fmt vet ## Build backend binary.
+	go build -o bin/manager main.go
+
+.PHONY: backend-vendor
+backend-vendor: vendor fmt vet ## Build backend binary with vendor.
+	go build -mod=vendor -o bin/manager main.go
+
+.PHONY: frontend
+frontend: ## Build backend binary.
+	cd web/ && yarn && yarn run build && cd -
+
+.PHONY: vendor
+vendor: ## Update vendor.
+	go mod vendor
+
+.PHONY: run
+run: fmt vet ## Run backend in local 
+	go run ./main.go
+
+.PHONY: docker-build
+docker-build: ## Build docker image with the manager.
+	docker build -t ${REGISTRY}/${IMG}:${IMG_TAG} .
+
+.PHONY: docker-push
+docker-push: ## Push docker image with the manager.
+	docker push ${REGISTRY}/${IMG}:${IMG_TAG}
+
+lint-install: ## Install golangci-lint
+	@# The following installs a specific version of golangci-lint, which is appropriate for a CI server to avoid different results from build to build
+	go get github.com/golangci/golangci-lint/cmd/golangci-lint@v1.40.1
+
+lint: ## Run golangci-lint
+	@echo "---lint---"
+	golangci-lint run --modules-download-mode=vendor ./...
+
+##@ Deployment
+
+.PHONY: deploy
+deploy:  ## Deploy controller to the K8s cluster specified in ~/.kube/config.
+	helm upgrade --install ${APP} manifests/casdoor --create-namespace --set ingress.enabled=true \
+	--set "ingress.hosts[0].host=${HOST},ingress.hosts[0].paths[0].path=/,ingress.hosts[0].paths[0].pathType=ImplementationSpecific" \
+	--set image.tag=${IMG_TAG} --set image.repository=${REGISTRY} --set image.name=${IMG} --version ${IMG_TAG} -n ${NAMESPACE}
+
+.PHONY: dry-run
+dry-run: ## Dry run for helm install
+	helm upgrade --install ${APP} manifests/casdoor --set ingress.enabled=true \
+	--set "ingress.hosts[0].host=${HOST},ingress.hosts[0].paths[0].path=/,ingress.hosts[0].paths[0].pathType=ImplementationSpecific" \
+	--set image.tag=${IMG_TAG} --set image.repository=${REGISTRY} --set image.name=${IMG} --version ${IMG_TAG} -n ${NAMESPACE} --dry-run
+
+.PHONY: undeploy
+undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
+	helm delete ${APP} -n ${NAMESPACE}

README.md

@@ -82,6 +82,14 @@ Edit `conf/app.conf`, modify `dataSourceName` to correct database info, which fo
 username:password@tcp(database_ip:database_port)/
 ```
 
+Then create an empty schema (database) named `casdoor` in your relational database. After the program runs for the first time, it will automatically create tables in this schema.
+
+You can also edit `main.go`, modify `false` to `true`. It will automatically create the schema (database) named `casdoor` in this database.
+
+```bash
+createDatabase := flag.Bool("createDatabase", false, "true if you need casdoor to create database")
+```
+
 #### Run
 
 Casdoor provides two run modes, the difference is binary size and user prompt.
@@ -158,6 +166,19 @@ dataSourceName = root:123456@tcp(db:3306)/
 docker-compose up
 ```
 
+### K8S
+You could use helm to deploy casdoor in k8s. At first, you should modify the [configmap](./manifests/casdoor/templates/configmap.yaml) for your application.
+And then run bellow command to deploy it.
+
+```bash
+IMG_TAG=latest make deploy 
+```
+
+And undeploy it with:
+```bash
+make undeploy
+```
+
 That's it! Try to visit http://localhost:8000/. :small_airplane:
 
 ## Detailed documentation

authz/authz.go

@@ -15,7 +15,6 @@
 package authz
 
 import (
-	"github.com/astaxie/beego"
 	"github.com/casbin/casbin/v2"
 	"github.com/casbin/casbin/v2/model"
 	xormadapter "github.com/casbin/xorm-adapter/v2"
@@ -28,8 +27,8 @@ var Enforcer *casbin.Enforcer
 func InitAuthz() {
 	var err error
 
-	tableNamePrefix := beego.AppConfig.String("tableNamePrefix")
-	a, err := xormadapter.NewAdapterWithTableName(beego.AppConfig.String("driverName"), conf.GetBeegoConfDataSourceName()+beego.AppConfig.String("dbName"), "casbin_rule", tableNamePrefix, true)
+	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
+	a, err := xormadapter.NewAdapterWithTableName(conf.GetConfigString("driverName"), conf.GetBeegoConfDataSourceName()+conf.GetConfigString("dbName"), "casbin_rule", tableNamePrefix, true)
 	if err != nil {
 		panic(err)
 	}
@@ -54,7 +53,7 @@ m = (r.subOwner == p.subOwner || p.subOwner == "*") && \
     (r.urlPath == p.urlPath || p.urlPath == "*") && \
     (r.objOwner == p.objOwner || p.objOwner == "*") && \
     (r.objName == p.objName || p.objName == "*") || \
-    (r.urlPath == "/api/update-user" && r.subOwner == r.objOwner && r.subName == r.objName)
+    (r.subOwner == r.objOwner && r.subName == r.objName)
 `
 
 	m, err := model.NewModelFromString(modelText)
@@ -83,14 +82,15 @@ p, *, *, GET, /api/get-account, *, *
 p, *, *, GET, /api/userinfo, *, *
 p, *, *, POST, /api/login/oauth/access_token, *, *
 p, *, *, POST, /api/login/oauth/refresh_token, *, *
+p, *, *, GET, /api/login/oauth/logout, *, *
 p, *, *, GET, /api/get-application, *, *
-p, *, *, GET, /api/get-users, *, *
 p, *, *, GET, /api/get-user, *, *
-p, *, *, GET, /api/get-organizations, *, *
 p, *, *, GET, /api/get-user-application, *, *
-p, *, *, GET, /api/get-default-providers, *, *
 p, *, *, GET, /api/get-resources, *, *
-p, *, *, POST, /api/upload-avatar, *, *
+p, *, *, GET, /api/get-product, *, *
+p, *, *, POST, /api/buy-product, *, *
+p, *, *, GET, /api/get-payment, *, *
+p, *, *, GET, /api/get-providers, *, *
 p, *, *, POST, /api/unlink, *, *
 p, *, *, POST, /api/set-password, *, *
 p, *, *, POST, /api/send-verification-code, *, *
@@ -98,7 +98,7 @@ p, *, *, GET, /api/get-human-check, *, *
 p, *, *, POST, /api/reset-email-or-phone, *, *
 p, *, *, POST, /api/upload-resource, *, *
 p, *, *, GET, /.well-known/openid-configuration, *, *
-p, *, *, *, /api/certs, *, *
+p, *, *, *, /.well-known/jwks, *, *
 p, *, *, GET, /api/get-saml-login, *, *
 p, *, *, POST, /api/acs, *, *
 `

conf/app.conf

@@ -12,7 +12,7 @@ redisEndpoint =
 defaultStorageProvider = 
 isCloudIntranet = false
 authState = "casdoor"
-httpProxy = "127.0.0.1:10808"
+sock5Proxy = "127.0.0.1:10808"
 verificationCodeTimeout = 10
 initScore = 2000
 logPostOnly = true

conf/conf.go

@@ -15,14 +15,49 @@
 package conf
 
 import (
+	"fmt"
 	"os"
+	"strconv"
 	"strings"
 
 	"github.com/astaxie/beego"
 )
 
+func GetConfigString(key string) string {
+	if value, ok := os.LookupEnv(key); ok {
+		return value
+	}
+	return beego.AppConfig.String(key)
+}
+
+func GetConfigBool(key string) (bool, error) {
+	value := GetConfigString(key)
+	if value == "true" {
+		return true, nil
+	} else if value == "false" {
+		return false, nil
+	}
+	return false, fmt.Errorf("value %s cannot be converted into bool", value)
+}
+
+func GetConfigInt64(key string) (int64, error) {
+	value := GetConfigString(key)
+	num, err := strconv.ParseInt(value, 10, 64)
+	return num, err
+}
+
+func init() {
+	//this array contains the beego configuration items that may be modified via env
+	var presetConfigItems = []string{"httpport", "appname"}
+	for _, key := range presetConfigItems {
+		if value, ok := os.LookupEnv(key); ok {
+			beego.AppConfig.Set(key, value)
+		}
+	}
+}
+
 func GetBeegoConfDataSourceName() string {
-	dataSourceName := beego.AppConfig.String("dataSourceName")
+	dataSourceName := GetConfigString("dataSourceName")
 
 	runningInDocker := os.Getenv("RUNNING_IN_DOCKER")
 	if runningInDocker == "true" {

conf/conf_test.go

@@ -0,0 +1,98 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package conf
+
+import (
+	"os"
+	"testing"
+
+	"github.com/astaxie/beego"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetConfString(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Should be return casbin", "appname", "casbin"},
+		{"Should be return 8000", "httpport", "8000"},
+		{"Should be return  value", "key", "value"},
+	}
+
+	//do some set up job
+
+	os.Setenv("appname", "casbin")
+	os.Setenv("key", "value")
+
+	err := beego.LoadAppConfig("ini", "app.conf")
+	assert.Nil(t, err)
+
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := GetConfigString(scenery.input)
+			assert.Equal(t, scenery.expected, actual)
+		})
+	}
+}
+
+func TestGetConfInt(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Should be return 8000", "httpport", 8001},
+		{"Should be return 8000", "verificationCodeTimeout", 10},
+	}
+
+	//do some set up job
+	os.Setenv("httpport", "8001")
+
+	err := beego.LoadAppConfig("ini", "app.conf")
+	assert.Nil(t, err)
+
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual, err := GetConfigInt64(scenery.input)
+			assert.Nil(t, err)
+			assert.Equal(t, scenery.expected, int(actual))
+		})
+	}
+}
+
+func TestGetConfBool(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Should be return false", "SessionOn", false},
+		{"Should be return false", "copyrequestbody", true},
+	}
+
+	//do some set up job
+	os.Setenv("SessionOn", "false")
+
+	err := beego.LoadAppConfig("ini", "app.conf")
+	assert.Nil(t, err)
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual, err := GetConfigBool(scenery.input)
+			assert.Nil(t, err)
+			assert.Equal(t, scenery.expected, actual)
+		})
+	}
+}

controllers/account.go

@@ -20,14 +20,15 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/astaxie/beego"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
 
 const (
-	ResponseTypeLogin = "login"
-	ResponseTypeCode  = "code"
+	ResponseTypeLogin   = "login"
+	ResponseTypeCode    = "code"
+	ResponseTypeToken   = "token"
+	ResponseTypeIdToken = "id_token"
 )
 
 type RequestForm struct {
@@ -37,6 +38,8 @@ type RequestForm struct {
 	Username     string `json:"username"`
 	Password     string `json:"password"`
 	Name         string `json:"name"`
+	FirstName    string `json:"firstName"`
+	LastName     string `json:"lastName"`
 	Email        string `json:"email"`
 	Phone        string `json:"phone"`
 	Affiliation  string `json:"affiliation"`
@@ -69,18 +72,6 @@ type Response struct {
 	Data2  interface{} `json:"data2"`
 }
 
-type Userinfo struct {
-	Sub         string `json:"sub"`
-	Iss         string `json:"iss"`
-	Aud         string `json:"aud"`
-	Name        string `json:"name,omitempty"`
-	DisplayName string `json:"preferred_username,omitempty"`
-	Email       string `json:"email,omitempty"`
-	Avatar      string `json:"picture,omitempty"`
-	Address     string `json:"address,omitempty"`
-	Phone       string `json:"phone,omitempty"`
-}
-
 type HumanCheck struct {
 	Type         string      `json:"type"`
 	AppKey       string      `json:"appKey"`
@@ -116,7 +107,7 @@ func (c *ApiController) Signup() {
 	}
 
 	organization := object.GetOrganization(fmt.Sprintf("%s/%s", "admin", form.Organization))
-	msg := object.CheckUserSignup(application, organization, form.Username, form.Password, form.Name, form.Email, form.Phone, form.Affiliation)
+	msg := object.CheckUserSignup(application, organization, form.Username, form.Password, form.Name, form.FirstName, form.LastName, form.Email, form.Phone, form.Affiliation)
 	if msg != "" {
 		c.ResponseError(msg)
 		return
@@ -140,12 +131,15 @@ func (c *ApiController) Signup() {
 		}
 	}
 
-	userId := fmt.Sprintf("%s/%s", form.Organization, form.Username)
-
 	id := util.GenerateId()
 	if application.GetSignupItemRule("ID") == "Incremental" {
 		lastUser := object.GetLastUser(form.Organization)
-		lastIdInt := util.ParseInt(lastUser.Id)
+
+		lastIdInt := -1
+		if lastUser != nil {
+			lastIdInt = util.ParseInt(lastUser.Id)
+		}
+
 		id = strconv.Itoa(lastIdInt + 1)
 	}
 
@@ -176,6 +170,22 @@ func (c *ApiController) Signup() {
 		IsDeleted:         false,
 		SignupApplication: application.Name,
 		Properties:        map[string]string{},
+		Karma:             0,
+	}
+
+	if len(organization.Tags) > 0 {
+		tokens := strings.Split(organization.Tags[0], "|")
+		if len(tokens) > 0 {
+			user.Tag = tokens[0]
+		}
+	}
+
+	if application.GetSignupItemRule("Display name") == "First, last" {
+		if form.FirstName != "" || form.LastName != "" {
+			user.DisplayName = fmt.Sprintf("%s %s", form.FirstName, form.LastName)
+			user.FirstName = form.FirstName
+			user.LastName = form.LastName
+		}
 	}
 
 	affected := object.AddUser(user)
@@ -194,6 +204,12 @@ func (c *ApiController) Signup() {
 	object.DisableVerificationCode(form.Email)
 	object.DisableVerificationCode(checkPhone)
 
+	record := object.NewRecord(c.Ctx)
+	record.Organization = application.Organization
+	record.User = user.Name
+	go object.AddRecord(record)
+
+	userId := fmt.Sprintf("%s/%s", user.Owner, user.Name)
 	util.LogInfo(c.Ctx, "API: [%s] is signed up as new user", userId)
 
 	c.ResponseOk(userId)
@@ -209,10 +225,15 @@ func (c *ApiController) Logout() {
 	user := c.GetSessionUsername()
 	util.LogInfo(c.Ctx, "API: [%s] logged out", user)
 
+	application := c.GetSessionApplication()
 	c.SetSessionUsername("")
 	c.SetSessionData(nil)
 
-	c.ResponseOk(user)
+	if application == nil || application.Name == "app-built-in" || application.HomepageUrl == "" {
+		c.ResponseOk(user)
+		return
+	}
+	c.ResponseOk(user, application.HomepageUrl)
 }
 
 // GetAccount
@@ -249,38 +270,18 @@ func (c *ApiController) GetAccount() {
 // @Title UserInfo
 // @Tag Account API
 // @Description return user information according to OIDC standards
-// @Success 200 {object} controllers.Userinfo The Response object
+// @Success 200 {object} object.Userinfo The Response object
 // @router /userinfo [get]
 func (c *ApiController) GetUserinfo() {
 	userId, ok := c.RequireSignedIn()
 	if !ok {
 		return
 	}
-	user := object.GetUser(userId)
-	if user == nil {
-		c.ResponseError(fmt.Sprintf("The user: %s doesn't exist", userId))
-		return
-	}
 	scope, aud := c.GetSessionOidc()
-	iss := beego.AppConfig.String("origin")
-	resp := Userinfo{
-		Sub: user.Id,
-		Iss: iss,
-		Aud: aud,
-	}
-	if strings.Contains(scope, "profile") {
-		resp.Name = user.Name
-		resp.DisplayName = user.DisplayName
-		resp.Avatar = user.Avatar
-	}
-	if strings.Contains(scope, "email") {
-		resp.Email = user.Email
-	}
-	if strings.Contains(scope, "address") {
-		resp.Address = user.Location
-	}
-	if strings.Contains(scope, "phone") {
-		resp.Phone = user.Phone
+	host := c.Ctx.Request.Host
+	resp, err := object.GetUserInfo(userId, scope, aud, host)
+	if err != nil {
+		c.ResponseError(err.Error())
 	}
 	c.Data["json"] = resp
 	c.ServeJSON()

controllers/application.go

@@ -16,6 +16,7 @@ package controllers
 
 import (
 	"encoding/json"
+	"fmt"
 
 	"github.com/astaxie/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@@ -85,7 +86,7 @@ func (c *ApiController) GetUserApplication() {
 	id := c.Input().Get("id")
 	user := object.GetUser(id)
 	if user == nil {
-		c.ResponseError("No such user.")
+		c.ResponseError(fmt.Sprintf("The user: %s doesn't exist", id))
 		return
 	}
 

controllers/auth.go

@@ -23,7 +23,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/astaxie/beego"
+	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/idp"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/proxy"
@@ -38,6 +38,14 @@ func codeToResponse(code *object.Code) *Response {
 	return &Response{Status: "ok", Msg: "", Data: code.Code}
 }
 
+func tokenToResponse(token *object.Token) *Response {
+	if token.AccessToken == "" {
+		return &Response{Status: "error", Msg: "fail to get accessToken", Data: token.AccessToken}
+	}
+	return &Response{Status: "ok", Msg: "", Data: token.AccessToken}
+
+}
+
 // HandleLoggedIn ...
 func (c *ApiController) HandleLoggedIn(application *object.Application, user *object.User, form *RequestForm) (resp *Response) {
 	userId := user.GetId()
@@ -59,13 +67,22 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 			c.ResponseError("Challenge method should be S256")
 			return
 		}
-		code := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge)
+		code := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host)
 		resp = codeToResponse(code)
 
 		if application.EnableSigninSession || application.HasPromptPage() {
 			// The prompt page needs the user to be signed in
 			c.SetSessionUsername(userId)
 		}
+	} else if form.Type == ResponseTypeToken || form.Type == ResponseTypeIdToken { //implicit flow
+		if !object.IsGrantTypeValid(form.Type, application.GrantTypes) {
+			resp = &Response{Status: "error", Msg: fmt.Sprintf("error: grant_type: %s is not supported in this application", form.Type), Data: ""}
+		} else {
+			scope := c.Input().Get("scope")
+			token, _ := object.GetTokenByUser(application, user, scope, c.Ctx.Request.Host)
+			resp = tokenToResponse(token)
+		}
+
 	} else {
 		resp = &Response{Status: "error", Msg: fmt.Sprintf("Unknown response type: %s", form.Type)}
 	}
@@ -101,6 +118,7 @@ func (c *ApiController) GetApplicationLogin() {
 	state := c.Input().Get("state")
 
 	msg, application := object.CheckOAuthLogin(clientId, responseType, redirectUri, scope, state)
+	application = object.GetMaskedApplication(application, "")
 	if msg != "" {
 		c.ResponseError(msg, application)
 	} else {
@@ -109,7 +127,7 @@ func (c *ApiController) GetApplicationLogin() {
 }
 
 func setHttpClient(idProvider idp.IdProvider, providerType string) {
-	if providerType == "GitHub" || providerType == "Google" || providerType == "Facebook" || providerType == "LinkedIn" {
+	if providerType == "GitHub" || providerType == "Google" || providerType == "Facebook" || providerType == "LinkedIn" || providerType == "Steam" {
 		idProvider.SetHttpClient(proxy.ProxyHttpClient)
 	} else {
 		idProvider.SetHttpClient(proxy.DefaultHttpClient)
@@ -149,9 +167,16 @@ func (c *ApiController) Login() {
 			var verificationCodeType string
 			var checkResult string
 
+			if form.Name != "" {
+				user = object.GetUserByFields(form.Organization, form.Name)
+			}
+
 			// check result through Email or Phone
 			if strings.Contains(form.Username, "@") {
 				verificationCodeType = "email"
+				if user != nil && util.GetMaskedEmail(user.Email) == form.Username {
+					form.Username = user.Email
+				}
 				checkResult = object.CheckVerificationCode(form.Username, form.Code)
 			} else {
 				verificationCodeType = "phone"
@@ -160,6 +185,9 @@ func (c *ApiController) Login() {
 					c.ResponseError(responseText)
 					return
 				}
+				if user != nil && util.GetMaskedPhone(user.Phone) == form.Username {
+					form.Username = user.Phone
+				}
 				checkPhone := fmt.Sprintf("+%s%s", form.PhonePrefix, form.Username)
 				checkResult = object.CheckVerificationCode(checkPhone, form.Code)
 			}
@@ -174,7 +202,7 @@ func (c *ApiController) Login() {
 
 			user = object.GetUserByFields(form.Organization, form.Username)
 			if user == nil {
-				c.ResponseError("No such user.")
+				c.ResponseError(fmt.Sprintf("The user: %s/%s doesn't exist", form.Organization, form.Username))
 				return
 			}
 		} else {
@@ -186,6 +214,11 @@ func (c *ApiController) Login() {
 			resp = &Response{Status: "error", Msg: msg}
 		} else {
 			application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
+			if application == nil {
+				c.ResponseError(fmt.Sprintf("The application: %s does not exist", form.Application))
+				return
+			}
+
 			resp = c.HandleLoggedIn(application, user, &form)
 
 			record := object.NewRecord(c.Ctx)
@@ -195,6 +228,11 @@ func (c *ApiController) Login() {
 		}
 	} else if form.Provider != "" {
 		application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
+		if application == nil {
+			c.ResponseError(fmt.Sprintf("The application: %s does not exist", form.Application))
+			return
+		}
+
 		organization := object.GetOrganization(fmt.Sprintf("%s/%s", "admin", application.Organization))
 		provider := object.GetProvider(fmt.Sprintf("admin/%s", form.Provider))
 		providerItem := application.GetProviderItem(provider.Name)
@@ -221,7 +259,7 @@ func (c *ApiController) Login() {
 				clientSecret = provider.ClientSecret2
 			}
 
-			idProvider := idp.GetIdProvider(provider.Type, provider.SubType, clientId, clientSecret, provider.AppId, form.RedirectUri)
+			idProvider := idp.GetIdProvider(provider.Type, provider.SubType, clientId, clientSecret, provider.AppId, form.RedirectUri, provider.Domain)
 			if idProvider == nil {
 				c.ResponseError(fmt.Sprintf("The provider type: %s is not supported", provider.Type))
 				return
@@ -229,8 +267,8 @@ func (c *ApiController) Login() {
 
 			setHttpClient(idProvider, provider.Type)
 
