feat: fix incorrect VerifyTypePhone value (#1968 )

fix: clean timeout when componentWillUnmount in PaymentResult page (#1962 )
fix: fix bug in PayPal payment provider (#1959 )
2025-07-15 06:13:49 +08:00 · 2023-06-13 17:26:37 +08:00 · 2023-06-13 02:00:52 +08:00 · 2023-06-12 13:43:37 +08:00 · 2023-06-12 09:27:16 +08:00 · 2023-06-12 01:57:58 +08:00
297 changed files with 21540 additions and 6121 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -66,7 +66,7 @@ jobs:
      - uses: actions/setup-go@v4
        with:
          go-version: '^1.16.5'
-          cache-dependency-path: ./go.mod
+          cache: false

      # gen a dummy config file
      - run: touch dummy.yml
--- a/.gitignore
+++ b/.gitignore
@ -30,3 +30,5 @@ commentsRouter*.go

 # ignore build result
 casdoor
+server_linux_arm64
+server_linux_amd64
--- a/4
+++ b/4
@ -1,11 +1,11 @@
-FROM node:16.13.0 AS FRONT
+FROM node:16.18.0 AS FRONT
 WORKDIR /web
 COPY ./web .
 RUN yarn config set registry https://registry.npmmirror.com
 RUN yarn install --frozen-lockfile --network-timeout 1000000 && yarn run build


-FROM golang:1.17.5 AS BACK
+FROM golang:1.19.9 AS BACK
 WORKDIR /go/src/casdoor
 COPY . .
 RUN ./build.sh
--- a/ai/ai.go
+++ b/ai/ai.go
@ -0,0 +1,141 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ai
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/sashabaranov/go-openai"
+)
+
+func queryAnswer(authToken string, question string, timeout int) (string, error) {
+	// fmt.Printf("Question: %s\n", question)
+
+	client := getProxyClientFromToken(authToken)
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(2+timeout*2)*time.Second)
+	defer cancel()
+
+	resp, err := client.CreateChatCompletion(
+		ctx,
+		openai.ChatCompletionRequest{
+			Model: openai.GPT3Dot5Turbo,
+			Messages: []openai.ChatCompletionMessage{
+				{
+					Role:    openai.ChatMessageRoleUser,
+					Content: question,
+				},
+			},
+		},
+	)
+	if err != nil {
+		return "", err
+	}
+
+	res := resp.Choices[0].Message.Content
+	res = strings.Trim(res, "\n")
+	// fmt.Printf("Answer: %s\n\n", res)
+	return res, nil
+}
+
+func QueryAnswerSafe(authToken string, question string) string {
+	var res string
+	var err error
+	for i := 0; i < 10; i++ {
+		res, err = queryAnswer(authToken, question, i)
+		if err != nil {
+			if i > 0 {
+				fmt.Printf("\tFailed (%d): %s\n", i+1, err.Error())
+			}
+		} else {
+			break
+		}
+	}
+	if err != nil {
+		panic(err)
+	}
+
+	return res
+}
+
+func QueryAnswerStream(authToken string, question string, writer io.Writer, builder *strings.Builder) error {
+	client := getProxyClientFromToken(authToken)
+
+	ctx := context.Background()
+	flusher, ok := writer.(http.Flusher)
+	if !ok {
+		return fmt.Errorf("writer does not implement http.Flusher")
+	}
+	// https://platform.openai.com/tokenizer
+	// https://github.com/pkoukk/tiktoken-go#available-encodings
+	promptTokens, err := getTokenSize(openai.GPT3TextDavinci003, question)
+	if err != nil {
+		return err
+	}
+
+	// https://platform.openai.com/docs/models/gpt-3-5
+	maxTokens := 4097 - promptTokens
+
+	respStream, err := client.CreateCompletionStream(
+		ctx,
+		openai.CompletionRequest{
+			Model:     openai.GPT3TextDavinci003,
+			Prompt:    question,
+			MaxTokens: maxTokens,
+			Stream:    true,
+		},
+	)
+	if err != nil {
+		return err
+	}
+	defer respStream.Close()
+
+	isLeadingReturn := true
+	for {
+		completion, streamErr := respStream.Recv()
+		if streamErr != nil {
+			if streamErr == io.EOF {
+				break
+			}
+			return streamErr
+		}
+
+		data := completion.Choices[0].Text
+		if isLeadingReturn && len(data) != 0 {
+			if strings.Count(data, "\n") == len(data) {
+				continue
+			} else {
+				isLeadingReturn = false
+			}
+		}
+
+		fmt.Printf("%s", data)
+
+		// Write the streamed data as Server-Sent Events
+		if _, err = fmt.Fprintf(writer, "data: %s\n\n", data); err != nil {
+			return err
+		}
+		flusher.Flush()
+		// Append the response to the strings.Builder
+		builder.WriteString(data)
+	}
+
+	return nil
+}
--- a/ai/ai_test.go
+++ b/ai/ai_test.go
@ -0,0 +1,42 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !skipCi
+// +build !skipCi
+
+package ai
+
+import (
+	"testing"
+
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/sashabaranov/go-openai"
+)
+
+func TestRun(t *testing.T) {
+	object.InitConfig()
+	proxy.InitHttpClient()
+
+	text, err := queryAnswer("", "hi", 5)
+	if err != nil {
+		panic(err)
+	}
+
+	println(text)
+}
+
+func TestToken(t *testing.T) {
+	println(getTokenSize(openai.GPT3TextDavinci003, ""))
+}
--- a/ai/proxy.go
+++ b/ai/proxy.go
@ -0,0 +1,28 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ai
+
+import (
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/sashabaranov/go-openai"
+)
+
+func getProxyClientFromToken(authToken string) *openai.Client {
+	config := openai.DefaultConfig(authToken)
+	config.HTTPClient = proxy.ProxyHttpClient
+
+	c := openai.NewClientWithConfig(config)
+	return c
+}
--- a/ai/util.go
+++ b/ai/util.go
@ -0,0 +1,28 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ai
+
+import "github.com/pkoukk/tiktoken-go"
+
+func getTokenSize(model string, prompt string) (int, error) {
+	tkm, err := tiktoken.EncodingForModel(model)
+	if err != nil {
+		return 0, err
+	}
+
+	token := tkm.Encode(prompt, nil, nil)
+	res := len(token)
+	return res, nil
+}
--- a/authz/authz.go
+++ b/authz/authz.go
@ -15,13 +15,13 @@
 package authz

 import (
-	"fmt"
 	"strings"

 	"github.com/casbin/casbin/v2"
 	"github.com/casbin/casbin/v2/model"
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 	xormadapter "github.com/casdoor/xorm-adapter/v3"
 	stringadapter "github.com/qiangmzsx/string-adapter/v2"
 )
@ -88,8 +88,10 @@ p, *, *, GET, /api/logout, *, *
 p, *, *, GET, /api/get-account, *, *
 p, *, *, GET, /api/userinfo, *, *
 p, *, *, GET, /api/user, *, *
+p, *, *, GET, /api/health, *, *
 p, *, *, POST, /api/webhook, *, *
 p, *, *, GET, /api/get-webhook-event, *, *
+p, *, *, GET, /api/get-captcha-status, *, *
 p, *, *, *, /api/login/oauth, *, *
 p, *, *, GET, /api/get-application, *, *
 p, *, *, GET, /api/get-organization-applications, *, *
@ -120,6 +122,11 @@ p, *, *, *, /cas, *, *
 p, *, *, *, /api/webauthn, *, *
 p, *, *, GET, /api/get-release, *, *
 p, *, *, GET, /api/get-default-application, *, *
+p, *, *, GET, /api/get-prometheus-info, *, *
+p, *, *, *, /api/metrics, *, *
+p, *, *, GET, /api/get-pricing, *, *
+p, *, *, GET, /api/get-plan, *, *
+p, *, *, GET, /api/get-organization-names, *, *
 `

 		sa := stringadapter.NewAdapter(ruleText)
@ -146,9 +153,12 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o
 		}
 	}

-	userId := fmt.Sprintf("%s/%s", subOwner, subName)
-	user := object.GetUser(userId)
-	if user != nil && user.IsAdmin && (subOwner == objOwner || (objOwner == "admin" && subOwner == objName)) {
+	user, err := object.GetUser(util.GetId(subOwner, subName))
+	if err != nil {
+		panic(err)
+	}
+
+	if user != nil && user.IsAdmin && (subOwner == objOwner || (objOwner == "admin")) {
 		return true
 	}

--- a/conf/app.conf
+++ b/conf/app.conf
@ -20,5 +20,6 @@ staticBaseUrl = "https://cdn.casbin.org"
 isDemoMode = false
 batchSize = 100
 ldapServerPort = 389
-languages = en,zh,es,fr,de,id,ja,ko,ru,vi
 quota = {"organization": -1, "user": -1, "application": -1, "provider": -1}
+logConfig = {"filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}
+initDataFile = "./init_data.json"
--- a/conf/conf.go
+++ b/conf/conf.go
@ -16,7 +16,6 @@ package conf

 import (
 	"encoding/json"
-	"fmt"
 	"os"
 	"runtime"
 	"strconv"
@ -67,20 +66,21 @@ func GetConfigString(key string) string {
 	if res == "" {
 		if key == "staticBaseUrl" {
 			res = "https://cdn.casbin.org"
+		} else if key == "logConfig" {
+			res = "{\"filename\": \"logs/casdoor.log\", \"maxdays\":99999, \"perm\":\"0770\"}"
 		}
 	}

 	return res
 }

-func GetConfigBool(key string) (bool, error) {
+func GetConfigBool(key string) bool {
 	value := GetConfigString(key)
 	if value == "true" {
-		return true, nil
-	} else if value == "false" {
-		return false, nil
+		return true
+	} else {
+		return false
 	}
-	return false, fmt.Errorf("value %s cannot be converted into bool", value)
 }

 func GetConfigInt64(key string) (int64, error) {
@ -110,15 +110,10 @@ func GetLanguage(language string) string {
 		return "en"
 	}

-	if len(language) < 2 {
+	if len(language) != 2 {
 		return "en"
-	}
-
-	language = language[0:2]
-	if strings.Contains(GetConfigString("languages"), language) {
-		return language
 	} else {
-		return "en"
+		return language
 	}
 }

--- a/conf/conf_test.go
+++ b/conf/conf_test.go
@ -87,7 +87,7 @@ func TestGetConfBool(t *testing.T) {
 	assert.Nil(t, err)
 	for _, scenery := range scenarios {
 		t.Run(scenery.description, func(t *testing.T) {
-			actual, err := GetConfigBool(scenery.input)
+			actual := GetConfigBool(scenery.input)
 			assert.Nil(t, err)
 			assert.Equal(t, scenery.expected, actual)
 		})
@ -109,3 +109,19 @@ func TestGetConfigQuota(t *testing.T) {
 		assert.Equal(t, scenery.expected, quota)
 	}
 }
+
+func TestGetConfigLogs(t *testing.T) {
+	scenarios := []struct {
+		description string
+		expected    string
+	}{
+		{"Default log config", `{"filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}`},
+	}
+
+	err := beego.LoadAppConfig("ini", "app.conf")
+	assert.Nil(t, err)
+	for _, scenery := range scenarios {
+		quota := GetConfigString("logConfig")
+		assert.Equal(t, scenery.expected, quota)
+	}
+}
--- a/controllers/account.go
+++ b/controllers/account.go
@ -21,6 +21,7 @@ import (
 	"strconv"
 	"strings"

+	"github.com/casdoor/casdoor/form"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@ -34,44 +35,6 @@ const (
 	ResponseTypeCas     = "cas"
 )

-type RequestForm struct {
-	Type string `json:"type"`
-
-	Organization string `json:"organization"`
-	Username     string `json:"username"`
-	Password     string `json:"password"`
-	Name         string `json:"name"`
-	FirstName    string `json:"firstName"`
-	LastName     string `json:"lastName"`
-	Email        string `json:"email"`
-	Phone        string `json:"phone"`
-	Affiliation  string `json:"affiliation"`
-	IdCard       string `json:"idCard"`
-	Region       string `json:"region"`
-
-	Application string `json:"application"`
-	ClientId    string `json:"clientId"`
-	Provider    string `json:"provider"`
-	Code        string `json:"code"`
-	State       string `json:"state"`
-	RedirectUri string `json:"redirectUri"`
-	Method      string `json:"method"`
-
-	EmailCode   string `json:"emailCode"`
-	PhoneCode   string `json:"phoneCode"`
-	CountryCode string `json:"countryCode"`
-
-	AutoSignin bool `json:"autoSignin"`
-
-	RelayState   string `json:"relayState"`
-	SamlRequest  string `json:"samlRequest"`
-	SamlResponse string `json:"samlResponse"`
-
-	CaptchaType  string `json:"captchaType"`
-	CaptchaToken string `json:"captchaToken"`
-	ClientSecret string `json:"clientSecret"`
-}
-
 type Response struct {
 	Status string      `json:"status"`
 	Msg    string      `json:"msg"`
@ -108,28 +71,38 @@ func (c *ApiController) Signup() {
 		return
 	}

-	var form RequestForm
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &form)
+	var authForm form.AuthForm
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &authForm)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	application, err := object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
 	if !application.EnableSignUp {
 		c.ResponseError(c.T("account:The application does not allow to sign up new account"))
 		return
 	}

-	organization := object.GetOrganization(fmt.Sprintf("%s/%s", "admin", form.Organization))
-	msg := object.CheckUserSignup(application, organization, form.Username, form.Password, form.Name, form.FirstName, form.LastName, form.Email, form.Phone, form.CountryCode, form.Affiliation, c.GetAcceptLanguage())
+	organization, err := object.GetOrganization(util.GetId("admin", authForm.Organization))
+	if err != nil {
+		c.ResponseError(c.T(err.Error()))
+		return
+	}
+
+	msg := object.CheckUserSignup(application, organization, &authForm, c.GetAcceptLanguage())
 	if msg != "" {
 		c.ResponseError(msg)
 		return
 	}

-	if application.IsSignupItemVisible("Email") && application.GetSignupItemRule("Email") != "No verification" && form.Email != "" {
-		checkResult := object.CheckVerificationCode(form.Email, form.EmailCode, c.GetAcceptLanguage())
+	if application.IsSignupItemVisible("Email") && application.GetSignupItemRule("Email") != "No verification" && authForm.Email != "" {
+		checkResult := object.CheckVerificationCode(authForm.Email, authForm.EmailCode, c.GetAcceptLanguage())
 		if checkResult.Code != object.VerificationSuccess {
 			c.ResponseError(checkResult.Msg)
 			return
@ -137,9 +110,9 @@ func (c *ApiController) Signup() {
 	}

 	var checkPhone string
-	if application.IsSignupItemVisible("Phone") && application.GetSignupItemRule("Phone") != "No verification" && form.Phone != "" {
-		checkPhone, _ = util.GetE164Number(form.Phone, form.CountryCode)
-		checkResult := object.CheckVerificationCode(checkPhone, form.PhoneCode, c.GetAcceptLanguage())
+	if application.IsSignupItemVisible("Phone") && application.GetSignupItemRule("Phone") != "No verification" && authForm.Phone != "" {
+		checkPhone, _ = util.GetE164Number(authForm.Phone, authForm.CountryCode)
+		checkResult := object.CheckVerificationCode(checkPhone, authForm.PhoneCode, c.GetAcceptLanguage())
 		if checkResult.Code != object.VerificationSuccess {
 			c.ResponseError(checkResult.Msg)
 			return
@ -148,7 +121,11 @@ func (c *ApiController) Signup() {

 	id := util.GenerateId()
 	if application.GetSignupItemRule("ID") == "Incremental" {
-		lastUser := object.GetLastUser(form.Organization)
+		lastUser, err := object.GetLastUser(authForm.Organization)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}

 		lastIdInt := -1
 		if lastUser != nil {
@ -158,33 +135,33 @@ func (c *ApiController) Signup() {
 		id = strconv.Itoa(lastIdInt + 1)
 	}

-	username := form.Username
+	username := authForm.Username
 	if !application.IsSignupItemVisible("Username") {
 		username = id
 	}

-	initScore, err := getInitScore(organization)
+	initScore, err := organization.GetInitScore()
 	if err != nil {
 		c.ResponseError(fmt.Errorf(c.T("account:Get init score failed, error: %w"), err).Error())
 		return
 	}

 	user := &object.User{
-		Owner:             form.Organization,
+		Owner:             authForm.Organization,
 		Name:              username,
 		CreatedTime:       util.GetCurrentTime(),
 		Id:                id,
 		Type:              "normal-user",
-		Password:          form.Password,
-		DisplayName:       form.Name,
+		Password:          authForm.Password,
+		DisplayName:       authForm.Name,
 		Avatar:            organization.DefaultAvatar,
-		Email:             form.Email,
-		Phone:             form.Phone,
-		CountryCode:       form.CountryCode,
+		Email:             authForm.Email,
+		Phone:             authForm.Phone,
+		CountryCode:       authForm.CountryCode,
 		Address:           []string{},
-		Affiliation:       form.Affiliation,
-		IdCard:            form.IdCard,
-		Region:            form.Region,
+		Affiliation:       authForm.Affiliation,
+		IdCard:            authForm.IdCard,
+		Region:            authForm.Region,
 		Score:             initScore,
 		IsAdmin:           false,
 		IsGlobalAdmin:     false,
@ -203,28 +180,55 @@ func (c *ApiController) Signup() {
 	}

 	if application.GetSignupItemRule("Display name") == "First, last" {
-		if form.FirstName != "" || form.LastName != "" {
-			user.DisplayName = fmt.Sprintf("%s %s", form.FirstName, form.LastName)
-			user.FirstName = form.FirstName
-			user.LastName = form.LastName
+		if authForm.FirstName != "" || authForm.LastName != "" {
+			user.DisplayName = fmt.Sprintf("%s %s", authForm.FirstName, authForm.LastName)
+			user.FirstName = authForm.FirstName
+			user.LastName = authForm.LastName
 		}
 	}

-	affected := object.AddUser(user)
+	affected, err := object.AddUser(user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	if !affected {
 		c.ResponseError(c.T("account:Failed to add user"), util.StructToJson(user))
 		return
 	}

-	object.AddUserToOriginalDatabase(user)
+	err = object.AddUserToOriginalDatabase(user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

 	if application.HasPromptPage() {
 		// The prompt page needs the user to be signed in
 		c.SetSessionUsername(user.GetId())
 	}

-	object.DisableVerificationCode(form.Email)
-	object.DisableVerificationCode(checkPhone)
+	err = object.DisableVerificationCode(authForm.Email)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	err = object.DisableVerificationCode(checkPhone)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	isSignupFromPricing := authForm.Plan != "" && authForm.Pricing != ""
+	if isSignupFromPricing {
+		_, err = object.Subscribe(organization.Name, user.Name, authForm.Plan, authForm.Pricing)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	}

 	record := object.NewRecord(c.Ctx)
 	record.Organization = application.Organization
@ -263,7 +267,11 @@ func (c *ApiController) Logout() {

 		c.ClearUserSession()
 		owner, username := util.GetOwnerAndNameFromId(user)
-		object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID())
+		_, err := object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID())
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}

 		util.LogInfo(c.Ctx, "API: [%s] logged out", user)

@ -284,7 +292,12 @@ func (c *ApiController) Logout() {
 			return
 		}

-		affected, application, token := object.ExpireTokenByAccessToken(accessToken)
+		affected, application, token, err := object.ExpireTokenByAccessToken(accessToken)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		if !affected {
 			c.ResponseError(c.T("token:Token not found, invalid accessToken"))
 			return
@ -304,7 +317,12 @@ func (c *ApiController) Logout() {
 			// TODO https://github.com/casdoor/casdoor/pull/1494#discussion_r1095675265
 			owner, username := util.GetOwnerAndNameFromId(user)

-			object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID())
+			_, err := object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID())
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+
 			util.LogInfo(c.Ctx, "API: [%s] logged out", user)

 			c.Ctx.Redirect(http.StatusFound, fmt.Sprintf("%s?state=%s", strings.TrimRight(redirectUri, "/"), state))
@ -322,6 +340,7 @@ func (c *ApiController) Logout() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /get-account [get]
 func (c *ApiController) GetAccount() {
+	var err error
 	user, ok := c.RequireSignedInUser()
 	if !ok {
 		return
@ -329,20 +348,39 @@ func (c *ApiController) GetAccount() {

 	managedAccounts := c.Input().Get("managedAccounts")
 	if managedAccounts == "1" {
-		user = object.ExtendManagedAccountsWithUser(user)
+		user, err = object.ExtendManagedAccountsWithUser(user)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 	}

-	object.ExtendUserWithRolesAndPermissions(user)
+	err = object.ExtendUserWithRolesAndPermissions(user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

 	user.Permissions = object.GetMaskedPermissions(user.Permissions)
 	user.Roles = object.GetMaskedRoles(user.Roles)

-	organization := object.GetMaskedOrganization(object.GetOrganizationByUser(user))
+	organization, err := object.GetMaskedOrganization(object.GetOrganizationByUser(user))
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	u, err := object.GetMaskedUser(user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	resp := Response{
 		Status: "ok",
 		Sub:    user.Id,
 		Name:   user.Name,
-		Data:   object.GetMaskedUser(user),
+		Data:   u,
 		Data2:  organization,
 	}
 	c.Data["json"] = resp
@ -423,7 +461,12 @@ func (c *ApiController) GetCaptcha() {

 	if captchaProvider != nil {
 		if captchaProvider.Type == "Default" {
-			id, img := object.GetCaptcha()
+			id, img, err := object.GetCaptcha()
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+
 			c.ResponseOk(Captcha{Type: captchaProvider.Type, CaptchaId: id, CaptchaImage: img})
 			return
 		} else if captchaProvider.Type != "" {
--- a/controllers/application.go
+++ b/controllers/application.go
@ -40,21 +40,35 @@ func (c *ApiController) GetApplications() {
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
 	organization := c.Input().Get("organization")
-
+	var err error
 	if limit == "" || page == "" {
 		var applications []*object.Application
 		if organization == "" {
-			applications = object.GetApplications(owner)
+			applications, err = object.GetApplications(owner)
 		} else {
-			applications = object.GetOrganizationApplications(owner, organization)
+			applications, err = object.GetOrganizationApplications(owner, organization)
+		}
+
+		if err != nil {
+			panic(err)
 		}

 		c.Data["json"] = object.GetMaskedApplications(applications, userId)
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetApplicationCount(owner, field, value)))
-		applications := object.GetMaskedApplications(object.GetPaginationApplications(owner, paginator.Offset(), limit, field, value, sortField, sortOrder), userId)
+		count, err := object.GetApplicationCount(owner, field, value)
+		if err != nil {
+			panic(err)
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		app, err := object.GetPaginationApplications(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			panic(err)
+		}
+
+		applications := object.GetMaskedApplications(app, userId)
 		c.ResponseOk(applications, paginator.Nums())
 	}
 }
@ -69,8 +83,12 @@ func (c *ApiController) GetApplications() {
 func (c *ApiController) GetApplication() {
 	userId := c.GetSessionUsername()
 	id := c.Input().Get("id")
+	app, err := object.GetApplication(id)
+	if err != nil {
+		panic(err)
+	}

-	c.Data["json"] = object.GetMaskedApplication(object.GetApplication(id), userId)
+	c.Data["json"] = object.GetMaskedApplication(app, userId)
 	c.ServeJSON()
 }

@ -84,13 +102,22 @@ func (c *ApiController) GetApplication() {
 func (c *ApiController) GetUserApplication() {
 	userId := c.GetSessionUsername()
 	id := c.Input().Get("id")
-	user := object.GetUser(id)
+	user, err := object.GetUser(id)
+	if err != nil {
+		panic(err)
+	}
+
 	if user == nil {
 		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), id))
 		return
 	}

-	c.Data["json"] = object.GetMaskedApplication(object.GetApplicationByUser(user), userId)
+	app, err := object.GetApplicationByUser(user)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = object.GetMaskedApplication(app, userId)
 	c.ServeJSON()
 }

@ -118,14 +145,30 @@ func (c *ApiController) GetOrganizationApplications() {
 	}

 	if limit == "" || page == "" {
-		var applications []*object.Application
-		applications = object.GetOrganizationApplications(owner, organization)
+		applications, err := object.GetOrganizationApplications(owner, organization)
+		if err != nil {
+			panic(err)
+		}
+
 		c.Data["json"] = object.GetMaskedApplications(applications, userId)
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetOrganizationApplicationCount(owner, organization, field, value)))
-		applications := object.GetMaskedApplications(object.GetPaginationOrganizationApplications(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder), userId)
+
+		count, err := object.GetOrganizationApplicationCount(owner, organization, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		app, err := object.GetPaginationOrganizationApplications(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		applications := object.GetMaskedApplications(app, userId)
 		c.ResponseOk(applications, paginator.Nums())
 	}
 }
@ -167,8 +210,13 @@ func (c *ApiController) AddApplication() {
 		return
 	}

-	count := object.GetApplicationCount("", "", "")
-	if err := checkQuotaForApplication(count); err != nil {
+	count, err := object.GetApplicationCount("", "", "")
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if err := checkQuotaForApplication(int(count)); err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
--- a/controllers/auth.go
+++ b/controllers/auth.go
@ -24,10 +24,10 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"time"

 	"github.com/casdoor/casdoor/captcha"
 	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/form"
 	"github.com/casdoor/casdoor/idp"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/proxy"
@ -56,7 +56,7 @@ func tokenToResponse(token *object.Token) *Response {
 }

 // HandleLoggedIn ...
-func (c *ApiController) HandleLoggedIn(application *object.Application, user *object.User, form *RequestForm) (resp *Response) {
+func (c *ApiController) HandleLoggedIn(application *object.Application, user *object.User, form *form.AuthForm) (resp *Response) {
 	userId := user.GetId()

 	allowed, err := object.CheckAccessPermission(userId, application)
@ -69,6 +69,12 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		return
 	}

+	if form.Password != "" && user.IsMfaEnabled() {
+		c.setMfaSessionData(&object.MfaSessionData{UserId: userId})
+		resp = &Response{Status: object.NextMfa, Data: user.GetPreferMfa(true)}
+		return
+	}
+
 	if form.Type == ResponseTypeLogin {
 		c.SetSessionUsername(userId)
 		util.LogInfo(c.Ctx, "API: [%s] signed in", userId)
@ -87,7 +93,12 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 			c.ResponseError(c.T("auth:Challenge method should be S256"))
 			return
 		}
-		code := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host, c.GetAcceptLanguage())
+		code, err := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host, c.GetAcceptLanguage())
+		if err != nil {
+			c.ResponseError(err.Error(), nil)
+			return
+		}
+
 		resp = codeToResponse(code)

 		if application.EnableSigninSession || application.HasPromptPage() {
@ -132,20 +143,20 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob

 	// if user did not check auto signin
 	if resp.Status == "ok" && !form.AutoSignin {
-		timestamp := time.Now().Unix()
-		timestamp += 3600 * 24
-		c.SetSessionData(&SessionData{
-			ExpireTime: timestamp,
-		})
+		c.setExpireForSession()
 	}

-	if resp.Status == "ok" && user.Owner == object.CasdoorOrganization && application.Name == object.CasdoorApplication {
-		object.AddSession(&object.Session{
+	if resp.Status == "ok" {
+		_, err = object.AddSession(&object.Session{
 			Owner:       user.Owner,
 			Name:        user.Name,
 			Application: application.Name,
 			SessionId:   []string{c.Ctx.Input.CruSession.SessionID()},
 		})
+		if err != nil {
+			c.ResponseError(err.Error(), nil)
+			return
+		}
 	}

 	return resp
@ -169,7 +180,12 @@ func (c *ApiController) GetApplicationLogin() {
 	scope := c.Input().Get("scope")
 	state := c.Input().Get("state")

-	msg, application := object.CheckOAuthLogin(clientId, responseType, redirectUri, scope, state, c.GetAcceptLanguage())
+	msg, application, err := object.CheckOAuthLogin(clientId, responseType, redirectUri, scope, state, c.GetAcceptLanguage())
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	application = object.GetMaskedApplication(application, "")
 	if msg != "" {
 		c.ResponseError(msg, application)
@ -221,21 +237,21 @@ func isProxyProviderType(providerType string) bool {
 // @Param nonce     query    string  false nonce
 // @Param code_challenge_method   query    string  false code_challenge_method
 // @Param code_challenge          query    string  false code_challenge
-// @Param   form   body   controllers.RequestForm  true        "Login information"
+// @Param   form   body   controllers.AuthForm  true        "Login information"
 // @Success 200 {object} Response The Response object
 // @router /login [post]
 func (c *ApiController) Login() {
 	resp := &Response{}

-	var form RequestForm
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &form)
+	var authForm form.AuthForm
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &authForm)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	if form.Username != "" {
-		if form.Type == ResponseTypeLogin {
+	if authForm.Username != "" {
+		if authForm.Type == ResponseTypeLogin {
 			if c.GetSessionUsername() != "" {
 				c.ResponseError(c.T("account:Please sign out first"), c.GetSessionUsername())
 				return
@ -245,45 +261,60 @@ func (c *ApiController) Login() {
 		var user *object.User
 		var msg string

-		if form.Password == "" {
-			if user = object.GetUserByFields(form.Organization, form.Username); user == nil {
-				c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), util.GetId(form.Organization, form.Username)))
+		if authForm.Password == "" {
+			if user, err = object.GetUserByFields(authForm.Organization, authForm.Username); err != nil {
+				c.ResponseError(err.Error(), nil)
+				return
+			} else if user == nil {
+				c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), util.GetId(authForm.Organization, authForm.Username)))
 				return
 			}

-			verificationCodeType := object.GetVerifyType(form.Username)
+			verificationCodeType := object.GetVerifyType(authForm.Username)
 			var checkDest string
 			if verificationCodeType == object.VerifyTypePhone {
-				form.CountryCode = user.GetCountryCode(form.CountryCode)
+				authForm.CountryCode = user.GetCountryCode(authForm.CountryCode)
 				var ok bool
-				if checkDest, ok = util.GetE164Number(form.Username, form.CountryCode); !ok {
-					c.ResponseError(fmt.Sprintf(c.T("verification:Phone number is invalid in your region %s"), form.CountryCode))
+				if checkDest, ok = util.GetE164Number(authForm.Username, authForm.CountryCode); !ok {
+					c.ResponseError(fmt.Sprintf(c.T("verification:Phone number is invalid in your region %s"), authForm.CountryCode))
 					return
 				}
 			}

 			// check result through Email or Phone
-			checkResult := object.CheckSigninCode(user, checkDest, form.Code, c.GetAcceptLanguage())
+			checkResult := object.CheckSigninCode(user, checkDest, authForm.Code, c.GetAcceptLanguage())
 			if len(checkResult) != 0 {
 				c.ResponseError(fmt.Sprintf("%s - %s", verificationCodeType, checkResult))
 				return
 			}

 			// disable the verification code
-			object.DisableVerificationCode(checkDest)
+			err := object.DisableVerificationCode(checkDest)
+			if err != nil {
+				c.ResponseError(err.Error(), nil)
+				return
+			}
 		} else {
-			application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
+			application, err := object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
+			if err != nil {
+				c.ResponseError(err.Error(), nil)
+				return
+			}
+
 			if application == nil {
-				c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), form.Application))
+				c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), authForm.Application))
 				return
 			}
 			if !application.EnablePassword {
 				c.ResponseError(c.T("auth:The login method: login with password is not enabled for the application"))
 				return
 			}
-
-			if object.CheckToEnableCaptcha(application) {
-				isHuman, err := captcha.VerifyCaptchaByCaptchaType(form.CaptchaType, form.CaptchaToken, form.ClientSecret)
+			var enableCaptcha bool
+			if enableCaptcha, err = object.CheckToEnableCaptcha(application, authForm.Organization, authForm.Username); err != nil {
+				c.ResponseError(err.Error())
+				return
+			} else if enableCaptcha {
+				isHuman, err := captcha.VerifyCaptchaByCaptchaType(authForm.CaptchaType, authForm.CaptchaToken, authForm.ClientSecret)
 				if err != nil {
 					c.ResponseError(err.Error())
 					return
@ -295,41 +326,71 @@ func (c *ApiController) Login() {
 				}
 			}

-			password := form.Password
-			user, msg = object.CheckUserPassword(form.Organization, form.Username, password, c.GetAcceptLanguage())
+			password := authForm.Password
+			user, msg = object.CheckUserPassword(authForm.Organization, authForm.Username, password, c.GetAcceptLanguage(), enableCaptcha)
 		}

 		if msg != "" {
 			resp = &Response{Status: "error", Msg: msg}
 		} else {
-			application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
-			if application == nil {
-				c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), form.Application))
+			application, err := object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
+			if err != nil {
+				c.ResponseError(err.Error())
 				return
 			}