-			if form.State != beego.AppConfig.String("authState") && form.State != application.Name {
-				c.ResponseError(fmt.Sprintf("state expected: \"%s\", but got: \"%s\"", beego.AppConfig.String("authState"), form.State))
+			if form.State != conf.GetConfigString("authState") && form.State != application.Name {
+				c.ResponseError(fmt.Sprintf("state expected: \"%s\", but got: \"%s\"", conf.GetConfigString("authState"), form.State))
 				return
 			}
 
@@ -365,6 +403,11 @@ func (c *ApiController) Login() {
 		if c.GetSessionUsername() != "" {
 			// user already signed in to Casdoor, so let the user click the avatar button to do the quick sign-in
 			application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
+			if application == nil {
+				c.ResponseError(fmt.Sprintf("The application: %s does not exist", form.Application))
+				return
+			}
+
 			user := c.getCurrentUser()
 			resp = c.HandleLoggedIn(application, user, &form)
 		} else {

controllers/base.go

@@ -72,6 +72,15 @@ func (c *ApiController) GetSessionUsername() string {
 	return user.(string)
 }
 
+func (c *ApiController) GetSessionApplication() *object.Application {
+	clientId := c.GetSession("aud")
+	if clientId == nil {
+		return nil
+	}
+	application := object.GetApplicationByClientId(clientId.(string))
+	return application
+}
+
 func (c *ApiController) GetSessionOidc() (string, string) {
 	sessionData := c.GetSessionData()
 	if sessionData != nil &&
@@ -132,3 +141,11 @@ func wrapActionResponse(affected bool) *Response {
 		return &Response{Status: "ok", Msg: "", Data: "Unaffected"}
 	}
 }
+
+func wrapErrorResponse(err error) *Response {
+	if err == nil {
+		return &Response{Status: "ok", Msg: ""}
+	} else {
+		return &Response{Status: "error", Msg: err.Error()}
+	}
+}

controllers/ldap.go

@@ -170,6 +170,7 @@ func (c *ApiController) UpdateLdap() {
 		return
 	}
 
+	prevLdap := object.GetLdap(ldap.Id)
 	affected := object.UpdateLdap(&ldap)
 	resp := wrapActionResponse(affected)
 	if affected {
@@ -177,6 +178,8 @@ func (c *ApiController) UpdateLdap() {
 	}
 	if ldap.AutoSync != 0 {
 		object.GetLdapAutoSynchronizer().StartAutoSync(ldap.Id)
+	} else if ldap.AutoSync == 0 && prevLdap.AutoSync != 0 {
+		object.GetLdapAutoSynchronizer().StopAutoSync(ldap.Id)
 	}
 
 	c.Data["json"] = resp

controllers/oidc_discovery.go

@@ -25,10 +25,10 @@ func (c *RootController) GetOidcDiscovery() {
 	c.ServeJSON()
 }
 
-// @Title GetOidcCert
+// @Title GetJwks
 // @Tag OIDC API
-// @router /api/certs [get]
-func (c *RootController) GetOidcCert() {
+// @router /.well-known/jwks [get]
+func (c *RootController) GetJwks() {
 	jwks, err := object.GetJsonWebKeySet()
 	if err != nil {
 		c.ResponseError(err.Error())

controllers/payment.go

@@ -16,6 +16,7 @@ package controllers
 
 import (
 	"encoding/json"
+	"fmt"
 
 	"github.com/astaxie/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@@ -48,6 +49,24 @@ func (c *ApiController) GetPayments() {
 	}
 }
 
+// GetUserPayments
+// @Title GetUserPayments
+// @Tag Payment API
+// @Description get payments for a user
+// @Param   owner     query    string  true        "The owner of payments"
+// @Param   organization    query   string  true   "The organization of the user"
+// @Param   user    query   string  true           "The username of the user"
+// @Success 200 {array} object.Payment The Response object
+// @router /get-user-payments [get]
+func (c *ApiController) GetUserPayments() {
+	owner := c.Input().Get("owner")
+	organization := c.Input().Get("organization")
+	user := c.Input().Get("user")
+
+	payments := object.GetUserPayments(owner, organization, user)
+	c.ResponseOk(payments)
+}
+
 // @Title GetPayment
 // @Tag Payment API
 // @Description get payment
@@ -114,3 +133,28 @@ func (c *ApiController) DeletePayment() {
 	c.Data["json"] = wrapActionResponse(object.DeletePayment(&payment))
 	c.ServeJSON()
 }
+
+// @Title NotifyPayment
+// @Tag Payment API
+// @Description notify payment
+// @Param   body    body   object.Payment  true        "The details of the payment"
+// @Success 200 {object} controllers.Response The Response object
+// @router /notify-payment [post]
+func (c *ApiController) NotifyPayment() {
+	owner := c.Ctx.Input.Param(":owner")
+	providerName := c.Ctx.Input.Param(":provider")
+	productName := c.Ctx.Input.Param(":product")
+	paymentName := c.Ctx.Input.Param(":payment")
+
+	body := c.Ctx.Input.RequestBody
+
+	ok := object.NotifyPayment(c.Ctx.Request, body, owner, providerName, productName, paymentName)
+	if ok {
+		_, err := c.Ctx.ResponseWriter.Write([]byte("success"))
+		if err != nil {
+			panic(err)
+		}
+	} else {
+		panic(fmt.Errorf("NotifyPayment() failed: %v", ok))
+	}
+}

controllers/product.go

@@ -0,0 +1,150 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/astaxie/beego/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetProducts
+// @Title GetProducts
+// @Tag Product API
+// @Description get products
+// @Param   owner     query    string  true        "The owner of products"
+// @Success 200 {array} object.Product The Response object
+// @router /get-products [get]
+func (c *ApiController) GetProducts() {
+	owner := c.Input().Get("owner")
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+	if limit == "" || page == "" {
+		c.Data["json"] = object.GetProducts(owner)
+		c.ServeJSON()
+	} else {
+		limit := util.ParseInt(limit)
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetProductCount(owner, field, value)))
+		products := object.GetPaginationProducts(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		c.ResponseOk(products, paginator.Nums())
+	}
+}
+
+// @Title GetProduct
+// @Tag Product API
+// @Description get product
+// @Param   id    query    string  true        "The id of the product"
+// @Success 200 {object} object.Product The Response object
+// @router /get-product [get]
+func (c *ApiController) GetProduct() {
+	id := c.Input().Get("id")
+
+	c.Data["json"] = object.GetProduct(id)
+	c.ServeJSON()
+}
+
+// @Title UpdateProduct
+// @Tag Product API
+// @Description update product
+// @Param   id    query    string  true        "The id of the product"
+// @Param   body    body   object.Product  true        "The details of the product"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-product [post]
+func (c *ApiController) UpdateProduct() {
+	id := c.Input().Get("id")
+
+	var product object.Product
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &product)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdateProduct(id, &product))
+	c.ServeJSON()
+}
+
+// @Title AddProduct
+// @Tag Product API
+// @Description add product
+// @Param   body    body   object.Product  true        "The details of the product"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-product [post]
+func (c *ApiController) AddProduct() {
+	var product object.Product
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &product)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddProduct(&product))
+	c.ServeJSON()
+}
+
+// @Title DeleteProduct
+// @Tag Product API
+// @Description delete product
+// @Param   body    body   object.Product  true        "The details of the product"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-product [post]
+func (c *ApiController) DeleteProduct() {
+	var product object.Product
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &product)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeleteProduct(&product))
+	c.ServeJSON()
+}
+
+// @Title BuyProduct
+// @Tag Product API
+// @Description buy product
+// @Param   id    query    string  true            "The id of the product"
+// @Param   providerName    query    string  true  "The name of the provider"
+// @Success 200 {object} controllers.Response The Response object
+// @router /buy-product [post]
+func (c *ApiController) BuyProduct() {
+	id := c.Input().Get("id")
+	providerName := c.Input().Get("providerName")
+	host := c.Ctx.Request.Host
+
+	userId := c.GetSessionUsername()
+	if userId == "" {
+		c.ResponseError("Please login first")
+		return
+	}
+
+	user := object.GetUser(userId)
+	if user == nil {
+		c.ResponseError(fmt.Sprintf("The user: %s doesn't exist", userId))
+		return
+	}
+
+	payUrl, err := object.BuyProduct(id, providerName, user, host)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(payUrl)
+}

controllers/token.go

@@ -16,6 +16,7 @@ package controllers
 
 import (
 	"encoding/json"
+	"net/http"
 
 	"github.com/astaxie/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@@ -149,8 +150,9 @@ func (c *ApiController) GetOAuthCode() {
 		c.ResponseError("Challenge method should be S256")
 		return
 	}
+	host := c.Ctx.Request.Host
 
-	c.Data["json"] = object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge)
+	c.Data["json"] = object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, host)
 	c.ServeJSON()
 }
 
@@ -170,23 +172,42 @@ func (c *ApiController) GetOAuthToken() {
 	clientSecret := c.Input().Get("client_secret")
 	code := c.Input().Get("code")
 	verifier := c.Input().Get("code_verifier")
+	scope := c.Input().Get("scope")
+	username := c.Input().Get("username")
+	password := c.Input().Get("password")
 
 	if clientId == "" && clientSecret == "" {
 		clientId, clientSecret, _ = c.Ctx.Request.BasicAuth()
 	}
+	if clientId == "" {
+		// If clientID is empty, try to read data from RequestBody
+		var tokenRequest TokenRequest
+		if err := json.Unmarshal(c.Ctx.Input.RequestBody, &tokenRequest); err == nil {
+			clientId = tokenRequest.ClientId
+			clientSecret = tokenRequest.ClientSecret
+			grantType = tokenRequest.GrantType
+			code = tokenRequest.Code
+			verifier = tokenRequest.Verifier
+			scope = tokenRequest.Scope
+			username = tokenRequest.Username
+			password = tokenRequest.Password
+		}
+	}
+	host := c.Ctx.Request.Host
 
-	c.Data["json"] = object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier)
+	c.Data["json"] = object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, username, password, host)
 	c.ServeJSON()
 }
 
 // RefreshToken
 // @Title RefreshToken
+// @Tag Token API
 // @Description refresh OAuth access token
 // @Param   grant_type     query    string  true        "OAuth grant type"
 // @Param	refresh_token	query	string	true		"OAuth refresh token"
 // @Param   scope     query    string  true        "OAuth scope"
 // @Param   client_id     query    string  true        "OAuth client id"
-// @Param   client_secret     query    string  true        "OAuth client secret"
+// @Param   client_secret     query    string  false        "OAuth client secret"
 // @Success 200 {object} object.TokenWrapper The Response object
 // @router /login/oauth/refresh_token [post]
 func (c *ApiController) RefreshToken() {
@@ -195,7 +216,104 @@ func (c *ApiController) RefreshToken() {
 	scope := c.Input().Get("scope")
 	clientId := c.Input().Get("client_id")
 	clientSecret := c.Input().Get("client_secret")
+	host := c.Ctx.Request.Host
 
-	c.Data["json"] = object.RefreshToken(grantType, refreshToken, scope, clientId, clientSecret)
+	if clientId == "" {
+		// If clientID is empty, try to read data from RequestBody
+		var tokenRequest TokenRequest
+		if err := json.Unmarshal(c.Ctx.Input.RequestBody, &tokenRequest); err == nil {
+			clientId = tokenRequest.ClientId
+			clientSecret = tokenRequest.ClientSecret
+			grantType = tokenRequest.GrantType
+			scope = tokenRequest.Scope
+
+		}
+	}
+
+	c.Data["json"] = object.RefreshToken(grantType, refreshToken, scope, clientId, clientSecret, host)
+	c.ServeJSON()
+}
+
+// TokenLogout
+// @Title TokenLogout
+// @Tag Token API
+// @Description delete token by AccessToken
+// @Param   id_token_hint     query    string  true        "id_token_hint"
+// @Param   post_logout_redirect_uri    query    string  false      "post_logout_redirect_uri"
+// @Param   state     query    string  true        "state"
+// @Success 200 {object} controllers.Response The Response object
+// @router /login/oauth/logout [get]
+func (c *ApiController) TokenLogout() {
+	token := c.Input().Get("id_token_hint")
+	flag, application := object.DeleteTokenByAceessToken(token)
+	redirectUri := c.Input().Get("post_logout_redirect_uri")
+	state := c.Input().Get("state")
+	if application != nil && object.CheckRedirectUriValid(application, redirectUri) {
+		c.Ctx.Redirect(http.StatusFound, redirectUri+"?state="+state)
+		return
+	}
+	c.Data["json"] = wrapActionResponse(flag)
+	c.ServeJSON()
+}
+
+// IntrospectToken
+// @Title IntrospectToken
+// @Description The introspection endpoint is an OAuth 2.0 endpoint that takes a
+//  parameter representing an OAuth 2.0 token and returns a JSON document
+//  representing the meta information surrounding the
+//  token, including whether this token is currently active.
+//  This endpoint only support Basic Authorization.
+// @Param token formData string true "access_token's value or refresh_token's value"
+// @Param token_type_hint formData string true "the token type access_token or refresh_token"
+// @Success 200 {object} object.IntrospectionResponse The Response object
+// @router /login/oauth/introspect [post]
+func (c *ApiController) IntrospectToken() {
+	tokenValue := c.Input().Get("token")
+	clientId, clientSecret, ok := c.Ctx.Request.BasicAuth()
+	if !ok {
+		util.LogWarning(c.Ctx, "Basic Authorization parses failed")
+		c.Data["json"] = Response{Status: "error", Msg: "Unauthorized operation"}
+		c.ServeJSON()
+		return
+	}
+	application := object.GetApplicationByClientId(clientId)
+	if application == nil || application.ClientSecret != clientSecret {
+		util.LogWarning(c.Ctx, "Basic Authorization failed")
+		c.Data["json"] = Response{Status: "error", Msg: "Unauthorized operation"}
+		c.ServeJSON()
+		return
+	}
+	token := object.GetTokenByTokenAndApplication(tokenValue, application.Name)
+	if token == nil {
+		util.LogWarning(c.Ctx, "application: %s can not find token", application.Name)
+		c.Data["json"] = &object.IntrospectionResponse{Active: false}
+		c.ServeJSON()
+		return
+	}
+	jwtToken, err := object.ParseJwtTokenByApplication(tokenValue, application)
+	if err != nil || jwtToken.Valid() != nil {
+		// and token revoked case. but we not implement
+		// TODO: 2022-03-03 add token revoked check, when we implemented the Token Revocation(rfc7009) Specs.
+		// refs: https://tools.ietf.org/html/rfc7009
+		util.LogWarning(c.Ctx, "token invalid")
+		c.Data["json"] = &object.IntrospectionResponse{Active: false}
+		c.ServeJSON()
+		return
+	}
+
+	c.Data["json"] = &object.IntrospectionResponse{
+		Active:    true,
+		Scope:     jwtToken.Scope,
+		ClientId:  clientId,
+		Username:  token.User,
+		TokenType: token.TokenType,
+		Exp:       jwtToken.ExpiresAt.Unix(),
+		Iat:       jwtToken.IssuedAt.Unix(),
+		Nbf:       jwtToken.NotBefore.Unix(),
+		Sub:       jwtToken.Subject,
+		Aud:       jwtToken.Audience,
+		Iss:       jwtToken.Issuer,
+		Jti:       jwtToken.Id,
+	}
 	c.ServeJSON()
 }

controllers/types.go

@@ -0,0 +1,26 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+type TokenRequest struct {
+	GrantType    string `json:"grant_type"`
+	Code         string `json:"code"`
+	ClientId     string `json:"client_id"`
+	ClientSecret string `json:"client_secret"`
+	Verifier     string `json:"code_verifier"`
+	Scope        string `json:"scope"`
+	Username     string `json:"username"`
+	Password     string `json:"password"`
+}

controllers/user.go

@@ -44,6 +44,7 @@ func (c *ApiController) GetGlobalUsers() {
 		limit := util.ParseInt(limit)
 		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetGlobalUserCount(field, value)))
 		users := object.GetPaginationGlobalUsers(paginator.Offset(), limit, field, value, sortField, sortOrder)
+		users = object.GetMaskedUsers(users)
 		c.ResponseOk(users, paginator.Nums())
 	}
 }
@@ -70,6 +71,7 @@ func (c *ApiController) GetUsers() {
 		limit := util.ParseInt(limit)
 		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetUserCount(owner, field, value)))
 		users := object.GetPaginationUsers(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		users = object.GetMaskedUsers(users)
 		c.ResponseOk(users, paginator.Nums())
 	}
 }
@@ -188,19 +190,23 @@ func (c *ApiController) GetEmailAndPhone() {
 
 	user := object.GetUserByFields(form.Organization, form.Username)
 	if user == nil {
-		c.ResponseError("No such user.")
+		c.ResponseError(fmt.Sprintf("The user: %s/%s doesn't exist", form.Organization, form.Username))
 		return
 	}
 
-	respUser := object.User{Email: user.Email, Phone: user.Phone, Name: user.Name}
+	respUser := object.User{Name: user.Name}
 	var contentType string
 	switch form.Username {
 	case user.Email:
 		contentType = "email"
+		respUser.Email = user.Email
 	case user.Phone:
 		contentType = "phone"
+		respUser.Phone = user.Phone
 	case user.Name:
 		contentType = "username"
+		respUser.Email = util.GetMaskedEmail(user.Email)
+		respUser.Phone = util.GetMaskedPhone(user.Phone)
 	}
 
 	c.ResponseOk(respUser, contentType)
@@ -224,7 +230,7 @@ func (c *ApiController) SetPassword() {
 
 	requestUserId := c.GetSessionUsername()
 	if requestUserId == "" {
-		c.ResponseError("Please login first.")
+		c.ResponseError("Please login first")
 		return
 	}
 

controllers/util.go

@@ -18,7 +18,7 @@ import (
 	"fmt"
 	"strconv"
 
-	"github.com/astaxie/beego"
+	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -62,7 +62,7 @@ func (c *ApiController) RequireSignedIn() (string, bool) {
 }
 
 func getInitScore() int {
-	score, err := strconv.Atoi(beego.AppConfig.String("initScore"))
+	score, err := strconv.Atoi(conf.GetConfigString("initScore"))
 	if err != nil {
 		panic(err)
 	}

controllers/verification.go

@@ -68,15 +68,22 @@ func (c *ApiController) SendVerificationCode() {
 	organization := object.GetOrganization(orgId)
 	application := object.GetApplicationByOrganizationName(organization.Name)
 
-	if checkUser == "true" && user == nil &&
-		object.GetUserByFields(organization.Name, dest) == nil {
-		c.ResponseError("No such user.")
+	if checkUser == "true" && user == nil && object.GetUserByFields(organization.Name, dest) == nil {
+		c.ResponseError("Please login first")
 		return
 	}
 
-	sendResp := errors.New("Invalid dest type.")
+	sendResp := errors.New("Invalid dest type")
+
+	if user == nil && checkUser != "" && checkUser != "true" {
+		_, name := util.GetOwnerAndNameFromId(orgId)
+		user = object.GetUser(fmt.Sprintf("%s/%s", name, checkUser))
+	}
 	switch destType {
 	case "email":
+		if user != nil && util.GetMaskedEmail(user.Email) == dest {
+			dest = user.Email
+		}
 		if !util.IsEmailValid(dest) {
 			c.ResponseError("Invalid Email address")
 			return
@@ -85,6 +92,9 @@ func (c *ApiController) SendVerificationCode() {
 		provider := application.GetEmailProvider()
 		sendResp = object.SendVerificationCodeToEmail(organization, user, provider, remoteAddr, dest)
 	case "phone":
+		if user != nil && util.GetMaskedPhone(user.Phone) == dest {
+			dest = user.Phone
+		}
 		if !util.IsPhoneCnValid(dest) {
 			c.ResponseError("Invalid phone number")
 			return
@@ -121,7 +131,7 @@ func (c *ApiController) ResetEmailOrPhone() {
 
 	user := object.GetUser(userId)
 	if user == nil {
-		c.ResponseError("No such user.")
+		c.ResponseError(fmt.Sprintf("The user: %s doesn't exist", userId))
 		return
 	}
 

docker-compose.yml

@@ -11,6 +11,8 @@ services:
       - db
     environment:
       RUNNING_IN_DOCKER: "true"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     volumes:
       - ./conf:/conf/
   db:

go.mod

@@ -9,14 +9,16 @@ require (
 	github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f // indirect
 	github.com/casbin/casbin/v2 v2.30.1
 	github.com/casbin/xorm-adapter/v2 v2.5.1
-	github.com/casdoor/go-sms-sender v0.0.5
+	github.com/casdoor/go-sms-sender v0.2.0
 	github.com/dchest/captcha v0.0.0-20200903113550-03f5f0333e1f
 	github.com/go-gomail/gomail v0.0.0-20160411212932-81ebce5c23df
 	github.com/go-ldap/ldap/v3 v3.3.0
+	github.com/go-pay/gopay v1.5.72
 	github.com/go-sql-driver/mysql v1.5.0
 	github.com/golang-jwt/jwt/v4 v4.1.0
 	github.com/google/uuid v1.2.0
 	github.com/jinzhu/configor v1.2.1 // indirect
+	github.com/lestrrat-go/jwx v0.9.0
 	github.com/markbates/goth v1.68.1-0.20211006204042-9dc8905b41c8
 	github.com/qiangmzsx/string-adapter/v2 v2.1.0
 	github.com/qor/oss v0.0.0-20191031055114-aef9ba66bf76
@@ -25,10 +27,10 @@ require (
 	github.com/russellhaering/goxmldsig v1.1.1
 	github.com/satori/go.uuid v1.2.0 // indirect
 	github.com/smartystreets/goconvey v1.6.4 // indirect
-	github.com/stretchr/testify v1.6.1
+	github.com/stretchr/testify v1.7.0
 	github.com/tealeg/xlsx v1.0.5
 	github.com/thanhpk/randstr v1.0.4
-	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
+	golang.org/x/crypto v0.0.0-20220208233918-bba287dce954
 	golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2
 	golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect

go.sum

@@ -81,6 +81,8 @@ github.com/casbin/xorm-adapter/v2 v2.5.1 h1:BkpIxRHKa0s3bSMx173PpuU7oTs+Zw7XmD0B
 github.com/casbin/xorm-adapter/v2 v2.5.1/go.mod h1:AeH4dBKHC9/zYxzdPVHhPDzF8LYLqjDdb767CWJoV54=
 github.com/casdoor/go-sms-sender v0.0.5 h1:9qhlMM+UoSOvvY7puUULqSHBBA7fbe02Px/tzchQboo=
 github.com/casdoor/go-sms-sender v0.0.5/go.mod h1:TMM/BsZQAa+7JVDXl2KqgxnzZgCjmHEX5MBN662mM5M=
+github.com/casdoor/go-sms-sender v0.2.0 h1:52bin4EBOPzOee64s9UK7jxd22FODvT9/+Y/Z+PSHpg=
+github.com/casdoor/go-sms-sender v0.2.0/go.mod h1:fsZsNnALvFIo+HFcE1U/oCQv4ZT42FdglXKMsEm3WSk=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -124,6 +126,8 @@ github.com/go-ldap/ldap/v3 v3.3.0 h1:lwx+SJpgOHd8tG6SumBQZXCmNX51zM8B1cfxJ5gv4tQ
 github.com/go-ldap/ldap/v3 v3.3.0/go.mod h1:iYS1MdmrmceOJ1QOTnRXrIs7i3kloqtmGQjRvjKpyMg=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-pay/gopay v1.5.72 h1:3zm64xMBhJBa8rXbm//q5UiGgOa4WO5XYEnU394N2Zw=
+github.com/go-pay/gopay v1.5.72/go.mod h1:0qOGIJuFW7PKDOjmecwKyW0mgsVImgwB9yPJj0ilpn8=
 github.com/go-redis/redis v6.14.2+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
@@ -343,8 +347,9 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/syndtr/goleveldb v0.0.0-20160425020131-cfa635847112/go.mod h1:Z4AUp2Km+PwemOoO/VB5AOx9XSsIItzFjoJlOSiYmn0=
 github.com/syndtr/goleveldb v0.0.0-20181127023241-353a9fca669c/go.mod h1:Z4AUp2Km+PwemOoO/VB5AOx9XSsIItzFjoJlOSiYmn0=
 github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE=
@@ -376,10 +381,11 @@ golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M=
-golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220208233918-bba287dce954 h1:BkypuErRT9A9I/iljuaG3/zdMjd/J6m8tKKJQtGfSdA=
+golang.org/x/crypto v0.0.0-20220208233918-bba287dce954/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=

idp/adfs.go

@@ -0,0 +1,136 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"bytes"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"time"
+
+	"github.com/lestrrat-go/jwx/jwa"
+	"github.com/lestrrat-go/jwx/jwk"
+	"github.com/lestrrat-go/jwx/jwt"
+	"golang.org/x/oauth2"
+)
+
+type AdfsIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+	Host   string
+}
+
+func NewAdfsIdProvider(clientId string, clientSecret string, redirectUrl string, hostUrl string) *AdfsIdProvider {
+	idp := &AdfsIdProvider{}
+
+	config := idp.getConfig(hostUrl)
+	config.ClientID = clientId
+	config.ClientSecret = clientSecret
+	config.RedirectURL = redirectUrl
+	idp.Config = config
+	idp.Host = hostUrl
+	return idp
+}
+
+func (idp *AdfsIdProvider) SetHttpClient(client *http.Client) {
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+		},
+	}
+	idp.Client = client
+	idp.Client.Transport = tr
+}
+
+func (idp *AdfsIdProvider) getConfig(hostUrl string) *oauth2.Config {
+	var endpoint = oauth2.Endpoint{
+		AuthURL:  fmt.Sprintf("%s/adfs/oauth2/authorize", hostUrl),
+		TokenURL: fmt.Sprintf("%s/adfs/oauth2/token", hostUrl),
+	}
+
+	var config = &oauth2.Config{
+		Endpoint: endpoint,
+	}
+
+	return config
+}
+
+type AdfsToken struct {
+	IdToken   string `json:"id_token"`
+	ExpiresIn int    `json:"expires_in"`
+	ErrMsg    string `json:"error_description"`
+}
+
+// get more detail via: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios#request-an-access-token
+func (idp *AdfsIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	payload := url.Values{}
+	payload.Set("code", code)
+	payload.Set("grant_type", "authorization_code")
+	payload.Set("client_id", idp.Config.ClientID)
+	payload.Set("redirect_uri", idp.Config.RedirectURL)
+	resp, err := idp.Client.PostForm(idp.Config.Endpoint.TokenURL, payload)
+	if err != nil {
+		return nil, err
+	}
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	pToken := &AdfsToken{}
+	err = json.Unmarshal(data, pToken)
+	if err != nil {
+		return nil, fmt.Errorf("fail to unmarshal token response: %s", err.Error())
+	}
+	if pToken.ErrMsg != "" {
+		return nil, fmt.Errorf("pToken.Errmsg = %s", pToken.ErrMsg)
+	}
+
+	token := &oauth2.Token{
+		AccessToken: pToken.IdToken,
+		Expiry:      time.Unix(time.Now().Unix()+int64(pToken.ExpiresIn), 0),
+	}
+	return token, nil
+}
+
+// Since the userinfo endpoint of ADFS only returns sub,
+// the id_token is used to resolve the userinfo
+func (idp *AdfsIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	resp, err := idp.Client.Get(fmt.Sprintf("%s/adfs/discovery/keys", idp.Host))
+	if err != nil {
+		return nil, err
+	}
+	keyset, err := jwk.Parse(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	tokenSrc := []byte(token.AccessToken)
+	publicKey, _ := keyset.Keys[0].Materialize()
+	id_token, _ := jwt.Parse(bytes.NewReader(tokenSrc), jwt.WithVerify(jwa.RS256, publicKey))
+	sid, _ := id_token.Get("sid")
+	upn, _ := id_token.Get("upn")
+	name, _ := id_token.Get("unique_name")
+	userinfo := &UserInfo{
+		Id:          sid.(string),
+		Username:    name.(string),
+		DisplayName: name.(string),
+		Email:       upn.(string),
+	}
+	return userinfo, nil
+}

idp/alipay.go

@@ -0,0 +1,292 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"encoding/pem"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"sort"
+	"strings"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+type AlipayIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+}
+
+// NewAlipayIdProvider ...
+func NewAlipayIdProvider(clientId string, clientSecret string, redirectUrl string) *AlipayIdProvider {
+	idp := &AlipayIdProvider{}
+
+	config := idp.getConfig(clientId, clientSecret, redirectUrl)
+	idp.Config = config
+
+	return idp
+}
+
+// SetHttpClient ...
+func (idp *AlipayIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+// getConfig return a point of Config, which describes a typical 3-legged OAuth2 flow
+func (idp *AlipayIdProvider) getConfig(clientId string, clientSecret string, redirectUrl string) *oauth2.Config {
+	var endpoint = oauth2.Endpoint{
+		AuthURL:  "https://openauth.alipay.com/oauth2/publicAppAuthorize.htm",
+		TokenURL: "https://openapi.alipay.com/gateway.do",
+	}
+
+	var config = &oauth2.Config{
+		Scopes:       []string{"", ""},
+		Endpoint:     endpoint,
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectUrl,
+	}
+
+	return config
+}
+
+type AlipayAccessToken struct {
+	Response AlipaySystemOauthTokenResponse `json:"alipay_system_oauth_token_response"`
+	Sign     string                         `json:"sign"`
+}
+
+type AlipaySystemOauthTokenResponse struct {
+	AccessToken  string `json:"access_token"`
+	AlipayUserId string `json:"alipay_user_id"`
+	ExpiresIn    int    `json:"expires_in"`
+	ReExpiresIn  int    `json:"re_expires_in"`
+	RefreshToken string `json:"refresh_token"`
+	UserId       string `json:"user_id"`
+}
+
+// GetToken use code to get access_token
+func (idp *AlipayIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	pTokenParams := &struct {
+		ClientId  string `json:"app_id"`
+		CharSet   string `json:"charset"`
+		Code      string `json:"code"`
+		GrantType string `json:"grant_type"`
+		Method    string `json:"method"`
+		SignType  string `json:"sign_type"`
+		TimeStamp string `json:"timestamp"`
+		Version   string `json:"version"`
+	}{idp.Config.ClientID, "utf-8", code, "authorization_code", "alipay.system.oauth.token", "RSA2", time.Now().Format("2006-01-02 15:04:05"), "1.0"}
+
+	data, err := idp.postWithBody(pTokenParams, idp.Config.Endpoint.TokenURL)
+	if err != nil {
+		return nil, err
+	}
+
+	pToken := &AlipayAccessToken{}
+	err = json.Unmarshal(data, pToken)
+	if err != nil {
+		return nil, err
+	}
+
+	token := &oauth2.Token{
+		AccessToken: pToken.Response.AccessToken,
+		Expiry:      time.Unix(time.Now().Unix()+int64(pToken.Response.ExpiresIn), 0),
+	}
+	return token, nil
+}
+
+/*
+{
+    "alipay_user_info_share_response":{
+        "code":"10000",
+        "msg":"Success",
+        "avatar":"https:\/\/tfs.alipayobjects.com\/images\/partner\/T1.QxFXk4aXXXXXXXX",
+        "nick_name":"zhangsan",
+        "user_id":"2099222233334444"
+    },
+    "sign":"m8rWJeqfoa5tDQRRVnPhRHcpX7NZEgjIPTPF1QBxos6XXXXXXXXXXXXXXXXXXXXXXXXXX"
+}
+*/
+
+type AlipayUserResponse struct {
+	AlipayUserInfoShareResponse AlipayUserInfoShareResponse `json:"alipay_user_info_share_response"`
+	Sign                        string                      `json:"sign"`
+}
+
+type AlipayUserInfoShareResponse struct {
+	Code     string `json:"code"`
+	Msg      string `json:"msg"`
+	Avatar   string `json:"avatar"`
+	NickName string `json:"nick_name"`
+	UserId   string `json:"user_id"`
+}
+
+// GetUserInfo Use access_token to get UserInfo
+func (idp *AlipayIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	atUserInfo := &AlipayUserResponse{}
+	accessToken := token.AccessToken
+
+	pTokenParams := &struct {
+		ClientId  string `json:"app_id"`
+		CharSet   string `json:"charset"`
+		AuthToken string `json:"auth_token"`
+		Method    string `json:"method"`
+		SignType  string `json:"sign_type"`
+		TimeStamp string `json:"timestamp"`
+		Version   string `json:"version"`
+	}{idp.Config.ClientID, "utf-8", accessToken, "alipay.user.info.share", "RSA2", time.Now().Format("2006-01-02 15:04:05"), "1.0"}
+	data, err := idp.postWithBody(pTokenParams, idp.Config.Endpoint.TokenURL)
+	if err != nil {
+		return nil, err
+	}
+
+	err = json.Unmarshal(data, atUserInfo)
+	if err != nil {
+		return nil, err
+	}
+
+	userInfo := UserInfo{
+		Id:          atUserInfo.AlipayUserInfoShareResponse.UserId,
+		Username:    atUserInfo.AlipayUserInfoShareResponse.NickName,
+		DisplayName: atUserInfo.AlipayUserInfoShareResponse.NickName,
+		AvatarUrl:   atUserInfo.AlipayUserInfoShareResponse.Avatar,
+	}
+
+	return &userInfo, nil
+}
+
+func (idp *AlipayIdProvider) postWithBody(body interface{}, targetUrl string) ([]byte, error) {
+	bs, err := json.Marshal(body)
+	if err != nil {
+		return nil, err
+	}
+
+	bodyJson := make(map[string]interface{})
+	err = json.Unmarshal(bs, &bodyJson)
+	if err != nil {
+		return nil, err
+	}
+
+	formData := url.Values{}
+	for k := range bodyJson {
+		formData.Set(k, bodyJson[k].(string))
+	}
+
+	sign, err := rsaSignWithRSA256(getStringToSign(formData), idp.Config.ClientSecret)
+	if err != nil {
+		return nil, err
+	}
+
+	formData.Set("sign", sign)
+
+	resp, err := idp.Client.PostForm(targetUrl, formData)
+	if err != nil {
+		return nil, err
+	}
+	data, err := ioutil.ReadAll(resp.Body)
+
+	if err != nil {
+		return nil, err
+	}
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			return
+		}
+	}(resp.Body)
+
+	return data, nil
+}
+
+// get the string to sign, see https://opendocs.alipay.com/common/02kf5q
+func getStringToSign(formData url.Values) string {
+	keys := make([]string, 0, len(formData))
+	for k := range formData {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	str := ""
+	for _, k := range keys {
+		if k == "sign" || formData[k][0] == "" {
+			continue
+		} else {
+			str += "&" + k + "=" + formData[k][0]
+		}
+	}
+	str = strings.Trim(str, "&")
+	return str
+}
+
+// use privateKey to sign the content
+func rsaSignWithRSA256(signContent string, privateKey string) (string, error) {
+	privateKey = formatPrivateKey(privateKey)
+	block, _ := pem.Decode([]byte(privateKey))
+	if block == nil {
+		panic("fail to parse privateKey")
+	}
+
+	h := sha256.New()
+	h.Write([]byte(signContent))
+	hashed := h.Sum(nil)
+
+	privateKeyRSA, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+	if err != nil {
+		return "", err
+	}
+
+	signature, err := rsa.SignPKCS1v15(rand.Reader, privateKeyRSA.(*rsa.PrivateKey), crypto.SHA256, hashed)
+	if err != nil {
+		return "", err
+	}
+
+	return base64.StdEncoding.EncodeToString(signature), nil
+}
+
+// privateKey in database is a string, format it to PEM style
+func formatPrivateKey(privateKey string) string {
+	// each line length is 64
+	preFmtPrivateKey := ""
+	for i := 0; ; {
+		if i+64 <= len(privateKey) {
+			preFmtPrivateKey = preFmtPrivateKey + privateKey[i:i+64] + "\n"
+			i += 64
+		} else {
+			preFmtPrivateKey = preFmtPrivateKey + privateKey[i:]
+			break
+		}
+	}
+	privateKey = strings.Trim(preFmtPrivateKey, "\n")
+
+	// add pkcs#8 BEGIN and END
+	PemBegin := "-----BEGIN PRIVATE KEY-----\n"
+	PemEnd := "\n-----END PRIVATE KEY-----"
+	if !strings.HasPrefix(privateKey, PemBegin) {
+		privateKey = PemBegin + privateKey
+	}
+	if !strings.HasSuffix(privateKey, PemEnd) {
+		privateKey = privateKey + PemEnd
+	}
+	return privateKey
+}

idp/baidu.go

@@ -18,7 +18,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io"
+	"io/ioutil"
 	"net/http"
 
 	"golang.org/x/oauth2"
@@ -97,7 +97,7 @@ func (idp *BaiduIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 		return nil, err
 	}
 
-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

idp/casdoor.go

@@ -0,0 +1,158 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+type CasdoorIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+	Host   string
+}
+
+func NewCasdoorIdProvider(clientId string, clientSecret string, redirectUrl string, hostUrl string) *CasdoorIdProvider {
+	idp := &CasdoorIdProvider{}
+	config := idp.getConfig(hostUrl)
+	config.ClientID = clientId
+	config.ClientSecret = clientSecret
+	config.RedirectURL = redirectUrl
+	idp.Config = config
+	idp.Host = hostUrl
+	return idp
+}
+
+func (idp *CasdoorIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+func (idp *CasdoorIdProvider) getConfig(hostUrl string) *oauth2.Config {
+	return &oauth2.Config{
+		Endpoint: oauth2.Endpoint{
+			TokenURL: hostUrl + "/api/login/oauth/access_token",
+		},
+		Scopes: []string{"openid email profile"},
+	}
+}
+
+type CasdoorToken struct {
+	AccessToken string `json:"access_token"`
+	ExpiresIn   int    `json:"expires_in"`
+}
+
+func (idp *CasdoorIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	resp, err := http.PostForm(idp.Config.Endpoint.TokenURL, url.Values{
+		"client_id":     {idp.Config.ClientID},
+		"client_secret": {idp.Config.ClientSecret},
+		"code":          {code},
+		"grant_type":    {"authorization_code"},
+	})
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+
+	if err != nil {
+		return nil, err
+	}
+	pToken := &CasdoorToken{}
+	err = json.Unmarshal(body, pToken)
+	if err != nil {
+		return nil, err
+	}
+
+	//check if token is expired
+	if pToken.ExpiresIn <= 0 {
+		return nil, fmt.Errorf("%s", pToken.AccessToken)
+	}
+	token := &oauth2.Token{
+		AccessToken: pToken.AccessToken,
+		Expiry:      time.Unix(time.Now().Unix()+int64(pToken.ExpiresIn), 0),
+	}
+	return token, nil
+
+}
+
+/*
+{
+    "sub": "2f80c349-4beb-407f-b1f0-528aac0f1acd",
+    "iss": "https://door.casbin.com",
+    "aud": "7a11****0fa2172",
+    "name": "admin",
+    "preferred_username": "Admin",
+    "email": "admin@example.com",
+    "picture": "https://casbin.org/img/casbin.svg",
+    "address": "Guangdong",
+    "phone": "12345678910"
+}
+*/
+
+type CasdoorUserInfo struct {
+	Id          string `json:"sub"`
+	Name        string `json:"name"`
+	DisplayName string `json:"preferred_username"`
+	Email       string `json:"email"`
+	AvatarUrl   string `json:"picture"`
+	Status      string `json:"status"`
+	Msg         string `json:"msg"`
+}
+
+func (idp *CasdoorIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	cdUserinfo := &CasdoorUserInfo{}
+	accessToken := token.AccessToken
+	request, err := http.NewRequest("GET", fmt.Sprintf("%s/api/userinfo", idp.Host), nil)
+	if err != nil {
+		return nil, err
+	}
+	//add accesstoken to bearer token
+	request.Header.Add("Authorization", fmt.Sprintf("Bearer %s", accessToken))
+	resp, err := idp.Client.Do(request)
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	err = json.Unmarshal(data, cdUserinfo)
+	if err != nil {
+		return nil, err
+	}
+
+	if cdUserinfo.Status != "" {
+		return nil, fmt.Errorf("err: %s", cdUserinfo.Msg)
+	}
+
+	userInfo := &UserInfo{
+		Id:          cdUserinfo.Id,
+		Username:    cdUserinfo.Name,
+		DisplayName: cdUserinfo.DisplayName,
+		Email:       cdUserinfo.Email,
+		AvatarUrl:   cdUserinfo.AvatarUrl,
+	}
+	return userInfo, nil
+
+}

idp/dingtalk.go

@@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"strings"
 	"time"
@@ -143,7 +144,7 @@ func (idp *DingTalkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, erro
 		return nil, err
 	}
 
-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -178,7 +179,7 @@ func (idp *DingTalkIdProvider) postWithBody(body interface{}, url string) ([]byt
 	if err != nil {
 		return nil, err
 	}
-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

idp/facebook.go

@@ -122,9 +122,9 @@ func (idp *FacebookIdProvider) GetToken(code string) (*oauth2.Token, error) {
 //}
 
 type FacebookUserInfo struct {
-	Id         string `json:"id"`          // The app user's App-Scoped User ID. This ID is unique to the app and cannot be used by other apps.
-	Name       string `json:"name"`        // The person's full name.
-	NameFormat string `json:"name_format"` // The person's name formatted to correctly handle Chinese, Japanese, or Korean ordering.
+	Id         string   `json:"id"`          // The app user's App-Scoped User ID. This ID is unique to the app and cannot be used by other apps.
+	Name       string   `json:"name"`        // The person's full name.
+	NameFormat string   `json:"name_format"` // The person's name formatted to correctly handle Chinese, Japanese, or Korean ordering.
 	Picture    struct { // The person's profile picture.
 		Data struct { // This struct is different as https://developers.facebook.com/docs/graph-api/reference/user/picture/
 			Height       int    `json:"height"`
@@ -164,6 +164,7 @@ func (idp *FacebookIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, erro
 
 	userInfo := UserInfo{
 		Id:          facebookUserInfo.Id,
+		Username:    facebookUserInfo.Name,
 		DisplayName: facebookUserInfo.Name,
 		Email:       facebookUserInfo.Email,
 		AvatarUrl:   facebookUserInfo.Picture.Data.Url,

idp/gitee.go

@@ -19,6 +19,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -92,7 +93,7 @@ func (idp *GiteeIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	if err != nil {
 		return nil, err
 	}
-	rbs, err := io.ReadAll(resp.Body)
+	rbs, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

idp/github.go

@@ -15,11 +15,13 @@
 package idp
 
 import (
-	"context"
 	"encoding/json"
+	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"strconv"
+	"strings"
 	"time"
 
 	"golang.org/x/oauth2"
@@ -60,9 +62,38 @@ func (idp *GithubIdProvider) getConfig() *oauth2.Config {
 	return config
 }
 
+type GithubToken struct {
+	AccessToken string `json:"access_token"`
+	TokenType   string `json:"token_type"`
+	Scope       string `json:"scope"`
+	Error       string `json:"error"`
+}
+
 func (idp *GithubIdProvider) GetToken(code string) (*oauth2.Token, error) {
-	ctx := context.WithValue(context.Background(), oauth2.HTTPClient, idp.Client)
-	return idp.Config.Exchange(ctx, code)
+	params := &struct {
+		Code         string `json:"code"`
+		ClientId     string `json:"client_id"`
+		ClientSecret string `json:"client_secret"`
+	}{code, idp.Config.ClientID, idp.Config.ClientSecret}
+	data, err := idp.postWithBody(params, idp.Config.Endpoint.TokenURL)
+	if err != nil {
+		return nil, err
+	}
+	pToken := &GithubToken{}
+	if err = json.Unmarshal(data, pToken); err != nil {
+		return nil, err
+	}
+	if pToken.Error != "" {
+		return nil, fmt.Errorf("err: %s", pToken.Error)
+	}
+
+	token := &oauth2.Token{
+		AccessToken: pToken.AccessToken,
+		TokenType:   "Bearer",
+	}
+
+	return token, nil
+
 }
 
 //{
@@ -172,7 +203,7 @@ func (idp *GithubIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 
 	defer resp.Body.Close()
 