-			resp = c.HandleLoggedIn(application, user, &form)
+			if application == nil {
+				c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), authForm.Application))
+				return
+			}
+
+			resp = c.HandleLoggedIn(application, user, &authForm)
+
+			organization, err := object.GetOrganizationByUser(user)
+			if err != nil {
+				c.ResponseError(err.Error())
+			}
+
+			if user != nil && organization.HasRequiredMfa() && !user.IsMfaEnabled() {
+				resp.Msg = object.RequiredMfa
+			}

 			record := object.NewRecord(c.Ctx)
 			record.Organization = application.Organization
 			record.User = user.Name
 			util.SafeGoroutine(func() { object.AddRecord(record) })
 		}
-	} else if form.Provider != "" {
+	} else if authForm.Provider != "" {
 		var application *object.Application
-		if form.ClientId != "" {
-			application = object.GetApplicationByClientId(form.ClientId)
+		if authForm.ClientId != "" {
+			application, err = object.GetApplicationByClientId(authForm.ClientId)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
 		} else {
-			application = object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
+			application, err = object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
 		}

 		if application == nil {
-			c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), form.Application))
+			c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), authForm.Application))
+			return
+		}
+		organization, err := object.GetOrganization(util.GetId("admin", application.Organization))
+		if err != nil {
+			c.ResponseError(c.T(err.Error()))
+		}
+
+		provider, err := object.GetProvider(util.GetId("admin", authForm.Provider))
+		if err != nil {
+			c.ResponseError(err.Error())
 			return
 		}

-		organization := object.GetOrganization(fmt.Sprintf("%s/%s", "admin", application.Organization))
-		provider := object.GetProvider(util.GetId("admin", form.Provider))
 		providerItem := application.GetProviderItem(provider.Name)
 		if !providerItem.IsProviderVisible() {
 			c.ResponseError(fmt.Sprintf(c.T("auth:The provider: %s is not enabled for the application"), provider.Name))
@ -339,7 +400,7 @@ func (c *ApiController) Login() {
 		userInfo := &idp.UserInfo{}
 		if provider.Category == "SAML" {
 			// SAML
-			userInfo.Id, err = object.ParseSamlResponse(form.SamlResponse, provider, c.Ctx.Request.Host)
+			userInfo.Id, err = object.ParseSamlResponse(authForm.SamlResponse, provider, c.Ctx.Request.Host)
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@ -354,7 +415,7 @@ func (c *ApiController) Login() {
 				clientSecret = provider.ClientSecret2
 			}

-			idProvider := idp.GetIdProvider(provider.Type, provider.SubType, clientId, clientSecret, provider.AppId, form.RedirectUri, provider.Domain, provider.CustomAuthUrl, provider.CustomTokenUrl, provider.CustomUserInfoUrl)
+			idProvider := idp.GetIdProvider(provider.Type, provider.SubType, clientId, clientSecret, provider.AppId, authForm.RedirectUri, provider.Domain, provider.CustomAuthUrl, provider.CustomTokenUrl, provider.CustomUserInfoUrl)
 			if idProvider == nil {
 				c.ResponseError(fmt.Sprintf(c.T("storage:The provider type: %s is not supported"), provider.Type))
 				return
@ -362,13 +423,13 @@ func (c *ApiController) Login() {

 			setHttpClient(idProvider, provider.Type)

-			if form.State != conf.GetConfigString("authState") && form.State != application.Name {
-				c.ResponseError(fmt.Sprintf(c.T("auth:State expected: %s, but got: %s"), conf.GetConfigString("authState"), form.State))
+			if authForm.State != conf.GetConfigString("authState") && authForm.State != application.Name {
+				c.ResponseError(fmt.Sprintf(c.T("auth:State expected: %s, but got: %s"), conf.GetConfigString("authState"), authForm.State))
 				return
 			}

 			// https://github.com/golang/oauth2/issues/123#issuecomment-103715338
-			token, err := idProvider.GetToken(form.Code)
+			token, err := idProvider.GetToken(authForm.Code)
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@ -386,12 +447,20 @@ func (c *ApiController) Login() {
 			}
 		}

-		if form.Method == "signup" {
+		if authForm.Method == "signup" {
 			user := &object.User{}
 			if provider.Category == "SAML" {
-				user = object.GetUser(fmt.Sprintf("%s/%s", application.Organization, userInfo.Id))
+				user, err = object.GetUser(util.GetId(application.Organization, userInfo.Id))
+				if err != nil {
+					c.ResponseError(err.Error())
+					return
+				}
 			} else if provider.Category == "OAuth" {
-				user = object.GetUserByField(application.Organization, provider.Type, userInfo.Id)
+				user, err = object.GetUserByField(application.Organization, provider.Type, userInfo.Id)
+				if err != nil {
+					c.ResponseError(err.Error())
+					return
+				}
 			}

 			if user != nil && !user.IsDeleted {
@ -401,7 +470,7 @@ func (c *ApiController) Login() {
 					c.ResponseError(c.T("check:The user is forbidden to sign in, please contact the administrator"))
 				}

-				resp = c.HandleLoggedIn(application, user, &form)
+				resp = c.HandleLoggedIn(application, user, &authForm)

 				record := object.NewRecord(c.Ctx)
 				record.Organization = application.Organization
@ -409,24 +478,44 @@ func (c *ApiController) Login() {
 				util.SafeGoroutine(func() { object.AddRecord(record) })
 			} else if provider.Category == "OAuth" {
 				// Sign up via OAuth
-				if !application.EnableSignUp {
-					c.ResponseError(fmt.Sprintf(c.T("auth:The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support"), provider.Type, userInfo.Username, userInfo.DisplayName))
-					return
-				}
-
-				if !providerItem.CanSignUp {
-					c.ResponseError(fmt.Sprintf(c.T("auth:The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up"), provider.Type, userInfo.Username, userInfo.DisplayName, provider.Type))
-					return
-				}
-
 				if application.EnableLinkWithEmail {
-					// find user that has the same email
-					user = object.GetUserByField(application.Organization, "email", userInfo.Email)
+					if userInfo.Email != "" {
+						// Find existing user with Email
+						user, err = object.GetUserByField(application.Organization, "email", userInfo.Email)
+						if err != nil {
+							c.ResponseError(err.Error())
+							return
+						}
+					}
+
+					if user == nil && userInfo.Phone != "" {
+						// Find existing user with phone number
+						user, err = object.GetUserByField(application.Organization, "phone", userInfo.Phone)
+						if err != nil {
+							c.ResponseError(err.Error())
+							return
+						}
+					}
 				}

 				if user == nil || user.IsDeleted {
+					if !application.EnableSignUp {
+						c.ResponseError(fmt.Sprintf(c.T("auth:The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support"), provider.Type, userInfo.Username, userInfo.DisplayName))
+						return
+					}
+
+					if !providerItem.CanSignUp {
+						c.ResponseError(fmt.Sprintf(c.T("auth:The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up"), provider.Type, userInfo.Username, userInfo.DisplayName, provider.Type))
+						return
+					}
+
 					// Handle username conflicts
-					tmpUser := object.GetUser(fmt.Sprintf("%s/%s", application.Organization, userInfo.Username))
+					tmpUser, err := object.GetUser(util.GetId(application.Organization, userInfo.Username))
+					if err != nil {
+						c.ResponseError(err.Error())
+						return
+					}
+
 					if tmpUser != nil {
 						uid, err := uuid.NewRandom()
 						if err != nil {
@ -439,8 +528,14 @@ func (c *ApiController) Login() {
 					}

 					properties := map[string]string{}
-					properties["no"] = strconv.Itoa(object.GetUserCount(application.Organization, "", "") + 2)
-					initScore, err := getInitScore(organization)
+					count, err := object.GetUserCount(application.Organization, "", "", "")
+					if err != nil {
+						c.ResponseError(err.Error())
+						return
+					}
+
+					properties["no"] = strconv.Itoa(int(count + 2))
+					initScore, err := organization.GetInitScore()
 					if err != nil {
 						c.ResponseError(fmt.Errorf(c.T("account:Get init score failed, error: %w"), err).Error())
 						return
@ -456,6 +551,9 @@ func (c *ApiController) Login() {
 						Avatar:            userInfo.AvatarUrl,
 						Address:           []string{},
 						Email:             userInfo.Email,
+						Phone:             userInfo.Phone,
+						CountryCode:       userInfo.CountryCode,
+						Region:            userInfo.CountryCode,
 						Score:             initScore,
 						IsAdmin:           false,
 						IsGlobalAdmin:     false,
@ -465,7 +563,12 @@ func (c *ApiController) Login() {
 						Properties:        properties,
 					}

-					affected := object.AddUser(user)
+					affected, err := object.AddUser(user)
+					if err != nil {
+						c.ResponseError(err.Error())
+						return
+					}
+
 					if !affected {
 						c.ResponseError(fmt.Sprintf(c.T("auth:Failed to create user, user information is invalid: %s"), util.StructToJson(user)))
 						return
@ -473,10 +576,19 @@ func (c *ApiController) Login() {
 				}

 				// sync info from 3rd-party if possible
-				object.SetUserOAuthProperties(organization, user, provider.Type, userInfo)
-				object.LinkUserAccount(user, provider.Type, userInfo.Id)
+				_, err := object.SetUserOAuthProperties(organization, user, provider.Type, userInfo)
+				if err != nil {
+					c.ResponseError(err.Error())
+					return
+				}

-				resp = c.HandleLoggedIn(application, user, &form)
+				_, err = object.LinkUserAccount(user, provider.Type, userInfo.Id)
+				if err != nil {
+					c.ResponseError(err.Error())
+					return
+				}
+
+				resp = c.HandleLoggedIn(application, user, &authForm)

 				record := object.NewRecord(c.Ctx)
 				record.Organization = application.Organization
@ -492,49 +604,113 @@ func (c *ApiController) Login() {
 				resp = &Response{Status: "error", Msg: fmt.Sprintf(c.T("general:The user: %s doesn't exist"), util.GetId(application.Organization, userInfo.Id))}
 			}
 			// resp = &Response{Status: "ok", Msg: "", Data: res}
-		} else { // form.Method != "signup"
+		} else { // authForm.Method != "signup"
 			userId := c.GetSessionUsername()
 			if userId == "" {
 				c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), util.GetId(application.Organization, userInfo.Id)), userInfo)
 				return
 			}

-			oldUser := object.GetUserByField(application.Organization, provider.Type, userInfo.Id)
+			oldUser, err := object.GetUserByField(application.Organization, provider.Type, userInfo.Id)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+
 			if oldUser != nil {
 				c.ResponseError(fmt.Sprintf(c.T("auth:The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)"), provider.Type, userInfo.Username, userInfo.DisplayName, oldUser.Name, oldUser.DisplayName))
 				return
 			}

-			user := object.GetUser(userId)
+			user, err := object.GetUser(userId)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}

 			// sync info from 3rd-party if possible
-			object.SetUserOAuthProperties(organization, user, provider.Type, userInfo)
+			_, err = object.SetUserOAuthProperties(organization, user, provider.Type, userInfo)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+
+			isLinked, err := object.LinkUserAccount(user, provider.Type, userInfo.Id)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}

-			isLinked := object.LinkUserAccount(user, provider.Type, userInfo.Id)
 			if isLinked {
 				resp = &Response{Status: "ok", Msg: "", Data: isLinked}
 			} else {
 				resp = &Response{Status: "error", Msg: "Failed to link user account", Data: isLinked}
 			}
 		}
+	} else if c.getMfaSessionData() != nil {
+		mfaSession := c.getMfaSessionData()
+		user, err := object.GetUser(mfaSession.UserId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if authForm.Passcode != "" {
+			MfaUtil := object.GetMfaUtil(authForm.MfaType, user.GetPreferMfa(false))
+			err = MfaUtil.Verify(authForm.Passcode)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+		}
+		if authForm.RecoveryCode != "" {
+			err = object.RecoverTfs(user, authForm.RecoveryCode)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+		}
+
+		application, err := object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if application == nil {
+			c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), authForm.Application))
+			return
+		}
+
+		resp = c.HandleLoggedIn(application, user, &authForm)
+
+		record := object.NewRecord(c.Ctx)
+		record.Organization = application.Organization
+		record.User = user.Name
+		util.SafeGoroutine(func() { object.AddRecord(record) })
 	} else {
 		if c.GetSessionUsername() != "" {
 			// user already signed in to Casdoor, so let the user click the avatar button to do the quick sign-in
-			application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
+			application, err := object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+
 			if application == nil {
-				c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), form.Application))
+				c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), authForm.Application))
 				return
 			}

 			user := c.getCurrentUser()
-			resp = c.HandleLoggedIn(application, user, &form)
+			resp = c.HandleLoggedIn(application, user, &authForm)

 			record := object.NewRecord(c.Ctx)
 			record.Organization = application.Organization
 			record.User = user.Name
 			util.SafeGoroutine(func() { object.AddRecord(record) })
 		} else {
-			c.ResponseError(fmt.Sprintf(c.T("auth:Unknown authentication type (not password or provider), form = %s"), util.StructToJson(form)))
+			c.ResponseError(fmt.Sprintf(c.T("auth:Unknown authentication type (not password or provider), form = %s"), util.StructToJson(authForm)))
 			return
 		}
 	}
@ -575,8 +751,9 @@ func (c *ApiController) HandleSamlLogin() {
 func (c *ApiController) HandleOfficialAccountEvent() {
 	respBytes, err := ioutil.ReadAll(c.Ctx.Request.Body)
 	if err != nil {
-		c.ResponseError(err.Error())
+		panic(err)
 	}
+
 	var data struct {
 		MsgType  string `xml:"MsgType"`
 		Event    string `xml:"Event"`
@ -584,8 +761,9 @@ func (c *ApiController) HandleOfficialAccountEvent() {
 	}
 	err = xml.Unmarshal(respBytes, &data)
 	if err != nil {
-		c.ResponseError(err.Error())
+		panic(err)
 	}
+
 	lock.Lock()
 	defer lock.Unlock()
 	if data.EventKey != "" {
@ -610,3 +788,26 @@ func (c *ApiController) GetWebhookEventType() {
 	wechatScanType = ""
 	c.ServeJSON()
 }
+
+// GetCaptchaStatus
+// @Title GetCaptchaStatus
+// @Tag Token API
+// @Description Get Login Error Counts
+// @Param   id     query    string  true        "The id ( owner/name ) of user"
+// @Success 200 {object} controllers.Response The Response object
+// @router /api/get-captcha-status [get]
+func (c *ApiController) GetCaptchaStatus() {
+	organization := c.Input().Get("organization")
+	userId := c.Input().Get("user_id")
+	user, err := object.GetUserByFields(organization, userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	var captchaEnabled bool
+	if user != nil && user.SigninWrongTimes >= object.SigninWrongTimesLimit {
+		captchaEnabled = true
+	}
+	c.ResponseOk(captchaEnabled)
+}
--- a/controllers/base.go
+++ b/controllers/base.go
@ -41,18 +41,48 @@ type SessionData struct {
 }

 func (c *ApiController) IsGlobalAdmin() bool {
-	username := c.GetSessionUsername()
-	if strings.HasPrefix(username, "app/") {
-		// e.g., "app/app-casnode"
-		return true
-	}
+	isGlobalAdmin, _ := c.isGlobalAdmin()

-	user := object.GetUser(username)
-	if user == nil {
+	return isGlobalAdmin
+}
+
+func (c *ApiController) IsAdmin() bool {
+	isGlobalAdmin, user := c.isGlobalAdmin()
+	if !isGlobalAdmin && user == nil {
 		return false
 	}

-	return user.Owner == "built-in" || user.IsGlobalAdmin
+	return isGlobalAdmin || user.IsAdmin
+}
+
+func (c *ApiController) isGlobalAdmin() (bool, *object.User) {
+	username := c.GetSessionUsername()
+	if strings.HasPrefix(username, "app/") {
+		// e.g., "app/app-casnode"
+		return true, nil
+	}
+
+	user := c.getCurrentUser()
+	if user == nil {
+		return false, nil
+	}
+
+	return user.Owner == "built-in" || user.IsGlobalAdmin, user
+}
+
+func (c *ApiController) getCurrentUser() *object.User {
+	var user *object.User
+	var err error
+	userId := c.GetSessionUsername()
+	if userId == "" {
+		user = nil
+	} else {
+		user, err = object.GetUser(userId)
+		if err != nil {
+			panic(err)
+		}
+	}
+	return user
 }

 // GetSessionUsername ...
@ -80,7 +110,11 @@ func (c *ApiController) GetSessionApplication() *object.Application {
 	if clientId == nil {
 		return nil
 	}
-	application := object.GetApplicationByClientId(clientId.(string))
+	application, err := object.GetApplicationByClientId(clientId.(string))
+	if err != nil {
+		panic(err)
+	}
+
 	return application
 }

@ -142,8 +176,34 @@ func (c *ApiController) SetSessionData(s *SessionData) {
 	c.SetSession("SessionData", util.StructToJson(s))
 }

-func wrapActionResponse(affected bool) *Response {
-	if affected {
+func (c *ApiController) setMfaSessionData(data *object.MfaSessionData) {
+	c.SetSession(object.MfaSessionUserId, data.UserId)
+}
+
+func (c *ApiController) getMfaSessionData() *object.MfaSessionData {
+	userId := c.GetSession(object.MfaSessionUserId)
+	if userId == nil {
+		return nil
+	}
+
+	data := &object.MfaSessionData{
+		UserId: userId.(string),
+	}
+	return data
+}
+
+func (c *ApiController) setExpireForSession() {
+	timestamp := time.Now().Unix()
+	timestamp += 3600 * 24
+	c.SetSessionData(&SessionData{
+		ExpireTime: timestamp,
+	})
+}
+
+func wrapActionResponse(affected bool, e ...error) *Response {
+	if len(e) != 0 && e[0] != nil {
+		return &Response{Status: "error", Msg: e[0].Error()}
+	} else if affected {
 		return &Response{Status: "ok", Msg: "", Data: "Affected"}
 	} else {
 		return &Response{Status: "ok", Msg: "", Data: "Unaffected"}
@ -157,3 +217,14 @@ func wrapErrorResponse(err error) *Response {
 		return &Response{Status: "error", Msg: err.Error()}
 	}
 }
+
+func (c *ApiController) Finish() {
+	if strings.HasPrefix(c.Ctx.Input.URL(), "/api") {
+		startTime := c.Ctx.Input.GetData("startTime")
+		if startTime != nil {
+			latency := time.Since(startTime.(time.Time)).Milliseconds()
+			object.ApiLatency.WithLabelValues(c.Ctx.Input.URL(), c.Ctx.Input.Method()).Observe(float64(latency))
+		}
+	}
+	c.Controller.Finish()
+}
--- a/controllers/casbin_adapter.go
+++ b/controllers/casbin_adapter.go
@ -31,20 +31,42 @@ func (c *ApiController) GetCasbinAdapters() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+	organization := c.Input().Get("organization")
 	if limit == "" || page == "" {
-		adapters := object.GetCasbinAdapters(owner)
+		adapters, err := object.GetCasbinAdapters(owner, organization)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(adapters)
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetCasbinAdapterCount(owner, field, value)))
-		adapters := object.GetPaginationCasbinAdapters(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		count, err := object.GetCasbinAdapterCount(owner, organization, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		adapters, err := object.GetPaginationCasbinAdapters(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(adapters, paginator.Nums())
 	}
 }

 func (c *ApiController) GetCasbinAdapter() {
 	id := c.Input().Get("id")
-	adapter := object.GetCasbinAdapter(id)
+	adapter, err := object.GetCasbinAdapter(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	c.ResponseOk(adapter)
 }

@ -88,7 +110,11 @@ func (c *ApiController) DeleteCasbinAdapter() {

 func (c *ApiController) SyncPolicies() {
 	id := c.Input().Get("id")
-	adapter := object.GetCasbinAdapter(id)
+	adapter, err := object.GetCasbinAdapter(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

 	policies, err := object.SyncPolicies(adapter)
 	if err != nil {
@ -101,9 +127,14 @@ func (c *ApiController) SyncPolicies() {

 func (c *ApiController) UpdatePolicy() {
 	id := c.Input().Get("id")
-	adapter := object.GetCasbinAdapter(id)
+	adapter, err := object.GetCasbinAdapter(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	var policies []xormadapter.CasbinRule
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &policies)
+	err = json.Unmarshal(c.Ctx.Input.RequestBody, &policies)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@ -120,9 +151,14 @@ func (c *ApiController) UpdatePolicy() {

 func (c *ApiController) AddPolicy() {
 	id := c.Input().Get("id")
-	adapter := object.GetCasbinAdapter(id)
+	adapter, err := object.GetCasbinAdapter(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	var policy xormadapter.CasbinRule
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &policy)
+	err = json.Unmarshal(c.Ctx.Input.RequestBody, &policy)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@ -139,9 +175,14 @@ func (c *ApiController) AddPolicy() {

 func (c *ApiController) RemovePolicy() {
 	id := c.Input().Get("id")
-	adapter := object.GetCasbinAdapter(id)
+	adapter, err := object.GetCasbinAdapter(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	var policy xormadapter.CasbinRule
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &policy)
+	err = json.Unmarshal(c.Ctx.Input.RequestBody, &policy)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/controllers/cert.go
+++ b/controllers/cert.go
@ -37,13 +37,67 @@ func (c *ApiController) GetCerts() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetMaskedCerts(object.GetCerts(owner))
+		maskedCerts, err := object.GetMaskedCerts(object.GetCerts(owner))
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = maskedCerts
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetCertCount(owner, field, value)))
-		certs := object.GetMaskedCerts(object.GetPaginationCerts(owner, paginator.Offset(), limit, field, value, sortField, sortOrder))
+		count, err := object.GetCertCount(owner, field, value)
+		if err != nil {
+			panic(err)
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		certs, err := object.GetMaskedCerts(object.GetPaginationCerts(owner, paginator.Offset(), limit, field, value, sortField, sortOrder))
+		if err != nil {
+			panic(err)
+		}
+
+		c.ResponseOk(certs, paginator.Nums())
+	}
+}
+
+// GetGlobleCerts
+// @Title GetGlobleCerts
+// @Tag Cert API
+// @Description get globle certs
+// @Success 200 {array} object.Cert The Response object
+// @router /get-globle-certs [get]
+func (c *ApiController) GetGlobleCerts() {
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+
+	if limit == "" || page == "" {
+		maskedCerts, err := object.GetMaskedCerts(object.GetGlobleCerts())
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = maskedCerts
+		c.ServeJSON()
+	} else {
+		limit := util.ParseInt(limit)
+		count, err := object.GetGlobalCertsCount(field, value)
+		if err != nil {
+			panic(err)
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		certs, err := object.GetMaskedCerts(object.GetPaginationGlobalCerts(paginator.Offset(), limit, field, value, sortField, sortOrder))
+		if err != nil {
+			panic(err)
+		}
+
 		c.ResponseOk(certs, paginator.Nums())
 	}
 }
@ -57,8 +111,12 @@ func (c *ApiController) GetCerts() {
 // @router /get-cert [get]
 func (c *ApiController) GetCert() {
 	id := c.Input().Get("id")
+	cert, err := object.GetCert(id)
+	if err != nil {
+		panic(err)
+	}

-	c.Data["json"] = object.GetMaskedCert(object.GetCert(id))
+	c.Data["json"] = object.GetMaskedCert(cert)
 	c.ServeJSON()
 }

--- a/controllers/chat.go
+++ b/controllers/chat.go
@ -30,20 +30,37 @@ import (
 // @Success 200 {array} object.Chat The Response object
 // @router /get-chats [get]
 func (c *ApiController) GetChats() {
-	owner := c.Input().Get("owner")
+	owner := "admin"
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
 	field := c.Input().Get("field")
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetMaskedChats(object.GetChats(owner))
+		maskedChats, err := object.GetMaskedChats(object.GetChats(owner))
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = maskedChats
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetChatCount(owner, field, value)))
-		chats := object.GetMaskedChats(object.GetPaginationChats(owner, paginator.Offset(), limit, field, value, sortField, sortOrder))
+		count, err := object.GetChatCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		chats, err := object.GetMaskedChats(object.GetPaginationChats(owner, paginator.Offset(), limit, field, value, sortField, sortOrder))
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(chats, paginator.Nums())
 	}
 }
@ -58,7 +75,12 @@ func (c *ApiController) GetChats() {
 func (c *ApiController) GetChat() {
 	id := c.Input().Get("id")

-	c.Data["json"] = object.GetMaskedChat(object.GetChat(id))
+	maskedChat, err := object.GetMaskedChat(object.GetChat(id))
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = maskedChat
 	c.ServeJSON()
 }

--- a/controllers/enforcer.go
+++ b/controllers/enforcer.go
@ -18,30 +18,133 @@ import (
 	"encoding/json"

 	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

+// Enforce
+// @Title Enforce
+// @Tag Enforce API
+// @Description Call Casbin Enforce API
+// @Param   body    body   object.CasbinRequest  true   "Casbin request"
+// @Param   permissionId    query   string  false   "permission id"
+// @Param   modelId    query   string  false   "model id"
+// @Param   resourceId    query   string  false   "resource id"
+// @Success 200 {object} controllers.Response The Response object
+// @router /enforce [post]
 func (c *ApiController) Enforce() {
-	var permissionRule object.PermissionRule
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &permissionRule)
+	permissionId := c.Input().Get("permissionId")
+	modelId := c.Input().Get("modelId")
+	resourceId := c.Input().Get("resourceId")
+
+	var request object.CasbinRequest
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &request)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	c.Data["json"] = object.Enforce(&permissionRule)
-	c.ServeJSON()
+	if permissionId != "" {
+		enforceResult, err := object.Enforce(permissionId, &request)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		res := []bool{}
+		res = append(res, enforceResult)
+		c.ResponseOk(res)
+		return
+	}
+
+	permissions := []*object.Permission{}
+	if modelId != "" {
+		owner, modelName := util.GetOwnerAndNameFromId(modelId)
+		permissions, err = object.GetPermissionsByModel(owner, modelName)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	} else if resourceId != "" {
+		permissions, err = object.GetPermissionsByResource(resourceId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	} else {
+		c.ResponseError(c.T("general:Missing parameter"))
+		return
+	}
+
+	res := []bool{}
+	for _, permission := range permissions {
+		enforceResult, err := object.Enforce(permission.GetId(), &request)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		res = append(res, enforceResult)
+	}
+	c.ResponseOk(res)
 }

+// BatchEnforce
+// @Title BatchEnforce
+// @Tag Enforce API
+// @Description Call Casbin BatchEnforce API
+// @Param   body    body   object.CasbinRequest  true   "array of casbin requests"
+// @Param   permissionId    query   string  false   "permission id"
+// @Param   modelId    query   string  false   "model id"
+// @Success 200 {object} controllers.Response The Response object
+// @router /batch-enforce [post]
 func (c *ApiController) BatchEnforce() {
-	var permissionRules []object.PermissionRule
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &permissionRules)
+	permissionId := c.Input().Get("permissionId")
+	modelId := c.Input().Get("modelId")
+
+	var requests []object.CasbinRequest
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &requests)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	c.Data["json"] = object.BatchEnforce(permissionRules)
-	c.ServeJSON()
+	if permissionId != "" {
+		enforceResult, err := object.BatchEnforce(permissionId, &requests)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		res := [][]bool{}
+		res = append(res, enforceResult)
+		c.ResponseOk(res)
+		return
+	}
+
+	permissions := []*object.Permission{}
+	if modelId != "" {
+		owner, modelName := util.GetOwnerAndNameFromId(modelId)
+		permissions, err = object.GetPermissionsByModel(owner, modelName)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	} else {
+		c.ResponseError(c.T("general:Missing parameter"))
+		return
+	}
+
+	res := [][]bool{}
+	for _, permission := range permissions {
+		enforceResult, err := object.BatchEnforce(permission.GetId(), &requests)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		res = append(res, enforceResult)
+	}
+	c.ResponseOk(res)
 }

 func (c *ApiController) GetAllObjects() {
@ -51,8 +154,7 @@ func (c *ApiController) GetAllObjects() {
 		return
 	}

-	c.Data["json"] = object.GetAllObjects(userId)
-	c.ServeJSON()
+	c.ResponseOk(object.GetAllObjects(userId))
 }

 func (c *ApiController) GetAllActions() {
@ -62,8 +164,7 @@ func (c *ApiController) GetAllActions() {
 		return
 	}

-	c.Data["json"] = object.GetAllActions(userId)
-	c.ServeJSON()
+	c.ResponseOk(object.GetAllActions(userId))
 }

 func (c *ApiController) GetAllRoles() {
@ -73,6 +174,5 @@ func (c *ApiController) GetAllRoles() {
 		return
 	}

-	c.Data["json"] = object.GetAllRoles(userId)
-	c.ServeJSON()
+	c.ResponseOk(object.GetAllRoles(userId))
 }
--- a/controllers/group.go
+++ b/controllers/group.go
@ -0,0 +1,147 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/beego/beego/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetGroups
+// @Title GetGroups
+// @Tag Group API
+// @Description get groups
+// @Param   owner     query    string  true        "The owner of groups"
+// @Success 200 {array} object.Group The Response object
+// @router /get-groups [get]
+func (c *ApiController) GetGroups() {
+	owner := c.Input().Get("owner")
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+	withTree := c.Input().Get("withTree")
+
+	if limit == "" || page == "" {
+		groups, err := object.GetGroups(owner)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		} else {
+			if withTree == "true" {
+				c.ResponseOk(object.ConvertToTreeData(groups, owner))
+				return
+			}
+			c.ResponseOk(groups)
+		}
+	} else {
+		limit := util.ParseInt(limit)
+		count, err := object.GetGroupCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		groups, err := object.GetPaginationGroups(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		} else {
+			c.ResponseOk(groups, paginator.Nums())
+		}
+	}
+}
+
+// GetGroup
+// @Title GetGroup
+// @Tag Group API
+// @Description get group
+// @Param   id     query    string  true        "The id ( owner/name ) of the group"
+// @Success 200 {object} object.Group The Response object
+// @router /get-group [get]
+func (c *ApiController) GetGroup() {
+	id := c.Input().Get("id")
+
+	group, err := object.GetGroup(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+	} else {
+		c.ResponseOk(group)
+	}
+}
+
+// UpdateGroup
+// @Title UpdateGroup
+// @Tag Group API
+// @Description update group
+// @Param   id     query    string  true        "The id ( owner/name ) of the group"
+// @Param   body    body   object.Group  true        "The details of the group"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-group [post]
+func (c *ApiController) UpdateGroup() {
+	id := c.Input().Get("id")
+
+	var group object.Group
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &group)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdateGroup(id, &group))
+	c.ServeJSON()
+}
+
+// AddGroup
+// @Title AddGroup
+// @Tag Group API
+// @Description add group
+// @Param   body    body   object.Group  true      "The details of the group"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-group [post]
+func (c *ApiController) AddGroup() {
+	var group object.Group
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &group)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddGroup(&group))
+	c.ServeJSON()
+}
+
+// DeleteGroup
+// @Title DeleteGroup
+// @Tag Group API
+// @Description delete group
+// @Param   body    body   object.Group  true        "The details of the group"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-group [post]
+func (c *ApiController) DeleteGroup() {
+	var group object.Group
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &group)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(wrapActionResponse(object.DeleteGroup(&group)))
+}
--- a/controllers/ldap.go
+++ b/controllers/ldap.go
@ -23,7 +23,8 @@ import (

 type LdapResp struct {
 	// Groups []LdapRespGroup `json:"groups"`
-	Users []object.LdapRespUser `json:"users"`
+	Users      []object.LdapUser `json:"users"`
+	ExistUuids []string          `json:"existUuids"`
 }

 //type LdapRespGroup struct {
@ -32,8 +33,8 @@ type LdapResp struct {
 //}

 type LdapSyncResp struct {
-	Exist  []object.LdapRespUser `json:"exist"`
-	Failed []object.LdapRespUser `json:"failed"`
+	Exist  []object.LdapUser `json:"exist"`
+	Failed []object.LdapUser `json:"failed"`
 }

 // GetLdapUsers
@ -44,7 +45,11 @@ func (c *ApiController) GetLdapUsers() {
 	id := c.Input().Get("id")

 	_, ldapId := util.GetOwnerAndNameFromId(id)
-	ldapServer := object.GetLdap(ldapId)
+	ldapServer, err := object.GetLdap(ldapId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

 	conn, err := ldapServer.GetLdapConn()
 	if err != nil {
@ -71,27 +76,21 @@ func (c *ApiController) GetLdapUsers() {
 		return
 	}

-	var resp LdapResp
 	uuids := make([]string, len(users))
-	for _, user := range users {
-		resp.Users = append(resp.Users, object.LdapRespUser{
-			UidNumber: user.UidNumber,
-			Uid:       user.Uid,
-			Cn:        user.Cn,
-			GroupId:   user.GidNumber,
-			// GroupName: groupsMap[user.GidNumber].Cn,
-			Uuid:        user.Uuid,
-			DisplayName: user.DisplayName,
-			Email:       util.GetMaxLenStr(user.Mail, user.Email, user.EmailAddress),
-			Phone:       util.GetMaxLenStr(user.TelephoneNumber, user.Mobile, user.MobileTelephoneNumber),
-			Address:     util.GetMaxLenStr(user.RegisteredAddress, user.PostalAddress),
-		})
-		uuids = append(uuids, user.Uuid)
+	for i, user := range users {
+		uuids[i] = user.GetLdapUuid()
+	}
+	existUuids, err := object.GetExistUuids(ldapServer.Owner, uuids)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
 	}

-	existUuids := object.GetExistUuids(ldapServer.Owner, uuids)
-
-	c.ResponseOk(resp, existUuids)
+	resp := LdapResp{
+		Users:      object.AutoAdjustLdapUser(users),
+		ExistUuids: existUuids,
+	}
+	c.ResponseOk(resp)
 }

 // GetLdaps
@ -137,17 +136,23 @@ func (c *ApiController) AddLdap() {
 		return
 	}

-	if object.CheckLdapExist(&ldap) {
+	if ok, err := object.CheckLdapExist(&ldap); err != nil {
+		c.ResponseError(err.Error())
+		return
+	} else if ok {
 		c.ResponseError(c.T("ldap:Ldap server exist"))
 		return
 	}

-	affected := object.AddLdap(&ldap)
-	resp := wrapActionResponse(affected)
+	resp := wrapActionResponse(object.AddLdap(&ldap))
 	resp.Data2 = ldap

 	if ldap.AutoSync != 0 {
-		object.GetLdapAutoSynchronizer().StartAutoSync(ldap.Id)
+		err = object.GetLdapAutoSynchronizer().StartAutoSync(ldap.Id)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 	}

 	c.Data["json"] = resp
@ -166,11 +171,24 @@ func (c *ApiController) UpdateLdap() {
 		return
 	}

-	prevLdap := object.GetLdap(ldap.Id)
-	affected := object.UpdateLdap(&ldap)
+	prevLdap, err := object.GetLdap(ldap.Id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	affected, err := object.UpdateLdap(&ldap)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

 	if ldap.AutoSync != 0 {
-		object.GetLdapAutoSynchronizer().StartAutoSync(ldap.Id)
+		err := object.GetLdapAutoSynchronizer().StartAutoSync(ldap.Id)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 	} else if ldap.AutoSync == 0 && prevLdap.AutoSync != 0 {
 		object.GetLdapAutoSynchronizer().StopAutoSync(ldap.Id)
 	}
@ -191,7 +209,11 @@ func (c *ApiController) DeleteLdap() {
 		return
 	}

-	affected := object.DeleteLdap(&ldap)
+	affected, err := object.DeleteLdap(&ldap)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

 	object.GetLdapAutoSynchronizer().StopAutoSync(ldap.Id)

@ -206,19 +228,23 @@ func (c *ApiController) DeleteLdap() {
 func (c *ApiController) SyncLdapUsers() {
 	owner := c.Input().Get("owner")
 	ldapId := c.Input().Get("ldapId")
-	var users []object.LdapRespUser
+	var users []object.LdapUser
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &users)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	object.UpdateLdapSyncTime(ldapId)
+	err = object.UpdateLdapSyncTime(ldapId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

-	exist, failed := object.SyncLdapUsers(owner, users, ldapId)
+	exist, failed, _ := object.SyncLdapUsers(owner, users, ldapId)

 	c.ResponseOk(&LdapSyncResp{
-		Exist:  *exist,
-		Failed: *failed,
+		Exist:  exist,
+		Failed: failed,
 	})
 }
--- a/controllers/link.go
+++ b/controllers/link.go
@ -53,7 +53,12 @@ func (c *ApiController) Unlink() {

 	if user.Id == unlinkedUser.Id && !user.IsGlobalAdmin {
 		// if the user is unlinking themselves, should check the provider can be unlinked, if not, we should return an error.
-		application := object.GetApplicationByUser(user)
+		application, err := object.GetApplicationByUser(user)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		if application == nil {
 			c.ResponseError(c.T("link:You can't unlink yourself, you are not a member of any application"))
 			return
@ -88,8 +93,17 @@ func (c *ApiController) Unlink() {
 		return
 	}

-	object.ClearUserOAuthProperties(&unlinkedUser, providerType)
+	_, err = object.ClearUserOAuthProperties(&unlinkedUser, providerType)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	_, err = object.LinkUserAccount(&unlinkedUser, providerType, "")
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

-	object.LinkUserAccount(&unlinkedUser, providerType, "")
 	c.ResponseOk()
 }
--- a/controllers/message.go
+++ b/controllers/message.go
@ -16,8 +16,11 @@ package controllers

 import (
 	"encoding/json"
+	"fmt"
+	"strings"

 	"github.com/beego/beego/utils/pagination"
+	"github.com/casdoor/casdoor/ai"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@ -31,6 +34,7 @@ import (
 // @router /get-messages [get]
 func (c *ApiController) GetMessages() {
 	owner := c.Input().Get("owner")
+	organization := c.Input().Get("organization")
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
 	field := c.Input().Get("field")
@ -41,18 +45,35 @@ func (c *ApiController) GetMessages() {

 	if limit == "" || page == "" {
 		var messages []*object.Message
+		var err error
 		if chat == "" {
-			messages = object.GetMessages(owner)
+			messages, err = object.GetMessages(owner)
 		} else {
-			messages = object.GetChatMessages(chat)
+			messages, err = object.GetChatMessages(chat)
+		}
+
+		if err != nil {
+			panic(err)
 		}

 		c.Data["json"] = object.GetMaskedMessages(messages)
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetMessageCount(owner, field, value)))
-		messages := object.GetMaskedMessages(object.GetPaginationMessages(owner, paginator.Offset(), limit, field, value, sortField, sortOrder))
+		count, err := object.GetMessageCount(owner, organization, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginationMessages, err := object.GetPaginationMessages(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		messages := object.GetMaskedMessages(paginationMessages)
 		c.ResponseOk(messages, paginator.Nums())
 	}
 }
@ -66,11 +87,127 @@ func (c *ApiController) GetMessages() {
 // @router /get-message [get]
 func (c *ApiController) GetMessage() {
 	id := c.Input().Get("id")
+	message, err := object.GetMessage(id)
+	if err != nil {
+		panic(err)
+	}

-	c.Data["json"] = object.GetMaskedMessage(object.GetMessage(id))
+	c.Data["json"] = object.GetMaskedMessage(message)
 	c.ServeJSON()
 }

+func (c *ApiController) ResponseErrorStream(errorText string) {
+	event := fmt.Sprintf("event: myerror\ndata: %s\n\n", errorText)
+	_, err := c.Ctx.ResponseWriter.Write([]byte(event))
+	if err != nil {
+		panic(err)
+	}
+}
+
+// GetMessageAnswer
+// @Title GetMessageAnswer
+// @Tag Message API
+// @Description get message answer
+// @Param   id     query    string  true        "The id ( owner/name ) of the message"
+// @Success 200 {object} object.Message The Response object
+// @router /get-message-answer [get]
+func (c *ApiController) GetMessageAnswer() {
+	id := c.Input().Get("id")
+
+	c.Ctx.ResponseWriter.Header().Set("Content-Type", "text/event-stream")
+	c.Ctx.ResponseWriter.Header().Set("Cache-Control", "no-cache")
+	c.Ctx.ResponseWriter.Header().Set("Connection", "keep-alive")
+
+	message, err := object.GetMessage(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if message == nil {
+		c.ResponseErrorStream(fmt.Sprintf(c.T("chat:The message: %s is not found"), id))
+		return
+	}
+
+	if message.Author != "AI" || message.ReplyTo == "" || message.Text != "" {
+		c.ResponseErrorStream(c.T("chat:The message is invalid"))
+		return
+	}
+
+	chatId := util.GetId("admin", message.Chat)
+	chat, err := object.GetChat(chatId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if chat == nil || chat.Organization != message.Organization {
+		c.ResponseErrorStream(fmt.Sprintf(c.T("chat:The chat: %s is not found"), chatId))
+		return
+	}
+
+	if chat.Type != "AI" {
+		c.ResponseErrorStream(c.T("chat:The chat type must be \"AI\""))
+		return
+	}
+
+	questionMessage, err := object.GetMessage(message.ReplyTo)
+	if questionMessage == nil {
+		c.ResponseErrorStream(fmt.Sprintf(c.T("chat:The message: %s is not found"), id))
+		return
+	}
+
+	providerId := util.GetId(chat.Owner, chat.User2)
+	provider, err := object.GetProvider(providerId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if provider == nil {
+		c.ResponseErrorStream(fmt.Sprintf(c.T("chat:The provider: %s is not found"), providerId))
+		return
+	}
+
+	if provider.Category != "AI" || provider.ClientSecret == "" {
+		c.ResponseErrorStream(fmt.Sprintf(c.T("chat:The provider: %s is invalid"), providerId))
+		return
+	}
+
+	c.Ctx.ResponseWriter.Header().Set("Content-Type", "text/event-stream")
+	c.Ctx.ResponseWriter.Header().Set("Cache-Control", "no-cache")
+	c.Ctx.ResponseWriter.Header().Set("Connection", "keep-alive")
+
+	authToken := provider.ClientSecret
+	question := questionMessage.Text
+	var stringBuilder strings.Builder
+
+	fmt.Printf("Question: [%s]\n", questionMessage.Text)
+	fmt.Printf("Answer: [")
+
+	err = ai.QueryAnswerStream(authToken, question, c.Ctx.ResponseWriter, &stringBuilder)
+	if err != nil {
+		c.ResponseErrorStream(err.Error())
+		return
+	}
+
+	fmt.Printf("]\n")
+
+	event := fmt.Sprintf("event: end\ndata: %s\n\n", "end")
+	_, err = c.Ctx.ResponseWriter.Write([]byte(event))
+	if err != nil {
+		panic(err)
+	}
+
+	answer := stringBuilder.String()
+
+	message.Text = answer
+	_, err = object.UpdateMessage(message.GetId(), message)
+	if err != nil {
+		panic(err)
+	}
+}
+
 // UpdateMessage
 // @Title UpdateMessage
 // @Tag Message API
@ -108,7 +245,48 @@ func (c *ApiController) AddMessage() {
 		return
 	}

-	c.Data["json"] = wrapActionResponse(object.AddMessage(&message))
+	var chat *object.Chat
+	if message.Chat != "" {
+		chatId := util.GetId("admin", message.Chat)
+		chat, err = object.GetChat(chatId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if chat == nil || chat.Organization != message.Organization {
+			c.ResponseError(fmt.Sprintf(c.T("chat:The chat: %s is not found"), chatId))
+			return
+		}
+	}
+
+	affected, err := object.AddMessage(&message)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if affected {
+		if chat != nil && chat.Type == "AI" {
+			answerMessage := &object.Message{
+				Owner:        message.Owner,
+				Name:         fmt.Sprintf("message_%s", util.GetRandomName()),
+				CreatedTime:  util.GetCurrentTimeEx(message.CreatedTime),
+				Organization: message.Organization,
+				Chat:         message.Chat,
+				ReplyTo:      message.GetId(),
+				Author:       "AI",
+				Text:         "",
+			}
+			_, err = object.AddMessage(answerMessage)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+		}
+	}
+
+	c.Data["json"] = wrapActionResponse(affected)
 	c.ServeJSON()
 }

--- a/controllers/mfa.go
+++ b/controllers/mfa.go
@ -0,0 +1,223 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"net/http"
+
+	"github.com/beego/beego"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// MfaSetupInitiate
+// @Title MfaSetupInitiate
+// @Tag MFA API
+// @Description setup MFA
+// @param owner	form	string	true	"owner of user"
+// @param name	form	string	true	"name of user"
+// @param type	form	string	true	"MFA auth type"
+// @Success 200 {object}   The Response object
+// @router /mfa/setup/initiate [post]
+func (c *ApiController) MfaSetupInitiate() {
+	owner := c.Ctx.Request.Form.Get("owner")
+	name := c.Ctx.Request.Form.Get("name")
+	authType := c.Ctx.Request.Form.Get("type")
+	userId := util.GetId(owner, name)
+
+	if len(userId) == 0 {
+		c.ResponseError(http.StatusText(http.StatusBadRequest))
+		return
+	}
+
+	MfaUtil := object.GetMfaUtil(authType, nil)
+	if MfaUtil == nil {
+		c.ResponseError("Invalid auth type")
+	}
+	user, err := object.GetUser(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if user == nil {
+		c.ResponseError("User doesn't exist")
+		return
+	}
+
+	issuer := beego.AppConfig.String("appname")
+	accountName := user.GetId()
+
+	mfaProps, err := MfaUtil.Initiate(c.Ctx, issuer, accountName)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	resp := mfaProps
+	c.ResponseOk(resp)
+}
+
+// MfaSetupVerify
+// @Title MfaSetupVerify
+// @Tag MFA API
+// @Description setup verify totp
+// @param	secret		form	string	true	"MFA secret"
+// @param	passcode	form 	string 	true	"MFA passcode"
+// @Success 200 {object}  Response object
+// @router /mfa/setup/verify [post]
+func (c *ApiController) MfaSetupVerify() {
+	authType := c.Ctx.Request.Form.Get("type")
+	passcode := c.Ctx.Request.Form.Get("passcode")
+
+	if authType == "" || passcode == "" {
+		c.ResponseError("missing auth type or passcode")
+		return
+	}
+	MfaUtil := object.GetMfaUtil(authType, nil)
+
+	err := MfaUtil.SetupVerify(c.Ctx, passcode)
+	if err != nil {
+		c.ResponseError(err.Error())
+	} else {
+		c.ResponseOk(http.StatusText(http.StatusOK))
+	}
+}
+
+// MfaSetupEnable
+// @Title MfaSetupEnable
+// @Tag MFA API
+// @Description enable totp
+// @param owner	form	string	true	"owner of user"
+// @param name	form	string	true	"name of user"
+// @param type	form	string	true	"MFA auth type"
+// @Success 200 {object}  Response object
+// @router /mfa/setup/enable [post]
+func (c *ApiController) MfaSetupEnable() {
+	owner := c.Ctx.Request.Form.Get("owner")
+	name := c.Ctx.Request.Form.Get("name")
+	authType := c.Ctx.Request.Form.Get("type")
+
+	user, err := object.GetUser(util.GetId(owner, name))
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if user == nil {
+		c.ResponseError("User doesn't exist")
+		return
+	}
+
+	twoFactor := object.GetMfaUtil(authType, nil)
+	err = twoFactor.Enable(c.Ctx, user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(http.StatusText(http.StatusOK))
+}
+
+// DeleteMfa
+// @Title DeleteMfa
+// @Tag MFA API
+// @Description: Delete MFA
+// @param owner	form	string	true	"owner of user"
+// @param name	form	string	true	"name of user"
+// @param id	form	string	true	"id of user's MFA props"
+// @Success 200 {object}  Response object
+// @router /delete-mfa/ [post]
+func (c *ApiController) DeleteMfa() {
+	id := c.Ctx.Request.Form.Get("id")
+	owner := c.Ctx.Request.Form.Get("owner")
+	name := c.Ctx.Request.Form.Get("name")
+	userId := util.GetId(owner, name)
+
+	user, err := object.GetUser(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if user == nil {
+		c.ResponseError("User doesn't exist")
+		return
+	}
+
+	mfaProps := user.MultiFactorAuths[:0]
+	i := 0
+	for _, mfaProp := range mfaProps {
+		if mfaProp.Id != id {
+			mfaProps[i] = mfaProp
+			i++
+		}
+	}
+	user.MultiFactorAuths = mfaProps
+	_, err = object.UpdateUser(userId, user, []string{"multi_factor_auths"}, user.IsAdminUser())
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(user.MultiFactorAuths)
+}
+
+// SetPreferredMfa
+// @Title SetPreferredMfa
+// @Tag MFA API
+// @Description: Set specific Mfa Preferred
+// @param owner	form	string	true	"owner of user"
+// @param name	form	string	true	"name of user"
+// @param id	form	string	true	"id of user's MFA props"
+// @Success 200 {object}  Response object
+// @router /set-preferred-mfa [post]
+func (c *ApiController) SetPreferredMfa() {
+	id := c.Ctx.Request.Form.Get("id")
+	owner := c.Ctx.Request.Form.Get("owner")
+	name := c.Ctx.Request.Form.Get("name")
+	userId := util.GetId(owner, name)
+
+	user, err := object.GetUser(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if user == nil {
+		c.ResponseError("User doesn't exist")
+		return
+	}
+
+	mfaProps := user.MultiFactorAuths
+	for i, mfaProp := range user.MultiFactorAuths {
+		if mfaProp.Id == id {
+			mfaProps[i].IsPreferred = true
+		} else {
+			mfaProps[i].IsPreferred = false
+		}
+	}
+
+	_, err = object.UpdateUser(userId, user, []string{"multi_factor_auths"}, user.IsAdminUser())
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	for i, mfaProp := range mfaProps {
+		mfaProps[i] = object.GetMaskedProps(mfaProp)
+	}
+	c.ResponseOk(mfaProps)
+}
--- a/controllers/model.go
+++ b/controllers/model.go
@ -37,13 +37,30 @@ func (c *ApiController) GetModels() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetModels(owner)
+		models, err := object.GetModels(owner)
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = models
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetModelCount(owner, field, value)))
-		models := object.GetPaginationModels(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		count, err := object.GetModelCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		models, err := object.GetPaginationModels(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(models, paginator.Nums())
 	}
 }
@ -58,7 +75,12 @@ func (c *ApiController) GetModels() {
 func (c *ApiController) GetModel() {
 	id := c.Input().Get("id")

-	c.Data["json"] = object.GetModel(id)
+	model, err := object.GetModel(id)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = model
 	c.ServeJSON()
 }

--- a/controllers/organization.go
+++ b/controllers/organization.go
@ -37,13 +37,30 @@ func (c *ApiController) GetOrganizations() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetMaskedOrganizations(object.GetOrganizations(owner))
+		maskedOrganizations, err := object.GetMaskedOrganizations(object.GetOrganizations(owner))
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = maskedOrganizations
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetOrganizationCount(owner, field, value)))
-		organizations := object.GetMaskedOrganizations(object.GetPaginationOrganizations(owner, paginator.Offset(), limit, field, value, sortField, sortOrder))
+		count, err := object.GetOrganizationCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		organizations, err := object.GetMaskedOrganizations(object.GetPaginationOrganizations(owner, paginator.Offset(), limit, field, value, sortField, sortOrder))
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(organizations, paginator.Nums())
 	}
 }
@ -58,7 +75,12 @@ func (c *ApiController) GetOrganizations() {
 func (c *ApiController) GetOrganization() {
 	id := c.Input().Get("id")

-	c.Data["json"] = object.GetMaskedOrganization(object.GetOrganization(id))
+	maskedOrganization, err := object.GetMaskedOrganization(object.GetOrganization(id))
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = maskedOrganization
 	c.ServeJSON()
 }

@ -99,8 +121,13 @@ func (c *ApiController) AddOrganization() {
 		return
 	}

-	count := object.GetOrganizationCount("", "", "")
-	if err := checkQuotaForOrganization(count); err != nil {
+	count, err := object.GetOrganizationCount("", "", "")
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if err = checkQuotaForOrganization(int(count)); err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
@ -148,3 +175,21 @@ func (c *ApiController) GetDefaultApplication() {
 	maskedApplication := object.GetMaskedApplication(application, userId)
 	c.ResponseOk(maskedApplication)
 }
+
+// GetOrganizationNames ...
+// @Title GetOrganizationNames
+// @Tag Organization API
+// @Param   owner     query    string    true   "owner"
+// @Description get all organization name and displayName
+// @Success 200 {array} object.Organization The Response object
+// @router /get-organization-names [get]
+func (c *ApiController) GetOrganizationNames() {
+	owner := c.Input().Get("owner")
+	organizationNames, err := object.GetOrganizationsByFields(owner, []string{"name", "display_name"}...)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(organizationNames)
+}
--- a/controllers/payment.go
+++ b/controllers/payment.go
@ -16,7 +16,6 @@ package controllers

 import (
 	"encoding/json"
-	"fmt"

 	"github.com/beego/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@ -32,19 +31,35 @@ import (
 // @router /get-payments [get]
 func (c *ApiController) GetPayments() {
 	owner := c.Input().Get("owner")
+	organization := c.Input().Get("organization")
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
 	field := c.Input().Get("field")
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetPayments(owner)
+		payments, err := object.GetPayments(owner)
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = payments
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetPaymentCount(owner, field, value)))
-		payments := object.GetPaginationPayments(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		count, err := object.GetPaymentCount(owner, organization, field, value)
+		if err != nil {
+			panic(err)
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		payments, err := object.GetPaginationPayments(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			panic(err)
+		}
+
 		c.ResponseOk(payments, paginator.Nums())
 	}
 }
@ -63,7 +78,12 @@ func (c *ApiController) GetUserPayments() {
 	organization := c.Input().Get("organization")
 	user := c.Input().Get("user")

-	payments := object.GetUserPayments(owner, organization, user)
+	payments, err := object.GetUserPayments(owner, organization, user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	c.ResponseOk(payments)
 }

@ -77,7 +97,12 @@ func (c *ApiController) GetUserPayments() {
 func (c *ApiController) GetPayment() {
 	id := c.Input().Get("id")

-	c.Data["json"] = object.GetPayment(id)
+	payment, err := object.GetPayment(id)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = payment
 	c.ServeJSON()
 }

@ -153,18 +178,19 @@ func (c *ApiController) NotifyPayment() {
 	providerName := c.Ctx.Input.Param(":provider")
 	productName := c.Ctx.Input.Param(":product")
 	paymentName := c.Ctx.Input.Param(":payment")
+	orderId := c.Ctx.Input.Param("order")

 	body := c.Ctx.Input.RequestBody

-	ok := object.NotifyPayment(c.Ctx.Request, body, owner, providerName, productName, paymentName)
-	if ok {
-		_, err := c.Ctx.ResponseWriter.Write([]byte("success"))
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-	} else {
-		panic(fmt.Errorf("NotifyPayment() failed: %v", ok))
+	err, errorResponse := object.NotifyPayment(c.Ctx.Request, body, owner, providerName, productName, paymentName, orderId)
+
+	_, err2 := c.Ctx.ResponseWriter.Write([]byte(errorResponse))
+	if err2 != nil {
+		panic(err2)
+	}
+
+	if err != nil {
+		panic(err)
 	}
 }

@ -178,7 +204,12 @@ func (c *ApiController) NotifyPayment() {
 func (c *ApiController) InvoicePayment() {
 	id := c.Input().Get("id")

-	payment := object.GetPayment(id)
+	payment, err := object.GetPayment(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	invoiceUrl, err := object.InvoicePayment(payment)
 	if err != nil {
 		c.ResponseError(err.Error())
--- a/controllers/permission.go
+++ b/controllers/permission.go
@ -37,13 +37,28 @@ func (c *ApiController) GetPermissions() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetPermissions(owner)
+		permissions, err := object.GetPermissions(owner)
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = permissions
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetPermissionCount(owner, field, value)))
-		permissions := object.GetPaginationPermissions(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		count, err := object.GetPermissionCount(owner, field, value)
+		if err != nil {
+			panic(err)
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		permissions, err := object.GetPaginationPermissions(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			panic(err)
+		}
+
 		c.ResponseOk(permissions, paginator.Nums())
 	}
 }
@ -60,7 +75,12 @@ func (c *ApiController) GetPermissionsBySubmitter() {
 		return
 	}

-	permissions := object.GetPermissionsBySubmitter(user.Owner, user.Name)
+	permissions, err := object.GetPermissionsBySubmitter(user.Owner, user.Name)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	c.ResponseOk(permissions, len(permissions))
 	return
 }
@ -74,7 +94,12 @@ func (c *ApiController) GetPermissionsBySubmitter() {
 // @router /get-permissions-by-role [get]
 func (c *ApiController) GetPermissionsByRole() {
 	id := c.Input().Get("id")
-	permissions := object.GetPermissionsByRole(id)
+	permissions, err := object.GetPermissionsByRole(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	c.ResponseOk(permissions, len(permissions))
 	return
 }
@ -89,7 +114,12 @@ func (c *ApiController) GetPermissionsByRole() {
 func (c *ApiController) GetPermission() {
 	id := c.Input().Get("id")

-	c.Data["json"] = object.GetPermission(id)
+	permission, err := object.GetPermission(id)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = permission
 	c.ServeJSON()
 }

--- a/controllers/permission_upload.go
+++ b/controllers/permission_upload.go
@ -0,0 +1,54 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"fmt"
+
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+func (c *ApiController) UploadPermissions() {
+	userId := c.GetSessionUsername()
+	owner, user := util.GetOwnerAndNameFromId(userId)
+
+	file, header, err := c.Ctx.Request.FormFile("file")
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	fileId := fmt.Sprintf("%s_%s_%s", owner, user, util.RemoveExt(header.Filename))
+
+	path := util.GetUploadXlsxPath(fileId)
+	util.EnsureFileFolderExists(path)
+	err = saveFile(path, &file)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	affected, err := object.UploadPermissions(owner, fileId)
+	if err != nil {
+		c.ResponseError(err.Error())
+	}
+
+	if affected {
+		c.ResponseOk()
+	} else {
+		c.ResponseError(c.T("user_upload:Failed to import users"))
+	}
+}
--- a/controllers/plan.go
+++ b/controllers/plan.go
@ -0,0 +1,160 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/beego/beego/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetPlans
+// @Title GetPlans
+// @Tag Plan API
+// @Description get plans
+// @Param   owner     query    string  true        "The owner of plans"
+// @Success 200 {array} object.Plan The Response object
+// @router /get-plans [get]
+func (c *ApiController) GetPlans() {
+	owner := c.Input().Get("owner")
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+
+	if limit == "" || page == "" {
+		plans, err := object.GetPlans(owner)
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = plans
+		c.ServeJSON()
+	} else {
+		limit := util.ParseInt(limit)
+		count, err := object.GetPlanCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		plan, err := object.GetPaginatedPlans(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(plan, paginator.Nums())
+	}
+}
+
+// GetPlan
+// @Title GetPlan
+// @Tag Plan API
+// @Description get plan
+// @Param   id     query    string  true        "The id ( owner/name ) of the plan"
+// @Param   includeOption     query    bool  false        "Should include plan's option"
+// @Success 200 {object} object.Plan The Response object
+// @router /get-plan [get]
+func (c *ApiController) GetPlan() {
+	id := c.Input().Get("id")
+	includeOption := c.Input().Get("includeOption") == "true"
+
+	plan, err := object.GetPlan(id)
+	if err != nil {
+		panic(err)
+	}
+
+	if includeOption {
+		options, err := object.GetPermissionsByRole(plan.Role)
+		if err != nil {
+			panic(err)
+		}
+
+		for _, option := range options {
+			plan.Options = append(plan.Options, option.DisplayName)
+		}
+
+		c.Data["json"] = plan
+	} else {
+		c.Data["json"] = plan
+	}
+	c.ServeJSON()
+}
+
+// UpdatePlan
+// @Title UpdatePlan
+// @Tag Plan API
+// @Description update plan
+// @Param   id     query    string  true        "The id ( owner/name ) of the plan"
+// @Param   body    body   object.Plan  true        "The details of the plan"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-plan [post]
+func (c *ApiController) UpdatePlan() {
+	id := c.Input().Get("id")
+
+	var plan object.Plan
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &plan)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdatePlan(id, &plan))
+	c.ServeJSON()
+}
+
+// AddPlan
+// @Title AddPlan
+// @Tag Plan API
+// @Description add plan
+// @Param   body    body   object.Plan  true        "The details of the plan"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-plan [post]
+func (c *ApiController) AddPlan() {
+	var plan object.Plan
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &plan)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddPlan(&plan))
+	c.ServeJSON()
+}
+
+// DeletePlan
+// @Title DeletePlan
+// @Tag Plan API
+// @Description delete plan
+// @Param   body    body   object.Plan  true        "The details of the plan"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-plan [post]
+func (c *ApiController) DeletePlan() {
+	var plan object.Plan
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &plan)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeletePlan(&plan))
+	c.ServeJSON()
+}
--- a/controllers/pricing.go
+++ b/controllers/pricing.go
@ -0,0 +1,145 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/beego/beego/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetPricings
+// @Title GetPricings
+// @Tag Pricing API
+// @Description get pricings
+// @Param   owner     query    string  true        "The owner of pricings"
+// @Success 200 {array} object.Pricing The Response object
+// @router /get-pricings [get]
+func (c *ApiController) GetPricings() {
+	owner := c.Input().Get("owner")
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+
+	if limit == "" || page == "" {
+		pricings, err := object.GetPricings(owner)
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = pricings
+		c.ServeJSON()
+	} else {
+		limit := util.ParseInt(limit)
+		count, err := object.GetPricingCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		pricing, err := object.GetPaginatedPricings(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(pricing, paginator.Nums())
+	}
+}
+
+// GetPricing
+// @Title GetPricing
+// @Tag Pricing API
+// @Description get pricing
+// @Param   id     query    string  true        "The id ( owner/name ) of the pricing"
+// @Success 200 {object} object.pricing The Response object
+// @router /get-pricing [get]
+func (c *ApiController) GetPricing() {
+	id := c.Input().Get("id")
+
+	pricing, err := object.GetPricing(id)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = pricing
+	c.ServeJSON()
+}
+
+// UpdatePricing
+// @Title UpdatePricing
+// @Tag Pricing API
+// @Description update pricing
+// @Param   id     query    string  true        "The id ( owner/name ) of the pricing"
+// @Param   body    body   object.Pricing  true        "The details of the pricing"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-pricing [post]
+func (c *ApiController) UpdatePricing() {
+	id := c.Input().Get("id")
+
+	var pricing object.Pricing
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &pricing)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdatePricing(id, &pricing))
+	c.ServeJSON()
+}
+
+// AddPricing
+// @Title AddPricing
+// @Tag Pricing API
+// @Description add pricing
+// @Param   body    body   object.Pricing  true        "The details of the pricing"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-pricing [post]
+func (c *ApiController) AddPricing() {
+	var pricing object.Pricing
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &pricing)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddPricing(&pricing))
+	c.ServeJSON()
+}
+
+// DeletePricing
+// @Title DeletePricing
+// @Tag Pricing API
+// @Description delete pricing
+// @Param   body    body   object.Pricing  true        "The details of the pricing"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-pricing [post]
+func (c *ApiController) DeletePricing() {
+	var pricing object.Pricing
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &pricing)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeletePricing(&pricing))
+	c.ServeJSON()
+}
--- a/controllers/product.go
+++ b/controllers/product.go
@ -38,13 +38,30 @@ func (c *ApiController) GetProducts() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetProducts(owner)
+		products, err := object.GetProducts(owner)
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = products
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetProductCount(owner, field, value)))
-		products := object.GetPaginationProducts(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		count, err := object.GetProductCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		products, err := object.GetPaginationProducts(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(products, paginator.Nums())
 	}
 }
@ -59,8 +76,15 @@ func (c *ApiController) GetProducts() {
 func (c *ApiController) GetProduct() {
 	id := c.Input().Get("id")

-	product := object.GetProduct(id)
-	object.ExtendProductWithProviders(product)
+	product, err := object.GetProduct(id)
+	if err != nil {
+		panic(err)
+	}
+
+	err = object.ExtendProductWithProviders(product)
+	if err != nil {
+		panic(err)
+	}

 	c.Data["json"] = product
 	c.ServeJSON()
@ -145,17 +169,22 @@ func (c *ApiController) BuyProduct() {
 		return
 	}