-	body, err := io.ReadAll(resp.Body)
+	body, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -192,3 +223,30 @@ func (idp *GithubIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 	}
 	return &userInfo, nil
 }
+
+func (idp *GithubIdProvider) postWithBody(body interface{}, url string) ([]byte, error) {
+	bs, err := json.Marshal(body)
+	if err != nil {
+		return nil, err
+	}
+	r := strings.NewReader(string(bs))
+	req, _ := http.NewRequest("POST", url, r)
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Content-Type", "application/json")
+	resp, err := idp.Client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			return
+		}
+	}(resp.Body)
+
+	return data, nil
+}

idp/gitlab.go

@@ -17,7 +17,7 @@ package idp
 import (
 	"encoding/json"
 	"fmt"
-	"io"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -85,7 +85,7 @@ func (idp *GitlabIdProvider) GetToken(code string) (*oauth2.Token, error) {
 		return nil, err
 	}
 
-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -209,7 +209,7 @@ func (idp *GitlabIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 		return nil, err
 	}
 
-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

idp/google.go

@@ -19,7 +19,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
+	"io/ioutil"
 	"net/http"
 
 	"golang.org/x/oauth2"
@@ -95,7 +95,7 @@ func (idp *GoogleIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 	}
 
 	defer resp.Body.Close()
-	body, err := io.ReadAll(resp.Body)
+	body, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

idp/goth.go

@@ -45,6 +45,7 @@ import (
 	"github.com/markbates/goth/providers/salesforce"
 	"github.com/markbates/goth/providers/shopify"
 	"github.com/markbates/goth/providers/slack"
+	"github.com/markbates/goth/providers/steam"
 	"github.com/markbates/goth/providers/tumblr"
 	"github.com/markbates/goth/providers/twitter"
 	"github.com/markbates/goth/providers/yahoo"
@@ -171,6 +172,11 @@ func NewGothIdProvider(providerType string, clientId string, clientSecret string
 			Provider: slack.New(clientId, clientSecret, redirectUrl),
 			Session:  &slack.Session{},
 		}
+	case "Steam":
+		idp = GothIdProvider{
+			Provider: steam.New(clientSecret, redirectUrl),
+			Session:  &steam.Session{},
+		}
 	case "Tumblr":
 		idp = GothIdProvider{
 			Provider: tumblr.New(clientId, clientSecret, redirectUrl),
@@ -209,11 +215,26 @@ func (idp *GothIdProvider) SetHttpClient(client *http.Client) {
 
 func (idp *GothIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	var expireAt time.Time
-	//Need to construct variables supported by goth
-	//to call the function to obtain accessToken
-	value := url.Values{}
-	value.Add("code", code)
+	var value url.Values
+	var err error
+	if idp.Provider.Name() == "steam" {
+		value, err = url.ParseQuery(code)
+		returnUrl := reflect.ValueOf(idp.Session).Elem().FieldByName("CallbackURL")
+		returnUrl.Set(reflect.ValueOf(value.Get("openid.return_to")))
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		//Need to construct variables supported by goth
+		//to call the function to obtain accessToken
+		value = url.Values{}
+		value.Add("code", code)
+	}
 	accessToken, err := idp.Session.Authorize(idp.Provider, value)
+	if err != nil {
+		return nil, err
+	}
+
 	//Get ExpiresAt's value
 	valueOfExpire := reflect.ValueOf(idp.Session).Elem().FieldByName("ExpiresAt")
 	if valueOfExpire.IsValid() {
@@ -223,7 +244,8 @@ func (idp *GothIdProvider) GetToken(code string) (*oauth2.Token, error) {
 		AccessToken: accessToken,
 		Expiry:      expireAt,
 	}
-	return &token, err
+
+	return &token, nil
 }
 
 func (idp *GothIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
@@ -231,10 +253,10 @@ func (idp *GothIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	if err != nil {
 		return nil, err
 	}
-	return getUser(gothUser), nil
+	return getUser(gothUser, idp.Provider.Name()), nil
 }
 
-func getUser(gothUser goth.User) *UserInfo {
+func getUser(gothUser goth.User, provider string) *UserInfo {
 	user := UserInfo{
 		Id:          gothUser.UserID,
 		Username:    gothUser.Name,
@@ -258,7 +280,10 @@ func getUser(gothUser goth.User) *UserInfo {
 			user.DisplayName = user.Username
 		}
 	}
-
+	if provider == "steam" {
+		user.Username = user.DisplayName
+		user.Email = ""
+	}
 	return &user
 }
 

idp/infoflow_internal.go

@@ -17,7 +17,7 @@ package idp
 import (
 	"encoding/json"
 	"fmt"
-	"io"
+	"io/ioutil"
 	"net/http"
 
 	"golang.org/x/oauth2"
@@ -69,7 +69,7 @@ func (idp *InfoflowInternalIdProvider) GetToken(code string) (*oauth2.Token, err
 		return nil, err
 	}
 
-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -147,7 +147,7 @@ func (idp *InfoflowInternalIdProvider) GetUserInfo(token *oauth2.Token) (*UserIn
 		return nil, err
 	}
 
-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -165,7 +165,7 @@ func (idp *InfoflowInternalIdProvider) GetUserInfo(token *oauth2.Token) (*UserIn
 		return nil, err
 	}
 
-	data, err = io.ReadAll(resp.Body)
+	data, err = ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

idp/infoflow_third_party.go

@@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"strings"
 	"time"
@@ -143,7 +144,7 @@ func (idp *InfoflowIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, erro
 		return nil, err
 	}
 
-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -161,7 +162,7 @@ func (idp *InfoflowIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, erro
 		return nil, err
 	}
 
-	data, err = io.ReadAll(resp.Body)
+	data, err = ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -196,7 +197,7 @@ func (idp *InfoflowIdProvider) postWithBody(body interface{}, url string) ([]byt
 	if err != nil {
 		return nil, err
 	}
-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

idp/lark.go

@@ -17,6 +17,7 @@ package idp
 import (
 	"encoding/json"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"strings"
 	"time"
@@ -168,7 +169,7 @@ func (idp *LarkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	req.Header.Set("Authorization", "Bearer "+token.AccessToken)
 
 	resp, err := idp.Client.Do(req)
-	data, err = io.ReadAll(resp.Body)
+	data, err = ioutil.ReadAll(resp.Body)
 	err = resp.Body.Close()
 	if err != nil {
 		return nil, err
@@ -200,7 +201,7 @@ func (idp *LarkIdProvider) postWithBody(body interface{}, url string) ([]byte, e
 	if err != nil {
 		return nil, err
 	}
-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

idp/linkedin.go

@@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strings"
@@ -84,7 +85,7 @@ func (idp *LinkedInIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	if err != nil {
 		return nil, err
 	}
-	rbs, err := io.ReadAll(resp.Body)
+	rbs, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -322,7 +323,7 @@ func (idp *LinkedInIdProvider) GetUrlRespWithAuthorization(url, token string) ([
 		}
 	}(resp.Body)
 
-	bs, err := io.ReadAll(resp.Body)
+	bs, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

idp/provider.go

@@ -35,7 +35,7 @@ type IdProvider interface {
 	GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 }
 
-func GetIdProvider(typ string, subType string, clientId string, clientSecret string, appId string, redirectUrl string) IdProvider {
+func GetIdProvider(typ string, subType string, clientId string, clientSecret string, appId string, redirectUrl string, hostUrl string) IdProvider {
 	if typ == "GitHub" {
 		return NewGithubIdProvider(clientId, clientSecret, redirectUrl)
 	} else if typ == "Google" {
@@ -66,8 +66,12 @@ func GetIdProvider(typ string, subType string, clientId string, clientSecret str
 		return NewLarkIdProvider(clientId, clientSecret, redirectUrl)
 	} else if typ == "GitLab" {
 		return NewGitlabIdProvider(clientId, clientSecret, redirectUrl)
+	} else if typ == "Adfs" {
+		return NewAdfsIdProvider(clientId, clientSecret, redirectUrl, hostUrl)
 	} else if typ == "Baidu" {
 		return NewBaiduIdProvider(clientId, clientSecret, redirectUrl)
+	} else if typ == "Alipay" {
+		return NewAlipayIdProvider(clientId, clientSecret, redirectUrl)
 	} else if typ == "Infoflow" {
 		if subType == "Internal" {
 			return NewInfoflowInternalIdProvider(clientId, clientSecret, appId, redirectUrl)
@@ -76,6 +80,8 @@ func GetIdProvider(typ string, subType string, clientId string, clientSecret str
 		} else {
 			return nil
 		}
+	} else if typ == "Casdoor" {
+		return NewCasdoorIdProvider(clientId, clientSecret, redirectUrl, hostUrl)
 	} else if isGothSupport(typ) {
 		return NewGothIdProvider(typ, clientId, clientSecret, redirectUrl)
 	}
@@ -83,7 +89,7 @@ func GetIdProvider(typ string, subType string, clientId string, clientSecret str
 	return nil
 }
 
-var gothList = []string{"Apple", "AzureAd", "Slack"}
+var gothList = []string{"Apple", "AzureAd", "Slack", "Steam"}
 
 func isGothSupport(provider string) bool {
 	for _, value := range gothList {

idp/qq.go

@@ -18,7 +18,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"regexp"
@@ -75,7 +75,10 @@ func (idp *QqIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	}
 
 	defer resp.Body.Close()
-	tokenContent, err := io.ReadAll(resp.Body)
+	tokenContent, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
 
 	re := regexp.MustCompile("token=(.*?)&")
 	matched := re.FindAllStringSubmatch(string(tokenContent), -1)
@@ -145,7 +148,10 @@ func (idp *QqIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	}
 
 	defer resp.Body.Close()
-	openIdBody, err := io.ReadAll(resp.Body)
+	openIdBody, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
 
 	re := regexp.MustCompile("\"openid\":\"(.*?)\"}")
 	matched := re.FindAllStringSubmatch(string(openIdBody), -1)
@@ -161,7 +167,7 @@ func (idp *QqIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	}
 
 	defer resp.Body.Close()
-	userInfoBody, err := io.ReadAll(resp.Body)
+	userInfoBody, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -178,6 +184,7 @@ func (idp *QqIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 
 	userInfo := UserInfo{
 		Id:          openId,
+		Username:    qqUserInfo.Nickname,
 		DisplayName: qqUserInfo.Nickname,
 		AvatarUrl:   qqUserInfo.FigureurlQq1,
 	}

idp/wecom_internal.go

@@ -17,7 +17,7 @@ package idp
 import (
 	"encoding/json"
 	"fmt"
-	"io"
+	"io/ioutil"
 	"net/http"
 	"time"
 
@@ -72,7 +72,7 @@ func (idp *WeComInternalIdProvider) GetToken(code string) (*oauth2.Token, error)
 		return nil, err
 	}
 
-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -111,6 +111,7 @@ type WecomInternalUserInfo struct {
 	Email   string `json:"email"`
 	Avatar  string `json:"avatar"`
 	OpenId  string `json:"open_userid"`
+	UserId  string `json:"userid"`
 }
 
 func (idp *WeComInternalIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
@@ -122,7 +123,7 @@ func (idp *WeComInternalIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo,
 		return nil, err
 	}
 
-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -143,7 +144,7 @@ func (idp *WeComInternalIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo,
 		return nil, err
 	}
 
-	data, err = io.ReadAll(resp.Body)
+	data, err = ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -156,7 +157,7 @@ func (idp *WeComInternalIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo,
 		return nil, fmt.Errorf("userInfoResp.errcode = %d, userInfoResp.errmsg = %s", infoResp.Errcode, infoResp.Errmsg)
 	}
 	userInfo := UserInfo{
-		Id:          infoResp.OpenId,
+		Id:          infoResp.UserId,
 		Username:    infoResp.Name,
 		DisplayName: infoResp.Name,
 		Email:       infoResp.Email,

idp/wecom_third_party.go

@@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"strings"
 	"time"
@@ -194,7 +195,7 @@ func (idp *WeComIdProvider) postWithBody(body interface{}, url string) ([]byte,
 	if err != nil {
 		return nil, err
 	}
-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

idp/weibo.go

@@ -19,6 +19,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -91,7 +92,7 @@ func (idp *WeiBoIdProvider) GetToken(code string) (*oauth2.Token, error) {
 			return
 		}
 	}(resp.Body)
-	bs, err := io.ReadAll(resp.Body)
+	bs, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

main.go

@@ -16,11 +16,13 @@ package main
 
 import (
 	"flag"
+	"fmt"
 
 	"github.com/astaxie/beego"
 	"github.com/astaxie/beego/logs"
 	_ "github.com/astaxie/beego/session/redis"
 	"github.com/casdoor/casdoor/authz"
+	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/proxy"
 	"github.com/casdoor/casdoor/routers"
@@ -30,6 +32,7 @@ import (
 func main() {
 	createDatabase := flag.Bool("createDatabase", false, "true if you need casdoor to create database")
 	flag.Parse()
+
 	object.InitAdapter(*createDatabase)
 	object.InitDb()
 	object.InitDefaultStorageProvider()
@@ -51,12 +54,12 @@ func main() {
 	beego.InsertFilter("*", beego.BeforeRouter, routers.RecordMessage)
 
 	beego.BConfig.WebConfig.Session.SessionName = "casdoor_session_id"
-	if beego.AppConfig.String("redisEndpoint") == "" {
+	if conf.GetConfigString("redisEndpoint") == "" {
 		beego.BConfig.WebConfig.Session.SessionProvider = "file"
 		beego.BConfig.WebConfig.Session.SessionProviderConfig = "./tmp"
 	} else {
 		beego.BConfig.WebConfig.Session.SessionProvider = "redis"
-		beego.BConfig.WebConfig.Session.SessionProviderConfig = beego.AppConfig.String("redisEndpoint")
+		beego.BConfig.WebConfig.Session.SessionProviderConfig = conf.GetConfigString("redisEndpoint")
 	}
 	beego.BConfig.WebConfig.Session.SessionCookieLifeTime = 3600 * 24 * 30
 	//beego.BConfig.WebConfig.Session.SessionCookieSameSite = http.SameSiteNoneMode
@@ -65,8 +68,8 @@ func main() {
 	if err != nil {
 		panic(err)
 	}
+	port := beego.AppConfig.DefaultInt("httpport", 8000)
 	//logs.SetLevel(logs.LevelInformational)
 	logs.SetLogFuncCall(false)
-
-	beego.Run()
+	beego.Run(fmt.Sprintf(":%v", port))
 }

manifests/casdoor/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

manifests/casdoor/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: casdoor
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"

manifests/casdoor/templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "casdoor.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "casdoor.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "casdoor.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "casdoor.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

manifests/casdoor/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "casdoor.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "casdoor.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "casdoor.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "casdoor.labels" -}}
+helm.sh/chart: {{ include "casdoor.chart" . }}
+{{ include "casdoor.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "casdoor.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "casdoor.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "casdoor.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "casdoor.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

manifests/casdoor/templates/configmap.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: casdoor-config
+data:
+  app.conf: |
+    appname = casdoor
+    httpport = 80
+    runmode = dev
+    SessionOn = true
+    copyrequestbody = true
+    driverName = mysql
+    dataSourceName = root:123456@tcp(localhost:3306)/
+    dbName = casdoor
+    redisEndpoint =
+    defaultStorageProvider = 
+    isCloudIntranet = false
+    authState = "casdoor"
+    sock5Proxy = "127.0.0.1:10808"
+    verificationCodeTimeout = 10
+    initScore = 2000
+    logPostOnly = true
+    origin = "https://door.casbin.com"

manifests/casdoor/templates/deployment.yaml

@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "casdoor.fullname" . }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "casdoor.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "casdoor.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "casdoor.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}/{{ .Values.image.name }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          # command: ["sleep", "100000000"]
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          # livenessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          # readinessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+          - name: config-volume
+            mountPath: /conf
+      volumes:
+       - name: config-volume
+         projected:
+           defaultMode: 420
+           sources:
+           - configMap:
+               items:
+               - key: app.conf
+                 path: app.conf
+               name: casdoor-config
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

manifests/casdoor/templates/hpa.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "casdoor.fullname" . }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "casdoor.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

manifests/casdoor/templates/ingress.yaml

@@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "casdoor.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}

manifests/casdoor/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "casdoor.fullname" . }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "casdoor.selectorLabels" . | nindent 4 }}

manifests/casdoor/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "casdoor.serviceAccountName" . }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

manifests/casdoor/templates/tests/test-connection.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "casdoor.fullname" . }}-test-connection"
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "casdoor.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never

manifests/casdoor/values.yaml

@@ -0,0 +1,83 @@
+# Default values for casdoor.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: casbin
+  name: casdoor-all-in-one
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

object/adapter.go

@@ -17,7 +17,6 @@ package object
 import (
 	"fmt"
 	"runtime"
-	"xorm.io/core"
 
 	"github.com/astaxie/beego"
 	"github.com/casdoor/casdoor/conf"
@@ -25,6 +24,7 @@ import (
 	//_ "github.com/denisenkom/go-mssqldb" // db = mssql
 	_ "github.com/go-sql-driver/mysql" // db = mysql
 	//_ "github.com/lib/pq"                // db = postgres
+	"xorm.io/core"
 	"xorm.io/xorm"
 )
 
@@ -41,7 +41,7 @@ func InitConfig() {
 
 func InitAdapter(createDatabase bool) {
 
-	adapter = NewAdapter(beego.AppConfig.String("driverName"), conf.GetBeegoConfDataSourceName(), beego.AppConfig.String("dbName"))
+	adapter = NewAdapter(conf.GetConfigString("driverName"), conf.GetBeegoConfDataSourceName(), conf.GetConfigString("dbName"))
 	if createDatabase {
 		adapter.CreateDatabase()
 	}
@@ -111,10 +111,10 @@ func (a *Adapter) close() {
 }
 
 func (a *Adapter) createTable() {
-	showSql, _ := beego.AppConfig.Bool("showSql")
+	showSql, _ := conf.GetConfigBool("showSql")
 	a.Engine.ShowSQL(showSql)
 
-	tableNamePrefix := beego.AppConfig.String("tableNamePrefix")
+	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
 	tbMapper := core.NewPrefixMapper(core.SnakeMapper{}, tableNamePrefix)
 	a.Engine.SetTableMapper(tbMapper)
 
@@ -183,6 +183,11 @@ func (a *Adapter) createTable() {
 		panic(err)
 	}
 
+	err = a.Engine.Sync2(new(Product))
+	if err != nil {
+		panic(err)
+	}
+
 	err = a.Engine.Sync2(new(Payment))
 	if err != nil {
 		panic(err)

object/application.go

@@ -16,6 +16,7 @@ package object
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/casdoor/casdoor/util"
 	"xorm.io/core"
@@ -38,6 +39,7 @@ type Application struct {
 	EnableCodeSignin    bool            `json:"enableCodeSignin"`
 	Providers           []*ProviderItem `xorm:"mediumtext" json:"providers"`
 	SignupItems         []*SignupItem   `xorm:"varchar(1000)" json:"signupItems"`
+	GrantTypes          []string        `xorm:"varchar(1000)" json:"grantTypes"`
 	OrganizationObj     *Organization   `xorm:"-" json:"organizationObj"`
 
 	ClientId             string   `xorm:"varchar(100)" json:"clientId"`
@@ -215,6 +217,18 @@ func GetMaskedApplication(application *Application, userId string) *Application
 	if application.ClientSecret != "" {
 		application.ClientSecret = "***"
 	}
+
+	if application.OrganizationObj != nil {
+		if application.OrganizationObj.MasterPassword != "" {
+			application.OrganizationObj.MasterPassword = "***"
+		}
+		if application.OrganizationObj.PasswordType != "" {
+			application.OrganizationObj.PasswordType = "***"
+		}
+		if application.OrganizationObj.PasswordSalt != "" {
+			application.OrganizationObj.PasswordSalt = "***"
+		}
+	}
 	return application
 }
 
@@ -282,3 +296,15 @@ func DeleteApplication(application *Application) bool {
 func (application *Application) GetId() string {
 	return fmt.Sprintf("%s/%s", application.Owner, application.Name)
 }
+
+func CheckRedirectUriValid(application *Application, redirectUri string) bool {
+	var validUri = false
+	for _, tmpUri := range application.RedirectUris {
+		fmt.Println(tmpUri, redirectUri)
+		if strings.Contains(redirectUri, tmpUri) {
+			validUri = true
+			break
+		}
+	}
+	return validUri
+}

object/avatar.go

@@ -19,14 +19,14 @@ import (
 	"fmt"
 	"io"
 
-	"github.com/astaxie/beego"
+	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/proxy"
 )
 
 var defaultStorageProvider *Provider = nil
 
 func InitDefaultStorageProvider() {
-	defaultStorageProviderStr := beego.AppConfig.String("defaultStorageProvider")
+	defaultStorageProviderStr := conf.GetConfigString("defaultStorageProvider")
 	if defaultStorageProviderStr != "" {
 		defaultStorageProvider = getProvider("admin", defaultStorageProviderStr)
 	}

object/cert.go

@@ -33,8 +33,10 @@ type Cert struct {
 	BitSize         int    `json:"bitSize"`
 	ExpireInYears   int    `json:"expireInYears"`
 
-	PublicKey  string `xorm:"mediumtext" json:"publicKey"`
-	PrivateKey string `xorm:"mediumtext" json:"privateKey"`
+	PublicKey              string `xorm:"mediumtext" json:"publicKey"`
+	PrivateKey             string `xorm:"mediumtext" json:"privateKey"`
+	AuthorityPublicKey     string `xorm:"mediumtext" json:"authorityPublicKey"`
+	AuthorityRootPublicKey string `xorm:"mediumtext" json:"authorityRootPublicKey"`
 }
 
 func GetMaskedCert(cert *Cert) *Cert {

object/check.go

@@ -33,7 +33,7 @@ func init() {
 	reFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
 }
 