-	user := object.GetUser(userId)
-	if user == nil {
-		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
-		return
-	}
-
-	payUrl, err := object.BuyProduct(id, providerName, user, host)
+	user, err := object.GetUser(userId)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	c.ResponseOk(payUrl)
+	if user == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
+		return
+	}
+
+	payUrl, orderId, err := object.BuyProduct(id, providerName, user, host)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(payUrl, orderId)
 }
--- a/controllers/prometheus.go
+++ b/controllers/prometheus.go
@ -0,0 +1,39 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"github.com/casdoor/casdoor/object"
+)
+
+// GetPrometheusInfo
+// @Title GetPrometheusInfo
+// @Tag Prometheus API
+// @Description get Prometheus Info
+// @Success 200 {object} object.PrometheusInfo The Response object
+// @router /get-prometheus-info [get]
+func (c *ApiController) GetPrometheusInfo() {
+	_, ok := c.RequireAdmin()
+	if !ok {
+		return
+	}
+	prometheusInfo, err := object.GetPrometheusInfo()
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(prometheusInfo)
+}
--- a/controllers/provider.go
+++ b/controllers/provider.go
@ -37,13 +37,35 @@ func (c *ApiController) GetProviders() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+
+	ok, isMaskEnabled := c.IsMaskedEnabled()
+	if !ok {
+		return
+	}
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetMaskedProviders(object.GetProviders(owner))
-		c.ServeJSON()
+		providers, err := object.GetProviders(owner)
+		if err != nil {
+			panic(err)
+		}
+
+		c.ResponseOk(object.GetMaskedProviders(providers, isMaskEnabled))
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetProviderCount(owner, field, value)))
-		providers := object.GetMaskedProviders(object.GetPaginationProviders(owner, paginator.Offset(), limit, field, value, sortField, sortOrder))
+		count, err := object.GetProviderCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginationProviders, err := object.GetPaginationProviders(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		providers := object.GetMaskedProviders(paginationProviders, isMaskEnabled)
 		c.ResponseOk(providers, paginator.Nums())
 	}
 }
@ -61,13 +83,35 @@ func (c *ApiController) GetGlobalProviders() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+
+	ok, isMaskEnabled := c.IsMaskedEnabled()
+	if !ok {
+		return
+	}
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetMaskedProviders(object.GetGlobalProviders())
-		c.ServeJSON()
+		globalProviders, err := object.GetGlobalProviders()
+		if err != nil {
+			panic(err)
+		}
+
+		c.ResponseOk(object.GetMaskedProviders(globalProviders, isMaskEnabled))
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetGlobalProviderCount(field, value)))
-		providers := object.GetMaskedProviders(object.GetPaginationGlobalProviders(paginator.Offset(), limit, field, value, sortField, sortOrder))
+		count, err := object.GetGlobalProviderCount(field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginationGlobalProviders, err := object.GetPaginationGlobalProviders(paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		providers := object.GetMaskedProviders(paginationGlobalProviders, isMaskEnabled)
 		c.ResponseOk(providers, paginator.Nums())
 	}
 }
@ -81,8 +125,18 @@ func (c *ApiController) GetGlobalProviders() {
 // @router /get-provider [get]
 func (c *ApiController) GetProvider() {
 	id := c.Input().Get("id")
-	c.Data["json"] = object.GetMaskedProvider(object.GetProvider(id))
-	c.ServeJSON()
+
+	ok, isMaskEnabled := c.IsMaskedEnabled()
+	if !ok {
+		return
+	}
+	provider, err := object.GetProvider(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(object.GetMaskedProvider(provider, isMaskEnabled))
 }

 // UpdateProvider
@ -122,8 +176,13 @@ func (c *ApiController) AddProvider() {
 		return
 	}

-	count := object.GetProviderCount("", "", "")
-	if err := checkQuotaForProvider(count); err != nil {
+	count, err := object.GetProviderCount("", "", "")
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if err := checkQuotaForProvider(int(count)); err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
--- a/controllers/record.go
+++ b/controllers/record.go
@ -42,14 +42,31 @@ func (c *ApiController) GetRecords() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetRecords()
+		records, err := object.GetRecords()
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = records
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
 		filterRecord := &object.Record{Organization: organization}
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetRecordCount(field, value, filterRecord)))
-		records := object.GetPaginationRecords(paginator.Offset(), limit, field, value, sortField, sortOrder, filterRecord)
+		count, err := object.GetRecordCount(field, value, filterRecord)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		records, err := object.GetPaginationRecords(paginator.Offset(), limit, field, value, sortField, sortOrder, filterRecord)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(records, paginator.Nums())
 	}
 }
@ -67,11 +84,15 @@ func (c *ApiController) GetRecordsByFilter() {
 	record := &object.Record{}
 	err := util.JsonToStruct(body, record)
 	if err != nil {
-		c.ResponseError(err.Error())
-		return
+		panic(err)
 	}

-	c.Data["json"] = object.GetRecordsByField(record)
+	records, err := object.GetRecordsByField(record)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = records
 	c.ServeJSON()
 }

--- a/controllers/resource.go
+++ b/controllers/resource.go
@ -21,6 +21,7 @@ import (
 	"io"
 	"mime"
 	"path/filepath"
+	"strings"

 	"github.com/beego/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@ -50,12 +51,28 @@ func (c *ApiController) GetResources() {
 	}

 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetResources(owner, user)
+		resources, err := object.GetResources(owner, user)
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = resources
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetResourceCount(owner, user, field, value)))
-		resources := object.GetPaginationResources(owner, user, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		count, err := object.GetResourceCount(owner, user, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		resources, err := object.GetPaginationResources(owner, user, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(resources, paginator.Nums())
 	}
 }
@ -67,7 +84,12 @@ func (c *ApiController) GetResources() {
 func (c *ApiController) GetResource() {
 	id := c.Input().Get("id")

-	c.Data["json"] = object.GetResource(id)
+	resource, err := object.GetResource(id)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = resource
 	c.ServeJSON()
 }

@ -117,8 +139,9 @@ func (c *ApiController) DeleteResource() {
 		return
 	}

-	provider, _, ok := c.GetProviderFromContext("Storage")
-	if !ok {
+	provider, err := c.GetProviderFromContext("Storage")
+	if err != nil {
+		c.ResponseError(err.Error())
 		return
 	}

@ -165,8 +188,9 @@ func (c *ApiController) UploadResource() {
 		return
 	}

-	provider, _, ok := c.GetProviderFromContext("Storage")
-	if !ok {
+	provider, err := c.GetProviderFromContext("Storage")
+	if err != nil {
+		c.ResponseError(err.Error())
 		return
 	}

@ -186,7 +210,10 @@ func (c *ApiController) UploadResource() {
 		index := len(fullFilePath) - len(ext)
 		for i := 1; ; i++ {
 			_, objectKey := object.GetUploadFileUrl(provider, fullFilePath, true)
-			if object.GetResourceCount(owner, username, "name", objectKey) == 0 {
+			if count, err := object.GetResourceCount(owner, username, "name", objectKey); err != nil {
+				c.ResponseError(err.Error())
+				return
+			} else if count == 0 {
 				break
 			}

@ -222,23 +249,62 @@ func (c *ApiController) UploadResource() {
 		Url:         fileUrl,
 		Description: description,
 	}
-	object.AddOrUpdateResource(resource)
+	_, err = object.AddOrUpdateResource(resource)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

 	switch tag {
 	case "avatar":
-		user := object.GetUserNoCheck(util.GetId(owner, username))
+		user, err := object.GetUserNoCheck(util.GetId(owner, username))
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		if user == nil {
 			c.ResponseError(c.T("resource:User is nil for tag: avatar"))
 			return
 		}

 		user.Avatar = fileUrl
-		object.UpdateUser(user.GetId(), user, []string{"avatar"}, false)
+		_, err = object.UpdateUser(user.GetId(), user, []string{"avatar"}, false)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 	case "termsOfUse":
-		applicationId := fmt.Sprintf("admin/%s", parent)
-		app := object.GetApplication(applicationId)
-		app.TermsOfUse = fileUrl
-		object.UpdateApplication(applicationId, app)
+		user, err := object.GetUserNoCheck(util.GetId(owner, username))
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if user == nil {
+			c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), util.GetId(owner, username)))
+			return
+		}
+
+		if !user.IsAdminUser() {
+			c.ResponseError(c.T("auth:Unauthorized operation"))
+			return
+		}
+
+		_, applicationId := util.GetOwnerAndNameFromIdNoCheck(strings.TrimRight(fullFilePath, ".html"))
+		applicationObj, err := object.GetApplication(applicationId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		applicationObj.TermsOfUse = fileUrl
+		_, err = object.UpdateApplication(applicationId, applicationObj)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 	}

 	c.ResponseOk(fileUrl, objectKey)
--- a/controllers/role.go
+++ b/controllers/role.go
@ -37,13 +37,30 @@ func (c *ApiController) GetRoles() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetRoles(owner)
+		roles, err := object.GetRoles(owner)
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = roles
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetRoleCount(owner, field, value)))
-		roles := object.GetPaginationRoles(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		count, err := object.GetRoleCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		roles, err := object.GetPaginationRoles(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(roles, paginator.Nums())
 	}
 }
@ -58,7 +75,12 @@ func (c *ApiController) GetRoles() {
 func (c *ApiController) GetRole() {
 	id := c.Input().Get("id")

-	c.Data["json"] = object.GetRole(id)
+	role, err := object.GetRole(id)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = role
 	c.ServeJSON()
 }

--- a/controllers/role_upload.go
+++ b/controllers/role_upload.go
@ -0,0 +1,54 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"fmt"
+
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+func (c *ApiController) UploadRoles() {
+	userId := c.GetSessionUsername()
+	owner, user := util.GetOwnerAndNameFromId(userId)
+
+	file, header, err := c.Ctx.Request.FormFile("file")
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	fileId := fmt.Sprintf("%s_%s_%s", owner, user, util.RemoveExt(header.Filename))
+
+	path := util.GetUploadXlsxPath(fileId)
+	util.EnsureFileFolderExists(path)
+	err = saveFile(path, &file)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	affected, err := object.UploadRoles(owner, fileId)
+	if err != nil {
+		c.ResponseError(err.Error())
+	}
+
+	if affected {
+		c.ResponseOk()
+	} else {
+		c.ResponseError(c.T("user_upload:Failed to import users"))
+	}
+}
--- a/controllers/saml.go
+++ b/controllers/saml.go
@ -23,7 +23,12 @@ import (
 func (c *ApiController) GetSamlMeta() {
 	host := c.Ctx.Request.Host
 	paramApp := c.Input().Get("application")
-	application := object.GetApplication(paramApp)
+	application, err := object.GetApplication(paramApp)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	if application == nil {
 		c.ResponseError(fmt.Sprintf(c.T("saml:Application %s not found"), paramApp))
 		return
--- a/controllers/service.go
+++ b/controllers/service.go
@ -61,12 +61,17 @@ func (c *ApiController) SendEmail() {
 	var provider *object.Provider
 	if emailForm.Provider != "" {
 		// called by frontend's TestEmailWidget, provider name is set by frontend
-		provider = object.GetProvider(util.GetId("admin", emailForm.Provider))
+		provider, err = object.GetProvider(util.GetId("admin", emailForm.Provider))
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 	} else {
 		// called by Casdoor SDK via Client ID & Client Secret, so the used Email provider will be the application' Email provider or the default Email provider
-		var ok bool
-		provider, _, ok = c.GetProviderFromContext("Email")
-		if !ok {
+		provider, err = c.GetProviderFromContext("Email")
+		if err != nil {
+			c.ResponseError(err.Error())
 			return
 		}
 	}
@ -122,13 +127,14 @@ func (c *ApiController) SendEmail() {
 // @Success 200 {object}  Response object
 // @router /api/send-sms [post]
 func (c *ApiController) SendSms() {
-	provider, _, ok := c.GetProviderFromContext("SMS")
-	if !ok {
+	provider, err := c.GetProviderFromContext("SMS")
+	if err != nil {
+		c.ResponseError(err.Error())
 		return
 	}

 	var smsForm SmsForm
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &smsForm)
+	err = json.Unmarshal(c.Ctx.Input.RequestBody, &smsForm)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/controllers/session.go
+++ b/controllers/session.go
@ -37,13 +37,29 @@ func (c *ApiController) GetSessions() {
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
 	owner := c.Input().Get("owner")
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetSessions(owner)
+		sessions, err := object.GetSessions(owner)
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = sessions
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetSessionCount(owner, field, value)))
-		sessions := object.GetPaginationSessions(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		count, err := object.GetSessionCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		sessions, err := object.GetPaginationSessions(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(sessions, paginator.Nums())
 	}
 }
@ -58,7 +74,12 @@ func (c *ApiController) GetSessions() {
 func (c *ApiController) GetSingleSession() {
 	id := c.Input().Get("sessionPkId")

-	c.Data["json"] = object.GetSingleSession(id)
+	session, err := object.GetSingleSession(id)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = session
 	c.ServeJSON()
 }

@ -132,7 +153,11 @@ func (c *ApiController) IsSessionDuplicated() {
 	id := c.Input().Get("sessionPkId")
 	sessionId := c.Input().Get("sessionId")

-	isUserSessionDuplicated := object.IsSessionDuplicated(id, sessionId)
+	isUserSessionDuplicated, err := object.IsSessionDuplicated(id, sessionId)
+	if err != nil {
+		panic(err)
+	}
+
 	c.Data["json"] = &Response{Status: "ok", Msg: "", Data: isUserSessionDuplicated}

 	c.ServeJSON()
--- a/controllers/subscription.go
+++ b/controllers/subscription.go
@ -0,0 +1,145 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/beego/beego/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetSubscriptions
+// @Title GetSubscriptions
+// @Tag Subscription API
+// @Description get subscriptions
+// @Param   owner     query    string  true        "The owner of subscriptions"
+// @Success 200 {array} object.Subscription The Response object
+// @router /get-subscriptions [get]
+func (c *ApiController) GetSubscriptions() {
+	owner := c.Input().Get("owner")
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+
+	if limit == "" || page == "" {
+		subscriptions, err := object.GetSubscriptions(owner)
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = subscriptions
+		c.ServeJSON()
+	} else {
+		limit := util.ParseInt(limit)
+		count, err := object.GetSubscriptionCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		subscription, err := object.GetPaginationSubscriptions(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(subscription, paginator.Nums())
+	}
+}
+
+// GetSubscription
+// @Title GetSubscription
+// @Tag Subscription API
+// @Description get subscription
+// @Param   id     query    string  true        "The id ( owner/name ) of the subscription"
+// @Success 200 {object} object.subscription The Response object
+// @router /get-subscription [get]
+func (c *ApiController) GetSubscription() {
+	id := c.Input().Get("id")
+
+	subscription, err := object.GetSubscription(id)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = subscription
+	c.ServeJSON()
+}
+
+// UpdateSubscription
+// @Title UpdateSubscription
+// @Tag Subscription API
+// @Description update subscription
+// @Param   id     query    string  true        "The id ( owner/name ) of the subscription"
+// @Param   body    body   object.Subscription  true        "The details of the subscription"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-subscription [post]
+func (c *ApiController) UpdateSubscription() {
+	id := c.Input().Get("id")
+
+	var subscription object.Subscription
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &subscription)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdateSubscription(id, &subscription))
+	c.ServeJSON()
+}
+
+// AddSubscription
+// @Title AddSubscription
+// @Tag Subscription API
+// @Description add subscription
+// @Param   body    body   object.Subscription  true        "The details of the subscription"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-subscription [post]
+func (c *ApiController) AddSubscription() {
+	var subscription object.Subscription
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &subscription)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddSubscription(&subscription))
+	c.ServeJSON()
+}
+
+// DeleteSubscription
+// @Title DeleteSubscription
+// @Tag Subscription API
+// @Description delete subscription
+// @Param   body    body   object.Subscription  true        "The details of the subscription"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-subscription [post]
+func (c *ApiController) DeleteSubscription() {
+	var subscription object.Subscription
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &subscription)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeleteSubscription(&subscription))
+	c.ServeJSON()
+}
--- a/controllers/syncer.go
+++ b/controllers/syncer.go
@ -37,13 +37,31 @@ func (c *ApiController) GetSyncers() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+	organization := c.Input().Get("organization")
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetSyncers(owner)
+		organizationSyncers, err := object.GetOrganizationSyncers(owner, organization)
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = organizationSyncers
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetSyncerCount(owner, field, value)))
-		syncers := object.GetPaginationSyncers(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		count, err := object.GetSyncerCount(owner, organization, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		syncers, err := object.GetPaginationSyncers(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(syncers, paginator.Nums())
 	}
 }
@ -58,7 +76,12 @@ func (c *ApiController) GetSyncers() {
 func (c *ApiController) GetSyncer() {
 	id := c.Input().Get("id")

-	c.Data["json"] = object.GetSyncer(id)
+	syncer, err := object.GetSyncer(id)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = syncer
 	c.ServeJSON()
 }

@ -131,7 +154,11 @@ func (c *ApiController) DeleteSyncer() {
 // @router /run-syncer [get]
 func (c *ApiController) RunSyncer() {
 	id := c.Input().Get("id")
-	syncer := object.GetSyncer(id)
+	syncer, err := object.GetSyncer(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

 	object.RunSyncer(syncer)

--- a/controllers/system_info.go
+++ b/controllers/system_info.go
@ -59,3 +59,13 @@ func (c *ApiController) GetVersionInfo() {

 	c.ResponseOk(versionInfo)
 }
+
+// Health
+// @Title Health
+// @Tag System API
+// @Description check if the system is live
+// @Success 200 {object} controllers.Response The Response object
+// @router /health [get]
+func (c *ApiController) Health() {
+	c.ResponseOk()
+}
--- a/controllers/token.go
+++ b/controllers/token.go
@ -39,13 +39,30 @@ func (c *ApiController) GetTokens() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+	organization := c.Input().Get("organization")
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetTokens(owner)
+		token, err := object.GetTokens(owner, organization)
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = token
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetTokenCount(owner, field, value)))
-		tokens := object.GetPaginationTokens(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		count, err := object.GetTokenCount(owner, organization, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		tokens, err := object.GetPaginationTokens(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(tokens, paginator.Nums())
 	}
 }
@ -59,8 +76,12 @@ func (c *ApiController) GetTokens() {
 // @router /get-token [get]
 func (c *ApiController) GetToken() {
 	id := c.Input().Get("id")
+	token, err := object.GetToken(id)
+	if err != nil {
+		panic(err)
+	}

-	c.Data["json"] = object.GetToken(id)
+	c.Data["json"] = token
 	c.ServeJSON()
 }

@ -124,40 +145,6 @@ func (c *ApiController) DeleteToken() {
 	c.ServeJSON()
 }

-// GetOAuthCode
-// @Title GetOAuthCode
-// @Tag Token API
-// @Description get OAuth code
-// @Param   user_id     query    string  true        "The id ( owner/name ) of user"
-// @Param   client_id     query    string  true        "OAuth client id"
-// @Param   response_type     query    string  true        "OAuth response type"
-// @Param   redirect_uri     query    string  true        "OAuth redirect URI"
-// @Param   scope     query    string  true        "OAuth scope"
-// @Param   state     query    string  true        "OAuth state"
-// @Success 200 {object} object.TokenWrapper The Response object
-// @router /login/oauth/code [post]
-func (c *ApiController) GetOAuthCode() {
-	userId := c.Input().Get("user_id")
-	clientId := c.Input().Get("client_id")
-	responseType := c.Input().Get("response_type")
-	redirectUri := c.Input().Get("redirect_uri")
-	scope := c.Input().Get("scope")
-	state := c.Input().Get("state")
-	nonce := c.Input().Get("nonce")
-
-	challengeMethod := c.Input().Get("code_challenge_method")
-	codeChallenge := c.Input().Get("code_challenge")
-
-	if challengeMethod != "S256" && challengeMethod != "null" && challengeMethod != "" {
-		c.ResponseError(c.T("auth:Challenge method should be S256"))
-		return
-	}
-	host := c.Ctx.Request.Host
-
-	c.Data["json"] = object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, host, c.GetAcceptLanguage())
-	c.ServeJSON()
-}
-
 // GetOAuthToken
 // @Title GetOAuthToken
 // @Tag Token API
@ -204,8 +191,12 @@ func (c *ApiController) GetOAuthToken() {
 		}
 	}
 	host := c.Ctx.Request.Host
+	oAuthtoken, err := object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, username, password, host, refreshToken, tag, avatar, c.GetAcceptLanguage())
+	if err != nil {
+		panic(err)
+	}

-	c.Data["json"] = object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, username, password, host, refreshToken, tag, avatar, c.GetAcceptLanguage())
+	c.Data["json"] = oAuthtoken
 	c.SetTokenErrorHttpStatus()
 	c.ServeJSON()
 }
@ -243,7 +234,12 @@ func (c *ApiController) RefreshToken() {
 		}
 	}

-	c.Data["json"] = object.RefreshToken(grantType, refreshToken, scope, clientId, clientSecret, host)
+	refreshToken2, err := object.RefreshToken(grantType, refreshToken, scope, clientId, clientSecret, host)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = refreshToken2
 	c.SetTokenErrorHttpStatus()
 	c.ServeJSON()
 }
@ -278,7 +274,11 @@ func (c *ApiController) IntrospectToken() {
 			return
 		}
 	}
-	application := object.GetApplicationByClientId(clientId)
+	application, err := object.GetApplicationByClientId(clientId)
+	if err != nil {
+		panic(err)
+	}
+
 	if application == nil || application.ClientSecret != clientSecret {
 		c.ResponseError(c.T("token:Invalid application or wrong clientSecret"))
 		c.Data["json"] = &object.TokenError{
@ -287,7 +287,11 @@ func (c *ApiController) IntrospectToken() {
 		c.SetTokenErrorHttpStatus()
 		return
 	}
-	token := object.GetTokenByTokenAndApplication(tokenValue, application.Name)
+	token, err := object.GetTokenByTokenAndApplication(tokenValue, application.Name)
+	if err != nil {
+		panic(err)
+	}
+
 	if token == nil {
 		c.Data["json"] = &object.IntrospectionResponse{Active: false}
 		c.ServeJSON()
--- a/controllers/user.go
+++ b/controllers/user.go
@ -37,14 +37,36 @@ func (c *ApiController) GetGlobalUsers() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetMaskedUsers(object.GetGlobalUsers())
+		maskedUsers, err := object.GetMaskedUsers(object.GetGlobalUsers())
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = maskedUsers
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetGlobalUserCount(field, value)))
-		users := object.GetPaginationGlobalUsers(paginator.Offset(), limit, field, value, sortField, sortOrder)
-		users = object.GetMaskedUsers(users)
+		count, err := object.GetGlobalUserCount(field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		users, err := object.GetPaginationGlobalUsers(paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		users, err = object.GetMaskedUsers(users)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(users, paginator.Nums())
 	}
 }
@ -58,20 +80,53 @@ func (c *ApiController) GetGlobalUsers() {
 // @router /get-users [get]
 func (c *ApiController) GetUsers() {
 	owner := c.Input().Get("owner")
+	groupId := c.Input().Get("groupId")
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
 	field := c.Input().Get("field")
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetMaskedUsers(object.GetUsers(owner))
+		if groupId != "" {
+			maskedUsers, err := object.GetMaskedUsers(object.GetUsersByGroup(groupId))
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+			c.ResponseOk(maskedUsers)
+			return
+		}
+
+		maskedUsers, err := object.GetMaskedUsers(object.GetUsers(owner))
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = maskedUsers
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetUserCount(owner, field, value)))
-		users := object.GetPaginationUsers(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
-		users = object.GetMaskedUsers(users)
+		count, err := object.GetUserCount(owner, field, value, groupId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		users, err := object.GetPaginationUsers(owner, paginator.Offset(), limit, field, value, sortField, sortOrder, groupId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		users, err = object.GetMaskedUsers(users)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(users, paginator.Nums())
 	}
 }
@ -80,7 +135,7 @@ func (c *ApiController) GetUsers() {
 // @Title GetUser
 // @Tag User API
 // @Description get user
-// @Param   id     query    string  true        "The id ( owner/name ) of the user"
+// @Param   id     query    string  false        "The id ( owner/name ) of the user"
 // @Param   owner  query    string  false        "The owner of the user"
 // @Param   email  query    string  false 	     "The email of the user"
 // @Param   phone  query    string  false 	     "The phone of the user"
@ -92,13 +147,27 @@ func (c *ApiController) GetUser() {
 	email := c.Input().Get("email")
 	phone := c.Input().Get("phone")
 	userId := c.Input().Get("userId")
-
 	owner := c.Input().Get("owner")
+	var err error
+	var userFromUserId *object.User
+	if userId != "" && owner != "" {
+		userFromUserId, err = object.GetUserByUserId(owner, userId)
+		if err != nil {
+			panic(err)
+		}
+
+		id = util.GetId(userFromUserId.Owner, userFromUserId.Name)
+	}
+
 	if owner == "" {
 		owner = util.GetOwnerFromId(id)
 	}

-	organization := object.GetOrganization(fmt.Sprintf("%s/%s", "admin", owner))
+	organization, err := object.GetOrganization(util.GetId("admin", owner))
+	if err != nil {
+		panic(err)
+	}
+
 	if !organization.IsProfilePublic {
 		requestUserId := c.GetSessionUsername()
 		hasPermission, err := object.CheckUserPermission(requestUserId, id, false, c.GetAcceptLanguage())
@ -111,18 +180,30 @@ func (c *ApiController) GetUser() {
 	var user *object.User
 	switch {
 	case email != "":
-		user = object.GetUserByEmail(owner, email)
+		user, err = object.GetUserByEmail(owner, email)
 	case phone != "":
-		user = object.GetUserByPhone(owner, phone)
+		user, err = object.GetUserByPhone(owner, phone)
 	case userId != "":
-		user = object.GetUserByUserId(owner, userId)
+		user = userFromUserId
 	default:
-		user = object.GetUser(id)
+		user, err = object.GetUser(id)
 	}

-	object.ExtendUserWithRolesAndPermissions(user)
+	if err != nil {
+		panic(err)
+	}

-	c.Data["json"] = object.GetMaskedUser(user)
+	err = object.ExtendUserWithRolesAndPermissions(user)
+	if err != nil {
+		panic(err)
+	}
+
+	maskedUser, err := object.GetMaskedUser(user)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = maskedUser
 	c.ServeJSON()
 }

@ -152,17 +233,29 @@ func (c *ApiController) UpdateUser() {
 			return
 		}
 	}
-	oldUser := object.GetUser(id)
+	oldUser, err := object.GetUser(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	if oldUser == nil {
 		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), id))
 		return
 	}

+	if oldUser.Owner == "built-in" && oldUser.Name == "admin" && (user.Owner != "built-in" || user.Name != "admin") {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
 	if msg := object.CheckUpdateUser(oldUser, &user, c.GetAcceptLanguage()); msg != "" {
 		c.ResponseError(msg)
 		return
 	}
-	if pass, err := checkPermissionForUpdateUser(oldUser, &user, c); !pass {
+
+	isAdmin := c.IsAdmin()
+	if pass, err := object.CheckPermissionForUpdateUser(oldUser, &user, isAdmin, c.GetAcceptLanguage()); !pass {
 		c.ResponseError(err)
 		return
 	}
@ -172,11 +265,18 @@ func (c *ApiController) UpdateUser() {
 		columns = strings.Split(columnsStr, ",")
 	}

-	isGlobalAdmin := c.IsGlobalAdmin()
+	affected, err := object.UpdateUser(id, &user, columns, isAdmin)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

-	affected := object.UpdateUser(id, &user, columns, isGlobalAdmin)
 	if affected {
-		object.UpdateUserToOriginalDatabase(&user)
+		err = object.UpdateUserToOriginalDatabase(&user)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 	}

 	c.Data["json"] = wrapActionResponse(affected)
@ -198,8 +298,13 @@ func (c *ApiController) AddUser() {
 		return
 	}

-	count := object.GetUserCount("", "", "")
-	if err := checkQuotaForUser(count); err != nil {
+	count, err := object.GetUserCount("", "", "", "")
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if err := checkQuotaForUser(int(count)); err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
@ -229,6 +334,11 @@ func (c *ApiController) DeleteUser() {
 		return
 	}

+	if user.Owner == "built-in" && user.Name == "admin" {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
 	c.Data["json"] = wrapActionResponse(object.DeleteUser(&user))
 	c.ServeJSON()
 }
@ -245,7 +355,12 @@ func (c *ApiController) GetEmailAndPhone() {
 	organization := c.Ctx.Request.Form.Get("organization")
 	username := c.Ctx.Request.Form.Get("username")

-	user := object.GetUserByFields(organization, username)
+	user, err := object.GetUserByFields(organization, username)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	if user == nil {
 		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), util.GetId(organization, username)))
 		return
@ -286,6 +401,11 @@ func (c *ApiController) SetPassword() {
 	newPassword := c.Ctx.Request.Form.Get("newPassword")
 	code := c.Ctx.Request.Form.Get("code")

+	//if userOwner == "built-in" && userName == "admin" {
+	//	c.ResponseError(c.T("auth:Unauthorized operation"))
+	//	return
+	//}
+
 	if strings.Contains(newPassword, " ") {
 		c.ResponseError(c.T("user:New password cannot contain blank space."))
 		return
@ -314,7 +434,11 @@ func (c *ApiController) SetPassword() {
 		c.SetSession("verifiedCode", "")
 	}

-	targetUser := object.GetUser(userId)
+	targetUser, err := object.GetUser(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

 	if oldPassword != "" {
 		msg := object.CheckPassword(targetUser, oldPassword, c.GetAcceptLanguage())
@ -325,7 +449,12 @@ func (c *ApiController) SetPassword() {
 	}

 	targetUser.Password = newPassword
-	object.SetUserField(targetUser, "password", targetUser.Password)
+	_, err = object.SetUserField(targetUser, "password", targetUser.Password)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	c.ResponseOk()
 }

@ -363,7 +492,12 @@ func (c *ApiController) GetSortedUsers() {
 	sorter := c.Input().Get("sorter")
 	limit := util.ParseInt(c.Input().Get("limit"))

-	c.Data["json"] = object.GetMaskedUsers(object.GetSortedUsers(owner, sorter, limit))
+	maskedUsers, err := object.GetMaskedUsers(object.GetSortedUsers(owner, sorter, limit))
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = maskedUsers
 	c.ServeJSON()
 }

@ -379,11 +513,16 @@ func (c *ApiController) GetUserCount() {
 	owner := c.Input().Get("owner")
 	isOnline := c.Input().Get("isOnline")

-	count := 0
+	var count int64
+	var err error
 	if isOnline == "" {
-		count = object.GetUserCount(owner, "", "")
+		count, err = object.GetUserCount(owner, "", "", "")
 	} else {
-		count = object.GetOnlineUserCount(owner, util.ParseInt(isOnline))
+		count, err = object.GetOnlineUserCount(owner, util.ParseInt(isOnline))
+	}
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = count
--- a/controllers/user_upload.go
+++ b/controllers/user_upload.go
@ -57,7 +57,12 @@ func (c *ApiController) UploadUsers() {
 		return
 	}

-	affected := object.UploadUsers(owner, fileId)
+	affected, err := object.UploadUsers(owner, fileId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	if affected {
 		c.ResponseOk()
 	} else {
--- a/controllers/user_util.go
+++ b/controllers/user_util.go
@ -1,138 +0,0 @@
-// Copyright 2023 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-
-	"github.com/casdoor/casdoor/object"
-)
-
-func checkPermissionForUpdateUser(oldUser, newUser *object.User, c *ApiController) (bool, string) {
-	organization := object.GetOrganizationByUser(oldUser)
-	var itemsChanged []*object.AccountItem
-
-	if oldUser.Owner != newUser.Owner {
-		item := object.GetAccountItemByName("Organization", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.Name != newUser.Name {
-		item := object.GetAccountItemByName("Name", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.Id != newUser.Id {
-		item := object.GetAccountItemByName("ID", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.DisplayName != newUser.DisplayName {
-		item := object.GetAccountItemByName("Display name", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.Avatar != newUser.Avatar {
-		item := object.GetAccountItemByName("Avatar", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.Type != newUser.Type {
-		item := object.GetAccountItemByName("User type", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	// The password is *** when not modified
-	if oldUser.Password != newUser.Password && newUser.Password != "***" {
-		item := object.GetAccountItemByName("Password", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.Email != newUser.Email {
-		item := object.GetAccountItemByName("Email", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.Phone != newUser.Phone {
-		item := object.GetAccountItemByName("Phone", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.CountryCode != newUser.CountryCode {
-		item := object.GetAccountItemByName("Country code", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.Region != newUser.Region {
-		item := object.GetAccountItemByName("Country/Region", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.Location != newUser.Location {
-		item := object.GetAccountItemByName("Location", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.Affiliation != newUser.Affiliation {
-		item := object.GetAccountItemByName("Affiliation", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.Title != newUser.Title {
-		item := object.GetAccountItemByName("Title", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.Homepage != newUser.Homepage {
-		item := object.GetAccountItemByName("Homepage", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.Bio != newUser.Bio {
-		item := object.GetAccountItemByName("Bio", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.Tag != newUser.Tag {
-		item := object.GetAccountItemByName("Tag", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.SignupApplication != newUser.SignupApplication {
-		item := object.GetAccountItemByName("Signup application", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-
-	oldUserPropertiesJson, _ := json.Marshal(oldUser.Properties)
-	newUserPropertiesJson, _ := json.Marshal(newUser.Properties)
-	if string(oldUserPropertiesJson) != string(newUserPropertiesJson) {
-		item := object.GetAccountItemByName("Properties", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-
-	if oldUser.IsAdmin != newUser.IsAdmin {
-		item := object.GetAccountItemByName("Is admin", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.IsGlobalAdmin != newUser.IsGlobalAdmin {
-		item := object.GetAccountItemByName("Is global admin", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.IsForbidden != newUser.IsForbidden {
-		item := object.GetAccountItemByName("Is forbidden", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-	if oldUser.IsDeleted != newUser.IsDeleted {
-		item := object.GetAccountItemByName("Is deleted", organization)
-		itemsChanged = append(itemsChanged, item)
-	}
-
-	currentUser := c.getCurrentUser()
-	if currentUser == nil && c.IsGlobalAdmin() {
-		currentUser = &object.User{
-			IsGlobalAdmin: true,
-		}
-	}
-
-	for i := range itemsChanged {
-		if pass, err := object.CheckAccountItemModifyRule(itemsChanged[i], currentUser, c.GetAcceptLanguage()); !pass {
-			return pass, err
-		}
-	}
-	return true, ""
-}
--- a/controllers/util.go
+++ b/controllers/util.go
@ -16,7 +16,6 @@ package controllers

 import (
 	"fmt"
-	"strconv"

 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/i18n"
@ -93,7 +92,11 @@ func (c *ApiController) RequireSignedInUser() (*object.User, bool) {
 		return nil, false
 	}

-	user := object.GetUser(userId)
+	user, err := object.GetUser(userId)
+	if err != nil {
+		panic(err)
+	}
+
 	if user == nil {
 		c.ClearUserSession()
 		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
@ -115,43 +118,67 @@ func (c *ApiController) RequireAdmin() (string, bool) {
 	return user.Owner, true
 }

-func getInitScore(organization *object.Organization) (int, error) {
-	if organization != nil {
-		return organization.InitScore, nil
-	} else {
-		return strconv.Atoi(conf.GetConfigString("initScore"))
+// IsMaskedEnabled ...
+func (c *ApiController) IsMaskedEnabled() (bool, bool) {
+	isMaskEnabled := true
+	withSecret := c.Input().Get("withSecret")
+	if withSecret == "1" {
+		isMaskEnabled = false
+
+		if conf.IsDemoMode() {
+			c.ResponseError(c.T("general:this operation is not allowed in demo mode"))
+			return false, isMaskEnabled
+		}
+
+		_, ok := c.RequireAdmin()
+		if !ok {
+			return false, isMaskEnabled
+		}
 	}
+
+	return true, isMaskEnabled
 }

-func (c *ApiController) GetProviderFromContext(category string) (*object.Provider, *object.User, bool) {
+func (c *ApiController) GetProviderFromContext(category string) (*object.Provider, error) {
 	providerName := c.Input().Get("provider")
 	if providerName != "" {
-		provider := object.GetProvider(util.GetId("admin", providerName))
-		if provider == nil {
-			c.ResponseError(c.T("util:The provider: %s is not found"), providerName)
-			return nil, nil, false
+		provider, err := object.GetProvider(util.GetId("admin", providerName))
+		if err != nil {
+			return nil, err
 		}
-		return provider, nil, true
+
+		if provider == nil {
+			err = fmt.Errorf(c.T("util:The provider: %s is not found"), providerName)
+			return nil, err
+		}
+
+		return provider, nil
 	}

 	userId, ok := c.RequireSignedIn()
 	if !ok {
-		return nil, nil, false
+		return nil, fmt.Errorf(c.T("general:Please login first"))
+	}
+
+	application, err := object.GetApplicationByUserId(userId)
+	if err != nil {
+		return nil, err
 	}

-	application, user := object.GetApplicationByUserId(userId)
 	if application == nil {
-		c.ResponseError(fmt.Sprintf(c.T("util:No application is found for userId: %s"), userId))
-		return nil, nil, false
+		return nil, fmt.Errorf(c.T("util:No application is found for userId: %s"), userId)
+	}
+
+	provider, err := application.GetProviderByCategory(category)
+	if err != nil {
+		return nil, err
 	}

-	provider := application.GetProviderByCategory(category)
 	if provider == nil {
-		c.ResponseError(fmt.Sprintf(c.T("util:No provider for category: %s is found for application: %s"), category, application.Name))
-		return nil, nil, false
+		return nil, fmt.Errorf(c.T("util:No provider for category: %s is found for application: %s"), category, application.Name)
 	}

-	return provider, user, true
+	return provider, nil
 }

 func checkQuotaForApplication(count int) error {
--- a/controllers/verification.go
+++ b/controllers/verification.go
@ -21,71 +21,43 @@ import (
 	"strings"

 	"github.com/casdoor/casdoor/captcha"
+	"github.com/casdoor/casdoor/form"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )

 const (
-	SignupVerification = "signup"
-	ResetVerification  = "reset"
-	LoginVerification  = "login"
-	ForgetVerification = "forget"
+	SignupVerification   = "signup"
+	ResetVerification    = "reset"
+	LoginVerification    = "login"
+	ForgetVerification   = "forget"
+	MfaSetupVerification = "mfaSetup"
+	MfaAuthVerification  = "mfaAuth"
 )

-func (c *ApiController) getCurrentUser() *object.User {
-	var user *object.User
-	userId := c.GetSessionUsername()
-	if userId == "" {
-		user = nil
-	} else {
-		user = object.GetUser(userId)
-	}
-	return user
-}
-
 // SendVerificationCode ...
 // @Title SendVerificationCode
 // @Tag Verification API
 // @router /send-verification-code [post]
 func (c *ApiController) SendVerificationCode() {
-	destType := c.Ctx.Request.Form.Get("type")
-	dest := c.Ctx.Request.Form.Get("dest")
-	countryCode := c.Ctx.Request.Form.Get("countryCode")
-	checkType := c.Ctx.Request.Form.Get("checkType")
-	clientSecret := c.Ctx.Request.Form.Get("clientSecret")
-	captchaToken := c.Ctx.Request.Form.Get("captchaToken")
-	applicationId := c.Ctx.Request.Form.Get("applicationId")
-	method := c.Ctx.Request.Form.Get("method")
-	checkUser := c.Ctx.Request.Form.Get("checkUser")
+	var vform form.VerificationForm
+	err := c.ParseForm(&vform)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 	remoteAddr := util.GetIPFromRequest(c.Ctx.Request)

-	if dest == "" {
-		c.ResponseError(c.T("general:Missing parameter") + ": dest.")
-		return
-	}
-	if applicationId == "" {
-		c.ResponseError(c.T("general:Missing parameter") + ": applicationId.")
-		return
-	}
-	if checkType == "" {
-		c.ResponseError(c.T("general:Missing parameter") + ": checkType.")
-		return
-	}
-	if !strings.Contains(applicationId, "/") {
-		c.ResponseError(c.T("verification:Wrong parameter") + ": applicationId.")
+	if msg := vform.CheckParameter(form.SendVerifyCode, c.GetAcceptLanguage()); msg != "" {
+		c.ResponseError(msg)
 		return
 	}

-	if checkType != "none" {
-		if captchaToken == "" {
-			c.ResponseError(c.T("general:Missing parameter") + ": captchaToken.")
+	if vform.CaptchaType != "none" {
+		if captchaProvider := captcha.GetCaptchaProvider(vform.CaptchaType); captchaProvider == nil {
+			c.ResponseError(c.T("general:don't support captchaProvider: ") + vform.CaptchaType)
 			return
-		}
-
-		if captchaProvider := captcha.GetCaptchaProvider(checkType); captchaProvider == nil {
-			c.ResponseError(c.T("general:don't support captchaProvider: ") + checkType)
-			return
-		} else if isHuman, err := captchaProvider.VerifyCaptcha(captchaToken, clientSecret); err != nil {
+		} else if isHuman, err := captchaProvider.VerifyCaptcha(vform.CaptchaToken, vform.ClientSecret); err != nil {
 			c.ResponseError(err.Error())
 			return
 		} else if !isHuman {
@ -94,8 +66,17 @@ func (c *ApiController) SendVerificationCode() {
 		}
 	}

-	application := object.GetApplication(applicationId)
-	organization := object.GetOrganization(util.GetId(application.Owner, application.Organization))
+	application, err := object.GetApplication(vform.ApplicationId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	organization, err := object.GetOrganization(util.GetId(application.Owner, application.Organization))
+	if err != nil {
+		c.ResponseError(c.T(err.Error()))
+	}
+
 	if organization == nil {
 		c.ResponseError(c.T("check:Organization does not exist"))
 		return
@ -103,63 +84,111 @@ func (c *ApiController) SendVerificationCode() {

 	var user *object.User
 	// checkUser != "", means method is ForgetVerification
-	if checkUser != "" {
+	if vform.CheckUser != "" {
 		owner := application.Organization
-		user = object.GetUser(util.GetId(owner, checkUser))
+		user, err = object.GetUser(util.GetId(owner, vform.CheckUser))
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	}
+
+	// mfaSessionData != nil, means method is MfaSetupVerification
+	if mfaSessionData := c.getMfaSessionData(); mfaSessionData != nil {
+		user, err = object.GetUser(mfaSessionData.UserId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 	}

 	sendResp := errors.New("invalid dest type")

-	switch destType {
+	switch vform.Type {
 	case object.VerifyTypeEmail:
-		if !util.IsEmailValid(dest) {
+		if !util.IsEmailValid(vform.Dest) {
 			c.ResponseError(c.T("check:Email is invalid"))
 			return
 		}

-		if method == LoginVerification || method == ForgetVerification {
-			if user != nil && util.GetMaskedEmail(user.Email) == dest {
-				dest = user.Email
+		if vform.Method == LoginVerification || vform.Method == ForgetVerification {
+			if user != nil && util.GetMaskedEmail(user.Email) == vform.Dest {
+				vform.Dest = user.Email
+			}
+
+			user, err = object.GetUserByEmail(organization.Name, vform.Dest)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
 			}

-			user = object.GetUserByEmail(organization.Name, dest)
 			if user == nil {
 				c.ResponseError(c.T("verification:the user does not exist, please sign up first"))
 				return
 			}
-		} else if method == ResetVerification {
+		} else if vform.Method == ResetVerification {
 			user = c.getCurrentUser()
+		} else if vform.Method == MfaAuthVerification {
+			mfaProps := user.GetPreferMfa(false)
+			if user != nil && util.GetMaskedEmail(mfaProps.Secret) == vform.Dest {
+				vform.Dest = mfaProps.Secret
+			}
 		}

-		provider := application.GetEmailProvider()
-		sendResp = object.SendVerificationCodeToEmail(organization, user, provider, remoteAddr, dest)
+		provider, err := application.GetEmailProvider()
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		sendResp = object.SendVerificationCodeToEmail(organization, user, provider, remoteAddr, vform.Dest)
 	case object.VerifyTypePhone:
-		if method == LoginVerification || method == ForgetVerification {
-			if user != nil && util.GetMaskedPhone(user.Phone) == dest {
-				dest = user.Phone
+		if vform.Method == LoginVerification || vform.Method == ForgetVerification {
+			if user != nil && util.GetMaskedPhone(user.Phone) == vform.Dest {
+				vform.Dest = user.Phone
 			}

-			if user = object.GetUserByPhone(organization.Name, dest); user == nil {
+			if user, err = object.GetUserByPhone(organization.Name, vform.Dest); err != nil {
+				c.ResponseError(err.Error())
+				return
+			} else if user == nil {
 				c.ResponseError(c.T("verification:the user does not exist, please sign up first"))
 				return
 			}

-			countryCode = user.GetCountryCode(countryCode)
-		} else if method == ResetVerification {
+			vform.CountryCode = user.GetCountryCode(vform.CountryCode)
+		} else if vform.Method == ResetVerification {
 			if user = c.getCurrentUser(); user != nil {
-				countryCode = user.GetCountryCode(countryCode)
+				vform.CountryCode = user.GetCountryCode(vform.CountryCode)
 			}
+		} else if vform.Method == MfaAuthVerification {
+			mfaProps := user.GetPreferMfa(false)
+			if user != nil && util.GetMaskedPhone(mfaProps.Secret) == vform.Dest {
+				vform.Dest = mfaProps.Secret
+			}
+
+			vform.CountryCode = mfaProps.CountryCode
 		}

-		provider := application.GetSmsProvider()
-		if phone, ok := util.GetE164Number(dest, countryCode); !ok {
-			c.ResponseError(fmt.Sprintf(c.T("verification:Phone number is invalid in your region %s"), countryCode))
+		provider, err := application.GetSmsProvider()
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if phone, ok := util.GetE164Number(vform.Dest, vform.CountryCode); !ok {
+			c.ResponseError(fmt.Sprintf(c.T("verification:Phone number is invalid in your region %s"), vform.CountryCode))
 			return
 		} else {
 			sendResp = object.SendVerificationCodeToPhone(organization, user, provider, remoteAddr, phone)
 		}
 	}

+	if vform.Method == MfaSetupVerification {
+		c.SetSession(object.MfaSmsCountryCodeSession, vform.CountryCode)
+		c.SetSession(object.MfaSmsDestSession, vform.Dest)
+	}
+
 	if sendResp != nil {
 		c.ResponseError(sendResp.Error())
 	} else {
@ -167,6 +196,38 @@ func (c *ApiController) SendVerificationCode() {
 	}
 }

+// VerifyCaptcha ...
+// @Title VerifyCaptcha
+// @Tag Verification API
+// @router /verify-captcha [post]
+func (c *ApiController) VerifyCaptcha() {
+	var vform form.VerificationForm
+	err := c.ParseForm(&vform)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if msg := vform.CheckParameter(form.VerifyCaptcha, c.GetAcceptLanguage()); msg != "" {
+		c.ResponseError(msg)
+		return
+	}
+
+	provider := captcha.GetCaptchaProvider(vform.CaptchaType)
+	if provider == nil {
+		c.ResponseError(c.T("verification:Invalid captcha provider."))
+		return
+	}
+
+	isValid, err := provider.VerifyCaptcha(vform.CaptchaToken, vform.ClientSecret)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(isValid)
+}
+
 // ResetEmailOrPhone ...
 // @Tag Account API
 // @Title ResetEmailOrPhone
@ -187,7 +248,12 @@ func (c *ApiController) ResetEmailOrPhone() {
 	}

 	checkDest := dest
-	organization := object.GetOrganizationByUser(user)
+	organization, err := object.GetOrganizationByUser(user)
+	if err != nil {
+		c.ResponseError(c.T(err.Error()))
+		return
+	}
+
 	if destType == object.VerifyTypePhone {
 		if object.HasUserByField(user.Owner, "phone", dest) {
 			c.ResponseError(c.T("check:Phone already exists"))
@ -200,7 +266,7 @@ func (c *ApiController) ResetEmailOrPhone() {
 			return
 		}

-		if pass, errMsg := object.CheckAccountItemModifyRule(phoneItem, user, c.GetAcceptLanguage()); !pass {
+		if pass, errMsg := object.CheckAccountItemModifyRule(phoneItem, user.IsAdminUser(), c.GetAcceptLanguage()); !pass {
 			c.ResponseError(errMsg)
 			return
 		}
@ -220,11 +286,12 @@ func (c *ApiController) ResetEmailOrPhone() {
 			return
 		}

-		if pass, errMsg := object.CheckAccountItemModifyRule(emailItem, user, c.GetAcceptLanguage()); !pass {
+		if pass, errMsg := object.CheckAccountItemModifyRule(emailItem, user.IsAdminUser(), c.GetAcceptLanguage()); !pass {
 			c.ResponseError(errMsg)
 			return
 		}
 	}
+
 	if result := object.CheckVerificationCode(checkDest, code, c.GetAcceptLanguage()); result.Code != object.VerificationSuccess {
 		c.ResponseError(result.Msg)
 		return
@ -233,102 +300,89 @@ func (c *ApiController) ResetEmailOrPhone() {
 	switch destType {
 	case object.VerifyTypeEmail:
 		user.Email = dest
-		object.SetUserField(user, "email", user.Email)
+		_, err = object.SetUserField(user, "email", user.Email)
 	case object.VerifyTypePhone:
 		user.Phone = dest
-		object.SetUserField(user, "phone", user.Phone)
+		_, err = object.SetUserField(user, "phone", user.Phone)
 	default:
 		c.ResponseError(c.T("verification:Unknown type"))
 		return
 	}
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	err = object.DisableVerificationCode(checkDest)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

-	object.DisableVerificationCode(checkDest)
 	c.ResponseOk()
 }

 // VerifyCode
-// @Tag Account API
+// @Tag Verification API
 // @Title VerifyCode
 // @router /api/verify-code [post]
 func (c *ApiController) VerifyCode() {
-	var form RequestForm
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &form)
+	var authForm form.AuthForm
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &authForm)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

 	var user *object.User
-	if form.Name != "" {
-		user = object.GetUserByFields(form.Organization, form.Name)
-	}
-
-	var checkDest string
-	if strings.Contains(form.Username, "@") {
-		if user != nil && util.GetMaskedEmail(user.Email) == form.Username {
-			form.Username = user.Email
-		}
-		checkDest = form.Username
-	} else {
-		if user != nil && util.GetMaskedPhone(user.Phone) == form.Username {
-			form.Username = user.Phone
-		}
-	}
-
-	if user = object.GetUserByFields(form.Organization, form.Username); user == nil {
-		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), util.GetId(form.Organization, form.Username)))
-		return
-	}
-
-	verificationCodeType := object.GetVerifyType(form.Username)
-	if verificationCodeType == object.VerifyTypePhone {
-		form.CountryCode = user.GetCountryCode(form.CountryCode)
-		var ok bool
-		if checkDest, ok = util.GetE164Number(form.Username, form.CountryCode); !ok {
-			c.ResponseError(fmt.Sprintf(c.T("verification:Phone number is invalid in your region %s"), form.CountryCode))
+	if authForm.Name != "" {
+		user, err = object.GetUserByFields(authForm.Organization, authForm.Name)
+		if err != nil {
+			c.ResponseError(err.Error())
 			return
 		}
 	}

-	if result := object.CheckVerificationCode(checkDest, form.Code, c.GetAcceptLanguage()); result.Code != object.VerificationSuccess {
+	var checkDest string
+	if strings.Contains(authForm.Username, "@") {
+		if user != nil && util.GetMaskedEmail(user.Email) == authForm.Username {
+			authForm.Username = user.Email
+		}
+		checkDest = authForm.Username
+	} else {
+		if user != nil && util.GetMaskedPhone(user.Phone) == authForm.Username {
+			authForm.Username = user.Phone
+		}
+	}
+
+	if user, err = object.GetUserByFields(authForm.Organization, authForm.Username); err != nil {
+		c.ResponseError(err.Error())
+		return
+	} else if user == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), util.GetId(authForm.Organization, authForm.Username)))
+		return
+	}
+
+	verificationCodeType := object.GetVerifyType(authForm.Username)
+	if verificationCodeType == object.VerifyTypePhone {
+		authForm.CountryCode = user.GetCountryCode(authForm.CountryCode)
+		var ok bool
+		if checkDest, ok = util.GetE164Number(authForm.Username, authForm.CountryCode); !ok {
+			c.ResponseError(fmt.Sprintf(c.T("verification:Phone number is invalid in your region %s"), authForm.CountryCode))
+			return
+		}
+	}
+
+	if result := object.CheckVerificationCode(checkDest, authForm.Code, c.GetAcceptLanguage()); result.Code != object.VerificationSuccess {
 		c.ResponseError(result.Msg)
 		return
 	}
-	object.DisableVerificationCode(checkDest)
-	c.SetSession("verifiedCode", form.Code)
-
-	c.ResponseOk()
-}
-
-// VerifyCaptcha ...
-// @Title VerifyCaptcha
-// @Tag Verification API
-// @router /verify-captcha [post]
-func (c *ApiController) VerifyCaptcha() {
-	captchaType := c.Ctx.Request.Form.Get("captchaType")
-
-	captchaToken := c.Ctx.Request.Form.Get("captchaToken")
-	clientSecret := c.Ctx.Request.Form.Get("clientSecret")
-	if captchaToken == "" {
-		c.ResponseError(c.T("general:Missing parameter") + ": captchaToken.")
-		return
-	}
-	if clientSecret == "" {
-		c.ResponseError(c.T("general:Missing parameter") + ": clientSecret.")
-		return
-	}
-
-	provider := captcha.GetCaptchaProvider(captchaType)
-	if provider == nil {
-		c.ResponseError(c.T("verification:Invalid captcha provider."))
-		return
-	}
-
-	isValid, err := provider.VerifyCaptcha(captchaToken, clientSecret)
+	err = object.DisableVerificationCode(checkDest)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
+	c.SetSession("verifiedCode", authForm.Code)

-	c.ResponseOk(isValid)
+	c.ResponseOk()
 }
--- a/controllers/webauthn.go
+++ b/controllers/webauthn.go
@ -19,6 +19,7 @@ import (
 	"fmt"
 	"io"

+	"github.com/casdoor/casdoor/form"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 	"github.com/go-webauthn/webauthn/protocol"
@ -32,7 +33,12 @@ import (
 // @Success 200 {object} protocol.CredentialCreation The CredentialCreationOptions object
 // @router /webauthn/signup/begin [get]
 func (c *ApiController) WebAuthnSignupBegin() {
-	webauthnObj := object.GetWebAuthnObject(c.Ctx.Request.Host)
+	webauthnObj, err := object.GetWebAuthnObject(c.Ctx.Request.Host)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	user := c.getCurrentUser()
 	if user == nil {
 		c.ResponseError(c.T("general:Please login first"))
@ -63,7 +69,12 @@ func (c *ApiController) WebAuthnSignupBegin() {
 // @Success 200 {object} Response "The Response object"
 // @router /webauthn/signup/finish [post]
 func (c *ApiController) WebAuthnSignupFinish() {
-	webauthnObj := object.GetWebAuthnObject(c.Ctx.Request.Host)
+	webauthnObj, err := object.GetWebAuthnObject(c.Ctx.Request.Host)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	user := c.getCurrentUser()
 	if user == nil {
 		c.ResponseError(c.T("general:Please login first"))
@ -83,7 +94,12 @@ func (c *ApiController) WebAuthnSignupFinish() {
 		return
 	}
 	isGlobalAdmin := c.IsGlobalAdmin()
-	user.AddCredentials(*credential, isGlobalAdmin)
+	_, err = user.AddCredentials(*credential, isGlobalAdmin)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	c.ResponseOk()
 }

@ -96,10 +112,20 @@ func (c *ApiController) WebAuthnSignupFinish() {
 // @Success 200 {object} protocol.CredentialAssertion The CredentialAssertion object
 // @router /webauthn/signin/begin [get]
 func (c *ApiController) WebAuthnSigninBegin() {
-	webauthnObj := object.GetWebAuthnObject(c.Ctx.Request.Host)
+	webauthnObj, err := object.GetWebAuthnObject(c.Ctx.Request.Host)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	userOwner := c.Input().Get("owner")
 	userName := c.Input().Get("name")
-	user := object.GetUserByFields(userOwner, userName)
+	user, err := object.GetUserByFields(userOwner, userName)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	if user == nil {
 		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), util.GetId(userOwner, userName)))
 		return
@ -128,7 +154,12 @@ func (c *ApiController) WebAuthnSigninBegin() {
 // @router /webauthn/signin/finish [post]
 func (c *ApiController) WebAuthnSigninFinish() {
 	responseType := c.Input().Get("responseType")
-	webauthnObj := object.GetWebAuthnObject(c.Ctx.Request.Host)
+	webauthnObj, err := object.GetWebAuthnObject(c.Ctx.Request.Host)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	sessionObj := c.GetSession("authentication")
 	sessionData, ok := sessionObj.(webauthn.SessionData)
 	if !ok {
@ -137,8 +168,13 @@ func (c *ApiController) WebAuthnSigninFinish() {
 	}
 	c.Ctx.Request.Body = io.NopCloser(bytes.NewBuffer(c.Ctx.Input.RequestBody))
 	userId := string(sessionData.UserID)
-	user := object.GetUser(userId)
-	_, err := webauthnObj.FinishLogin(user, sessionData, c.Ctx.Request)
+	user, err := object.GetUser(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	_, err = webauthnObj.FinishLogin(user, sessionData, c.Ctx.Request)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@ -146,10 +182,15 @@ func (c *ApiController) WebAuthnSigninFinish() {
 	c.SetSessionUsername(userId)
 	util.LogInfo(c.Ctx, "API: [%s] signed in", userId)

-	application := object.GetApplicationByUser(user)
-	var form RequestForm
-	form.Type = responseType
-	resp := c.HandleLoggedIn(application, user, &form)
+	application, err := object.GetApplicationByUser(user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	var authForm form.AuthForm
+	authForm.Type = responseType
+	resp := c.HandleLoggedIn(application, user, &authForm)
 	c.Data["json"] = resp
 	c.ServeJSON()
 }
--- a/controllers/webhook.go
+++ b/controllers/webhook.go
@ -37,13 +37,32 @@ func (c *ApiController) GetWebhooks() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+	organization := c.Input().Get("organization")
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetWebhooks(owner)
+		webhooks, err := object.GetWebhooks(owner, organization)
+		if err != nil {
+			panic(err)
+		}
+
+		c.Data["json"] = webhooks
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetWebhookCount(owner, field, value)))
-		webhooks := object.GetPaginationWebhooks(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		count, err := object.GetWebhookCount(owner, organization, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+
+		webhooks, err := object.GetPaginationWebhooks(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(webhooks, paginator.Nums())
 	}
 }
@ -58,7 +77,12 @@ func (c *ApiController) GetWebhooks() {
 func (c *ApiController) GetWebhook() {
 	id := c.Input().Get("id")

-	c.Data["json"] = object.GetWebhook(id)
+	webhook, err := object.GetWebhook(id)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = webhook
 	c.ServeJSON()
 }