-func CheckUserSignup(application *Application, organization *Organization, username string, password string, displayName string, email string, phone string, affiliation string) string {
+func CheckUserSignup(application *Application, organization *Organization, username string, password string, displayName string, firstName string, lastName string, email string, phone string, affiliation string) string {
 	if organization == nil {
 		return "organization does not exist"
 	}
@@ -85,11 +85,19 @@ func CheckUserSignup(application *Application, organization *Organization, usern
 	}
 
 	if application.IsSignupItemVisible("Display name") {
-		if displayName == "" {
-			return "displayName cannot be blank"
-		} else if application.GetSignupItemRule("Display name") == "Personal" {
-			if !isValidPersonalName(displayName) {
-				return "displayName is not valid personal name"
+		if application.GetSignupItemRule("Display name") == "First, last" && (firstName != "" || lastName != "") {
+			if firstName == "" {
+				return "firstName cannot be blank"
+			} else if lastName == "" {
+				return "lastName cannot be blank"
+			}
+		} else {
+			if displayName == "" {
+				return "displayName cannot be blank"
+			} else if application.GetSignupItemRule("Display name") == "Real name" {
+				if !isValidRealName(displayName) {
+					return "displayName is not valid real name"
+				}
 			}
 		}
 	}
@@ -171,16 +179,16 @@ func CheckUserPassword(organization string, username string, password string) (*
 	if user.IsForbidden {
 		return nil, "the user is forbidden to sign in, please contact the administrator"
 	}
-	//for ldap users
+
 	if user.Ldap != "" {
+		//ONLY for ldap users
 		return checkLdapUserPassword(user, password)
+	} else {
+		msg := CheckPassword(user, password)
+		if msg != "" {
+			return nil, msg
+		}
 	}
-
-	msg := CheckPassword(user, password)
-	if msg != "" {
-		return nil, msg
-	}
-
 	return user, ""
 }
 

object/check_util.go

@@ -16,16 +16,16 @@ package object
 
 import "regexp"
 
-var rePersonalName *regexp.Regexp
+var reRealName *regexp.Regexp
 
 func init() {
 	var err error
-	rePersonalName, err = regexp.Compile("^[\u4E00-\u9FA5]{2,3}(?:·[\u4E00-\u9FA5]{2,3})*$")
+	reRealName, err = regexp.Compile("^[\u4E00-\u9FA5]{2,3}(?:·[\u4E00-\u9FA5]{2,3})*$")
 	if err != nil {
 		panic(err)
 	}
 }
 
-func isValidPersonalName(s string) bool {
-	return rePersonalName.MatchString(s)
+func isValidRealName(s string) bool {
+	return reRealName.MatchString(s)
 }

object/init.go

@@ -15,29 +15,25 @@
 package object
 
 import (
-	_ "embed"
+	"io/ioutil"
 
 	"github.com/casdoor/casdoor/util"
 )
 
-//go:embed token_jwt_key.pem
-var tokenJwtPublicKey string
-
-//go:embed token_jwt_key.key
-var tokenJwtPrivateKey string
-
 func InitDb() {
-	initBuiltInOrganization()
-	initBuiltInUser()
-	initBuiltInApplication()
-	initBuiltInCert()
-	initBuiltInLdap()
+	existed := initBuiltInOrganization()
+	if !existed {
+		initBuiltInUser()
+		initBuiltInApplication()
+		initBuiltInCert()
+		initBuiltInLdap()
+	}
 }
 
-func initBuiltInOrganization() {
+func initBuiltInOrganization() bool {
 	organization := getOrganization("admin", "built-in")
 	if organization != nil {
-		return
+		return true
 	}
 
 	organization = &Organization{
@@ -47,11 +43,13 @@ func initBuiltInOrganization() {
 		DisplayName:   "Built-in Organization",
 		WebsiteUrl:    "https://example.com",
 		Favicon:       "https://cdn.casbin.com/static/favicon.ico",
+		PasswordType:  "plain",
 		PhonePrefix:   "86",
 		DefaultAvatar: "https://casbin.org/img/casbin.svg",
-		PasswordType:  "plain",
+		Tags:          []string{},
 	}
 	AddOrganization(organization)
+	return false
 }
 
 func initBuiltInUser() {
@@ -121,7 +119,22 @@ func initBuiltInApplication() {
 	AddApplication(application)
 }
 
+func readTokenFromFile() (string, string) {
+	pemPath := "./object/token_jwt_key.pem"
+	keyPath := "./object/token_jwt_key.key"
+	pem, err := ioutil.ReadFile(pemPath)
+	if err != nil {
+		return "", ""
+	}
+	key, err := ioutil.ReadFile(keyPath)
+	if err != nil {
+		return "", ""
+	}
+	return string(pem), string(key)
+}
+
 func initBuiltInCert() {
+	tokenJwtPublicKey, tokenJwtPrivateKey := readTokenFromFile()
 	cert := getCert("admin", "cert-built-in")
 	if cert != nil {
 		return

object/ldap.go

@@ -162,7 +162,7 @@ func (l *ldapConn) GetLdapUsers(baseDn string) ([]ldapUser, error) {
 	searchReq := goldap.NewSearchRequest(baseDn,
 		goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
 		SearchFilter, SearchAttributes, nil)
-	searchResult, err := l.Conn.Search(searchReq)
+	searchResult, err := l.Conn.SearchWithPaging(searchReq, 100)
 	if err != nil {
 		return nil, err
 	}

object/ldap_autosync.go

@@ -65,6 +65,13 @@ func (l *LdapAutoSynchronizer) syncRoutine(ldap *Ldap, stopChan chan struct{}) {
 	ticker := time.NewTicker(time.Duration(ldap.AutoSync) * time.Minute)
 	defer ticker.Stop()
 	for {
+		select {
+		case <-stopChan:
+			logs.Info(fmt.Sprintf("autoSync goroutine for %s stopped", ldap.Id))
+			return
+		case <-ticker.C:
+		}
+
 		UpdateLdapSyncTime(ldap.Id)
 		//fetch all users
 		conn, err := GetLdapConn(ldap.Host, ldap.Port, ldap.Admin, ldap.Passwd)
@@ -84,12 +91,6 @@ func (l *LdapAutoSynchronizer) syncRoutine(ldap *Ldap, stopChan chan struct{}) {
 		} else {
 			logs.Info(fmt.Sprintf("ldap autosync success, %d new users, %d existing users", len(users)-len(*existed), len(*existed)))
 		}
-		select {
-		case <-stopChan:
-			logs.Info(fmt.Sprintf("autoSync goroutine for %s stopped", ldap.Id))
-			return
-		case <-ticker.C:
-		}
 	}
 
 }

object/oidc_discovery.go

@@ -20,7 +20,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/astaxie/beego"
+	"github.com/casdoor/casdoor/conf"
 	"gopkg.in/square/go-jose.v2"
 )
 
@@ -30,6 +30,7 @@ type OidcDiscovery struct {
 	TokenEndpoint                          string   `json:"token_endpoint"`
 	UserinfoEndpoint                       string   `json:"userinfo_endpoint"`
 	JwksUri                                string   `json:"jwks_uri"`
+	IntrospectionEndpoint                  string   `json:"introspection_endpoint"`
 	ResponseTypesSupported                 []string `json:"response_types_supported"`
 	ResponseModesSupported                 []string `json:"response_modes_supported"`
 	GrantTypesSupported                    []string `json:"grant_types_supported"`
@@ -57,7 +58,7 @@ func getOriginFromHost(host string) (string, string) {
 func GetOidcDiscovery(host string) OidcDiscovery {
 	originFrontend, originBackend := getOriginFromHost(host)
 
-	origin := beego.AppConfig.String("origin")
+	origin := conf.GetConfigString("origin")
 	if origin != "" {
 		originFrontend = origin
 		originBackend = origin
@@ -69,11 +70,12 @@ func GetOidcDiscovery(host string) OidcDiscovery {
 	// https://accounts.google.com/.well-known/openid-configuration
 	// https://access.line.me/.well-known/openid-configuration
 	oidcDiscovery := OidcDiscovery{
-		Issuer:                                 originFrontend,
+		Issuer:                                 originBackend,
 		AuthorizationEndpoint:                  fmt.Sprintf("%s/login/oauth/authorize", originFrontend),
 		TokenEndpoint:                          fmt.Sprintf("%s/api/login/oauth/access_token", originBackend),
 		UserinfoEndpoint:                       fmt.Sprintf("%s/api/userinfo", originBackend),
-		JwksUri:                                fmt.Sprintf("%s/api/certs", originBackend),
+		JwksUri:                                fmt.Sprintf("%s/.well-known/jwks", originBackend),
+		IntrospectionEndpoint:                  fmt.Sprintf("%s/api/login/oauth/introspect", originBackend),
 		ResponseTypesSupported:                 []string{"id_token"},
 		ResponseModesSupported:                 []string{"login", "code", "link"},
 		GrantTypesSupported:                    []string{"password", "authorization_code"},
@@ -89,21 +91,22 @@ func GetOidcDiscovery(host string) OidcDiscovery {
 }
 
 func GetJsonWebKeySet() (jose.JSONWebKeySet, error) {
-	cert := GetDefaultCert()
-
+	certs := GetCerts("admin")
+	jwks := jose.JSONWebKeySet{}
 	//follows the protocol rfc 7517(draft)
 	//link here: https://self-issued.info/docs/draft-ietf-jose-json-web-key.html
 	//or https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key
-	certPemBlock := []byte(cert.PublicKey)
-	certDerBlock, _ := pem.Decode(certPemBlock)
-	x509Cert, _ := x509.ParseCertificate(certDerBlock.Bytes)
+	for _, cert := range certs {
+		certPemBlock := []byte(cert.PublicKey)
+		certDerBlock, _ := pem.Decode(certPemBlock)
+		x509Cert, _ := x509.ParseCertificate(certDerBlock.Bytes)
 
-	var jwk jose.JSONWebKey
-	jwk.Key = x509Cert.PublicKey
-	jwk.Certificates = []*x509.Certificate{x509Cert}
-	jwk.KeyID = cert.Name
+		var jwk jose.JSONWebKey
+		jwk.Key = x509Cert.PublicKey
+		jwk.Certificates = []*x509.Certificate{x509Cert}
+		jwk.KeyID = cert.Name
+		jwks.Keys = append(jwks.Keys, jwk)
+	}
 
-	var jwks jose.JSONWebKeySet
-	jwks.Keys = []jose.JSONWebKey{jwk}
 	return jwks, nil
 }

object/organization.go

@@ -25,15 +25,16 @@ type Organization struct {
 	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
 
-	DisplayName        string `xorm:"varchar(100)" json:"displayName"`
-	WebsiteUrl         string `xorm:"varchar(100)" json:"websiteUrl"`
-	Favicon            string `xorm:"varchar(100)" json:"favicon"`
-	PasswordType       string `xorm:"varchar(100)" json:"passwordType"`
-	PasswordSalt       string `xorm:"varchar(100)" json:"passwordSalt"`
-	PhonePrefix        string `xorm:"varchar(10)"  json:"phonePrefix"`
-	DefaultAvatar      string `xorm:"varchar(100)" json:"defaultAvatar"`
-	MasterPassword     string `xorm:"varchar(100)" json:"masterPassword"`
-	EnableSoftDeletion bool   `json:"enableSoftDeletion"`
+	DisplayName        string   `xorm:"varchar(100)" json:"displayName"`
+	WebsiteUrl         string   `xorm:"varchar(100)" json:"websiteUrl"`
+	Favicon            string   `xorm:"varchar(100)" json:"favicon"`
+	PasswordType       string   `xorm:"varchar(100)" json:"passwordType"`
+	PasswordSalt       string   `xorm:"varchar(100)" json:"passwordSalt"`
+	PhonePrefix        string   `xorm:"varchar(10)"  json:"phonePrefix"`
+	DefaultAvatar      string   `xorm:"varchar(100)" json:"defaultAvatar"`
+	Tags               []string `xorm:"mediumtext" json:"tags"`
+	MasterPassword     string   `xorm:"varchar(100)" json:"masterPassword"`
+	EnableSoftDeletion bool     `json:"enableSoftDeletion"`
 }
 
 func GetOrganizationCount(owner, field, value string) int {

object/payment.go

@@ -16,6 +16,7 @@ package object
 
 import (
 	"fmt"
+	"net/http"
 
 	"github.com/casdoor/casdoor/util"
 	"xorm.io/core"
@@ -27,15 +28,22 @@ type Payment struct {
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
 	DisplayName string `xorm:"varchar(100)" json:"displayName"`
 
-	Provider     string `xorm:"varchar(100)" json:"provider"`
-	Type         string `xorm:"varchar(100)" json:"type"`
-	Organization string `xorm:"varchar(100)" json:"organization"`
-	User         string `xorm:"varchar(100)" json:"user"`
-	Good         string `xorm:"varchar(100)" json:"good"`
-	Amount       string `xorm:"varchar(100)" json:"amount"`
-	Currency     string `xorm:"varchar(100)" json:"currency"`
+	Provider           string `xorm:"varchar(100)" json:"provider"`
+	Type               string `xorm:"varchar(100)" json:"type"`
+	Organization       string `xorm:"varchar(100)" json:"organization"`
+	User               string `xorm:"varchar(100)" json:"user"`
+	ProductName        string `xorm:"varchar(100)" json:"productName"`
+	ProductDisplayName string `xorm:"varchar(100)" json:"productDisplayName"`
 
-	State string `xorm:"varchar(100)" json:"state"`
+	Detail   string  `xorm:"varchar(100)" json:"detail"`
+	Tag      string  `xorm:"varchar(100)" json:"tag"`
+	Currency string  `xorm:"varchar(100)" json:"currency"`
+	Price    float64 `json:"price"`
+
+	PayUrl    string `xorm:"varchar(2000)" json:"payUrl"`
+	ReturnUrl string `xorm:"varchar(1000)" json:"returnUrl"`
+	State     string `xorm:"varchar(100)" json:"state"`
+	Message   string `xorm:"varchar(1000)" json:"message"`
 }
 
 func GetPaymentCount(owner, field, value string) int {
@@ -58,6 +66,16 @@ func GetPayments(owner string) []*Payment {
 	return payments
 }
 
+func GetUserPayments(owner string, organization string, user string) []*Payment {
+	payments := []*Payment{}
+	err := adapter.Engine.Desc("created_time").Find(&payments, &Payment{Owner: owner, Organization: organization, User: user})
+	if err != nil {
+		panic(err)
+	}
+
+	return payments
+}
+
 func GetPaginationPayments(owner string, offset, limit int, field, value, sortField, sortOrder string) []*Payment {
 	payments := []*Payment{}
 	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
@@ -124,6 +142,61 @@ func DeletePayment(payment *Payment) bool {
 	return affected != 0
 }
 
+func notifyPayment(request *http.Request, body []byte, owner string, providerName string, productName string, paymentName string) (*Payment, error) {
+	payment := getPayment(owner, paymentName)
+	if payment == nil {
+		return nil, fmt.Errorf("the payment: %s does not exist", paymentName)
+	}
+
+	product := getProduct(owner, productName)
+	if product == nil {
+		return nil, fmt.Errorf("the product: %s does not exist", productName)
+	}
+
+	provider, err := product.getProvider(providerName)
+	if err != nil {
+		return payment, err
+	}
+
+	pProvider, cert, err := provider.getPaymentProvider()
+	if err != nil {
+		return payment, err
+	}
+
+	productDisplayName, paymentName, price, productName, providerName, err := pProvider.Notify(request, body, cert.AuthorityPublicKey)
+	if err != nil {
+		return payment, err
+	}
+
+	if productDisplayName != "" && productDisplayName != product.DisplayName {
+		return nil, fmt.Errorf("the payment's product name: %s doesn't equal to the expected product name: %s", productDisplayName, product.DisplayName)
+	}
+
+	if price != product.Price {
+		return nil, fmt.Errorf("the payment's price: %f doesn't equal to the expected price: %f", price, product.Price)
+	}
+
+	return payment, nil
+}
+
+func NotifyPayment(request *http.Request, body []byte, owner string, providerName string, productName string, paymentName string) bool {
+	payment, err := notifyPayment(request, body, owner, providerName, productName, paymentName)
+
+	if payment != nil {
+		if err != nil {
+			payment.State = "Error"
+			payment.Message = err.Error()
+		} else {
+			payment.State = "Paid"
+		}
+
+		UpdatePayment(payment.GetId(), payment)
+	}
+
+	ok := err == nil
+	return ok
+}
+
 func (payment *Payment) GetId() string {
 	return fmt.Sprintf("%s/%s", payment.Owner, payment.Name)
 }

object/product.go

@@ -0,0 +1,210 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+
+	"github.com/casdoor/casdoor/util"
+	"xorm.io/core"
+)
+
+type Product struct {
+	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
+	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
+	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
+	DisplayName string `xorm:"varchar(100)" json:"displayName"`
+
+	Image     string   `xorm:"varchar(100)" json:"image"`
+	Detail    string   `xorm:"varchar(100)" json:"detail"`
+	Tag       string   `xorm:"varchar(100)" json:"tag"`
+	Currency  string   `xorm:"varchar(100)" json:"currency"`
+	Price     float64  `json:"price"`
+	Quantity  int      `json:"quantity"`
+	Sold      int      `json:"sold"`
+	Providers []string `xorm:"varchar(100)" json:"providers"`
+	ReturnUrl string   `xorm:"varchar(1000)" json:"returnUrl"`
+
+	State string `xorm:"varchar(100)" json:"state"`
+}
+
+func GetProductCount(owner, field, value string) int {
+	session := GetSession(owner, -1, -1, field, value, "", "")
+	count, err := session.Count(&Product{})
+	if err != nil {
+		panic(err)
+	}
+
+	return int(count)
+}
+
+func GetProducts(owner string) []*Product {
+	products := []*Product{}
+	err := adapter.Engine.Desc("created_time").Find(&products, &Product{Owner: owner})
+	if err != nil {
+		panic(err)
+	}
+
+	return products
+}
+
+func GetPaginationProducts(owner string, offset, limit int, field, value, sortField, sortOrder string) []*Product {
+	products := []*Product{}
+	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
+	err := session.Find(&products)
+	if err != nil {
+		panic(err)
+	}
+
+	return products
+}
+
+func getProduct(owner string, name string) *Product {
+	if owner == "" || name == "" {
+		return nil
+	}
+
+	product := Product{Owner: owner, Name: name}
+	existed, err := adapter.Engine.Get(&product)
+	if err != nil {
+		panic(err)
+	}
+
+	if existed {
+		return &product
+	} else {
+		return nil
+	}
+}
+
+func GetProduct(id string) *Product {
+	owner, name := util.GetOwnerAndNameFromId(id)
+	return getProduct(owner, name)
+}
+
+func UpdateProduct(id string, product *Product) bool {
+	owner, name := util.GetOwnerAndNameFromId(id)
+	if getProduct(owner, name) == nil {
+		return false
+	}
+
+	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(product)
+	if err != nil {
+		panic(err)
+	}
+
+	return affected != 0
+}
+
+func AddProduct(product *Product) bool {
+	affected, err := adapter.Engine.Insert(product)
+	if err != nil {
+		panic(err)
+	}
+
+	return affected != 0
+}
+
+func DeleteProduct(product *Product) bool {
+	affected, err := adapter.Engine.ID(core.PK{product.Owner, product.Name}).Delete(&Product{})
+	if err != nil {
+		panic(err)
+	}
+
+	return affected != 0
+}
+
+func (product *Product) GetId() string {
+	return fmt.Sprintf("%s/%s", product.Owner, product.Name)
+}
+
+func (product *Product) isValidProvider(provider *Provider) bool {
+	for _, providerName := range product.Providers {
+		if providerName == provider.Name {
+			return true
+		}
+	}
+	return false
+}
+
+func (product *Product) getProvider(providerId string) (*Provider, error) {
+	provider := getProvider(product.Owner, providerId)
+	if provider == nil {
+		return nil, fmt.Errorf("the payment provider: %s does not exist", providerId)
+	}
+
+	if !product.isValidProvider(provider) {
+		return nil, fmt.Errorf("the payment provider: %s is not valid for the product: %s", providerId, product.Name)
+	}
+
+	return provider, nil
+}
+
+func BuyProduct(id string, providerName string, user *User, host string) (string, error) {
+	product := GetProduct(id)
+	if product == nil {
+		return "", fmt.Errorf("the product: %s does not exist", id)
+	}
+
+	provider, err := product.getProvider(providerName)
+	if err != nil {
+		return "", err
+	}
+
+	pProvider, _, err := provider.getPaymentProvider()
+	if err != nil {
+		return "", err
+	}
+
+	owner := product.Owner
+	productName := product.Name
+	paymentName := util.GenerateTimeId()
+	productDisplayName := product.DisplayName
+
+	originFrontend, originBackend := getOriginFromHost(host)
+	returnUrl := fmt.Sprintf("%s/payments/%s/result", originFrontend, paymentName)
+	notifyUrl := fmt.Sprintf("%s/api/notify-payment/%s/%s/%s/%s", originBackend, owner, providerName, productName, paymentName)
+
+	payUrl, err := pProvider.Pay(providerName, productName, paymentName, productDisplayName, product.Price, returnUrl, notifyUrl)
+	if err != nil {
+		return "", err
+	}
+
+	payment := Payment{
+		Owner:              product.Owner,
+		Name:               paymentName,
+		CreatedTime:        util.GetCurrentTime(),
+		DisplayName:        paymentName,
+		Provider:           provider.Name,
+		Type:               provider.Type,
+		Organization:       user.Owner,
+		User:               user.Name,
+		ProductName:        productName,
+		ProductDisplayName: productDisplayName,
+		Detail:             product.Detail,
+		Tag:                product.Tag,
+		Currency:           product.Currency,
+		Price:              product.Price,
+		PayUrl:             payUrl,
+		ReturnUrl:          product.ReturnUrl,
+		State:              "Created",
+	}
+	affected := AddPayment(&payment)
+	if !affected {
+		return "", fmt.Errorf("failed to add payment: %s", util.StructToJson(payment))
+	}
+
+	return payUrl, err
+}

object/product_test.go

@@ -0,0 +1,44 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !skipCi
+// +build !skipCi
+
+package object
+
+import (
+	"testing"
+
+	"github.com/casdoor/casdoor/pp"
+	"github.com/casdoor/casdoor/util"
+)
+
+func TestProduct(t *testing.T) {
+	InitConfig()
+
+	product := GetProduct("admin/product_123")
+	provider := getProvider(product.Owner, "provider_pay_alipay")
+	cert := getCert(product.Owner, "cert-pay-alipay")
+	pProvider := pp.GetPaymentProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.Host, cert.PublicKey, cert.PrivateKey, cert.AuthorityPublicKey, cert.AuthorityRootPublicKey)
+
+	paymentId := util.GenerateTimeId()
+	returnUrl := ""
+	notifyUrl := ""
+	payUrl, err := pProvider.Pay(product.DisplayName, product.Name, provider.Name, paymentId, product.Price, returnUrl, notifyUrl)
+	if err != nil {
+		panic(err)
+	}
+
+	println(payUrl)
+}

object/provider.go

@@ -17,6 +17,7 @@ package object
 import (
 	"fmt"
 