--- a/form/auth.go
+++ b/form/auth.go
@ -0,0 +1,60 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package form
+
+type AuthForm struct {
+	Type string `json:"type"`
+
+	Organization string `json:"organization"`
+	Username     string `json:"username"`
+	Password     string `json:"password"`
+	Name         string `json:"name"`
+	FirstName    string `json:"firstName"`
+	LastName     string `json:"lastName"`
+	Email        string `json:"email"`
+	Phone        string `json:"phone"`
+	Affiliation  string `json:"affiliation"`
+	IdCard       string `json:"idCard"`
+	Region       string `json:"region"`
+
+	Application string `json:"application"`
+	ClientId    string `json:"clientId"`
+	Provider    string `json:"provider"`
+	Code        string `json:"code"`
+	State       string `json:"state"`
+	RedirectUri string `json:"redirectUri"`
+	Method      string `json:"method"`
+
+	EmailCode   string `json:"emailCode"`
+	PhoneCode   string `json:"phoneCode"`
+	CountryCode string `json:"countryCode"`
+
+	AutoSignin bool `json:"autoSignin"`
+
+	RelayState   string `json:"relayState"`
+	SamlRequest  string `json:"samlRequest"`
+	SamlResponse string `json:"samlResponse"`
+
+	CaptchaType  string `json:"captchaType"`
+	CaptchaToken string `json:"captchaToken"`
+	ClientSecret string `json:"clientSecret"`
+
+	MfaType      string `json:"mfaType"`
+	Passcode     string `json:"passcode"`
+	RecoveryCode string `json:"recoveryCode"`
+
+	Plan    string `json:"plan"`
+	Pricing string `json:"pricing"`
+}
--- a/form/verification.go
+++ b/form/verification.go
@ -0,0 +1,67 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package form
+
+import (
+	"strings"
+
+	"github.com/casdoor/casdoor/i18n"
+)
+
+type VerificationForm struct {
+	Dest          string `form:"dest"`
+	Type          string `form:"type"`
+	CountryCode   string `form:"countryCode"`
+	ApplicationId string `form:"applicationId"`
+	Method        string `form:"method"`
+	CheckUser     string `form:"checkUser"`
+
+	CaptchaType  string `form:"captchaType"`
+	ClientSecret string `form:"clientSecret"`
+	CaptchaToken string `form:"captchaToken"`
+}
+
+const (
+	SendVerifyCode = 0
+	VerifyCaptcha  = 1
+)
+
+func (form *VerificationForm) CheckParameter(checkType int, lang string) string {
+	if checkType == SendVerifyCode {
+		if form.Type == "" {
+			return i18n.Translate(lang, "general:Missing parameter") + ": type."
+		}
+		if form.Dest == "" {
+			return i18n.Translate(lang, "general:Missing parameter") + ": dest."
+		}
+		if form.CaptchaType == "" {
+			return i18n.Translate(lang, "general:Missing parameter") + ": checkType."
+		}
+		if !strings.Contains(form.ApplicationId, "/") {
+			return i18n.Translate(lang, "verification:Wrong parameter") + ": applicationId."
+		}
+	}
+
+	if form.CaptchaType != "none" {
+		if form.CaptchaToken == "" {
+			return i18n.Translate(lang, "general:Missing parameter") + ": captchaToken."
+		}
+		if form.ClientSecret == "" {
+			return i18n.Translate(lang, "general:Missing parameter") + ": clientSecret."
+		}
+	}
+
+	return ""
+}
--- a/go.mod
+++ b/go.mod
@ -8,8 +8,9 @@ require (
 	github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387
 	github.com/aliyun/alibaba-cloud-sdk-go v1.62.188 // indirect
 	github.com/aws/aws-sdk-go v1.44.4
-	github.com/beego/beego v1.12.11
+	github.com/beego/beego v1.12.12
 	github.com/beevik/etree v1.1.0
+	github.com/casbin/casbin v1.9.1 // indirect
 	github.com/casbin/casbin/v2 v2.30.1
 	github.com/casdoor/go-sms-sender v0.6.1
 	github.com/casdoor/gomail/v2 v2.0.1
@ -17,6 +18,8 @@ require (
 	github.com/casdoor/xorm-adapter/v3 v3.0.4
 	github.com/dchest/captcha v0.0.0-20200903113550-03f5f0333e1f
 	github.com/denisenkom/go-mssqldb v0.9.0
+	github.com/dlclark/regexp2 v1.9.0 // indirect
+	github.com/elazarl/go-bindata-assetfs v1.0.1 // indirect
 	github.com/fogleman/gg v1.3.0
 	github.com/forestmgy/ldapserver v1.1.0
 	github.com/go-git/go-git/v5 v5.6.0
@ -27,24 +30,32 @@ require (
 	github.com/go-webauthn/webauthn v0.6.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/uuid v1.3.0
+	github.com/gorilla/mux v1.7.3 // indirect
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
 	github.com/lestrrat-go/jwx v1.2.21
-	github.com/lib/pq v1.8.0
+	github.com/lib/pq v1.10.2
 	github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3
 	github.com/markbates/goth v1.75.2
 	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d // indirect
 	github.com/nyaruka/phonenumbers v1.1.5
+	github.com/pkoukk/tiktoken-go v0.1.1
+	github.com/plutov/paypal/v4 v4.7.0
+	github.com/prometheus/client_golang v1.11.1
+	github.com/prometheus/client_model v0.2.0
 	github.com/qiangmzsx/string-adapter/v2 v2.1.0
 	github.com/robfig/cron/v3 v3.0.1
-	github.com/russellhaering/gosaml2 v0.6.0
-	github.com/russellhaering/goxmldsig v1.1.1
+	github.com/russellhaering/gosaml2 v0.9.0
+	github.com/russellhaering/goxmldsig v1.2.0
+	github.com/sashabaranov/go-openai v1.9.1
 	github.com/satori/go.uuid v1.2.0
+	github.com/shiena/ansicolor v0.0.0-20200904210342-c7312218db18 // indirect
 	github.com/shirou/gopsutil v3.21.11+incompatible
 	github.com/siddontang/go-log v0.0.0-20190221022429-1e957dd83bed
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
-	github.com/stretchr/testify v1.8.1
+	github.com/stretchr/testify v1.8.2
 	github.com/tealeg/xlsx v1.0.5
 	github.com/thanhpk/randstr v1.0.4
 	github.com/tklauser/go-sysconf v0.3.10 // indirect
@ -52,10 +63,11 @@ require (
 	github.com/xorm-io/xorm v1.1.6
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
 	golang.org/x/crypto v0.6.0
-	golang.org/x/net v0.6.0
+	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
+	golang.org/x/net v0.7.0
 	golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0
-	gopkg.in/yaml.v2 v2.3.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	modernc.org/sqlite v1.10.1-0.20210314190707-798bbeb9bb84
 )
--- a/go.sum
+++ b/go.sum
@ -73,6 +73,7 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387 h1:loy0fjI90vF44BPW4ZYOkE3tDkGTy7yHURusOJimt+I=
 github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387/go.mod h1:GuR5j/NW7AU7tDAQUDGCtpiPxWIOy/c3kiRDnlwiCHc=
 github.com/alicebob/gopher-json v0.0.0-20180125190556-5a6b3ba71ee6/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
@ -92,8 +93,8 @@ github.com/aws/aws-sdk-go v1.44.4 h1:ePN0CVJMdiz2vYUcJH96eyxRrtKGSDMgyhP6rah2OgE
 github.com/aws/aws-sdk-go v1.44.4/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f h1:ZNv7On9kyUzm7fvRZumSyy/IUiSC7AzL0I1jKKtwooA=
 github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=
-github.com/beego/beego v1.12.11 h1:MWKcnpavb7iAIS0m6uuEq6pHKkYvGNw/5umIUKqL7jM=
-github.com/beego/beego v1.12.11/go.mod h1:QURFL1HldOcCZAxnc1cZ7wrplsYR5dKPHFjmk6WkLAs=
+github.com/beego/beego v1.12.12 h1:ARY1sNVSS23N0mEQIhSqRDTyyDlx95JY0V3GogBbZbQ=
+github.com/beego/beego v1.12.12/go.mod h1:QURFL1HldOcCZAxnc1cZ7wrplsYR5dKPHFjmk6WkLAs=
 github.com/beego/goyaml2 v0.0.0-20130207012346-5545475820dd/go.mod h1:1b+Y/CofkYwXMUU0OhQqGvsY2Bvgr4j6jfT699wyZKQ=
 github.com/beego/x2j v0.0.0-20131220205130-a0352aadc542/go.mod h1:kSeGC/p1AbBiEp5kat81+DSQrZenVBZXklMLaELspWU=
 github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
@ -106,8 +107,9 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bradfitz/gomemcache v0.0.0-20180710155616-bc664df96737/go.mod h1:PmM6Mmwb0LSuEubjR8N7PtNe1KxZLtOUHtbeikc5h60=
 github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/casbin/casbin v1.7.0 h1:PuzlE8w0JBg/DhIqnkF1Dewf3z+qmUZMVN07PonvVUQ=
 github.com/casbin/casbin v1.7.0/go.mod h1:c67qKN6Oum3UF5Q1+BByfFxkwKvhwW57ITjqwtzR1KE=
+github.com/casbin/casbin v1.9.1 h1:ucjbS5zTrmSLtH4XogqOG920Poe6QatdXtz1FEbApeM=
+github.com/casbin/casbin v1.9.1/go.mod h1:z8uPsfBJGUsnkagrt3G8QvjgTKFMBJ32UP8HpZllfog=
 github.com/casbin/casbin/v2 v2.1.0/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ=
 github.com/casbin/casbin/v2 v2.28.3/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRtgrQfcJqHg=
 github.com/casbin/casbin/v2 v2.30.1 h1:P5HWadDL7olwUXNdcuKUBk+x75Y2eitFxYTcLNKeKF0=
@ -161,12 +163,16 @@ github.com/denisenkom/go-mssqldb v0.9.0 h1:RSohk2RsiZqLZ0zCjtfn3S4Gp4exhpBWHyQ7D
 github.com/denisenkom/go-mssqldb v0.9.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/dlclark/regexp2 v1.8.1/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/dlclark/regexp2 v1.9.0 h1:pTK/l/3qYIKaRXuHnEnIf7Y5NxfRPfpb7dis6/gdlVI=
+github.com/dlclark/regexp2 v1.9.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/edsrzf/mmap-go v0.0.0-20170320065105-0bce6a688712/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=
 github.com/elastic/go-elasticsearch/v6 v6.8.5/go.mod h1:UwaDJsD3rWLM5rKNFzv9hgox93HoX8utj1kxD9aFUcI=
-github.com/elazarl/go-bindata-assetfs v1.0.0 h1:G/bYguwHIzWq9ZoyUQqrjTmJbbYn3j3CKKpKinvZLFk=
 github.com/elazarl/go-bindata-assetfs v1.0.0/go.mod h1:v+YaWX3bdea5J/mo8dSETolEo7R71Vk1u8bnjau5yw4=
+github.com/elazarl/go-bindata-assetfs v1.0.1 h1:m0kkaHRKEu7tUIUFVwhGGGYClXvyl4RE03qmvRTNfbw=
+github.com/elazarl/go-bindata-assetfs v1.0.1/go.mod h1:v+YaWX3bdea5J/mo8dSETolEo7R71Vk1u8bnjau5yw4=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@ -202,10 +208,12 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-ldap/ldap/v3 v3.3.0 h1:lwx+SJpgOHd8tG6SumBQZXCmNX51zM8B1cfxJ5gv4tQ=
 github.com/go-ldap/ldap/v3 v3.3.0/go.mod h1:iYS1MdmrmceOJ1QOTnRXrIs7i3kloqtmGQjRvjKpyMg=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-mysql-org/go-mysql v1.7.0 h1:qE5FTRb3ZeTQmlk3pjE+/m2ravGxxRDrVDTyDe9tvqI=
 github.com/go-mysql-org/go-mysql v1.7.0/go.mod h1:9cRWLtuXNKhamUPMkrDVzBhaomGvqLRLtBiyjvjc4pk=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
@ -270,8 +278,10 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/snappy v0.0.0-20170215233205-553a64147049/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
@ -289,6 +299,8 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI=
@ -318,8 +330,9 @@ github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5m
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
-github.com/gorilla/mux v1.6.2 h1:Pgr17XVTNXAk3q/r4CpKzC5xBM/qW1uVLV+IhRZpIIk=
 github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw=
+github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/pat v0.0.0-20180118222023-199c85a7f6d1 h1:LqbZZ9sNMWVjeXS4NN5oVvhMjDyLhmA1LG86oSo+IqY=
 github.com/gorilla/pat v0.0.0-20180118222023-199c85a7f6d1/go.mod h1:YeAe0gNeiNT5hoiZRI4yiOky6jVdNvfO2N6Kav/HmxY=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
@ -353,9 +366,9 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGw
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jmoiron/sqlx v1.3.3/go.mod h1:2BljVx/86SuTyjE+aPYlHCTNvZrnJXghYGpNiXLBMCQ=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
-github.com/jonboulle/clockwork v0.2.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
 github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
+github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@ -365,6 +378,7 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 h1:iQTw/8FWTuc7uiaSepXwyf3o52HaUYcV+Tu66S3F5GA=
 github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0/go.mod h1:1NbS8ALrpOvjt0rHPNLyCIeMtbizbir8U//inJ+zuB8=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
@ -374,6 +388,7 @@ github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
@ -405,8 +420,9 @@ github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmt
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.7.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lib/pq v1.8.0 h1:9xohqzkUwzR4Ga4ivdTcawVS89YSDVxXMa3xJX3cGzg=
 github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.10.2 h1:AqzbZs4ZoCBp+GtejcpCpcxM3zlSMx29dXbUSeVtJb8=
+github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3 h1:wIONC+HMNRqmWBjuMxhatuSzHaljStc4gjDeKycxy0A=
 github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3/go.mod h1:37YR9jabpiIxsb8X9VCIx8qFOjTDIIrIHHODa8C4gz0=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
@ -416,8 +432,8 @@ github.com/markbates/goth v1.75.2 h1:C7KloBMMk50JyXaHhzfqWYLW6+bDcSVIvUGHXneLWro
 github.com/markbates/goth v1.75.2/go.mod h1:X6xdNgpapSENS0O35iTBBcMHoJDQDfI9bJl+APCkYMc=
 github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
-github.com/mattermost/xml-roundtrip-validator v0.0.0-20201208211235-fe770d50d911 h1:erppMjjp69Rertg1zlgRbLJH1u+eCmRPxKjMZ5I8/Ro=
-github.com/mattermost/xml-roundtrip-validator v0.0.0-20201208211235-fe770d50d911/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
+github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
+github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
 github.com/mattn/go-ieproxy v0.0.1 h1:qiyop7gCflfhwCzGyeT0gro3sF9AIg9HU98JORTkqfI=
 github.com/mattn/go-ieproxy v0.0.1/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E=
 github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
@ -442,6 +458,7 @@ github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3Rllmb
 github.com/mrjones/oauth v0.0.0-20180629183705-f4e24b6d100c h1:3wkDRdxK92dF+c1ke2dtj7ZzemFWBHB9plnJOtlwdFA=
 github.com/mrjones/oauth v0.0.0-20180629183705-f4e24b6d100c/go.mod h1:skjdDftzkFALcuGzYSklqYd8gvat6F1gZJ4YPVbkZpM=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d h1:VhgPp6v9qf9Agr/56bj7Y/xa04UccTW04VP0Qed4vnQ=
 github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d/go.mod h1:YUTz3bUH2ZwIWBy3CJBeOBEugqcmXREj14T+iG/4k4U=
@ -476,13 +493,19 @@ github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkoukk/tiktoken-go v0.1.1 h1:jtkYlIECjyM9OW1w4rjPmTohK4arORP9V25y6TM6nXo=
+github.com/pkoukk/tiktoken-go v0.1.1/go.mod h1:boMWvk9pQCOTx11pgu0DrIdrAKgQzzJKUP6vLXaz7Rw=
+github.com/plutov/paypal/v4 v4.7.0 h1:6TRvYD4ny6yQfHaABeStNf43GFM1wpW5jU/XEDGQmq0=
+github.com/plutov/paypal/v4 v4.7.0/go.mod h1:D56boafCRGcF/fEM0w282kj0fCDKIyrwOPX/Te1jCmw=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
-github.com/prometheus/client_golang v1.7.0 h1:wCi7urQOGBsYcQROHqpUUX4ct84xp40t9R9JX0FuA/U=
 github.com/prometheus/client_golang v1.7.0/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
+github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
+github.com/prometheus/client_golang v1.11.1 h1:+4eQaD7vAZ6DsfsxB15hbE0odUjGI5ARs9yskGu1v4s=
+github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@ -491,13 +514,15 @@ github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6T
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.10.0 h1:RyRA7RzGXQZiW+tGMr7sxa85G1z0yOpM1qq5c8lNawc=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
+github.com/prometheus/common v0.26.0 h1:iMAkS2TDoNWnKM+Kopnx/8tnEStIfpYA0ur0xQzzhMQ=
+github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.1.3 h1:F0+tqvhOksq22sc6iCHF5WGlWjdwj92p0udFh1VFBS8=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
+github.com/prometheus/procfs v0.6.0 h1:mxy4L2jP6qMonqmq+aTtOx1ifVWUgG/TAmntgbh3xv4=
+github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/qiangmzsx/string-adapter/v2 v2.1.0 h1:q0y8TPa/sTwtriJPRe8gWL++PuZ+XbOUuvKU+hvtTYs=
 github.com/qiangmzsx/string-adapter/v2 v2.1.0/go.mod h1:PElPB7b7HnGKTsuADAffFpOQXHqjEGJz1+U1a6yR5wA=
@ -513,19 +538,21 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8=
 github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
-github.com/russellhaering/gosaml2 v0.6.0 h1:OED8FLgczXxXAPlKhnJHQfmEig52tDX2qeXdPtZRIKc=
-github.com/russellhaering/gosaml2 v0.6.0/go.mod h1:CtzxpPr4+bevsATaqR0rw3aqrNlX274b+3C6vFTLCk8=
-github.com/russellhaering/goxmldsig v1.1.0/go.mod h1:QK8GhXPB3+AfuCrfo0oRISa9NfzeCpWmxeGnqEpDF9o=
-github.com/russellhaering/goxmldsig v1.1.1 h1:vI0r2osGF1A9PLvsGdPUAGwEIrKa4Pj5sesSBsebIxM=
-github.com/russellhaering/goxmldsig v1.1.1/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
+github.com/russellhaering/gosaml2 v0.9.0 h1:CNMnH42z/GirrKjdmNrSS6bAAs47F9bPdl4PfRmVOIk=
+github.com/russellhaering/gosaml2 v0.9.0/go.mod h1:byViER/1YPUa0Puj9ROZblpoq2jsE7h/CJmitzX0geU=
+github.com/russellhaering/goxmldsig v1.2.0 h1:Y6GTTc9Un5hCxSzVz4UIWQ/zuVwDvzJk80guqzwx6Vg=
+github.com/russellhaering/goxmldsig v1.2.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sashabaranov/go-openai v1.9.1 h1:3N52HkJKo9Zlo/oe1AVv5ZkCOny0ra58/ACvAxkN3MM=
+github.com/sashabaranov/go-openai v1.9.1/go.mod h1:lj5b/K+zjTSFxVLijLSTDZuP7adOgerWeFyZLUhAKRg=
 github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
-github.com/shiena/ansicolor v0.0.0-20151119151921-a422bbe96644 h1:X+yvsM2yrEktyI+b2qND5gpH8YhURn0k8OCaeRnkINo=
 github.com/shiena/ansicolor v0.0.0-20151119151921-a422bbe96644/go.mod h1:nkxAfR/5quYxwPZhyDxgasBMnRtBZd0FCEpawpjMUFg=
+github.com/shiena/ansicolor v0.0.0-20200904210342-c7312218db18 h1:DAYUYH5869yV94zvCES9F51oYtN5oGlwjxJJz7ZCnik=
+github.com/shiena/ansicolor v0.0.0-20200904210342-c7312218db18/go.mod h1:nkxAfR/5quYxwPZhyDxgasBMnRtBZd0FCEpawpjMUFg=
 github.com/shirou/gopsutil v3.21.11+incompatible h1:+1+c1VGhc88SSonWP6foOcLhvnKlUeu/erjjvaPEYiI=
 github.com/shirou/gopsutil v3.21.11+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
 github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24 h1:pntxY8Ary0t43dCZ5dqY4YTJCObLY1kIXl0uzMv+7DE=
@ -541,6 +568,7 @@ github.com/siddontang/goredis v0.0.0-20150324035039-760763f78400/go.mod h1:DDcKz
 github.com/siddontang/rdb v0.0.0-20150307021120-fc89ed2e418d/go.mod h1:AMEsy7v5z92TR1JKMkLLoaOQk++LVnOKL3ScbJ8GNGA=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/skeema/knownhosts v1.1.0 h1:Wvr9V0MxhjRbl3f9nMnKnFfiWTJmtECJ9Njkea3ysW0=
 github.com/skeema/knownhosts v1.1.0/go.mod h1:sKFq3RD6/TKZkSWn8boUbDC7Qkgcv+8XXijpFO6roag=
@ -567,12 +595,14 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/syndtr/goleveldb v0.0.0-20160425020131-cfa635847112/go.mod h1:Z4AUp2Km+PwemOoO/VB5AOx9XSsIItzFjoJlOSiYmn0=
 github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE=
 github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
@ -692,8 +722,9 @@ golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 h1:VLliZ0d+/avPrXXH+OakdXhpJuEoBZuwh1m2j7U6Iug=
+golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
@ -750,8 +781,9 @@ golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfS
 golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
-golang.org/x/net v0.6.0 h1:L4ZwwTvKW9gr0ZMS1yrHD9GZhIuVjOBBnaKH+SPQK0Q=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -809,6 +841,7 @@ golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -819,6 +852,7 @@ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@ -997,8 +1031,10 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
-google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=
@ -1031,8 +1067,9 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/i18n/generate_test.go
+++ b/i18n/generate_test.go
@ -32,6 +32,7 @@ func TestGenerateI18nFrontend(t *testing.T) {
 	applyToOtherLanguage("frontend", "ko", data)
 	applyToOtherLanguage("frontend", "ru", data)
 	applyToOtherLanguage("frontend", "vi", data)
+	applyToOtherLanguage("frontend", "pt", data)
 }

 func TestGenerateI18nBackend(t *testing.T) {
@ -47,4 +48,5 @@ func TestGenerateI18nBackend(t *testing.T) {
 	applyToOtherLanguage("backend", "ko", data)
 	applyToOtherLanguage("backend", "ru", data)
 	applyToOtherLanguage("backend", "vi", data)
+	applyToOtherLanguage("backend", "pt", data)
 }
--- a/i18n/locales/de/data.json
+++ b/i18n/locales/de/data.json
@ -23,6 +23,14 @@
  "cas": {
    "Service %s and %s do not match": "Service %s und %s stimmen nicht überein"
  },
+  "chat": {
+    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
+    "The chat: %s is not found": "The chat: %s is not found",
+    "The message is invalid": "The message is invalid",
+    "The message: %s is not found": "The message: %s is not found",
+    "The provider: %s is invalid": "The provider: %s is invalid",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
  "check": {
    "Affiliation cannot be blank": "Zugehörigkeit darf nicht leer sein",
    "DisplayName cannot be blank": "Anzeigename kann nicht leer sein",
@ -52,6 +60,7 @@
    "Username must have at least 2 characters": "Benutzername muss mindestens 2 Zeichen lang sein",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Sie haben zu oft das falsche Passwort oder den falschen Code eingegeben. Bitte warten Sie %d Minuten und versuchen Sie es erneut",
    "Your region is not allow to signup by phone": "Ihre Region ist nicht berechtigt, sich telefonisch anzumelden",
+    "password or code is incorrect": "password or code is incorrect",
    "password or code is incorrect, you have %d remaining chances": "Das Passwort oder der Code ist falsch. Du hast noch %d Versuche übrig",
    "unsupported password type: %s": "Nicht unterstützter Passworttyp: %s"
  },
@ -129,7 +138,6 @@
    "Unable to get the email modify rule.": "Nicht in der Lage, die E-Mail-Änderungsregel zu erhalten.",
    "Unable to get the phone modify rule.": "Nicht in der Lage, die Telefon-Änderungsregel zu erhalten.",
    "Unknown type": "Unbekannter Typ",
-    "Wrong parameter": "Falscher Parameter",
    "Wrong verification code!": "Falscher Bestätigungscode!",
    "You should verify your code in %d min!": "Du solltest deinen Code in %d Minuten verifizieren!",
    "the user does not exist, please sign up first": "Der Benutzer existiert nicht, bitte zuerst anmelden"
--- a/i18n/locales/en/data.json
+++ b/i18n/locales/en/data.json
@ -23,6 +23,14 @@
  "cas": {
    "Service %s and %s do not match": "Service %s and %s do not match"
  },
+  "chat": {
+    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
+    "The chat: %s is not found": "The chat: %s is not found",
+    "The message is invalid": "The message is invalid",
+    "The message: %s is not found": "The message: %s is not found",
+    "The provider: %s is invalid": "The provider: %s is invalid",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
  "check": {
    "Affiliation cannot be blank": "Affiliation cannot be blank",
    "DisplayName cannot be blank": "DisplayName cannot be blank",
@ -52,6 +60,7 @@
    "Username must have at least 2 characters": "Username must have at least 2 characters",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
    "unsupported password type: %s": "unsupported password type: %s"
  },
@ -129,7 +138,6 @@
    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
    "Unknown type": "Unknown type",
-    "Wrong parameter": "Wrong parameter",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
--- a/i18n/locales/es/data.json
+++ b/i18n/locales/es/data.json
@ -23,6 +23,14 @@
  "cas": {
    "Service %s and %s do not match": "Los servicios %s y %s no coinciden"
  },
+  "chat": {
+    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
+    "The chat: %s is not found": "The chat: %s is not found",
+    "The message is invalid": "The message is invalid",
+    "The message: %s is not found": "The message: %s is not found",
+    "The provider: %s is invalid": "The provider: %s is invalid",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
  "check": {
    "Affiliation cannot be blank": "Afiliación no puede estar en blanco",
    "DisplayName cannot be blank": "El nombre de visualización no puede estar en blanco",
@ -52,6 +60,7 @@
    "Username must have at least 2 characters": "Nombre de usuario debe tener al menos 2 caracteres",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Has ingresado la contraseña o código incorrecto demasiadas veces, por favor espera %d minutos e intenta de nuevo",
    "Your region is not allow to signup by phone": "Tu región no está permitida para registrarse por teléfono",
+    "password or code is incorrect": "password or code is incorrect",
    "password or code is incorrect, you have %d remaining chances": "Contraseña o código incorrecto, tienes %d intentos restantes",
    "unsupported password type: %s": "Tipo de contraseña no compatible: %s"
  },
@ -129,7 +138,6 @@
    "Unable to get the email modify rule.": "No se puede obtener la regla de modificación de correo electrónico.",
    "Unable to get the phone modify rule.": "No se pudo obtener la regla de modificación del teléfono.",
    "Unknown type": "Tipo desconocido",
-    "Wrong parameter": "Parámetro incorrecto",
    "Wrong verification code!": "¡Código de verificación incorrecto!",
    "You should verify your code in %d min!": "¡Deberías verificar tu código en %d minutos!",
    "the user does not exist, please sign up first": "El usuario no existe, por favor regístrese primero"
--- a/i18n/locales/fr/data.json
+++ b/i18n/locales/fr/data.json
@ -23,6 +23,14 @@
  "cas": {
    "Service %s and %s do not match": "Les services %s et %s ne correspondent pas"
  },
+  "chat": {
+    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
+    "The chat: %s is not found": "The chat: %s is not found",
+    "The message is invalid": "The message is invalid",
+    "The message: %s is not found": "The message: %s is not found",
+    "The provider: %s is invalid": "The provider: %s is invalid",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
  "check": {
    "Affiliation cannot be blank": "Affiliation ne peut pas être vide",
    "DisplayName cannot be blank": "Le nom d'affichage ne peut pas être vide",
@ -52,6 +60,7 @@
    "Username must have at least 2 characters": "Le nom d'utilisateur doit comporter au moins 2 caractères",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Vous avez entré le mauvais mot de passe ou code plusieurs fois, veuillez attendre %d minutes et réessayer",
    "Your region is not allow to signup by phone": "Votre région n'est pas autorisée à s'inscrire par téléphone",
+    "password or code is incorrect": "password or code is incorrect",
    "password or code is incorrect, you have %d remaining chances": "Le mot de passe ou le code est incorrect, il vous reste %d chances",
    "unsupported password type: %s": "Type de mot de passe non pris en charge : %s"
  },
@ -129,7 +138,6 @@
    "Unable to get the email modify rule.": "Incapable d'obtenir la règle de modification de courriel.",
    "Unable to get the phone modify rule.": "Impossible d'obtenir la règle de modification de téléphone.",
    "Unknown type": "Type inconnu",
-    "Wrong parameter": "Mauvais paramètre",
    "Wrong verification code!": "Mauvais code de vérification !",
    "You should verify your code in %d min!": "Vous devriez vérifier votre code en %d min !",
    "the user does not exist, please sign up first": "L'utilisateur n'existe pas, veuillez vous inscrire d'abord"
--- a/i18n/locales/id/data.json
+++ b/i18n/locales/id/data.json
@ -23,6 +23,14 @@
  "cas": {
    "Service %s and %s do not match": "Layanan %s dan %s tidak cocok"
  },
+  "chat": {
+    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
+    "The chat: %s is not found": "The chat: %s is not found",
+    "The message is invalid": "The message is invalid",
+    "The message: %s is not found": "The message: %s is not found",
+    "The provider: %s is invalid": "The provider: %s is invalid",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
  "check": {
    "Affiliation cannot be blank": "Keterkaitan tidak boleh kosong",
    "DisplayName cannot be blank": "Nama Pengguna tidak boleh kosong",
@ -52,6 +60,7 @@
    "Username must have at least 2 characters": "Nama pengguna harus memiliki setidaknya 2 karakter",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Anda telah memasukkan kata sandi atau kode yang salah terlalu banyak kali, mohon tunggu selama %d menit dan coba lagi",
    "Your region is not allow to signup by phone": "Wilayah Anda tidak diizinkan untuk mendaftar melalui telepon",
+    "password or code is incorrect": "password or code is incorrect",
    "password or code is incorrect, you have %d remaining chances": "Kata sandi atau kode salah, Anda memiliki %d kesempatan tersisa",
    "unsupported password type: %s": "jenis sandi tidak didukung: %s"
  },
@ -129,7 +138,6 @@
    "Unable to get the email modify rule.": "Tidak dapat memperoleh aturan modifikasi email.",
    "Unable to get the phone modify rule.": "Tidak dapat memodifikasi aturan telepon.",
    "Unknown type": "Tipe tidak diketahui",
-    "Wrong parameter": "Parameter yang salah",
    "Wrong verification code!": "Kode verifikasi salah!",
    "You should verify your code in %d min!": "Anda harus memverifikasi kode Anda dalam %d menit!",
    "the user does not exist, please sign up first": "Pengguna tidak ada, silakan daftar terlebih dahulu"
--- a/i18n/locales/ja/data.json
+++ b/i18n/locales/ja/data.json
@ -23,6 +23,14 @@
  "cas": {
    "Service %s and %s do not match": "サービス%sと%sは一致しません"
  },
+  "chat": {
+    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
+    "The chat: %s is not found": "The chat: %s is not found",
+    "The message is invalid": "The message is invalid",
+    "The message: %s is not found": "The message: %s is not found",
+    "The provider: %s is invalid": "The provider: %s is invalid",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
  "check": {
    "Affiliation cannot be blank": "所属は空白にできません",
    "DisplayName cannot be blank": "表示名は空白にできません",
@ -52,6 +60,7 @@
    "Username must have at least 2 characters": "ユーザー名は少なくとも2文字必要です",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "あなたは間違ったパスワードまたはコードを何度も入力しました。%d 分間待ってから再度お試しください",
    "Your region is not allow to signup by phone": "あなたの地域は電話でサインアップすることができません",
+    "password or code is incorrect": "password or code is incorrect",
    "password or code is incorrect, you have %d remaining chances": "パスワードまたはコードが間違っています。あと%d回の試行機会があります",
    "unsupported password type: %s": "サポートされていないパスワードタイプ：%s"
  },
@ -129,7 +138,6 @@
    "Unable to get the email modify rule.": "電子メール変更規則を取得できません。",
    "Unable to get the phone modify rule.": "電話の変更ルールを取得できません。",
    "Unknown type": "不明なタイプ",
-    "Wrong parameter": "誤ったパラメータ",
    "Wrong verification code!": "誤った検証コードです！",
    "You should verify your code in %d min!": "あなたは%d分であなたのコードを確認する必要があります！",
    "the user does not exist, please sign up first": "ユーザーは存在しません。まず登録してください"
--- a/i18n/locales/ko/data.json
+++ b/i18n/locales/ko/data.json
@ -23,6 +23,14 @@
  "cas": {
    "Service %s and %s do not match": "서비스 %s와 %s는 일치하지 않습니다"
  },
+  "chat": {
+    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
+    "The chat: %s is not found": "The chat: %s is not found",
+    "The message is invalid": "The message is invalid",
+    "The message: %s is not found": "The message: %s is not found",
+    "The provider: %s is invalid": "The provider: %s is invalid",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
  "check": {
    "Affiliation cannot be blank": "소속은 비워 둘 수 없습니다",
    "DisplayName cannot be blank": "DisplayName는 비어 있을 수 없습니다",
@ -52,6 +60,7 @@
    "Username must have at least 2 characters": "사용자 이름은 적어도 2개의 문자가 있어야 합니다",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "올바르지 않은 비밀번호나 코드를 여러 번 입력했습니다. %d분 동안 기다리신 후 다시 시도해주세요",
    "Your region is not allow to signup by phone": "당신의 지역은 전화로 가입할 수 없습니다",
+    "password or code is incorrect": "password or code is incorrect",
    "password or code is incorrect, you have %d remaining chances": "암호 또는 코드가 올바르지 않습니다. %d번의 기회가 남아 있습니다",
    "unsupported password type: %s": "지원되지 않는 암호 유형: %s"
  },
@ -129,7 +138,6 @@
    "Unable to get the email modify rule.": "이메일 수정 규칙을 가져올 수 없습니다.",
    "Unable to get the phone modify rule.": "전화 수정 규칙을 가져올 수 없습니다.",
    "Unknown type": "알 수 없는 유형",
-    "Wrong parameter": "잘못된 매개 변수입니다",
    "Wrong verification code!": "잘못된 인증 코드입니다!",
    "You should verify your code in %d min!": "당신은 %d분 안에 코드를 검증해야 합니다!",
    "the user does not exist, please sign up first": "사용자가 존재하지 않습니다. 먼저 회원 가입 해주세요"
--- a/i18n/locales/ru/data.json
+++ b/i18n/locales/ru/data.json
@ -23,6 +23,14 @@
  "cas": {
    "Service %s and %s do not match": "Сервисы %s и %s не совпадают"
  },
+  "chat": {
+    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
+    "The chat: %s is not found": "The chat: %s is not found",
+    "The message is invalid": "The message is invalid",
+    "The message: %s is not found": "The message: %s is not found",
+    "The provider: %s is invalid": "The provider: %s is invalid",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
  "check": {
    "Affiliation cannot be blank": "Принадлежность не может быть пустым значением",
    "DisplayName cannot be blank": "Имя отображения не может быть пустым",
@ -52,6 +60,7 @@
    "Username must have at least 2 characters": "Имя пользователя должно содержать не менее 2 символов",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Вы ввели неправильный пароль или код слишком много раз, пожалуйста, подождите %d минут и попробуйте снова",
    "Your region is not allow to signup by phone": "Ваш регион не разрешает регистрацию по телефону",
+    "password or code is incorrect": "password or code is incorrect",
    "password or code is incorrect, you have %d remaining chances": "Неправильный пароль или код, у вас осталось %d попыток",
    "unsupported password type: %s": "неподдерживаемый тип пароля: %s"
  },
@ -129,7 +138,6 @@
    "Unable to get the email modify rule.": "Невозможно получить правило изменения электронной почты.",
    "Unable to get the phone modify rule.": "Невозможно получить правило изменения телефона.",
    "Unknown type": "Неизвестный тип",
-    "Wrong parameter": "Неправильный параметр",
    "Wrong verification code!": "Неправильный код подтверждения!",
    "You should verify your code in %d min!": "Вы должны проверить свой код через %d минут!",
    "the user does not exist, please sign up first": "Пользователь не существует, пожалуйста, сначала зарегистрируйтесь"
--- a/i18n/locales/vi/data.json
+++ b/i18n/locales/vi/data.json
@ -23,6 +23,14 @@
  "cas": {
    "Service %s and %s do not match": "Dịch sang tiếng Việt: Dịch vụ %s và %s không khớp"
  },
+  "chat": {
+    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
+    "The chat: %s is not found": "The chat: %s is not found",
+    "The message is invalid": "The message is invalid",
+    "The message: %s is not found": "The message: %s is not found",
+    "The provider: %s is invalid": "The provider: %s is invalid",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
  "check": {
    "Affiliation cannot be blank": "Tình trạng liên kết không thể để trống",
    "DisplayName cannot be blank": "Tên hiển thị không thể để trống",
@ -52,6 +60,7 @@
    "Username must have at least 2 characters": "Tên đăng nhập phải có ít nhất 2 ký tự",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Bạn đã nhập sai mật khẩu hoặc mã quá nhiều lần, vui lòng đợi %d phút và thử lại",
    "Your region is not allow to signup by phone": "Vùng của bạn không được phép đăng ký bằng điện thoại",
+    "password or code is incorrect": "password or code is incorrect",
    "password or code is incorrect, you have %d remaining chances": "Mật khẩu hoặc mã không chính xác, bạn còn %d lần cơ hội",
    "unsupported password type: %s": "Loại mật khẩu không được hỗ trợ: %s"
  },
@ -59,10 +68,10 @@
    "Missing parameter": "Thiếu tham số",
    "Please login first": "Vui lòng đăng nhập trước",
    "The user: %s doesn't exist": "Người dùng: %s không tồn tại",
-    "don't support captchaProvider: ": "Không hỗ trợ captchaProvider:"
+    "don't support captchaProvider: ": "không hỗ trợ captchaProvider: "
  },
  "ldap": {
-    "Ldap server exist": "Máy chủ Ldap tồn tại"
+    "Ldap server exist": "Máy chủ LDAP tồn tại"
  },
  "link": {
    "Please link first": "Vui lòng kết nối trước tiên",
@ -129,7 +138,6 @@
    "Unable to get the email modify rule.": "Không thể lấy quy tắc sửa đổi email.",
    "Unable to get the phone modify rule.": "Không thể thay đổi quy tắc trên điện thoại.",
    "Unknown type": "Loại không xác định",
-    "Wrong parameter": "Tham số không đúng",
    "Wrong verification code!": "Mã xác thực sai!",
    "You should verify your code in %d min!": "Bạn nên kiểm tra mã của mình trong %d phút!",
    "the user does not exist, please sign up first": "Người dùng không tồn tại, vui lòng đăng ký trước"
--- a/i18n/locales/zh/data.json
+++ b/i18n/locales/zh/data.json
@ -23,6 +23,14 @@
  "cas": {
    "Service %s and %s do not match": "服务%s与%s不匹配"
  },
+  "chat": {
+    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
+    "The chat: %s is not found": "The chat: %s is not found",
+    "The message is invalid": "The message is invalid",
+    "The message: %s is not found": "The message: %s is not found",
+    "The provider: %s is invalid": "The provider: %s is invalid",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
  "check": {
    "Affiliation cannot be blank": "工作单位不可为空",
    "DisplayName cannot be blank": "显示名称不可为空",
@ -52,6 +60,7 @@
    "Username must have at least 2 characters": "用户名至少要有2个字符",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "密码错误次数已达上限，请在 %d 分后重试",
    "Your region is not allow to signup by phone": "所在地区不支持手机号注册",
+    "password or code is incorrect": "密码错误",
    "password or code is incorrect, you have %d remaining chances": "密码错误，您还有 %d 次尝试的机会",
    "unsupported password type: %s": "不支持的密码类型: %s"
  },
@ -74,7 +83,7 @@
  },
  "organization": {
    "Only admin can modify the %s.": "仅允许管理员可以修改%s",
-    "The %s is immutable.": "%s是不可变的",
+    "The %s is immutable.": "%s 是不可变的",
    "Unknown modify rule %s.": "未知的修改规则: %s"
  },
  "provider": {
@ -129,13 +138,12 @@
    "Unable to get the email modify rule.": "无法获取邮箱修改规则",
    "Unable to get the phone modify rule.": "无法获取手机号修改规则",
    "Unknown type": "未知类型",
-    "Wrong parameter": "参数错误",
    "Wrong verification code!": "验证码错误!",
    "You should verify your code in %d min!": "请在 %d 分钟内输入正确验证码",
    "the user does not exist, please sign up first": "用户不存在，请先注册"
  },
  "webauthn": {
-    "Found no credentials for this user": "该用户没有WebAuthn凭据",
+    "Found no credentials for this user": "该用户没有 WebAuthn 凭据",
    "Please call WebAuthnSigninBegin first": "请先调用WebAuthnSigninBegin函数"
  }
 }
--- a/i18n/util.go
+++ b/i18n/util.go
@ -73,21 +73,29 @@ func applyData(data1 *I18nData, data2 *I18nData) {
 	}
 }

-func Translate(lang string, error string) string {
-	parts := strings.SplitN(error, ":", 2)
-	if !strings.Contains(error, ":") || len(parts) != 2 {
-		return "Translate Error: " + error
+func Translate(language string, errorText string) string {
+	tokens := strings.SplitN(errorText, ":", 2)
+	if !strings.Contains(errorText, ":") || len(tokens) != 2 {
+		return fmt.Sprintf("Translate error: the error text doesn't contain \":\", errorText = %s", errorText)
 	}
-	if langMap[lang] != nil {
-		return langMap[lang][parts[0]][parts[1]]
-	} else {
-		file, _ := f.ReadFile("locales/" + lang + "/data.json")
+
+	if langMap[language] == nil {
+		file, err := f.ReadFile(fmt.Sprintf("locales/%s/data.json", language))
+		if err != nil {
+			return fmt.Sprintf("Translate error: the language \"%s\" is not supported, err = %s", language, err.Error())
+		}
+
 		data := I18nData{}
-		err := util.JsonToStruct(string(file), &data)
+		err = util.JsonToStruct(string(file), &data)
 		if err != nil {
 			panic(err)
 		}
-		langMap[lang] = data
-		return langMap[lang][parts[0]][parts[1]]
+		langMap[language] = data
 	}
+
+	res := langMap[language][tokens[0]][tokens[1]]
+	if res == "" {
+		res = tokens[1]
+	}
+	return res
 }
--- a/idp/casdoor.go
+++ b/idp/casdoor.go
@ -16,6 +16,7 @@ package idp

 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@ -83,7 +84,7 @@ func (idp *CasdoorIdProvider) GetToken(code string) (*oauth2.Token, error) {

 	// check if token is expired
 	if pToken.ExpiresIn <= 0 {
-		return nil, fmt.Errorf("%s", pToken.AccessToken)
+		return nil, errors.New(pToken.AccessToken)
 	}
 	token := &oauth2.Token{
 		AccessToken: pToken.AccessToken,
--- a/idp/dingtalk.go
+++ b/idp/dingtalk.go
@ -23,6 +23,7 @@ import (
 	"strings"
 	"time"

+	"github.com/casdoor/casdoor/util"
 	"golang.org/x/oauth2"
 )

@ -125,8 +126,8 @@ type DingTalkUserResponse struct {
 	UnionId   string `json:"unionId"`
 	AvatarUrl string `json:"avatarUrl"`
 	Email     string `json:"email"`
-	Errmsg    string `json:"message"`
-	Errcode   string `json:"code"`
+	Mobile    string `json:"mobile"`
+	StateCode string `json:"stateCode"`
 }

 // GetUserInfo Use  access_token to get UserInfo
@ -156,8 +157,9 @@ func (idp *DingTalkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, erro
 		return nil, err
 	}

-	if dtUserInfo.Errmsg != "" {
-		return nil, fmt.Errorf("userIdResp.Errcode = %s, userIdResp.Errmsg = %s", dtUserInfo.Errcode, dtUserInfo.Errmsg)
+	countryCode, err := util.GetCountryCode(dtUserInfo.StateCode, dtUserInfo.Mobile)
+	if err != nil {
+		return nil, err
 	}

 	userInfo := UserInfo{
@ -166,6 +168,8 @@ func (idp *DingTalkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, erro
 		DisplayName: dtUserInfo.Nick,
 		UnionId:     dtUserInfo.UnionId,
 		Email:       dtUserInfo.Email,
+		Phone:       dtUserInfo.Mobile,
+		CountryCode: countryCode,
 		AvatarUrl:   dtUserInfo.AvatarUrl,
 	}

@ -175,9 +179,19 @@ func (idp *DingTalkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, erro
 		return nil, err
 	}

-	corpEmail, err := idp.getUserCorpEmail(userId, corpAccessToken)
-	if err == nil && corpEmail != "" {
-		userInfo.Email = corpEmail
+	corpMobile, corpEmail, jobNumber, err := idp.getUserCorpEmail(userId, corpAccessToken)
+	if err == nil {
+		if corpMobile != "" {
+			userInfo.Phone = corpMobile
+		}
+
+		if corpEmail != "" {
+			userInfo.Email = corpEmail
+		}
+
+		if jobNumber != "" {
+			userInfo.Username = jobNumber
+		}
 	}

 	return &userInfo, nil
@ -247,33 +261,36 @@ func (idp *DingTalkIdProvider) getUserId(unionId string, accessToken string) (st
 		return "", err
 	}
 	if data.ErrCode == 60121 {
-		return "", fmt.Errorf("the user is not found in the organization where clientId and clientSecret belong")
+		return "", fmt.Errorf("该应用只允许本企业内部用户登录，您不属于该企业，无法登录")
 	} else if data.ErrCode != 0 {
 		return "", fmt.Errorf(data.ErrMessage)
 	}
 	return data.Result.UserId, nil
 }

-func (idp *DingTalkIdProvider) getUserCorpEmail(userId string, accessToken string) (string, error) {
+func (idp *DingTalkIdProvider) getUserCorpEmail(userId string, accessToken string) (string, string, string, error) {
+	// https://open.dingtalk.com/document/isvapp/query-user-details
 	body := make(map[string]string)
 	body["userid"] = userId
 	respBytes, err := idp.postWithBody(body, "https://oapi.dingtalk.com/topapi/v2/user/get?access_token="+accessToken)
 	if err != nil {
-		return "", err
+		return "", "", "", err
 	}

 	var data struct {
 		ErrMessage string `json:"errmsg"`
 		Result     struct {
-			Email string `json:"email"`
+			Mobile    string `json:"mobile"`
+			Email     string `json:"email"`
+			JobNumber string `json:"job_number"`
 		} `json:"result"`
 	}
 	err = json.Unmarshal(respBytes, &data)
 	if err != nil {
-		return "", err
+		return "", "", "", err
 	}
 	if data.ErrMessage != "ok" {
-		return "", fmt.Errorf(data.ErrMessage)
+		return "", "", "", fmt.Errorf(data.ErrMessage)
 	}
-	return data.Result.Email, nil
+	return data.Result.Mobile, data.Result.Email, data.Result.JobNumber, nil
 }
--- a/idp/provider.go
+++ b/idp/provider.go
@ -27,6 +27,8 @@ type UserInfo struct {
 	DisplayName string
 	UnionId     string
 	Email       string
+	Phone       string
+	CountryCode string
 	AvatarUrl   string
 }

--- a/idp/wecom_third_party.go
+++ b/idp/wecom_third_party.go
@ -75,7 +75,9 @@ func (idp *WeComIdProvider) GetToken(code string) (*oauth2.Token, error) {
 		ProviderSecret string `json:"provider_secret"`
 	}{idp.Config.ClientID, idp.Config.ClientSecret}
 	data, err := idp.postWithBody(pTokenParams, "https://qyapi.weixin.qq.com/cgi-bin/service/get_provider_token")
-
+	if err != nil {
+		return nil, err
+	}
 	pToken := &WeComProviderToken{}
 	err = json.Unmarshal(data, pToken)
 	if err != nil {
--- a/ldap/server.go
+++ b/ldap/server.go
@ -53,7 +53,7 @@ func handleBind(w ldap.ResponseWriter, m *ldap.Message) {
 		}

 		bindPassword := string(r.AuthenticationSimple())
-		bindUser, err := object.CheckUserPassword(object.CasdoorOrganization, bindUsername, bindPassword, "en")
+		bindUser, err := object.CheckUserPassword(bindOrg, bindUsername, bindPassword, "en")
 		if err != "" {
 			log.Printf("Bind failed User=%s, Pass=%#v, ErrMsg=%s", string(r.Name()), r.Authentication(), err)
 			res.SetResultCode(ldap.LDAPResultInvalidCredentials)
@ -113,6 +113,9 @@ func handleSearch(w ldap.ResponseWriter, m *ldap.Message) {

 		for _, attr := range r.Attributes() {
 			e.AddAttribute(message.AttributeDescription(attr), getAttribute(string(attr), user))
+			if string(attr) == "cn" {
+				e.AddAttribute(message.AttributeDescription(attr), getAttribute("title", user))
+			}
 		}

 		w.Write(e)
--- a/ldap/util.go
+++ b/ldap/util.go
@ -57,17 +57,34 @@ func getNameAndOrgFromFilter(baseDN, filter string) (string, string, int) {
 func getUsername(filter string) string {
 	nameIndex := strings.Index(filter, "cn=")
 	if nameIndex == -1 {
-		return "*"
+		nameIndex = strings.Index(filter, "uid=")
+		if nameIndex == -1 {
+			return "*"
+		} else {
+			nameIndex += 4
+		}
+	} else {
+		nameIndex += 3
 	}

 	var name string
-	for i := nameIndex + 3; filter[i] != ')'; i++ {
+	for i := nameIndex; filter[i] != ')'; i++ {
 		name = name + string(filter[i])
 	}
 	return name
 }

+func stringInSlice(value string, list []string) bool {
+	for _, item := range list {
+		if item == value {
+			return true
+		}
+	}
+	return false
+}
+
 func GetFilteredUsers(m *ldap.Message) (filteredUsers []*object.User, code int) {
+	var err error
 	r := m.GetSearchRequest()

 	name, org, code := getNameAndOrgFromFilter(string(r.BaseObject()), r.FilterString())
@ -77,23 +94,62 @@ func GetFilteredUsers(m *ldap.Message) (filteredUsers []*object.User, code int)

 	if name == "*" && m.Client.IsOrgAdmin { // get all users from organization 'org'
 		if m.Client.IsGlobalAdmin && org == "*" {
-			filteredUsers = object.GetGlobalUsers()
+
+			filteredUsers, err = object.GetGlobalUsers()
+			if err != nil {
+				panic(err)
+			}
 			return filteredUsers, ldap.LDAPResultSuccess
 		}
 		if m.Client.IsGlobalAdmin || org == m.Client.OrgName {
-			filteredUsers = object.GetUsers(org)
+			filteredUsers, err = object.GetUsers(org)
+			if err != nil {
+				panic(err)
+			}
+
 			return filteredUsers, ldap.LDAPResultSuccess
 		} else {
 			return nil, ldap.LDAPResultInsufficientAccessRights
 		}
 	} else {
-		hasPermission, err := object.CheckUserPermission(fmt.Sprintf("%s/%s", m.Client.OrgName, m.Client.UserName), fmt.Sprintf("%s/%s", org, name), true, "en")
+		requestUserId := util.GetId(m.Client.OrgName, m.Client.UserName)
+		userId := util.GetId(org, name)
+
+		hasPermission, err := object.CheckUserPermission(requestUserId, userId, true, "en")
 		if !hasPermission {
 			log.Printf("ErrMsg = %v", err.Error())
 			return nil, ldap.LDAPResultInsufficientAccessRights
 		}
-		user := object.GetUser(util.GetId(org, name))
-		filteredUsers = append(filteredUsers, user)
+
+		user, err := object.GetUser(userId)
+		if err != nil {
+			panic(err)
+		}
+
+		if user != nil {
+			filteredUsers = append(filteredUsers, user)
+			return filteredUsers, ldap.LDAPResultSuccess
+		}
+
+		organization, err := object.GetOrganization(util.GetId("admin", org))
+		if err != nil {
+			panic(err)
+		}
+
+		if organization == nil {
+			return nil, ldap.LDAPResultNoSuchObject
+		}
+
+		if !stringInSlice(name, organization.Tags) {
+			return nil, ldap.LDAPResultNoSuchObject
+		}
+
+		users, err := object.GetUsersByTag(org, name)
+		if err != nil {
+			panic(err)
+		}
+
+		filteredUsers = append(filteredUsers, users...)
 		return filteredUsers, ldap.LDAPResultSuccess
 	}
 }
@ -102,7 +158,11 @@ func GetFilteredUsers(m *ldap.Message) (filteredUsers []*object.User, code int)
 // TODO not handle salt yet
 // @return {md5}5f4dcc3b5aa765d61d8327deb882cf99
 func getUserPasswordWithType(user *object.User) string {
-	org := object.GetOrganizationByUser(user)
+	org, err := object.GetOrganizationByUser(user)
+	if err != nil {
+		panic(err)
+	}
+
 	if org.PasswordType == "" || org.PasswordType == "plain" {
 		return user.Password
 	}
@ -123,10 +183,16 @@ func getAttribute(attributeName string, user *object.User) message.AttributeValu
 		return message.AttributeValue(user.Name)
 	case "uid":
 		return message.AttributeValue(user.Name)
+	case "displayname":
+		return message.AttributeValue(user.DisplayName)
 	case "email":
 		return message.AttributeValue(user.Email)
+	case "mail":
+		return message.AttributeValue(user.Email)
 	case "mobile":
 		return message.AttributeValue(user.Phone)
+	case "title":
+		return message.AttributeValue(user.Tag)
 	case "userPassword":
 		return message.AttributeValue(getUserPasswordWithType(user))
 	default:
--- a/main.go
+++ b/main.go
@ -27,17 +27,21 @@ import (
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/proxy"
 	"github.com/casdoor/casdoor/routers"
-	_ "github.com/casdoor/casdoor/routers"
 	"github.com/casdoor/casdoor/util"
 )

-func main() {
-	createDatabase := flag.Bool("createDatabase", false, "true if you need Casdoor to create database")
+func getCreateDatabaseFlag() bool {
+	res := flag.Bool("createDatabase", false, "true if you need Casdoor to create database")
 	flag.Parse()
+	return *res
+}
+
+func main() {
+	createDatabase := getCreateDatabaseFlag()

 	object.InitAdapter()
+	object.CreateTables(createDatabase)
 	object.DoMigration()
-	object.CreateTables(*createDatabase)

 	object.InitDb()
 	object.InitFromFile()
@ -59,6 +63,7 @@ func main() {
 	beego.InsertFilter("*", beego.BeforeRouter, routers.AutoSigninFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.CorsFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.AuthzFilter)
+	beego.InsertFilter("*", beego.BeforeRouter, routers.PrometheusFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.RecordMessage)

 	beego.BConfig.WebConfig.Session.SessionOn = true
@ -73,7 +78,7 @@ func main() {
 	beego.BConfig.WebConfig.Session.SessionCookieLifeTime = 3600 * 24 * 30
 	// beego.BConfig.WebConfig.Session.SessionCookieSameSite = http.SameSiteNoneMode

-	err := logs.SetLogger("file", `{"filename":"logs/casdoor.log","maxdays":99999,"perm":"0770"}`)
+	err := logs.SetLogger(logs.AdapterFile, conf.GetConfigString("logConfig"))
 	if err != nil {
 		panic(err)
 	}
@ -82,6 +87,7 @@ func main() {
 	logs.SetLogFuncCall(false)

 	go ldap.StartLdapServer()
+	go object.ClearThroughputPerSecond()

 	beego.Run(fmt.Sprintf(":%v", port))
 }
--- a/object/adapter.go
+++ b/object/adapter.go
@ -41,18 +41,26 @@ func InitConfig() {
 	beego.BConfig.WebConfig.Session.SessionOn = true

 	InitAdapter()
-	DoMigration()
 	CreateTables(true)
+	DoMigration()
 }

 func InitAdapter() {
 	adapter = NewAdapter(conf.GetConfigString("driverName"), conf.GetConfigDataSourceName(), conf.GetConfigString("dbName"))
+
+	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
+	tbMapper := core.NewPrefixMapper(core.SnakeMapper{}, tableNamePrefix)
+	adapter.Engine.SetTableMapper(tbMapper)
 }

 func CreateTables(createDatabase bool) {
 	if createDatabase {
-		adapter.CreateDatabase()
+		err := adapter.CreateDatabase()
+		if err != nil {
+			panic(err)
+		}
 	}
+
 	adapter.createTable()
 }

@ -119,13 +127,9 @@ func (a *Adapter) close() {
 }

 func (a *Adapter) createTable() {
-	showSql, _ := conf.GetConfigBool("showSql")
+	showSql := conf.GetConfigBool("showSql")
 	a.Engine.ShowSQL(showSql)

-	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
-	tbMapper := core.NewPrefixMapper(core.SnakeMapper{}, tableNamePrefix)
-	a.Engine.SetTableMapper(tbMapper)
-
 	err := a.Engine.Sync2(new(Organization))
 	if err != nil {
 		panic(err)
@ -136,6 +140,16 @@ func (a *Adapter) createTable() {
 		panic(err)
 	}

+	err = a.Engine.Sync2(new(Group))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(UserGroupRelation))
+	if err != nil {
+		panic(err)
+	}
+
 	err = a.Engine.Sync2(new(Role))
 	if err != nil {
 		panic(err)
@ -240,6 +254,21 @@ func (a *Adapter) createTable() {
 	if err != nil {
 		panic(err)
 	}
+
+	err = a.Engine.Sync2(new(Subscription))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Plan))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Pricing))
+	if err != nil {
+		panic(err)
+	}
 }

 func GetSession(owner string, offset, limit int, field, value, sortField, sortOrder string) *xorm.Session {
@ -265,3 +294,52 @@ func GetSession(owner string, offset, limit int, field, value, sortField, sortOr
 	}
 	return session
 }
+
+func GetSessionForUser(owner string, offset, limit int, field, value, sortField, sortOrder string) *xorm.Session {
+	session := adapter.Engine.Prepare()
+	if offset != -1 && limit != -1 {
+		session.Limit(limit, offset)
+	}
+	if owner != "" {
+		if offset == -1 {
+			session = session.And("owner=?", owner)
+		} else {
+			session = session.And("a.owner=?", owner)
+		}
+	}
+	if field != "" && value != "" {
+		if filterField(field) {
+			if offset != -1 {
+				field = fmt.Sprintf("a.%s", field)
+			}
+			session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
+		}
+	}
+	if sortField == "" || sortOrder == "" {
+		sortField = "created_time"
+	}
+
+	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
+	tableName := tableNamePrefix + "user"
+	if offset == -1 {
+		if sortOrder == "ascend" {
+			session = session.Asc(util.SnakeString(sortField))
+		} else {
+			session = session.Desc(util.SnakeString(sortField))
+		}
+	} else {
+		if sortOrder == "ascend" {
+			session = session.Alias("a").
+				Join("INNER", []string{tableName, "b"}, "a.owner = b.owner and a.name = b.name").
+				Select("b.*").
+				Asc("a." + util.SnakeString(sortField))
+		} else {
+			session = session.Alias("a").
+				Join("INNER", []string{tableName, "b"}, "a.owner = b.owner and a.name = b.name").
+				Select("b.*").
+				Desc("a." + util.SnakeString(sortField))
+		}
+	}
+
+	return session
+}
--- a/object/application.go
+++ b/object/application.go
@ -38,7 +38,7 @@ type Application struct {
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`

 	DisplayName         string          `xorm:"varchar(100)" json:"displayName"`
-	Logo                string          `xorm:"varchar(100)" json:"logo"`
+	Logo                string          `xorm:"varchar(200)" json:"logo"`
 	HomepageUrl         string          `xorm:"varchar(100)" json:"homepageUrl"`
 	Description         string          `xorm:"varchar(100)" json:"description"`
 	Organization        string          `xorm:"varchar(100)" json:"organization"`
@ -51,6 +51,7 @@ type Application struct {
 	EnableSamlCompress  bool            `json:"enableSamlCompress"`
 	EnableWebAuthn      bool            `json:"enableWebAuthn"`
 	EnableLinkWithEmail bool            `json:"enableLinkWithEmail"`
+	OrgChoiceMode       string          `json:"orgChoiceMode"`
 	SamlReplyUrl        string          `xorm:"varchar(100)" json:"samlReplyUrl"`
 	Providers           []*ProviderItem `xorm:"mediumtext" json:"providers"`
 	SignupItems         []*SignupItem   `xorm:"varchar(1000)" json:"signupItems"`
@ -72,139 +73,161 @@ type Application struct {
 	SigninHtml           string     `xorm:"mediumtext" json:"signinHtml"`
 	ThemeData            *ThemeData `xorm:"json" json:"themeData"`
 	FormCss              string     `xorm:"text" json:"formCss"`
+	FormCssMobile        string     `xorm:"text" json:"formCssMobile"`
 	FormOffset           int        `json:"formOffset"`
 	FormSideHtml         string     `xorm:"mediumtext" json:"formSideHtml"`
 	FormBackgroundUrl    string     `xorm:"varchar(200)" json:"formBackgroundUrl"`
 }

-func GetApplicationCount(owner, field, value string) int {
+func GetApplicationCount(owner, field, value string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")
-	count, err := session.Count(&Application{})
-	if err != nil {
-		panic(err)
-	}
-
-	return int(count)
+	return session.Count(&Application{})
 }

-func GetOrganizationApplicationCount(owner, Organization, field, value string) int {
+func GetOrganizationApplicationCount(owner, Organization, field, value string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")
-	count, err := session.Count(&Application{Organization: Organization})
-	if err != nil {
-		panic(err)
-	}
-
-	return int(count)
+	return session.Count(&Application{Organization: Organization})
 }

-func GetApplications(owner string) []*Application {
+func GetApplications(owner string) ([]*Application, error) {
 	applications := []*Application{}
 	err := adapter.Engine.Desc("created_time").Find(&applications, &Application{Owner: owner})
 	if err != nil {
-		panic(err)
+		return applications, err
 	}

-	return applications
+	return applications, nil
 }

-func GetOrganizationApplications(owner string, organization string) []*Application {
+func GetOrganizationApplications(owner string, organization string) ([]*Application, error) {
 	applications := []*Application{}
-	err := adapter.Engine.Desc("created_time").Find(&applications, &Application{Owner: owner, Organization: organization})
+	err := adapter.Engine.Desc("created_time").Find(&applications, &Application{Organization: organization})
 	if err != nil {
-		panic(err)
+		return applications, err
 	}

-	return applications
+	return applications, nil
 }

-func GetPaginationApplications(owner string, offset, limit int, field, value, sortField, sortOrder string) []*Application {
+func GetPaginationApplications(owner string, offset, limit int, field, value, sortField, sortOrder string) ([]*Application, error) {
 	var applications []*Application
 	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
 	err := session.Find(&applications)
 	if err != nil {
-		panic(err)
+		return applications, err
 	}

-	return applications
+	return applications, nil
 }

-func GetPaginationOrganizationApplications(owner, organization string, offset, limit int, field, value, sortField, sortOrder string) []*Application {
+func GetPaginationOrganizationApplications(owner, organization string, offset, limit int, field, value, sortField, sortOrder string) ([]*Application, error) {
 	applications := []*Application{}
 	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
-	err := session.Find(&applications, &Application{Owner: owner, Organization: organization})
+	err := session.Find(&applications, &Application{Organization: organization})
 	if err != nil {
-		panic(err)
+		return applications, err
 	}

-	return applications
+	return applications, nil
 }

-func getProviderMap(owner string) map[string]*Provider {
-	providers := GetProviders(owner)
-	m := map[string]*Provider{}
+func getProviderMap(owner string) (m map[string]*Provider, err error) {
+	providers, err := GetProviders(owner)
+	if err != nil {
+		return nil, err
+	}
+
+	m = map[string]*Provider{}
 	for _, provider := range providers {
 		// Get QRCode only once
-		if provider.Type == "WeChat" && provider.DisableSsl == true && provider.Content == "" {
-			provider.Content, _ = idp.GetWechatOfficialAccountQRCode(provider.ClientId2, provider.ClientSecret2)
+		if provider.Type == "WeChat" && provider.DisableSsl && provider.Content == "" {
+			provider.Content, err = idp.GetWechatOfficialAccountQRCode(provider.ClientId2, provider.ClientSecret2)
+			if err != nil {
+				return
+			}
 			UpdateProvider(provider.Owner+"/"+provider.Name, provider)
 		}

-		m[provider.Name] = GetMaskedProvider(provider)
+		m[provider.Name] = GetMaskedProvider(provider, true)
 	}
-	return m
+
+	return m, err
 }

-func extendApplicationWithProviders(application *Application) {
-	m := getProviderMap(application.Organization)
+func extendApplicationWithProviders(application *Application) (err error) {
+	m, err := getProviderMap(application.Organization)
+	if err != nil {
+		return err
+	}
+
 	for _, providerItem := range application.Providers {
 		if provider, ok := m[providerItem.Name]; ok {
 			providerItem.Provider = provider
 		}
 	}
+
+	return
 }

-func extendApplicationWithOrg(application *Application) {
-	organization := getOrganization(application.Owner, application.Organization)
+func extendApplicationWithOrg(application *Application) (err error) {
+	organization, err := getOrganization(application.Owner, application.Organization)
 	application.OrganizationObj = organization
+	return
 }

-func getApplication(owner string, name string) *Application {
+func getApplication(owner string, name string) (*Application, error) {
 	if owner == "" || name == "" {
-		return nil
+		return nil, nil
 	}

 	application := Application{Owner: owner, Name: name}
 	existed, err := adapter.Engine.Get(&application)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}

 	if existed {
-		extendApplicationWithProviders(&application)
-		extendApplicationWithOrg(&application)
-		return &application
+		err = extendApplicationWithProviders(&application)
+		if err != nil {
+			return nil, err
+		}
+
+		err = extendApplicationWithOrg(&application)
+		if err != nil {
+			return nil, err
+		}
+
+		return &application, nil
 	} else {
-		return nil
+		return nil, nil
 	}
 }

-func GetApplicationByOrganizationName(organization string) *Application {
+func GetApplicationByOrganizationName(organization string) (*Application, error) {
 	application := Application{}
 	existed, err := adapter.Engine.Where("organization=?", organization).Get(&application)
 	if err != nil {
-		panic(err)
+		return nil, nil
 	}

 	if existed {
-		extendApplicationWithProviders(&application)
-		extendApplicationWithOrg(&application)
-		return &application
+		err = extendApplicationWithProviders(&application)
+		if err != nil {
+			return nil, err
+		}
+
+		err = extendApplicationWithOrg(&application)
+		if err != nil {
+			return nil, err
+		}
+
+		return &application, nil
 	} else {
-		return nil
+		return nil, nil
 	}
 }

-func GetApplicationByUser(user *User) *Application {
+func GetApplicationByUser(user *User) (*Application, error) {
 	if user.SignupApplication != "" {
 		return getApplication("admin", user.SignupApplication)
 	} else {
@ -212,38 +235,46 @@ func GetApplicationByUser(user *User) *Application {
 	}
 }

-func GetApplicationByUserId(userId string) (*Application, *User) {
-	var application *Application
-
+func GetApplicationByUserId(userId string) (application *Application, err error) {
 	owner, name := util.GetOwnerAndNameFromId(userId)
 	if owner == "app" {
-		application = getApplication("admin", name)
-		return application, nil
+		application, err = getApplication("admin", name)
+		return
 	}

-	user := GetUser(userId)
-	application = GetApplicationByUser(user)
-
-	return application, user
+	user, err := GetUser(userId)
+	if err != nil {
+		return nil, err
+	}
+	application, err = GetApplicationByUser(user)
+	return
 }

-func GetApplicationByClientId(clientId string) *Application {
+func GetApplicationByClientId(clientId string) (*Application, error) {
 	application := Application{}
 	existed, err := adapter.Engine.Where("client_id=?", clientId).Get(&application)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}

 	if existed {
-		extendApplicationWithProviders(&application)
-		extendApplicationWithOrg(&application)
-		return &application
+		err = extendApplicationWithProviders(&application)
+		if err != nil {
+			return nil, err
+		}
+
+		err = extendApplicationWithOrg(&application)
+		if err != nil {
+			return nil, err
+		}
+
+		return &application, nil
 	} else {
-		return nil
+		return nil, nil
 	}
 }

-func GetApplication(id string) *Application {
+func GetApplication(id string) (*Application, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
 	return getApplication(owner, name)
 }
@ -286,11 +317,11 @@ func GetMaskedApplications(applications []*Application, userId string) []*Applic
 	return applications
 }

-func UpdateApplication(id string, application *Application) bool {
+func UpdateApplication(id string, application *Application) (bool, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
-	oldApplication := getApplication(owner, name)
+	oldApplication, err := getApplication(owner, name)
 	if oldApplication == nil {
-		return false
+		return false, err
 	}

 	if name == "app-built-in" {
@ -298,14 +329,19 @@ func UpdateApplication(id string, application *Application) bool {
 	}

 	if name != application.Name {
-		err := applicationChangeTrigger(name, application.Name)
+		err = applicationChangeTrigger(name, application.Name)
 		if err != nil {
-			return false
+			return false, err
 		}
 	}

-	if oldApplication.ClientId != application.ClientId && GetApplicationByClientId(application.ClientId) != nil {
-		return false
+	applicationByClientId, err := GetApplicationByClientId(application.ClientId)
+	if err != nil {
+		return false, err
+	}
+
+	if oldApplication.ClientId != application.ClientId && applicationByClientId != nil {
+		return false, err
 	}

 	for _, providerItem := range application.Providers {
@ -318,45 +354,58 @@ func UpdateApplication(id string, application *Application) bool {
 	}
 	affected, err := session.Update(application)
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
 }

-func AddApplication(application *Application) bool {
+func AddApplication(application *Application) (bool, error) {
+	if application.Owner == "" {
+		application.Owner = "admin"
+	}
+	if application.Organization == "" {
+		application.Organization = "built-in"
+	}
 	if application.ClientId == "" {
 		application.ClientId = util.GenerateClientId()
 	}
 	if application.ClientSecret == "" {
 		application.ClientSecret = util.GenerateClientSecret()
 	}
-	if GetApplicationByClientId(application.ClientId) != nil {
-		return false
+
+	app, err := GetApplicationByClientId(application.ClientId)
+	if err != nil {
+		return false, err
 	}
+
+	if app != nil {
+		return false, nil
+	}
+
 	for _, providerItem := range application.Providers {
 		providerItem.Provider = nil
 	}

 	affected, err := adapter.Engine.Insert(application)
 	if err != nil {
-		panic(err)
+		return false, nil
 	}

-	return affected != 0
+	return affected != 0, nil
 }

-func DeleteApplication(application *Application) bool {
+func DeleteApplication(application *Application) (bool, error) {
 	if application.Name == "app-built-in" {
-		return false
+		return false, nil
 	}

 	affected, err := adapter.Engine.ID(core.PK{application.Owner, application.Name}).Delete(&Application{})
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
 }

 func (application *Application) GetId() string {
@ -375,33 +424,43 @@ func (application *Application) IsRedirectUriValid(redirectUri string) bool {
 	return isValid
 }

-func IsOriginAllowed(origin string) bool {
-	applications := GetApplications("")
+func IsOriginAllowed(origin string) (bool, error) {
+	applications, err := GetApplications("")
+	if err != nil {
+		return false, err
+	}
+
 	for _, application := range applications {
 		if application.IsRedirectUriValid(origin) {
-			return true
+			return true, nil
 		}
 	}
-	return false
+	return false, nil
 }