+	"github.com/casdoor/casdoor/pp"
 	"github.com/casdoor/casdoor/util"
 	"xorm.io/core"
 )
@@ -32,9 +33,10 @@ type Provider struct {
 	SubType       string `xorm:"varchar(100)" json:"subType"`
 	Method        string `xorm:"varchar(100)" json:"method"`
 	ClientId      string `xorm:"varchar(100)" json:"clientId"`
-	ClientSecret  string `xorm:"varchar(100)" json:"clientSecret"`
+	ClientSecret  string `xorm:"varchar(2000)" json:"clientSecret"`
 	ClientId2     string `xorm:"varchar(100)" json:"clientId2"`
 	ClientSecret2 string `xorm:"varchar(100)" json:"clientSecret2"`
+	Cert          string `xorm:"varchar(100)" json:"cert"`
 
 	Host    string `xorm:"varchar(100)" json:"host"`
 	Port    int    `json:"port"`
@@ -181,6 +183,23 @@ func DeleteProvider(provider *Provider) bool {
 	return affected != 0
 }
 
+func (p *Provider) getPaymentProvider() (pp.PaymentProvider, *Cert, error) {
+	cert := &Cert{}
+	if p.Cert != "" {
+		cert = getCert(p.Owner, p.Cert)
+		if cert == nil {
+			return nil, nil, fmt.Errorf("the cert: %s does not exist", p.Cert)
+		}
+	}
+
+	pProvider := pp.GetPaymentProvider(p.Type, p.ClientId, p.ClientSecret, p.Host, cert.PublicKey, cert.PrivateKey, cert.AuthorityPublicKey, cert.AuthorityRootPublicKey)
+	if pProvider == nil {
+		return nil, cert, fmt.Errorf("the payment provider type: %s is not supported", p.Type)
+	}
+
+	return pProvider, cert, nil
+}
+
 func (p *Provider) GetId() string {
 	return fmt.Sprintf("%s/%s", p.Owner, p.Name)
 }

object/provider_item.go

@@ -34,6 +34,9 @@ func (application *Application) GetProviderItem(providerName string) *ProviderIt
 }
 
 func (pi *ProviderItem) IsProviderVisible() bool {
+	if pi.Provider == nil {
+		return false
+	}
 	return pi.Provider.Category == "OAuth" || pi.Provider.Category == "SAML"
 }
 

object/record.go

@@ -18,8 +18,8 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/astaxie/beego"
 	"github.com/astaxie/beego/context"
+	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/util"
 )
 
@@ -27,7 +27,7 @@ var logPostOnly bool
 
 func init() {
 	var err error
-	logPostOnly, err = beego.AppConfig.Bool("logPostOnly")
+	logPostOnly, err = conf.GetConfigBool("logPostOnly")
 	if err != nil {
 		//panic(err)
 	}

object/resource.go

@@ -23,7 +23,7 @@ import (
 
 type Resource struct {
 	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
-	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
+	Name        string `xorm:"varchar(200) notnull pk" json:"name"`
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
 
 	User        string `xorm:"varchar(100)" json:"user"`

object/saml.go

@@ -23,7 +23,7 @@ import (
 	"regexp"
 	"strings"
 
-	"github.com/astaxie/beego"
+	"github.com/casdoor/casdoor/conf"
 	saml2 "github.com/russellhaering/gosaml2"
 	dsig "github.com/russellhaering/goxmldsig"
 )
@@ -73,7 +73,7 @@ func buildSp(provider *Provider, samlResponse string) (*saml2.SAMLServiceProvide
 	certStore := dsig.MemoryX509CertificateStore{
 		Roots: []*x509.Certificate{},
 	}
-	origin := beego.AppConfig.String("origin")
+	origin := conf.GetConfigString("origin")
 	certEncodedData := ""
 	if samlResponse != "" {
 		certEncodedData = parseSamlResponse(samlResponse, provider.Type)

object/sms.go

@@ -18,6 +18,9 @@ import "github.com/casdoor/go-sms-sender"
 
 func SendSms(provider *Provider, content string, phoneNumbers ...string) error {
 	client, err := go_sms_sender.NewSmsClient(provider.Type, provider.ClientId, provider.ClientSecret, provider.SignName, provider.TemplateCode, provider.AppId)
+	if provider.Type == go_sms_sender.HuaweiCloud {
+		client, err = go_sms_sender.NewSmsClient(provider.Type, provider.ClientId, provider.ClientSecret, provider.SignName, provider.TemplateCode, provider.ProviderUrl, provider.AppId)
+	}
 	if err != nil {
 		return err
 	}

object/storage.go

@@ -19,7 +19,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/astaxie/beego"
+	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/storage"
 	"github.com/casdoor/casdoor/util"
 )
@@ -28,7 +28,7 @@ var isCloudIntranet bool
 
 func init() {
 	var err error
-	isCloudIntranet, err = beego.AppConfig.Bool("isCloudIntranet")
+	isCloudIntranet, err = conf.GetConfigBool("isCloudIntranet")
 	if err != nil {
 		//panic(err)
 	}

object/syncer_user_test.go

@@ -10,6 +10,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+
 //go:build !skipCi
 // +build !skipCi
 

object/token.go

@@ -17,6 +17,7 @@ package object
 import (
 	"crypto/sha256"
 	"encoding/base64"
+	"errors"
 	"fmt"
 	"strings"
 	"time"
@@ -59,6 +60,21 @@ type TokenWrapper struct {
 	Scope        string `json:"scope"`
 }
 
+type IntrospectionResponse struct {
+	Active    bool     `json:"active"`
+	Scope     string   `json:"scope,omitempty"`
+	ClientId  string   `json:"client_id,omitempty"`
+	Username  string   `json:"username,omitempty"`
+	TokenType string   `json:"token_type,omitempty"`
+	Exp       int64    `json:"exp,omitempty"`
+	Iat       int64    `json:"iat,omitempty"`
+	Nbf       int64    `json:"nbf,omitempty"`
+	Sub       string   `json:"sub,omitempty"`
+	Aud       []string `json:"aud,omitempty"`
+	Iss       string   `json:"iss,omitempty"`
+	Jti       string   `json:"jti,omitempty"`
+}
+
 func GetTokenCount(owner, field, value string) int {
 	session := GetSession(owner, -1, -1, field, value, "", "")
 	count, err := session.Count(&Token{})
@@ -168,6 +184,25 @@ func DeleteToken(token *Token) bool {
 	return affected != 0
 }
 
+func DeleteTokenByAceessToken(accessToken string) (bool, *Application) {
+	token := Token{AccessToken: accessToken}
+	existed, err := adapter.Engine.Get(&token)
+	if err != nil {
+		panic(err)
+	}
+
+	if !existed {
+		return false, nil
+	}
+	application := getApplication(token.Owner, token.Application)
+	affected, err := adapter.Engine.Where("access_token=?", accessToken).Delete(&Token{})
+	if err != nil {
+		panic(err)
+	}
+
+	return affected != 0, application
+}
+
 func GetTokenByAccessToken(accessToken string) *Token {
 	//Check if the accessToken is in the database
 	token := Token{AccessToken: accessToken}
@@ -178,9 +213,18 @@ func GetTokenByAccessToken(accessToken string) *Token {
 	return &token
 }
 
+func GetTokenByTokenAndApplication(token string, application string) *Token {
+	tokenResult := Token{}
+	existed, err := adapter.Engine.Where("(refresh_token = ? or access_token = ? ) and application = ?", token, token, application).Get(&tokenResult)
+	if err != nil || !existed {
+		return nil
+	}
+	return &tokenResult
+}
+
 func CheckOAuthLogin(clientId string, responseType string, redirectUri string, scope string, state string) (string, *Application) {
-	if responseType != "code" {
-		return "response_type should be \"code\"", nil
+	if responseType != "code" && responseType != "token" && responseType != "id_token" {
+		return fmt.Sprintf("error: grant_type: %s is not supported in this application", responseType), nil
 	}
 
 	application := GetApplicationByClientId(clientId)
@@ -204,7 +248,7 @@ func CheckOAuthLogin(clientId string, responseType string, redirectUri string, s
 	return "", application
 }
 
-func GetOAuthCode(userId string, clientId string, responseType string, redirectUri string, scope string, state string, nonce string, challenge string) *Code {
+func GetOAuthCode(userId string, clientId string, responseType string, redirectUri string, scope string, state string, nonce string, challenge string, host string) *Code {
 	user := GetUser(userId)
 	if user == nil {
 		return &Code{
@@ -227,7 +271,7 @@ func GetOAuthCode(userId string, clientId string, responseType string, redirectU
 		}
 	}
 
-	accessToken, refreshToken, err := generateJwtToken(application, user, nonce, scope)
+	accessToken, refreshToken, err := generateJwtToken(application, user, nonce, scope, host)
 	if err != nil {
 		panic(err)
 	}
@@ -261,7 +305,7 @@ func GetOAuthCode(userId string, clientId string, responseType string, redirectU
 	}
 }
 
-func GetOAuthToken(grantType string, clientId string, clientSecret string, code string, verifier string) *TokenWrapper {
+func GetOAuthToken(grantType string, clientId string, clientSecret string, code string, verifier string, scope string, username string, password string, host string) *TokenWrapper {
 	application := GetApplicationByClientId(clientId)
 	if application == nil {
 		return &TokenWrapper{
@@ -272,75 +316,30 @@ func GetOAuthToken(grantType string, clientId string, clientSecret string, code
 		}
 	}
 
-	if grantType != "authorization_code" {
+	//Check if grantType is allowed in the current application
+	if !IsGrantTypeValid(grantType, application.GrantTypes) {
 		return &TokenWrapper{
-			AccessToken: "error: grant_type should be \"authorization_code\"",
+			AccessToken: fmt.Sprintf("error: grant_type: %s is not supported in this application", grantType),
 			TokenType:   "",
 			ExpiresIn:   0,
 			Scope:       "",
 		}
 	}
 
-	if code == "" {
-		return &TokenWrapper{
-			AccessToken: "error: authorization code should not be empty",
-			TokenType:   "",
-			ExpiresIn:   0,
-			Scope:       "",
-		}
+	var token *Token
+	var err error
+	switch grantType {
+	case "authorization_code": // Authorization Code Grant
+		token, err = GetAuthorizationCodeToken(application, clientSecret, code, verifier)
+	case "password": //	Resource Owner Password Credentials Grant
+		token, err = GetPasswordToken(application, username, password, scope, host)
+	case "client_credentials": // Client Credentials Grant
+		token, err = GetClientCredentialsToken(application, clientSecret, scope, host)
 	}
 
-	token := getTokenByCode(code)
-	if token == nil {
+	if err != nil {
 		return &TokenWrapper{
-			AccessToken: "error: invalid authorization code",
-			TokenType:   "",
-			ExpiresIn:   0,
-			Scope:       "",
-		}
-	}
-
-	if application.Name != token.Application {
-		return &TokenWrapper{
-			AccessToken: "error: the token is for wrong application (client_id)",
-			TokenType:   "",
-			ExpiresIn:   0,
-			Scope:       "",
-		}
-	}
-
-	if application.ClientSecret != clientSecret {
-		return &TokenWrapper{
-			AccessToken: "error: invalid client_secret",
-			TokenType:   "",
-			ExpiresIn:   0,
-			Scope:       "",
-		}
-	}
-
-	if token.CodeChallenge != "" && pkceChallenge(verifier) != token.CodeChallenge {
-		return &TokenWrapper{
-			AccessToken: "error: incorrect code_verifier",
-			TokenType:   "",
-			ExpiresIn:   0,
-			Scope:       "",
-		}
-	}
-
-	if token.CodeIsUsed {
-		// anti replay attacks
-		return &TokenWrapper{
-			AccessToken: "error: authorization code has been used",
-			TokenType:   "",
-			ExpiresIn:   0,
-			Scope:       "",
-		}
-	}
-
-	if time.Now().Unix() > token.CodeExpireIn {
-		// code must be used within 5 minutes
-		return &TokenWrapper{
-			AccessToken: "error: authorization code has expired",
+			AccessToken: err.Error(),
 			TokenType:   "",
 			ExpiresIn:   0,
 			Scope:       "",
@@ -361,7 +360,7 @@ func GetOAuthToken(grantType string, clientId string, clientSecret string, code
 	return tokenWrapper
 }
 
-func RefreshToken(grantType string, refreshToken string, scope string, clientId string, clientSecret string) *TokenWrapper {
+func RefreshToken(grantType string, refreshToken string, scope string, clientId string, clientSecret string, host string) *TokenWrapper {
 	// check parameters
 	if grantType != "refresh_token" {
 		return &TokenWrapper{
@@ -380,7 +379,7 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId
 			Scope:       "",
 		}
 	}
-	if application.ClientSecret != clientSecret {
+	if clientSecret != "" && application.ClientSecret != clientSecret {
 		return &TokenWrapper{
 			AccessToken: "error: invalid client_secret",
 			TokenType:   "",
@@ -420,7 +419,7 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId
 			Scope:       "",
 		}
 	}
-	newAccessToken, newRefreshToken, err := generateJwtToken(application, user, "", scope)
+	newAccessToken, newRefreshToken, err := generateJwtToken(application, user, "", scope, host)
 	if err != nil {
 		panic(err)
 	}
@@ -440,14 +439,15 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId
 		TokenType:    "Bearer",
 	}
 	AddToken(newToken)
+	DeleteToken(&token)
 
 	tokenWrapper := &TokenWrapper{
-		AccessToken:  token.AccessToken,
-		IdToken:      token.AccessToken,
-		RefreshToken: token.RefreshToken,
-		TokenType:    token.TokenType,
-		ExpiresIn:    token.ExpiresIn,
-		Scope:        token.Scope,
+		AccessToken:  newToken.AccessToken,
+		IdToken:      newToken.AccessToken,
+		RefreshToken: newToken.RefreshToken,
+		TokenType:    newToken.TokenType,
+		ExpiresIn:    newToken.ExpiresIn,
+		Scope:        newToken.Scope,
 	}
 
 	return tokenWrapper
@@ -459,3 +459,152 @@ func pkceChallenge(verifier string) string {
 	challenge := base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(sum[:])
 	return challenge
 }
+
+// Check if grantType is allowed in the current application
+// authorization_code is allowed by default
+func IsGrantTypeValid(method string, grantTypes []string) bool {
+	if method == "authorization_code" {
+		return true
+	}
+	for _, m := range grantTypes {
+		if m == method {
+			return true
+		}
+	}
+	return false
+}
+
+// Authorization code flow
+func GetAuthorizationCodeToken(application *Application, clientSecret string, code string, verifier string) (*Token, error) {
+	if code == "" {
+		return nil, errors.New("error: authorization code should not be empty")
+	}
+
+	token := getTokenByCode(code)
+	if token == nil {
+		return nil, errors.New("error: invalid authorization code")
+	}
+	if token.CodeIsUsed {
+		// anti replay attacks
+		return nil, errors.New("error: authorization code has been used")
+	}
+
+	if token.CodeChallenge != "" && pkceChallenge(verifier) != token.CodeChallenge {
+		return nil, errors.New("error: incorrect code_verifier")
+	}
+
+	if application.ClientSecret != clientSecret {
+		// when using PKCE, the Client Secret can be empty,
+		// but if it is provided, it must be accurate.
+		if token.CodeChallenge == "" {
+			return nil, errors.New("error: invalid client_secret")
+		} else {
+			if clientSecret != "" {
+				return nil, errors.New("error: invalid client_secret")
+			}
+		}
+	}
+
+	if application.Name != token.Application {
+		return nil, errors.New("error: the token is for wrong application (client_id)")
+	}
+
+	if time.Now().Unix() > token.CodeExpireIn {
+		// code must be used within 5 minutes
+		return nil, errors.New("error: authorization code has expired")
+	}
+	return token, nil
+}
+
+// Resource Owner Password Credentials flow
+func GetPasswordToken(application *Application, username string, password string, scope string, host string) (*Token, error) {
+	user := getUser(application.Organization, username)
+	if user == nil {
+		return nil, errors.New("error: the user does not exist")
+	}
+	msg := CheckPassword(user, password)
+	if msg != "" {
+		return nil, errors.New("error: invalid username or password")
+	}
+	if user.IsForbidden {
+		return nil, errors.New("error: the user is forbidden to sign in, please contact the administrator")
+	}
+	accessToken, refreshToken, err := generateJwtToken(application, user, "", scope, host)
+	if err != nil {
+		return nil, err
+	}
+	token := &Token{
+		Owner:        application.Owner,
+		Name:         util.GenerateId(),
+		CreatedTime:  util.GetCurrentTime(),
+		Application:  application.Name,
+		Organization: user.Owner,
+		User:         user.Name,
+		Code:         util.GenerateClientId(),
+		AccessToken:  accessToken,
+		RefreshToken: refreshToken,
+		ExpiresIn:    application.ExpireInHours * 60,
+		Scope:        scope,
+		TokenType:    "Bearer",
+		CodeIsUsed:   true,
+	}
+	AddToken(token)
+	return token, nil
+}
+
+// Client Credentials flow
+func GetClientCredentialsToken(application *Application, clientSecret string, scope string, host string) (*Token, error) {
+	if application.ClientSecret != clientSecret {
+		return nil, errors.New("error: invalid client_secret")
+	}
+	nullUser := &User{
+		Owner: application.Owner,
+		Id:    application.GetId(),
+		Name:  fmt.Sprintf("app/%s", application.Name),
+	}
+	accessToken, _, err := generateJwtToken(application, nullUser, "", scope, host)
+	if err != nil {
+		return nil, err
+	}
+	token := &Token{
+		Owner:        application.Owner,
+		Name:         util.GenerateId(),
+		CreatedTime:  util.GetCurrentTime(),
+		Application:  application.Name,
+		Organization: application.Organization,
+		User:         nullUser.Name,
+		Code:         util.GenerateClientId(),
+		AccessToken:  accessToken,
+		ExpiresIn:    application.ExpireInHours * 60,
+		Scope:        scope,
+		TokenType:    "Bearer",
+		CodeIsUsed:   true,
+	}
+	AddToken(token)
+	return token, nil
+}
+
+// Implicit flow
+func GetTokenByUser(application *Application, user *User, scope string, host string) (*Token, error) {
+	accessToken, refreshToken, err := generateJwtToken(application, user, "", scope, host)
+	if err != nil {
+		return nil, err
+	}
+	token := &Token{
+		Owner:        application.Owner,
+		Name:         util.GenerateId(),
+		CreatedTime:  util.GetCurrentTime(),
+		Application:  application.Name,
+		Organization: user.Owner,
+		User:         user.Name,
+		Code:         util.GenerateClientId(),
+		AccessToken:  accessToken,
+		RefreshToken: refreshToken,
+		ExpiresIn:    application.ExpireInHours * 60,
+		Scope:        scope,
+		TokenType:    "Bearer",
+		CodeIsUsed:   true,
+	}
+	AddToken(token)
+	return token, nil
+}

object/token_jwt.go

@@ -15,11 +15,10 @@
 package object
 
 import (
-	_ "embed"
 	"fmt"
 	"time"
 
-	"github.com/astaxie/beego"
+	"github.com/casdoor/casdoor/conf"
 	"github.com/golang-jwt/jwt/v4"
 )
 
@@ -61,12 +60,17 @@ func getShortClaims(claims Claims) ClaimsShort {
 	return res
 }
 
-func generateJwtToken(application *Application, user *User, nonce string, scope string) (string, string, error) {
+func generateJwtToken(application *Application, user *User, nonce string, scope string, host string) (string, string, error) {
 	nowTime := time.Now()
 	expireTime := nowTime.Add(time.Duration(application.ExpireInHours) * time.Hour)
 	refreshExpireTime := nowTime.Add(time.Duration(application.RefreshExpireInHours) * time.Hour)
 
 	user.Password = ""
+	origin := conf.GetConfigString("origin")
+	_, originBackend := getOriginFromHost(host)
+	if origin != "" {
+		originBackend = origin
+	}
 
 	claims := Claims{
 		User:  user,
@@ -75,7 +79,7 @@ func generateJwtToken(application *Application, user *User, nonce string, scope
 		Tag:   user.Tag,
 		Scope: scope,
 		RegisteredClaims: jwt.RegisteredClaims{
-			Issuer:    beego.AppConfig.String("origin"),
+			Issuer:    originBackend,
 			Subject:   user.Id,
 			Audience:  []string{application.ClientId},
 			ExpiresAt: jwt.NewNumericDate(expireTime),
@@ -142,3 +146,7 @@ func ParseJwtToken(token string, cert *Cert) (*Claims, error) {
 
 	return nil, err
 }
+
+func ParseJwtTokenByApplication(token string, application *Application) (*Claims, error) {
+	return ParseJwtToken(token, getCertByApplication(application))
+}

object/user.go

@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/util"
 	"xorm.io/core"
 )
@@ -33,6 +34,8 @@ type User struct {
 	Password          string   `xorm:"varchar(100)" json:"password"`
 	PasswordSalt      string   `xorm:"varchar(100)" json:"passwordSalt"`
 	DisplayName       string   `xorm:"varchar(100)" json:"displayName"`
+	FirstName         string   `xorm:"varchar(100)" json:"firstName"`
+	LastName          string   `xorm:"varchar(100)" json:"lastName"`
 	Avatar            string   `xorm:"varchar(500)" json:"avatar"`
 	PermanentAvatar   string   `xorm:"varchar(500)" json:"permanentAvatar"`
 	Email             string   `xorm:"varchar(100) index" json:"email"`
@@ -52,6 +55,7 @@ type User struct {
 	Birthday          string   `xorm:"varchar(100)" json:"birthday"`
 	Education         string   `xorm:"varchar(100)" json:"education"`
 	Score             int      `json:"score"`
+	Karma             int      `json:"karma"`
 	Ranking           int      `json:"ranking"`
 	IsDefaultAvatar   bool     `json:"isDefaultAvatar"`
 	IsOnline          bool     `json:"isOnline"`
@@ -79,16 +83,32 @@ type User struct {
 	Wecom    string `xorm:"wecom varchar(100)" json:"wecom"`
 	Lark     string `xorm:"lark varchar(100)" json:"lark"`
 	Gitlab   string `xorm:"gitlab varchar(100)" json:"gitlab"`
+	Adfs     string `xorm:"adfs varchar(100)" json:"adfs"`
 	Baidu    string `xorm:"baidu varchar(100)" json:"baidu"`
+	Alipay   string `xorm:"alipay varchar(100)" json:"alipay"`
+	Casdoor  string `xorm:"casdoor varchar(100)" json:"casdoor"`
 	Infoflow string `xorm:"infoflow varchar(100)" json:"infoflow"`
 	Apple    string `xorm:"apple varchar(100)" json:"apple"`
 	AzureAD  string `xorm:"azuread varchar(100)" json:"azuread"`
 	Slack    string `xorm:"slack varchar(100)" json:"slack"`
+	Steam    string `xorm:"steam varchar(100)" json:"steam"`
 
 	Ldap       string            `xorm:"ldap varchar(100)" json:"ldap"`
 	Properties map[string]string `json:"properties"`
 }
 
+type Userinfo struct {
+	Sub         string `json:"sub"`
+	Iss         string `json:"iss"`
+	Aud         string `json:"aud"`
+	Name        string `json:"name,omitempty"`
+	DisplayName string `json:"preferred_username,omitempty"`
+	Email       string `json:"email,omitempty"`
+	Avatar      string `json:"picture,omitempty"`
+	Address     string `json:"address,omitempty"`
+	Phone       string `json:"phone,omitempty"`
+}
+
 func GetGlobalUserCount(field, value string) int {
 	session := GetSession("", -1, -1, field, value, "", "")
 	count, err := session.Count(&User{})
@@ -285,7 +305,7 @@ func UpdateUser(id string, user *User, columns []string, isGlobalAdmin bool) boo
 			"is_admin", "is_global_admin", "is_forbidden", "is_deleted", "hash", "is_default_avatar", "properties"}
 	}
 	if isGlobalAdmin {
-		columns = append(columns, "name")
+		columns = append(columns, "name", "email", "phone")
 	}
 
 	affected, err := adapter.Engine.ID(core.PK{owner, name}).Cols(columns...).Update(user)
@@ -334,6 +354,8 @@ func AddUser(user *User) bool {
 
 	user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
 
+	user.Ranking = GetUserCount(user.Owner, "", "") + 1
+
 	affected, err := adapter.Engine.Insert(user)
 	if err != nil {
 		panic(err)
@@ -360,7 +382,9 @@ func AddUsers(users []*User) bool {
 
 	affected, err := adapter.Engine.Insert(users)
 	if err != nil {
-		panic(err)
+		if !strings.Contains(err.Error(), "Duplicate entry") {
+			panic(err)
+		}
 	}
 
 	return affected != 0
@@ -401,6 +425,39 @@ func DeleteUser(user *User) bool {
 	return affected != 0
 }
 
+func GetUserInfo(userId string, scope string, aud string, host string) (*Userinfo, error) {
+	user := GetUser(userId)
+	if user == nil {
+		return nil, fmt.Errorf("the user: %s doesn't exist", userId)
+	}
+	origin := conf.GetConfigString("origin")
+	_, originBackend := getOriginFromHost(host)
+	if origin != "" {
+		originBackend = origin
+	}
+
+	resp := Userinfo{
+		Sub: user.Id,
+		Iss: originBackend,
+		Aud: aud,
+	}
+	if strings.Contains(scope, "profile") {
+		resp.Name = user.Name
+		resp.DisplayName = user.DisplayName
+		resp.Avatar = user.Avatar
+	}
+	if strings.Contains(scope, "email") {
+		resp.Email = user.Email
+	}
+	if strings.Contains(scope, "address") {
+		resp.Address = user.Location
+	}
+	if strings.Contains(scope, "phone") {
+		resp.Phone = user.Phone
+	}
+	return &resp, nil
+}
+
 func LinkUserAccount(user *User, field string, value string) bool {
 	return SetUserField(user, field, value)
 }

object/user_upload.go

@@ -52,8 +52,8 @@ func UploadUsers(owner string, fileId string) bool {
 
 	oldUserMap := getUserMap(owner)
 	newUsers := []*User{}
-	for _, line := range table {
-		if parseLineItem(&line, 0) == "" {
+	for index, line := range table {
+		if index == 0 || parseLineItem(&line, 0) == "" {
 			continue
 		}
 
@@ -67,38 +67,42 @@ func UploadUsers(owner string, fileId string) bool {
 			Password:          parseLineItem(&line, 6),
 			PasswordSalt:      parseLineItem(&line, 7),
 			DisplayName:       parseLineItem(&line, 8),
-			Avatar:            parseLineItem(&line, 9),
+			FirstName:         parseLineItem(&line, 9),
+			LastName:          parseLineItem(&line, 10),
+			Avatar:            parseLineItem(&line, 11),
 			PermanentAvatar:   "",
-			Email:             parseLineItem(&line, 10),
-			Phone:             parseLineItem(&line, 11),
-			Location:          parseLineItem(&line, 12),
-			Address:           []string{parseLineItem(&line, 13)},
-			Affiliation:       parseLineItem(&line, 14),
-			Title:             parseLineItem(&line, 15),
-			IdCardType:        parseLineItem(&line, 16),
-			IdCard:            parseLineItem(&line, 17),
-			Homepage:          parseLineItem(&line, 18),
-			Bio:               parseLineItem(&line, 19),
-			Tag:               parseLineItem(&line, 20),
-			Region:            parseLineItem(&line, 21),
-			Language:          parseLineItem(&line, 22),
-			Gender:            parseLineItem(&line, 23),
-			Birthday:          parseLineItem(&line, 24),
-			Education:         parseLineItem(&line, 25),
-			Score:             parseLineItemInt(&line, 26),
-			Ranking:           parseLineItemInt(&line, 27),
+			Email:             parseLineItem(&line, 12),
+			Phone:             parseLineItem(&line, 13),
+			Location:          parseLineItem(&line, 14),
+			Address:           []string{parseLineItem(&line, 15)},
+			Affiliation:       parseLineItem(&line, 16),
+			Title:             parseLineItem(&line, 17),
+			IdCardType:        parseLineItem(&line, 18),
+			IdCard:            parseLineItem(&line, 19),
+			Homepage:          parseLineItem(&line, 20),
+			Bio:               parseLineItem(&line, 21),
+			Tag:               parseLineItem(&line, 22),
+			Region:            parseLineItem(&line, 23),
+			Language:          parseLineItem(&line, 24),
+			Gender:            parseLineItem(&line, 25),
+			Birthday:          parseLineItem(&line, 26),
+			Education:         parseLineItem(&line, 27),
+			Score:             parseLineItemInt(&line, 28),
+			Karma:             parseLineItemInt(&line, 29),
+			Ranking:           parseLineItemInt(&line, 30),
 			IsDefaultAvatar:   false,
-			IsOnline:          parseLineItemBool(&line, 28),
-			IsAdmin:           parseLineItemBool(&line, 29),
-			IsGlobalAdmin:     parseLineItemBool(&line, 30),
-			IsForbidden:       parseLineItemBool(&line, 31),
-			IsDeleted:         parseLineItemBool(&line, 32),
-			SignupApplication: parseLineItem(&line, 33),
+			IsOnline:          parseLineItemBool(&line, 31),
+			IsAdmin:           parseLineItemBool(&line, 32),
+			IsGlobalAdmin:     parseLineItemBool(&line, 33),
+			IsForbidden:       parseLineItemBool(&line, 34),
+			IsDeleted:         parseLineItemBool(&line, 35),
+			SignupApplication: parseLineItem(&line, 36),
 			Hash:              "",
 			PreHash:           "",
-			CreatedIp:         parseLineItem(&line, 34),
-			LastSigninTime:    parseLineItem(&line, 35),
-			LastSigninIp:      parseLineItem(&line, 36),
+			CreatedIp:         parseLineItem(&line, 37),
+			LastSigninTime:    parseLineItem(&line, 38),
+			LastSigninIp:      parseLineItem(&line, 39),
+			Ldap:              "",
 			Properties:        map[string]string{},
 		}
 

object/verification.go

@@ -20,7 +20,7 @@ import (
 	"math/rand"
 	"time"
 
-	"github.com/astaxie/beego"
+	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/util"
 	"xorm.io/core"
 )
@@ -129,7 +129,7 @@ func CheckVerificationCode(dest, code string) string {
 		return "Code has not been sent yet!"
 	}
 
-	timeout, err := beego.AppConfig.Int64("verificationCodeTimeout")
+	timeout, err := conf.GetConfigInt64("verificationCodeTimeout")
 	if err != nil {
 		panic(err)
 	}

pp/alipay.go

@@ -0,0 +1,92 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package pp
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/casdoor/casdoor/util"
+	"github.com/go-pay/gopay"
+	"github.com/go-pay/gopay/alipay"
+)
+
+type AlipayPaymentProvider struct {
+	Client *alipay.Client
+}
+
+func NewAlipayPaymentProvider(appId string, appPublicKey string, appPrivateKey string, authorityPublicKey string, authorityRootPublicKey string) *AlipayPaymentProvider {
+	pp := &AlipayPaymentProvider{}
+
+	client, err := alipay.NewClient(appId, appPrivateKey, true)
+	if err != nil {
+		panic(err)
+	}
+
+	err = client.SetCertSnByContent([]byte(appPublicKey), []byte(authorityRootPublicKey), []byte(authorityPublicKey))
+	if err != nil {
+		panic(err)
+	}
+
+	pp.Client = client
+	return pp
+}
+
+func (pp *AlipayPaymentProvider) Pay(providerName string, productName string, paymentName string, productDisplayName string, price float64, returnUrl string, notifyUrl string) (string, error) {
+	//pp.Client.DebugSwitch = gopay.DebugOn
+
+	bm := gopay.BodyMap{}
+
+	bm.Set("providerName", providerName)
+	bm.Set("productName", productName)
+
+	bm.Set("return_url", returnUrl)
+	bm.Set("notify_url", notifyUrl)
+
+	bm.Set("subject", productDisplayName)
+	bm.Set("out_trade_no", paymentName)
+	bm.Set("total_amount", getPriceString(price))
+
+	payUrl, err := pp.Client.TradePagePay(context.Background(), bm)
+	if err != nil {
+		return "", err
+	}
+	return payUrl, nil
+}
+
+func (pp *AlipayPaymentProvider) Notify(request *http.Request, body []byte, authorityPublicKey string) (string, string, float64, string, string, error) {
+	bm, err := alipay.ParseNotifyToBodyMap(request)
+	if err != nil {
+		return "", "", 0, "", "", err
+	}
+
+	providerName := bm.Get("providerName")
+	productName := bm.Get("productName")
+
+	productDisplayName := bm.Get("subject")
+	paymentName := bm.Get("out_trade_no")
+	price := util.ParseFloat(bm.Get("total_amount"))
+
+	ok, err := alipay.VerifySignWithCert(authorityPublicKey, bm)
+	if err != nil {
+		return "", "", 0, "", "", err
+	}
+	if !ok {
+		return "", "", 0, "", "", fmt.Errorf("VerifySignWithCert() failed: %v", ok)
+	}
+
+	return productDisplayName, paymentName, price, productName, providerName, nil
+}

pp/gc.go

@@ -0,0 +1,232 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package pp
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/casdoor/casdoor/util"
+)
+
+type GcPaymentProvider struct {
+	Xmpch     string
+	SecretKey string
+	Host      string
+}
+
+type GcPayReqInfo struct {
+	OrderDate string `json:"orderdate"`
+	OrderNo   string `json:"orderno"`
+	Amount    string `json:"amount"`
+	PayerId   string `json:"payerid"`
+	PayerName string `json:"payername"`
+	Xmpch     string `json:"xmpch"`
+	ReturnUrl string `json:"return_url"`
+	NotifyUrl string `json:"notify_url"`
+}
+
+type GcPayRespInfo struct {
+	Jylsh     string `json:"jylsh"`
+	Amount    string `json:"amount"`
+	PayerId   string `json:"payerid"`
+	PayerName string `json:"payername"`
+	PayUrl    string `json:"payurl"`
+}
+
+type GcNotifyRespInfo struct {
+	Xmpch      string  `json:"xmpch"`
+	OrderDate  string  `json:"orderdate"`
+	OrderNo    string  `json:"orderno"`
+	Amount     float64 `json:"amount"`
+	Jylsh      string  `json:"jylsh"`
+	TradeNo    string  `json:"tradeno"`
+	PayMethod  string  `json:"paymethod"`
+	OrderState string  `json:"orderstate"`
+	ReturnType string  `json:"return_type"`
+	PayerId    string  `json:"payerid"`
+	PayerName  string  `json:"payername"`
+}
+
+type GcRequestBody struct {
+	Op          string `json:"op"`
+	Xmpch       string `json:"xmpch"`
+	Version     string `json:"version"`
+	Data        string `json:"data"`
+	RequestTime string `json:"requesttime"`
+	Sign        string `json:"sign"`
+}
+
+type GcResponseBody struct {
+	Op         string `json:"op"`
+	Xmpch      string `json:"xmpch"`
+	Version    string `json:"version"`
+	ReturnCode string `json:"return_code"`
+	ReturnMsg  string `json:"return_msg"`
+	Data       string `json:"data"`
+	NotifyTime string `json:"notifytime"`
+	Sign       string `json:"sign"`
+}
+
+func NewGcPaymentProvider(clientId string, clientSecret string, host string) *GcPaymentProvider {
+	pp := &GcPaymentProvider{}
+
+	pp.Xmpch = clientId
+	pp.SecretKey = clientSecret
+	pp.Host = host
+	return pp
+}
+
+func (pp *GcPaymentProvider) doPost(postBytes []byte) ([]byte, error) {
+	client := &http.Client{}
+
+	var resp *http.Response
+	var err error
+
+	contentType := "text/plain;charset=UTF-8"
+	body := bytes.NewReader(postBytes)
+
+	req, err := http.NewRequest("POST", pp.Host, body)
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Set("Content-Type", contentType)
+
+	resp, err = client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			return
+		}
+	}(resp.Body)
+
+	respBytes, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	return respBytes, nil
+}
+
+func (pp *GcPaymentProvider) Pay(providerName string, productName string, paymentName string, productDisplayName string, price float64, returnUrl string, notifyUrl string) (string, error) {
+	payReqInfo := GcPayReqInfo{
+		OrderDate: util.GenerateSimpleTimeId(),
+		OrderNo:   util.GenerateTimeId(),
+		Amount:    getPriceString(price),
+		PayerId:   "",
+		PayerName: "",
+		Xmpch:     pp.Xmpch,
+		ReturnUrl: returnUrl,
+		NotifyUrl: notifyUrl,
+	}
+
+	b, err := json.Marshal(payReqInfo)
+	if err != nil {
+		return "", err
+	}
+
+	body := GcRequestBody{
+		Op:          "OrderCreate",
+		Xmpch:       pp.Xmpch,
+		Version:     "1.4",
+		Data:        base64.StdEncoding.EncodeToString(b),
+		RequestTime: util.GenerateSimpleTimeId(),
+	}
+
+	params := fmt.Sprintf("data=%s&op=%s&requesttime=%s&version=%s&xmpch=%s%s", body.Data, body.Op, body.RequestTime, body.Version, body.Xmpch, pp.SecretKey)
+	body.Sign = strings.ToUpper(util.GetMd5Hash(params))
+
+	bodyBytes, err := json.Marshal(body)
+	if err != nil {
+		return "", err
+	}
+
+	respBytes, err := pp.doPost(bodyBytes)
+	if err != nil {
+		return "", err
+	}
+
+	var respBody GcResponseBody
+	err = json.Unmarshal(respBytes, &respBody)
+	if err != nil {
+		return "", err
+	}
+
+	if respBody.ReturnCode != "SUCCESS" {
+		return "", fmt.Errorf("%s: %s", respBody.ReturnCode, respBody.ReturnMsg)
+	}
+
+	payRespInfoBytes, err := base64.StdEncoding.DecodeString(respBody.Data)
+	if err != nil {
+		return "", err
+	}
+
+	var payRespInfo GcPayRespInfo
+	err = json.Unmarshal(payRespInfoBytes, &payRespInfo)
+	if err != nil {
+		return "", err
+	}
+
+	return payRespInfo.PayUrl, nil
+}
+
+func (pp *GcPaymentProvider) Notify(request *http.Request, body []byte, authorityPublicKey string) (string, string, float64, string, string, error) {
+	reqBody := GcRequestBody{}
+	m, err := url.ParseQuery(string(body))
+	if err != nil {
+		return "", "", 0, "", "", err
+	}
+
+	reqBody.Op = m["op"][0]
+	reqBody.Xmpch = m["xmpch"][0]
+	reqBody.Version = m["version"][0]
+	reqBody.Data = m["data"][0]
+	reqBody.RequestTime = m["requesttime"][0]
+	reqBody.Sign = m["sign"][0]
+
+	notifyReqInfoBytes, err := base64.StdEncoding.DecodeString(reqBody.Data)
+	if err != nil {
+		return "", "", 0, "", "", err
+	}
+
+	var notifyRespInfo GcNotifyRespInfo
+	err = json.Unmarshal(notifyReqInfoBytes, &notifyRespInfo)
+	if err != nil {
+		return "", "", 0, "", "", err
+	}
+
+	providerName := ""
+	productName := ""
+
+	productDisplayName := ""
+	paymentName := notifyRespInfo.OrderNo
+	price := notifyRespInfo.Amount
+
+	if notifyRespInfo.OrderState != "1" {
+		return "", "", 0, "", "", fmt.Errorf("error order state: %s", notifyRespInfo.OrderDate)
+	}
+
+	return productDisplayName, paymentName, price, productName, providerName, nil
+}

pp/provider.go

@@ -0,0 +1,31 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package pp
+
+import "net/http"
+
+type PaymentProvider interface {
+	Pay(providerName string, productName string, paymentName string, productDisplayName string, price float64, returnUrl string, notifyUrl string) (string, error)
+	Notify(request *http.Request, body []byte, authorityPublicKey string) (string, string, float64, string, string, error)
+}
+
+func GetPaymentProvider(typ string, appId string, clientSecret string, host string, appPublicKey string, appPrivateKey string, authorityPublicKey string, authorityRootPublicKey string) PaymentProvider {
+	if typ == "Alipay" {
+		return NewAlipayPaymentProvider(appId, appPublicKey, appPrivateKey, authorityPublicKey, authorityRootPublicKey)
+	} else if typ == "GC" {
+		return NewGcPaymentProvider(appId, clientSecret, host)
+	}
+	return nil
+}

pp/util.go

@@ -0,0 +1,25 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package pp
+
+import (
+	"fmt"
+	"strings"
+)
+
+func getPriceString(price float64) string {
+	priceString := strings.TrimRight(strings.TrimRight(fmt.Sprintf("%.2f", price), "0"), ".")
+	return priceString
+}

proxy/proxy.go

@@ -21,7 +21,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/astaxie/beego"
+	"github.com/casdoor/casdoor/conf"
 	"golang.org/x/net/proxy"
 )
 
@@ -54,17 +54,17 @@ func isAddressOpen(address string) bool {
 }
 
 func getProxyHttpClient() *http.Client {
-	httpProxy := beego.AppConfig.String("httpProxy")
-	if httpProxy == "" {
+	sock5Proxy := conf.GetConfigString("sock5Proxy")
+	if sock5Proxy == "" {
 		return &http.Client{}
 	}
 
-	if !isAddressOpen(httpProxy) {
+	if !isAddressOpen(sock5Proxy) {
 		return &http.Client{}
 	}
 
 	// https://stackoverflow.com/questions/33585587/creating-a-go-socks5-client
-	dialer, err := proxy.SOCKS5("tcp", httpProxy, nil, proxy.Direct)
+	dialer, err := proxy.SOCKS5("tcp", sock5Proxy, nil, proxy.Direct)
 	if err != nil {
 		panic(err)
 	}

routers/authz_filter.go

@@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/astaxie/beego/context"
 	"github.com/casdoor/casdoor/authz"
@@ -57,6 +58,8 @@ func getSubject(ctx *context.Context) (string, string) {
 
 func getObject(ctx *context.Context) (string, string) {
 	method := ctx.Request.Method
+	path := ctx.Request.URL.Path
+
 	if method == http.MethodGet {
 		// query == "?id=built-in/admin"
 		id := ctx.Input.Query("id")
@@ -78,6 +81,14 @@ func getObject(ctx *context.Context) (string, string) {
 			//panic(err)
 			return "", ""
 		}
+
+		if path == "/api/delete-resource" {
+			tokens := strings.Split(obj.Name, "/")
+			if len(tokens) >= 5 {
+				obj.Name = tokens[4]
+			}
+		}
+
 		return obj.Owner, obj.Name
 	}
 }

routers/auto_signin_filter.go

@@ -29,10 +29,8 @@ func AutoSigninFilter(ctx *context.Context) {
 
 	// GET parameter like "/page?access_token=123" or
 	// HTTP Bearer token like "Authorization: Bearer 123"
-	accessToken := ctx.Input.Query("accessToken")
-	if accessToken == "" {
-		accessToken = parseBearerToken(ctx)
-	}
+	accessToken := util.GetMaxLenStr(ctx.Input.Query("accessToken"), ctx.Input.Query("access_token"), parseBearerToken(ctx))
+
 	if accessToken != "" {
 		token := object.GetTokenByAccessToken(accessToken)
 		if token == nil {
@@ -62,7 +60,7 @@ func AutoSigninFilter(ctx *context.Context) {
 	// "/page?username=abc&password=123"
 	userId = ctx.Input.Query("username")
 	password := ctx.Input.Query("password")
-	if userId != "" && password != "" {
+	if userId != "" && password != "" && ctx.Input.Query("grant_type") == "" {
 		owner, name := util.GetOwnerAndNameFromId(userId)
 		_, msg := object.CheckUserPassword(owner, name, password)
 		if msg != "" {

routers/record.go

@@ -54,7 +54,7 @@ func getUserByClientIdSecret(ctx *context.Context) string {
 }
 
 func RecordMessage(ctx *context.Context) {
-	if ctx.Request.URL.Path == "/api/login" {
+	if ctx.Request.URL.Path == "/api/login" || ctx.Request.URL.Path == "/api/signup" {
 		return
 	}
 

routers/router.go

@@ -127,6 +127,8 @@ func initAPI() {
 	beego.Router("/api/login/oauth/code", &controllers.ApiController{}, "POST:GetOAuthCode")
 	beego.Router("/api/login/oauth/access_token", &controllers.ApiController{}, "POST:GetOAuthToken")
 	beego.Router("/api/login/oauth/refresh_token", &controllers.ApiController{}, "POST:RefreshToken")
+	beego.Router("/api/login/oauth/introspect", &controllers.ApiController{}, "POST:IntrospectToken")
+	beego.Router("/api/login/oauth/logout", &controllers.ApiController{}, "GET:TokenLogout")
 
 	beego.Router("/api/get-records", &controllers.ApiController{}, "GET:GetRecords")
 	beego.Router("/api/get-records-filter", &controllers.ApiController{}, "POST:GetRecordsByFilter")
@@ -149,15 +151,24 @@ func initAPI() {
 	beego.Router("/api/add-cert", &controllers.ApiController{}, "POST:AddCert")
 	beego.Router("/api/delete-cert", &controllers.ApiController{}, "POST:DeleteCert")
 
+	beego.Router("/api/get-products", &controllers.ApiController{}, "GET:GetProducts")
+	beego.Router("/api/get-product", &controllers.ApiController{}, "GET:GetProduct")
+	beego.Router("/api/update-product", &controllers.ApiController{}, "POST:UpdateProduct")
+	beego.Router("/api/add-product", &controllers.ApiController{}, "POST:AddProduct")
+	beego.Router("/api/delete-product", &controllers.ApiController{}, "POST:DeleteProduct")
+	beego.Router("/api/buy-product", &controllers.ApiController{}, "POST:BuyProduct")
+
 	beego.Router("/api/get-payments", &controllers.ApiController{}, "GET:GetPayments")
+	beego.Router("/api/get-user-payments", &controllers.ApiController{}, "GET:GetUserPayments")
 	beego.Router("/api/get-payment", &controllers.ApiController{}, "GET:GetPayment")
 	beego.Router("/api/update-payment", &controllers.ApiController{}, "POST:UpdatePayment")
 	beego.Router("/api/add-payment", &controllers.ApiController{}, "POST:AddPayment")
 	beego.Router("/api/delete-payment", &controllers.ApiController{}, "POST:DeletePayment")
+	beego.Router("/api/notify-payment/?:owner/?:provider/?:product/?:payment", &controllers.ApiController{}, "POST:NotifyPayment")
 
 	beego.Router("/api/send-email", &controllers.ApiController{}, "POST:SendEmail")
 	beego.Router("/api/send-sms", &controllers.ApiController{}, "POST:SendSms")
 
 	beego.Router("/.well-known/openid-configuration", &controllers.RootController{}, "GET:GetOidcDiscovery")
-	beego.Router("/api/certs", &controllers.RootController{}, "*:GetOidcCert")
+	beego.Router("/.well-known/jwks", &controllers.RootController{}, "*:GetJwks")
 }

util/regex.go

@@ -20,10 +20,12 @@ import (
 )
 
 var rePhoneCn *regexp.Regexp
+var rePhone *regexp.Regexp
 
 func init() {
 	// https://learnku.com/articles/31543
 	rePhoneCn, _ = regexp.Compile(`^1(3\d|4[5-9]|5[0-35-9]|6[2567]|7[0-8]|8\d|9[0-35-9])\d{8}$`)
+	rePhone, _ = regexp.Compile("(\\d{3})\\d*(\\d{4})")
 }
 
 func IsEmailValid(email string) bool {
@@ -34,3 +36,7 @@ func IsEmailValid(email string) bool {
 func IsPhoneCnValid(phone string) bool {
 	return rePhoneCn.MatchString(phone)
 }
+
+func getMaskedPhone(phone string) string {
+	return rePhone.ReplaceAllString(phone, "$1****$2")
+}

util/string.go

@@ -20,9 +20,10 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
-	"os"
+	"io/ioutil"
 	"strconv"
 	"strings"
+	"time"
 	"unicode"
 
 	"github.com/google/uuid"
@@ -41,6 +42,15 @@ func ParseInt(s string) int {
 	return i
 }
 
+func ParseFloat(s string) float64 {
+	f, err := strconv.ParseFloat(s, 64)
+	if err != nil {
+		panic(err)
+	}
+
+	return f
+}
+
 func ParseBool(s string) bool {
 	i := ParseInt(s)
 	return i != 0
@@ -49,11 +59,11 @@ func ParseBool(s string) bool {
 func BoolToString(b bool) string {
 	if b {
 		return "1"
-	} else {
-		return "0"
 	}
+	return "0"
 }
 
+//CamelToSnakeCase This function transform camelcase in snakecase LoremIpsum in lorem_ipsum
 func CamelToSnakeCase(camel string) string {
 	var buf bytes.Buffer
 	for _, c := range camel {
@@ -63,11 +73,11 @@ func CamelToSnakeCase(camel string) string {
 				buf.WriteRune('_')
 			}
 			buf.WriteRune(c - 'A' + 'a')
-		} else {
-			buf.WriteRune(c)
+			continue
 		}
+		buf.WriteRune(c)
 	}
-	return buf.String()
+	return strings.ReplaceAll(buf.String(), " ", "")
 }
 
 func GetOwnerAndNameFromId(id string) (string, string) {
@@ -88,6 +98,25 @@ func GenerateId() string {
 	return uuid.NewString()
 }
 
+func GenerateTimeId() string {
+	timestamp := time.Now().Unix()
+	tm := time.Unix(timestamp, 0)
+	t := tm.Format("20060102_150405")
+
+	random := uuid.NewString()[0:7]
+
+	res := fmt.Sprintf("%s_%s", t, random)
+	return res
+}
+
+func GenerateSimpleTimeId() string {
+	timestamp := time.Now().Unix()
+	tm := time.Unix(timestamp, 0)
+	t := tm.Format("20060102150405")
+
+	return t
+}
+
 func GetId(name string) string {
 	return fmt.Sprintf("admin/%s", name)
 }
@@ -124,7 +153,7 @@ func GetMinLenStr(strs ...string) string {
 	i := 0
 	for j, str := range strs {
 		l := len(str)
-		if l > m {
+		if l < m {
 			m = l
 			i = j
 		}
@@ -133,7 +162,7 @@ func GetMinLenStr(strs ...string) string {
 }
 
 func ReadStringFromPath(path string) string {
-	data, err := os.ReadFile(path)
+	data, err := ioutil.ReadFile(path)
 	if err != nil {
 		panic(err)
 	}
@@ -142,29 +171,13 @@ func ReadStringFromPath(path string) string {
 }
 
 func WriteStringToPath(s string, path string) {
-	err := os.WriteFile(path, []byte(s), 0644)
+	err := ioutil.WriteFile(path, []byte(s), 0644)
 	if err != nil {
 		panic(err)
 	}
 }
 
-func ReadBytesFromPath(path string) []byte {
-	data, err := os.ReadFile(path)
-	if err != nil {
-		panic(err)
-	}
-
-	return data
-}
-
-func WriteBytesToPath(b []byte, path string) {
-	err := os.WriteFile(path, b, 0644)
-	if err != nil {
-		panic(err)
-	}
-}
-
-// SnakeString XxYy to xx_yy
+// SnakeString transform XxYy to xx_yy
 func SnakeString(s string) string {
 	data := make([]byte, 0, len(s)*2)
 	j := false
@@ -179,7 +192,8 @@ func SnakeString(s string) string {
 		}
 		data = append(data, d)
 	}
-	return strings.ToLower(string(data[:]))
+	result := strings.ToLower(string(data[:]))
+	return strings.ReplaceAll(result, " ", "")
 }
 
 func IsChinese(str string) bool {
@@ -192,3 +206,28 @@ func IsChinese(str string) bool {
 	}
 	return flag
 }
+
+func GetMaskedPhone(phone string) string {
+	return getMaskedPhone(phone)
+}
+
+func GetMaskedEmail(email string) string {
+	if email == "" {
+		return ""
+	}
+
+	tokens := strings.Split(email, "@")
+	username := maskString(tokens[0])
+	domain := tokens[1]
+	domainTokens := strings.Split(domain, ".")
+	domainTokens[len(domainTokens)-2] = maskString(domainTokens[len(domainTokens)-2])
+	return fmt.Sprintf("%s@%s", username, strings.Join(domainTokens, "."))
+}
+
+func maskString(str string) string {
+	if len(str) <= 2 {
+		return str
+	} else {
+		return fmt.Sprintf("%c%s%c", str[0], strings.Repeat("*", len(str)-2), str[len(str)-1])
+	}
+}

util/string_test.go

@@ -0,0 +1,248 @@
+// Copyright 2021 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package util
+
+import (
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestParseInt(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Should be return zero when value is empty", "", 0},
+		{"Should be return 0", "0", 0},
+		{"Should be return 5", "5", 5},
+		{"Should be return 10", "10", 10},
+		{"Should be return -1", "-1", -1},
+		{"Should be return -5", "-5", -5},
+		{"Should be return -10", "-10", -10},
+		{"Should be return -10", "string", "panic"},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			if scenery.expected == "panic" {
+				defer func() {
+					if r := recover(); r == nil {
+						t.Error("function should panic")
+					}
+				}()
+				ParseInt(scenery.input)
+
+			} else {
+				actual := ParseInt(scenery.input)
+				assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+			}
+		})
+	}
+}
+
+func TestParseBool(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Should be return false", "0", false},
+		{"Should be return true", "5", true},
+		{"Should be return true", "10", true},
+		{"Should be return true", "-1", true},
+		{"Should be return false", "", false},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := ParseBool(scenery.input)
+			assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+		})
+	}
+}
+
+func TestBoolToString(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       bool
+		expected    interface{}
+	}{
+		{"Should be return 1", true, "1"},
+		{"Should be return 0", false, "0"},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := BoolToString(scenery.input)
+			assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+		})
+	}
+}
+
+func TestCamelToSnakeCase(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Should be return casdor_is_the_best", "CasdoorIsTheBest", "casdoor_is_the_best"},
+		{"Should be return lorem_ipsum", "Lorem Ipsum", "lorem_ipsum"},
+		{"Should be return Lorem Ipsum", "lorem Ipsum", "lorem_ipsum"},
+		{"Should be return lorem_ipsum", "lorem ipsum", "loremipsum"},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := CamelToSnakeCase(scenery.input)
+			assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+		})
+	}
+}
+
+func TestGenerateId(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Scenery one", GenerateId(), nil},
+		{"Scenery two", GenerateId(), nil},
+		{"Scenery three", "00000000-0000-0000-0000-000000000000", nil},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			_, err := uuid.Parse(scenery.input)
+			assert.Equal(t, scenery.expected, err, "Should be return empty")
+		})
+	}
+
+	_, SceneryTree := uuid.Parse("00000000-0000-0000-0000-00000000000S")
+	assert.Equal(t, "invalid UUID format", SceneryTree.Error(), "Errou")
+
+	_, SceneryFor := uuid.Parse("00000000-0000-0000-0000-000000000000S")
+	assert.Equal(t, "invalid UUID length: 37", SceneryFor.Error(), "Errou")
+}
+
+func TestGetId(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Scenery one", "casdoor", "admin/casdoor"},
+		{"Scenery two", "casbin", "admin/casbin"},
+		{"Scenery three", "lorem ipsum", "admin/lorem ipsum"},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := GetId(scenery.input)
+			assert.Equal(t, scenery.expected, actual, "This not is a valid MD5")
+		})
+	}
+}
+
+func TestGetMd5Hash(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Scenery one", "casdoor", "0b874f488b4705693a60256b8f3a32da"},
+		{"Scenery two", "casbin", "59c5a967f086f65366a80dbdd1205a6c"},
+		{"Scenery three", "lorem ipsum", "80a751fde577028640c419000e33eba6"},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := GetMd5Hash(scenery.input)
+			assert.Equal(t, scenery.expected, actual, "This not is a valid MD5")
+		})
+	}
+}
+
+func TestIsStrsEmpty(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       []string
+		expected    interface{}
+	}{
+		{"Should be return true if one is empty", []string{"", "lorem", "ipsum"}, true},
+		{"Should be return true if is empty", []string{""}, true},
+		{"Should be return false all is a valid string", []string{"lorem", "ipsum"}, false},
+		{"Should be return false is function called with empty parameters", []string{}, false},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := IsStrsEmpty(scenery.input...)
+			assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+		})
+	}
+}
+
+func TestGetMaxLenStr(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       []string
+		expected    interface{}
+	}{
+		{"Should be return casdoor", []string{"", "casdoor", "casbin"}, "casdoor"},
+		{"Should be return casdoor_jdk", []string{"", "casdoor", "casbin", "casdoor_jdk"}, "casdoor_jdk"},
+		{"Should be return empty string", []string{""}, ""},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := GetMaxLenStr(scenery.input...)
+			assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+		})
+	}
+}
+
+func TestGetMinLenStr(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       []string
+		expected    interface{}
+	}{
+		{"Should be return casbin", []string{"casdoor", "casbin"}, "casbin"},
+		{"Should be return casbin", []string{"casdoor", "casbin", "casdoor_jdk"}, "casbin"},
+		{"Should be return empty string", []string{"a", "", "casbin"}, ""},
+		{"Should be return a", []string{"a", "casdoor", "casbin"}, "a"},
+		{"Should be return a", []string{"casdoor", "a", "casbin"}, "a"},
+		{"Should be return a", []string{"casbin", "casdoor", "a"}, "a"},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := GetMinLenStr(scenery.input...)
+			assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+		})
+	}
+}
+
+func TestSnakeString(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Should be return casdor_is_the_best", "CasdoorIsTheBest", "casdoor_is_the_best"},
+		{"Should be return lorem_ipsum", "Lorem Ipsum", "lorem_ipsum"},
+		{"Should be return lorem_ipsum", "lorem Ipsum", "lorem_ipsum"},
+		{"Should be return loremipsum", "lorem ipsum", "loremipsum"},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := SnakeString(scenery.input)
+			assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+		})
+	}
+}
+

web/package.json

@@ -29,7 +29,9 @@
     "react-i18next": "^11.8.7",
     "react-router-dom": "^5.2.0",
     "react-scripts": "4.0.3",
-    "react-social-login-buttons": "^3.4.0"
+    "react-social-login-buttons": "^3.4.0",
+    "react-app-polyfill": "^3.0.0",
+    "core-js": "^3.21.1"
   },
   "scripts": {
     "start": "cross-env PORT=7001 craco start",
@@ -46,12 +48,14 @@
     "production": [
       ">0.2%",
       "not dead",
-      "not op_mini all"
+      "not op_mini all",
+      "ie > 8"
     ],
     "development": [
       "last 1 chrome version",
       "last 1 firefox version",
-      "last 1 safari version"
+      "last 1 safari version",
+      "ie > 8"
     ]
   },
   "devDependencies": {

web/src/App.js

@@ -43,11 +43,16 @@ import SyncerListPage from "./SyncerListPage";
 import SyncerEditPage from "./SyncerEditPage";
 import CertListPage from "./CertListPage";
 import CertEditPage from "./CertEditPage";
+import ProductListPage from "./ProductListPage";
+import ProductEditPage from "./ProductEditPage";
+import ProductBuyPage from "./ProductBuyPage";
 import PaymentListPage from "./PaymentListPage";
 import PaymentEditPage from "./PaymentEditPage";
+import PaymentResultPage from "./PaymentResultPage";
 import AccountPage from "./account/AccountPage";
 import HomePage from "./basic/HomePage";
 import CustomGithubCorner from "./CustomGithubCorner";
+import * as Conf from "./Conf";
 
 import * as Auth from "./auth/Auth";
 import SignupPage from "./auth/SignupPage";
@@ -128,6 +133,8 @@ class App extends Component {
       this.setState({ selectedMenuKey: '/syncers' });
     } else if (uri.includes('/certs')) {
       this.setState({ selectedMenuKey: '/certs' });
+    } else if (uri.includes('/products')) {
+      this.setState({ selectedMenuKey: '/products' });
     } else if (uri.includes('/payments')) {
       this.setState({ selectedMenuKey: '/payments' });
     } else if (uri.includes('/signup')) {
@@ -141,16 +148,14 @@ class App extends Component {
     }
   }
 
-  getAccessTokenParam() {
+  getAccessTokenParam(params) {
     // "/page?access_token=123"
-    const params = new URLSearchParams(this.props.location.search);
     const accessToken = params.get("access_token");
     return accessToken === null ? "" : `?accessToken=${accessToken}`;
   }
 
-  getCredentialParams() {
+  getCredentialParams(params) {
     // "/page?username=abc&password=123"
-    const params = new URLSearchParams(this.props.location.search);
     if (params.get("username") === null || params.get("password") === null) {
       return "";
     }
@@ -158,8 +163,17 @@ class App extends Component {
   }
 
   getUrlWithoutQuery() {
-    // eslint-disable-next-line no-restricted-globals
-    return location.toString().replace(location.search, "");
+    return window.location.toString().replace(window.location.search, "");
+  }
+
+  getLanguageParam(params) {
+    // "/page?language=en"
+    const language = params.get("language");
+    if (language !== null) {
+      Setting.setLanguage(language);
+      return `language=${language}`;
+    }
+    return "";
   }
 
   setLanguage(account) {
@@ -170,13 +184,23 @@ class App extends Component {
   }
 
   getAccount() {
-    let query = this.getAccessTokenParam();
+    const params = new URLSearchParams(this.props.location.search);
+
+    let query = this.getAccessTokenParam(params);
     if (query === "") {
-      query = this.getCredentialParams();
+      query = this.getCredentialParams(params);
     }
+
+    const query2 = this.getLanguageParam(params);
+    if (query2 !== "") {
+      const url = window.location.toString().replace(new RegExp(`[?&]${query2}`), "");
+      window.history.replaceState({}, document.title, url);
+    }
+
     if (query !== "") {
       window.history.replaceState({}, document.title, this.getUrlWithoutQuery());
     }
+
     AuthBackend.getAccount(query)
       .then((res) => {
         let account = null;
@@ -211,8 +235,12 @@ class App extends Component {
           });
 
           Setting.showMessage("success", `Logged out successfully`);
-
-          Setting.goToLinkSoft(this, "/");
+          let redirectUri = res.data2;
+          if (redirectUri !== null && redirectUri !== undefined && redirectUri !== "") {
+            Setting.goToLink(redirectUri);
+          }else{
+            Setting.goToLinkSoft(this, "/");
+          }
         } else {
           Setting.showMessage("error", `Failed to log out: ${res.msg}`);
         }
@@ -412,13 +440,24 @@ class App extends Component {
           </Link>
         </Menu.Item>
       );
-      res.push(
-        <Menu.Item key="/payments">
-          <Link to="/payments">
-            {i18next.t("general:Payments")}
-          </Link>
-        </Menu.Item>
-      );
+
+      if (Conf.EnableExtraPages) {
+        res.push(
+          <Menu.Item key="/products">
+            <Link to="/products">
+              {i18next.t("general:Products")}
+            </Link>
+          </Menu.Item>
+        );
+        res.push(
+          <Menu.Item key="/payments">
+            <Link to="/payments">
+              {i18next.t("general:Payments")}
+            </Link>
+          </Menu.Item>
+        );
+      }
+
       res.push(
         <Menu.Item key="/swagger">
           <a target="_blank" rel="noreferrer" href={Setting.isLocalhost() ? `${Setting.ServerUrl}/swagger` : "/swagger"}>
@@ -490,8 +529,12 @@ class App extends Component {
           <Route exact path="/syncers/:syncerName" render={(props) => this.renderLoginIfNotLoggedIn(<SyncerEditPage account={this.state.account} {...props} />)}/>
           <Route exact path="/certs" render={(props) => this.renderLoginIfNotLoggedIn(<CertListPage account={this.state.account} {...props} />)}/>
           <Route exact path="/certs/:certName" render={(props) => this.renderLoginIfNotLoggedIn(<CertEditPage account={this.state.account} {...props} />)}/>
+          <Route exact path="/products" render={(props) => this.renderLoginIfNotLoggedIn(<ProductListPage account={this.state.account} {...props} />)}/>
+          <Route exact path="/products/:productName" render={(props) => this.renderLoginIfNotLoggedIn(<ProductEditPage account={this.state.account} {...props} />)}/>
+          <Route exact path="/products/:productName/buy" render={(props) => this.renderLoginIfNotLoggedIn(<ProductBuyPage account={this.state.account} {...props} />)}/>
           <Route exact path="/payments" render={(props) => this.renderLoginIfNotLoggedIn(<PaymentListPage account={this.state.account} {...props} />)}/>
           <Route exact path="/payments/:paymentName" render={(props) => this.renderLoginIfNotLoggedIn(<PaymentEditPage account={this.state.account} {...props} />)}/>
+          <Route exact path="/payments/:paymentName/result" render={(props) => this.renderLoginIfNotLoggedIn(<PaymentResultPage account={this.state.account} {...props} />)}/>
           <Route exact path="/records" render={(props) => this.renderLoginIfNotLoggedIn(<RecordListPage account={this.state.account} {...props} />)}/>
           <Route exact path="/.well-known/openid-configuration" render={(props) => <OdicDiscoveryPage />}/>
           <Route path="" render={() => <Result status="404" title="404 NOT FOUND" subTitle={i18next.t("general:Sorry, the page you visited does not exist.")}
@@ -514,22 +557,22 @@ class App extends Component {
                 </Link>
               )
             }
-            <Menu
-              // theme="dark"
-              mode={(Setting.isMobile() && this.isStartPages()) ? "inline" : "horizontal"}
-              selectedKeys={[`${this.state.selectedMenuKey}`]}
-              style={{ lineHeight: '64px'}}
-            >
+            <div>
+              <Menu
+                  // theme="dark"
+                  mode={(Setting.isMobile() && this.isStartPages()) ? "inline" : "horizontal"}
+                  selectedKeys={[`${this.state.selectedMenuKey}`]}
+                  style={{lineHeight: '64px', width: '80%', position: 'absolute'}}
+              >
+                {
+                  this.renderMenu()
+                }
+              </Menu>
               {
-                this.renderMenu()
+                this.renderAccount()
               }
-            <div style = {{float: 'right'}}>
-            {
-              this.renderAccount()
-            }
-          <SelectLanguageBox/>
-          </div>
-            </Menu>
+              <SelectLanguageBox/>
+            </div>
           </Header>
           <Layout style={{backgroundColor: "#f5f5f5", alignItems: 'stretch'}}>
             <Card className="content-warp-card">