-func getApplicationMap(organization string) map[string]*Application {
-	applications := GetOrganizationApplications("admin", organization)
-
+func getApplicationMap(organization string) (map[string]*Application, error) {
 	applicationMap := make(map[string]*Application)
+	applications, err := GetOrganizationApplications("admin", organization)
+	if err != nil {
+		return applicationMap, err
+	}
+
 	for _, application := range applications {
 		applicationMap[application.Name] = application
 	}

-	return applicationMap
+	return applicationMap, nil
 }

-func ExtendManagedAccountsWithUser(user *User) *User {
+func ExtendManagedAccountsWithUser(user *User) (*User, error) {
 	if user.ManagedAccounts == nil || len(user.ManagedAccounts) == 0 {
-		return user
+		return user, nil
 	}

-	applicationMap := getApplicationMap(user.Owner)
+	applicationMap, err := getApplicationMap(user.Owner)
+	if err != nil {
+		return user, err
+	}

 	var managedAccounts []ManagedAccount
 	for _, managedAccount := range user.ManagedAccounts {
@ -413,7 +472,7 @@ func ExtendManagedAccountsWithUser(user *User) *User {
 	}
 	user.ManagedAccounts = managedAccounts

-	return user
+	return user, nil
 }

 func applicationChangeTrigger(oldName string, newName string) error {
--- a/object/application_item.go
+++ b/object/application_item.go
@ -14,8 +14,12 @@

 package object

-func (application *Application) GetProviderByCategory(category string) *Provider {
-	providers := GetProviders(application.Organization)
+func (application *Application) GetProviderByCategory(category string) (*Provider, error) {
+	providers, err := GetProviders(application.Organization)
+	if err != nil {
+		return nil, err
+	}
+
 	m := map[string]*Provider{}
 	for _, provider := range providers {
 		if provider.Category != category {
@ -27,22 +31,22 @@ func (application *Application) GetProviderByCategory(category string) *Provider

 	for _, providerItem := range application.Providers {
 		if provider, ok := m[providerItem.Name]; ok {
-			return provider
+			return provider, nil
 		}
 	}

-	return nil
+	return nil, nil
 }

-func (application *Application) GetEmailProvider() *Provider {
+func (application *Application) GetEmailProvider() (*Provider, error) {
 	return application.GetProviderByCategory("Email")
 }

-func (application *Application) GetSmsProvider() *Provider {
+func (application *Application) GetSmsProvider() (*Provider, error) {
 	return application.GetProviderByCategory("SMS")
 }

-func (application *Application) GetStorageProvider() *Provider {
+func (application *Application) GetStorageProvider() (*Provider, error) {
 	return application.GetProviderByCategory("Storage")
 }

--- a/object/avatar.go
+++ b/object/avatar.go
@ -28,7 +28,11 @@ var defaultStorageProvider *Provider = nil
 func InitDefaultStorageProvider() {
 	defaultStorageProviderStr := conf.GetConfigString("defaultStorageProvider")
 	if defaultStorageProviderStr != "" {
-		defaultStorageProvider = getProvider("admin", defaultStorageProviderStr)
+		var err error
+		defaultStorageProvider, err = getProvider("admin", defaultStorageProviderStr)
+		if err != nil {
+			panic(err)
+		}
 	}
 }

@ -50,40 +54,44 @@ func downloadFile(url string) (*bytes.Buffer, error) {
 	return fileBuffer, nil
 }

-func getPermanentAvatarUrl(organization string, username string, url string, upload bool) string {
+func getPermanentAvatarUrl(organization string, username string, url string, upload bool) (string, error) {
 	if url == "" {
-		return ""
+		return "", nil
 	}

 	if defaultStorageProvider == nil {
-		return ""
+		return "", nil
 	}

 	fullFilePath := fmt.Sprintf("/avatar/%s/%s.png", organization, username)
 	uploadedFileUrl, _ := GetUploadFileUrl(defaultStorageProvider, fullFilePath, false)

 	if upload {
-		DownloadAndUpload(url, fullFilePath, "en")
+		if err := DownloadAndUpload(url, fullFilePath, "en"); err != nil {
+			return "", err
+		}
 	}

-	return uploadedFileUrl
+	return uploadedFileUrl, nil
 }

-func DownloadAndUpload(url string, fullFilePath string, lang string) {
+func DownloadAndUpload(url string, fullFilePath string, lang string) (err error) {
 	fileBuffer, err := downloadFile(url)
 	if err != nil {
-		panic(err)
+		return
 	}

 	_, _, err = UploadFileSafe(defaultStorageProvider, fullFilePath, fileBuffer, lang)
 	if err != nil {
-		panic(err)
+		return
 	}
+
+	return
 }

-func getPermanentAvatarUrlFromBuffer(organization string, username string, fileBuffer *bytes.Buffer, ext string, upload bool) string {
+func getPermanentAvatarUrlFromBuffer(organization string, username string, fileBuffer *bytes.Buffer, ext string, upload bool) (string, error) {
 	if defaultStorageProvider == nil {
-		return ""
+		return "", nil
 	}

 	fullFilePath := fmt.Sprintf("/avatar/%s/%s%s", organization, username, ext)
@ -92,9 +100,9 @@ func getPermanentAvatarUrlFromBuffer(organization string, username string, fileB
 	if upload {
 		_, _, err := UploadFileSafe(defaultStorageProvider, fullFilePath, fileBuffer, "en")
 		if err != nil {
-			panic(err)
+			return "", err
 		}
 	}

-	return uploadedFileUrl
+	return uploadedFileUrl, nil
 }
--- a/object/avatar_test.go
+++ b/object/avatar_test.go
@ -27,13 +27,21 @@ func TestSyncPermanentAvatars(t *testing.T) {
 	InitDefaultStorageProvider()
 	proxy.InitHttpClient()

-	users := GetGlobalUsers()
+	users, err := GetGlobalUsers()
+	if err != nil {
+		panic(err)
+	}
+
 	for i, user := range users {
 		if user.Avatar == "" {
 			continue
 		}

-		user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, true)
+		user.PermanentAvatar, err = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, true)
+		if err != nil {
+			panic(err)
+		}
+
 		updateUserColumn("permanent_avatar", user)
 		fmt.Printf("[%d/%d]: Update user: [%s]'s permanent avatar: %s\n", i, len(users), user.GetId(), user.PermanentAvatar)
 	}
@ -44,16 +52,27 @@ func TestUpdateAvatars(t *testing.T) {
 	InitDefaultStorageProvider()
 	proxy.InitHttpClient()

-	users := GetUsers("casdoor")
+	users, err := GetUsers("casdoor")
+	if err != nil {
+		panic(err)
+	}
+
 	for _, user := range users {
 		if strings.HasPrefix(user.Avatar, "http") {
 			continue
 		}

-		updated := user.refreshAvatar()
+		updated, err := user.refreshAvatar()
+		if err != nil {
+			panic(err)
+		}
+
 		if updated {
 			user.PermanentAvatar = "*"
-			UpdateUser(user.GetId(), user, []string{"avatar"}, true)
+			_, err = UpdateUser(user.GetId(), user, []string{"avatar"}, true)
+			if err != nil {
+				panic(err)
+			}
 		}
 	}
 }
--- a/object/captcha.go
+++ b/object/captcha.go
@ -20,17 +20,17 @@ import (
 	"github.com/dchest/captcha"
 )

-func GetCaptcha() (string, []byte) {
+func GetCaptcha() (string, []byte, error) {
 	id := captcha.NewLen(5)

 	var buffer bytes.Buffer

 	err := captcha.WriteImage(&buffer, id, 200, 80)
 	if err != nil {
-		panic(err)
+		return "", nil, err
 	}

-	return id, buffer.Bytes()
+	return id, buffer.Bytes(), nil
 }

 func VerifyCaptcha(id string, digits string) bool {
--- a/object/casbin_adapter.go
+++ b/object/casbin_adapter.go
@ -46,64 +46,59 @@ type CasbinAdapter struct {
 	Adapter *xormadapter.Adapter `xorm:"-" json:"-"`
 }

-func GetCasbinAdapterCount(owner, field, value string) int {
+func GetCasbinAdapterCount(owner, organization, field, value string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")
-	count, err := session.Count(&CasbinAdapter{})
-	if err != nil {
-		panic(err)
-	}
-
-	return int(count)
+	return session.Count(&CasbinAdapter{Organization: organization})
 }

-func GetCasbinAdapters(owner string) []*CasbinAdapter {
+func GetCasbinAdapters(owner string, organization string) ([]*CasbinAdapter, error) {
 	adapters := []*CasbinAdapter{}
-	err := adapter.Engine.Where("owner = ?", owner).Find(&adapters)
+	err := adapter.Engine.Where("owner = ? and organization = ?", owner, organization).Find(&adapters)
 	if err != nil {
-		panic(err)
+		return adapters, err
 	}

-	return adapters
+	return adapters, nil
 }

-func GetPaginationCasbinAdapters(owner string, page, limit int, field, value, sort, order string) []*CasbinAdapter {
+func GetPaginationCasbinAdapters(owner, organization string, page, limit int, field, value, sort, order string) ([]*CasbinAdapter, error) {
 	session := GetSession(owner, page, limit, field, value, sort, order)
 	adapters := []*CasbinAdapter{}
-	err := session.Find(&adapters)
+	err := session.Find(&adapters, &CasbinAdapter{Organization: organization})
 	if err != nil {
-		panic(err)
+		return adapters, err
 	}

-	return adapters
+	return adapters, nil
 }

-func getCasbinAdapter(owner, name string) *CasbinAdapter {
+func getCasbinAdapter(owner, name string) (*CasbinAdapter, error) {
 	if owner == "" || name == "" {
-		return nil
+		return nil, nil
 	}

 	casbinAdapter := CasbinAdapter{Owner: owner, Name: name}
 	existed, err := adapter.Engine.Get(&casbinAdapter)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}

 	if existed {
-		return &casbinAdapter
+		return &casbinAdapter, nil
 	} else {
-		return nil
+		return nil, nil
 	}
 }

-func GetCasbinAdapter(id string) *CasbinAdapter {
+func GetCasbinAdapter(id string) (*CasbinAdapter, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
 	return getCasbinAdapter(owner, name)
 }

-func UpdateCasbinAdapter(id string, casbinAdapter *CasbinAdapter) bool {
+func UpdateCasbinAdapter(id string, casbinAdapter *CasbinAdapter) (bool, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
-	if getCasbinAdapter(owner, name) == nil {
-		return false
+	if casbinAdapter, err := getCasbinAdapter(owner, name); casbinAdapter == nil {
+		return false, err
 	}

 	session := adapter.Engine.ID(core.PK{owner, name}).AllCols()
@ -112,28 +107,28 @@ func UpdateCasbinAdapter(id string, casbinAdapter *CasbinAdapter) bool {
 	}
 	affected, err := session.Update(casbinAdapter)
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
 }

-func AddCasbinAdapter(casbinAdapter *CasbinAdapter) bool {
+func AddCasbinAdapter(casbinAdapter *CasbinAdapter) (bool, error) {
 	affected, err := adapter.Engine.Insert(casbinAdapter)
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
 }

-func DeleteCasbinAdapter(casbinAdapter *CasbinAdapter) bool {
+func DeleteCasbinAdapter(casbinAdapter *CasbinAdapter) (bool, error) {
 	affected, err := adapter.Engine.ID(core.PK{casbinAdapter.Owner, casbinAdapter.Name}).Delete(&CasbinAdapter{})
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
 }

 func (casbinAdapter *CasbinAdapter) GetId() string {
@ -214,7 +209,11 @@ func matrixToCasbinRules(Ptype string, policies [][]string) []*xormadapter.Casbi
 }

 func SyncPolicies(casbinAdapter *CasbinAdapter) ([]*xormadapter.CasbinRule, error) {
-	modelObj := getModel(casbinAdapter.Owner, casbinAdapter.Model)
+	modelObj, err := getModel(casbinAdapter.Owner, casbinAdapter.Model)
+	if err != nil {
+		return nil, err
+	}
+
 	enforcer, err := initEnforcer(modelObj, casbinAdapter)
 	if err != nil {
 		return nil, err
@ -229,7 +228,11 @@ func SyncPolicies(casbinAdapter *CasbinAdapter) ([]*xormadapter.CasbinRule, erro
 }

 func UpdatePolicy(oldPolicy, newPolicy []string, casbinAdapter *CasbinAdapter) (bool, error) {
-	modelObj := getModel(casbinAdapter.Owner, casbinAdapter.Model)
+	modelObj, err := getModel(casbinAdapter.Owner, casbinAdapter.Model)
+	if err != nil {
+		return false, err
+	}
+
 	enforcer, err := initEnforcer(modelObj, casbinAdapter)
 	if err != nil {
 		return false, err
@ -243,7 +246,11 @@ func UpdatePolicy(oldPolicy, newPolicy []string, casbinAdapter *CasbinAdapter) (
 }

 func AddPolicy(policy []string, casbinAdapter *CasbinAdapter) (bool, error) {
-	modelObj := getModel(casbinAdapter.Owner, casbinAdapter.Model)
+	modelObj, err := getModel(casbinAdapter.Owner, casbinAdapter.Model)
+	if err != nil {
+		return false, err
+	}
+
 	enforcer, err := initEnforcer(modelObj, casbinAdapter)
 	if err != nil {
 		return false, err
@ -257,7 +264,11 @@ func AddPolicy(policy []string, casbinAdapter *CasbinAdapter) (bool, error) {
 }

 func RemovePolicy(policy []string, casbinAdapter *CasbinAdapter) (bool, error) {
-	modelObj := getModel(casbinAdapter.Owner, casbinAdapter.Model)
+	modelObj, err := getModel(casbinAdapter.Owner, casbinAdapter.Model)
+	if err != nil {
+		return false, err
+	}
+
 	enforcer, err := initEnforcer(modelObj, casbinAdapter)
 	if err != nil {
 		return false, err
--- a/object/cert.go
+++ b/object/cert.go
@ -47,88 +47,133 @@ func GetMaskedCert(cert *Cert) *Cert {
 	return cert
 }

-func GetMaskedCerts(certs []*Cert) []*Cert {
+func GetMaskedCerts(certs []*Cert, err error) ([]*Cert, error) {
+	if err != nil {
+		return nil, err
+	}
+
 	for _, cert := range certs {
 		cert = GetMaskedCert(cert)
 	}
-	return certs
+	return certs, nil
 }

-func GetCertCount(owner, field, value string) int {
-	session := GetSession(owner, -1, -1, field, value, "", "")
-	count, err := session.Count(&Cert{})
+func GetCertCount(owner, field, value string) (int64, error) {
+	session := GetSession("", -1, -1, field, value, "", "")
+	return session.Where("owner = ? or owner = ? ", "admin", owner).Count(&Cert{})
+}
+
+func GetCerts(owner string) ([]*Cert, error) {
+	certs := []*Cert{}
+	err := adapter.Engine.Where("owner = ? or owner = ? ", "admin", owner).Desc("created_time").Find(&certs, &Cert{})
 	if err != nil {
-		panic(err)
+		return certs, err
 	}

-	return int(count)
+	return certs, nil
 }

-func GetCerts(owner string) []*Cert {
+func GetPaginationCerts(owner string, offset, limit int, field, value, sortField, sortOrder string) ([]*Cert, error) {
 	certs := []*Cert{}
-	err := adapter.Engine.Desc("created_time").Find(&certs, &Cert{Owner: owner})
+	session := GetSession("", offset, limit, field, value, sortField, sortOrder)
+	err := session.Where("owner = ? or owner = ? ", "admin", owner).Find(&certs)
 	if err != nil {
-		panic(err)
+		return certs, err
 	}

-	return certs
+	return certs, nil
 }

-func GetPaginationCerts(owner string, offset, limit int, field, value, sortField, sortOrder string) []*Cert {
+func GetGlobalCertsCount(field, value string) (int64, error) {
+	session := GetSession("", -1, -1, field, value, "", "")
+	return session.Count(&Cert{})
+}
+
+func GetGlobleCerts() ([]*Cert, error) {
 	certs := []*Cert{}
-	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
+	err := adapter.Engine.Desc("created_time").Find(&certs)
+	if err != nil {
+		return certs, err
+	}
+
+	return certs, nil
+}
+
+func GetPaginationGlobalCerts(offset, limit int, field, value, sortField, sortOrder string) ([]*Cert, error) {
+	certs := []*Cert{}
+	session := GetSession("", offset, limit, field, value, sortField, sortOrder)
 	err := session.Find(&certs)
 	if err != nil {
-		panic(err)
+		return certs, err
 	}

-	return certs
+	return certs, nil
 }

-func getCert(owner string, name string) *Cert {
+func getCert(owner string, name string) (*Cert, error) {
 	if owner == "" || name == "" {
-		return nil
+		return nil, nil
 	}

 	cert := Cert{Owner: owner, Name: name}
 	existed, err := adapter.Engine.Get(&cert)
 	if err != nil {
-		panic(err)
+		return &cert, err
 	}

 	if existed {
-		return &cert
+		return &cert, nil
 	} else {
-		return nil
+		return nil, nil
 	}
 }

-func GetCert(id string) *Cert {
+func getCertByName(name string) (*Cert, error) {
+	if name == "" {
+		return nil, nil
+	}
+
+	cert := Cert{Name: name}
+	existed, err := adapter.Engine.Get(&cert)
+	if err != nil {
+		return &cert, nil
+	}
+
+	if existed {
+		return &cert, nil
+	} else {
+		return nil, nil
+	}
+}
+
+func GetCert(id string) (*Cert, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
 	return getCert(owner, name)
 }

-func UpdateCert(id string, cert *Cert) bool {
+func UpdateCert(id string, cert *Cert) (bool, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
-	if getCert(owner, name) == nil {
-		return false
+	if c, err := getCert(owner, name); err != nil {
+		return false, err
+	} else if c == nil {
+		return false, nil
 	}

 	if name != cert.Name {
 		err := certChangeTrigger(name, cert.Name)
 		if err != nil {
-			return false
+			return false, nil
 		}
 	}
 	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(cert)
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
 }

-func AddCert(cert *Cert) bool {
+func AddCert(cert *Cert) (bool, error) {
 	if cert.Certificate == "" || cert.PrivateKey == "" {
 		certificate, privateKey := generateRsaKeys(cert.BitSize, cert.ExpireInYears, cert.Name, cert.Owner)
 		cert.Certificate = certificate
@ -137,34 +182,34 @@ func AddCert(cert *Cert) bool {

 	affected, err := adapter.Engine.Insert(cert)
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
 }

-func DeleteCert(cert *Cert) bool {
+func DeleteCert(cert *Cert) (bool, error) {
 	affected, err := adapter.Engine.ID(core.PK{cert.Owner, cert.Name}).Delete(&Cert{})
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
 }

 func (p *Cert) GetId() string {
 	return fmt.Sprintf("%s/%s", p.Owner, p.Name)
 }

-func getCertByApplication(application *Application) *Cert {
+func getCertByApplication(application *Application) (*Cert, error) {
 	if application.Cert != "" {
-		return getCert("admin", application.Cert)
+		return getCertByName(application.Cert)
 	} else {
 		return GetDefaultCert()
 	}
 }

-func GetDefaultCert() *Cert {
+func GetDefaultCert() (*Cert, error) {
 	return getCert("admin", "cert-built-in")
 }

--- a/object/chat.go
+++ b/object/chat.go
@ -37,105 +37,128 @@ type Chat struct {
 	MessageCount int      `json:"messageCount"`
 }

-func GetMaskedChat(chat *Chat) *Chat {
+func GetMaskedChat(chat *Chat, err ...error) (*Chat, error) {
+	if len(err) > 0 && err[0] != nil {
+		return nil, err[0]
+	}
+
 	if chat == nil {
-		return nil
+		return nil, nil
 	}

-	return chat
+	return chat, nil
 }

-func GetMaskedChats(chats []*Chat) []*Chat {
+func GetMaskedChats(chats []*Chat, errs ...error) ([]*Chat, error) {
+	if len(errs) > 0 && errs[0] != nil {
+		return nil, errs[0]
+	}
+	var err error
 	for _, chat := range chats {
-		chat = GetMaskedChat(chat)
+		chat, err = GetMaskedChat(chat)
+		if err != nil {
+			return nil, err
+		}
 	}
-	return chats
+	return chats, nil
 }

-func GetChatCount(owner, field, value string) int {
+func GetChatCount(owner, field, value string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")
-	count, err := session.Count(&Chat{})
-	if err != nil {
-		panic(err)
-	}
-
-	return int(count)
+	return session.Count(&Chat{})
 }

-func GetChats(owner string) []*Chat {
+func GetChats(owner string) ([]*Chat, error) {
 	chats := []*Chat{}
 	err := adapter.Engine.Desc("created_time").Find(&chats, &Chat{Owner: owner})
 	if err != nil {
-		panic(err)
+		return chats, err
 	}

-	return chats
+	return chats, nil
 }

-func GetPaginationChats(owner string, offset, limit int, field, value, sortField, sortOrder string) []*Chat {
+func GetPaginationChats(owner string, offset, limit int, field, value, sortField, sortOrder string) ([]*Chat, error) {
 	chats := []*Chat{}
 	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
 	err := session.Find(&chats)
 	if err != nil {
-		panic(err)
+		return chats, err
 	}

-	return chats
+	return chats, nil
 }

-func getChat(owner string, name string) *Chat {
+func getChat(owner string, name string) (*Chat, error) {
 	if owner == "" || name == "" {
-		return nil
+		return nil, nil
 	}

 	chat := Chat{Owner: owner, Name: name}
 	existed, err := adapter.Engine.Get(&chat)
 	if err != nil {
-		panic(err)
+		return &chat, err
 	}

 	if existed {
-		return &chat
+		return &chat, nil
 	} else {
-		return nil
+		return nil, nil
 	}
 }

-func GetChat(id string) *Chat {
+func GetChat(id string) (*Chat, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
 	return getChat(owner, name)
 }

-func UpdateChat(id string, chat *Chat) bool {
+func UpdateChat(id string, chat *Chat) (bool, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
-	if getChat(owner, name) == nil {
-		return false
+	if c, err := getChat(owner, name); err != nil {
+		return false, err
+	} else if c == nil {
+		return false, nil
 	}

 	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(chat)
 	if err != nil {
-		panic(err)
+		return false, nil
 	}

-	return affected != 0
+	return affected != 0, nil
 }

-func AddChat(chat *Chat) bool {
+func AddChat(chat *Chat) (bool, error) {
+	if chat.Type == "AI" && chat.User2 == "" {
+		provider, err := getDefaultAiProvider()
+		if err != nil {
+			return false, err
+		}
+
+		if provider != nil {
+			chat.User2 = provider.Name
+		}
+	}
+
 	affected, err := adapter.Engine.Insert(chat)
 	if err != nil {
-		panic(err)
+		return false, nil
 	}

-	return affected != 0
+	return affected != 0, nil
 }

-func DeleteChat(chat *Chat) bool {
+func DeleteChat(chat *Chat) (bool, error) {
 	affected, err := adapter.Engine.ID(core.PK{chat.Owner, chat.Name}).Delete(&Chat{})
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	if affected != 0 {
+		return DeleteChatMessages(chat.Name)
+	}
+
+	return affected != 0, nil
 }

 func (p *Chat) GetId() string {
--- a/object/check.go
+++ b/object/check.go
@ -22,6 +22,7 @@ import (
 	"unicode"

 	"github.com/casdoor/casdoor/cred"
+	"github.com/casdoor/casdoor/form"
 	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/util"
 	goldap "github.com/go-ldap/ldap/v3"
@ -42,86 +43,86 @@ func init() {
 	reFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
 }

-func CheckUserSignup(application *Application, organization *Organization, username string, password string, displayName string, firstName string, lastName string, email string, phone string, countryCode string, affiliation string, lang string) string {
+func CheckUserSignup(application *Application, organization *Organization, form *form.AuthForm, lang string) string {
 	if organization == nil {
 		return i18n.Translate(lang, "check:Organization does not exist")
 	}

 	if application.IsSignupItemVisible("Username") {
-		if len(username) <= 1 {
+		if len(form.Username) <= 1 {
 			return i18n.Translate(lang, "check:Username must have at least 2 characters")
 		}
-		if unicode.IsDigit(rune(username[0])) {
+		if unicode.IsDigit(rune(form.Username[0])) {
 			return i18n.Translate(lang, "check:Username cannot start with a digit")
 		}
-		if util.IsEmailValid(username) {
+		if util.IsEmailValid(form.Username) {
 			return i18n.Translate(lang, "check:Username cannot be an email address")
 		}
-		if reWhiteSpace.MatchString(username) {
+		if reWhiteSpace.MatchString(form.Username) {
 			return i18n.Translate(lang, "check:Username cannot contain white spaces")
 		}

-		if msg := CheckUsername(username, lang); msg != "" {
+		if msg := CheckUsername(form.Username, lang); msg != "" {
 			return msg
 		}

-		if HasUserByField(organization.Name, "name", username) {
+		if HasUserByField(organization.Name, "name", form.Username) {
 			return i18n.Translate(lang, "check:Username already exists")
 		}
-		if HasUserByField(organization.Name, "email", email) {
+		if HasUserByField(organization.Name, "email", form.Email) {
 			return i18n.Translate(lang, "check:Email already exists")
 		}
-		if HasUserByField(organization.Name, "phone", phone) {
+		if HasUserByField(organization.Name, "phone", form.Phone) {
 			return i18n.Translate(lang, "check:Phone already exists")
 		}
 	}

-	if len(password) <= 5 {
+	if len(form.Password) <= 5 {
 		return i18n.Translate(lang, "check:Password must have at least 6 characters")
 	}

 	if application.IsSignupItemVisible("Email") {
-		if email == "" {
+		if form.Email == "" {
 			if application.IsSignupItemRequired("Email") {
 				return i18n.Translate(lang, "check:Email cannot be empty")
 			}
 		} else {
-			if HasUserByField(organization.Name, "email", email) {
+			if HasUserByField(organization.Name, "email", form.Email) {
 				return i18n.Translate(lang, "check:Email already exists")
-			} else if !util.IsEmailValid(email) {
+			} else if !util.IsEmailValid(form.Email) {
 				return i18n.Translate(lang, "check:Email is invalid")
 			}
 		}
 	}

 	if application.IsSignupItemVisible("Phone") {
-		if phone == "" {
+		if form.Phone == "" {
 			if application.IsSignupItemRequired("Phone") {
 				return i18n.Translate(lang, "check:Phone cannot be empty")
 			}
 		} else {
-			if HasUserByField(organization.Name, "phone", phone) {
+			if HasUserByField(organization.Name, "phone", form.Phone) {
 				return i18n.Translate(lang, "check:Phone already exists")
-			} else if !util.IsPhoneAllowInRegin(countryCode, organization.CountryCodes) {
+			} else if !util.IsPhoneAllowInRegin(form.CountryCode, organization.CountryCodes) {
 				return i18n.Translate(lang, "check:Your region is not allow to signup by phone")
-			} else if !util.IsPhoneValid(phone, countryCode) {
+			} else if !util.IsPhoneValid(form.Phone, form.CountryCode) {
 				return i18n.Translate(lang, "check:Phone number is invalid")
 			}
 		}
 	}

 	if application.IsSignupItemVisible("Display name") {
-		if application.GetSignupItemRule("Display name") == "First, last" && (firstName != "" || lastName != "") {
-			if firstName == "" {
+		if application.GetSignupItemRule("Display name") == "First, last" && (form.FirstName != "" || form.LastName != "") {
+			if form.FirstName == "" {
 				return i18n.Translate(lang, "check:FirstName cannot be blank")
-			} else if lastName == "" {
+			} else if form.LastName == "" {
 				return i18n.Translate(lang, "check:LastName cannot be blank")
 			}
 		} else {
-			if displayName == "" {
+			if form.Name == "" {
 				return i18n.Translate(lang, "check:DisplayName cannot be blank")
 			} else if application.GetSignupItemRule("Display name") == "Real name" {
-				if !isValidRealName(displayName) {
+				if !isValidRealName(form.Name) {
 					return i18n.Translate(lang, "check:DisplayName is not valid real name")
 				}
 			}
@ -129,7 +130,7 @@ func CheckUserSignup(application *Application, organization *Organization, usern
 	}

 	if application.IsSignupItemVisible("Affiliation") {
-		if affiliation == "" {
+		if form.Affiliation == "" {
 			return i18n.Translate(lang, "check:Affiliation cannot be blank")
 		}
 	}
@ -157,18 +158,32 @@ func checkSigninErrorTimes(user *User, lang string) string {
 	return ""
 }

-func CheckPassword(user *User, password string, lang string) string {
+func CheckPassword(user *User, password string, lang string, options ...bool) string {
+	enableCaptcha := false
+	if len(options) > 0 {
+		enableCaptcha = options[0]
+	}
 	// check the login error times
-	if msg := checkSigninErrorTimes(user, lang); msg != "" {
-		return msg
+	if !enableCaptcha {
+		if msg := checkSigninErrorTimes(user, lang); msg != "" {
+			return msg
+		}
+	}
+
+	organization, err := GetOrganizationByUser(user)
+	if err != nil {
+		panic(err)
 	}

-	organization := GetOrganizationByUser(user)
 	if organization == nil {
 		return i18n.Translate(lang, "check:Organization does not exist")
 	}

-	credManager := cred.GetCredManager(organization.PasswordType)
+	passwordType := user.PasswordType
+	if passwordType == "" {
+		passwordType = organization.PasswordType
+	}
+	credManager := cred.GetCredManager(passwordType)
 	if credManager != nil {
 		if organization.MasterPassword != "" {
 			if credManager.IsPasswordCorrect(password, organization.MasterPassword, "", organization.PasswordSalt) {
@ -182,14 +197,18 @@ func CheckPassword(user *User, password string, lang string) string {
 			return ""
 		}

-		return recordSigninErrorInfo(user, lang)
+		return recordSigninErrorInfo(user, lang, enableCaptcha)
 	} else {
 		return fmt.Sprintf(i18n.Translate(lang, "check:unsupported password type: %s"), organization.PasswordType)
 	}
 }

 func checkLdapUserPassword(user *User, password string, lang string) string {
-	ldaps := GetLdaps(user.Owner)
+	ldaps, err := GetLdaps(user.Owner)
+	if err != nil {
+		return err.Error()
+	}
+
 	ldapLoginSuccess := false
 	hit := false

@ -200,7 +219,7 @@ func checkLdapUserPassword(user *User, password string, lang string) string {
 		}

 		searchReq := goldap.NewSearchRequest(ldapServer.BaseDn, goldap.ScopeWholeSubtree, goldap.NeverDerefAliases,
-			0, 0, false, ldapServer.buildFilterString(user), []string{}, nil)
+			0, 0, false, ldapServer.buildAuthFilterString(user), []string{}, nil)

 		searchResult, err := conn.Conn.Search(searchReq)
 		if err != nil {
@ -231,9 +250,17 @@ func checkLdapUserPassword(user *User, password string, lang string) string {
 	return ""
 }

-func CheckUserPassword(organization string, username string, password string, lang string) (*User, string) {
-	user := GetUserByFields(organization, username)
-	if user == nil || user.IsDeleted == true {
+func CheckUserPassword(organization string, username string, password string, lang string, options ...bool) (*User, string) {
+	enableCaptcha := false
+	if len(options) > 0 {
+		enableCaptcha = options[0]
+	}
+	user, err := GetUserByFields(organization, username)
+	if err != nil {
+		panic(err)
+	}
+
+	if user == nil || user.IsDeleted {
 		return nil, fmt.Sprintf(i18n.Translate(lang, "general:The user: %s doesn't exist"), util.GetId(organization, username))
 	}

@ -250,7 +277,7 @@ func CheckUserPassword(organization string, username string, password string, la
 			return nil, msg
 		}
 	} else {
-		if msg := CheckPassword(user, password, lang); msg != "" {
+		if msg := CheckPassword(user, password, lang, enableCaptcha); msg != "" {
 			return nil, msg
 		}
 	}
@ -269,8 +296,16 @@ func CheckUserPermission(requestUserId, userId string, strict bool, lang string)
 	userOwner := util.GetOwnerFromId(userId)

 	if userId != "" {
-		targetUser := GetUser(userId)
+		targetUser, err := GetUser(userId)
+		if err != nil {
+			panic(err)
+		}
+
 		if targetUser == nil {
+			if strings.HasPrefix(requestUserId, "built-in/") {
+				return true, nil
+			}
+
 			return false, fmt.Errorf(i18n.Translate(lang, "general:The user: %s doesn't exist"), userId)
 		}

@ -281,7 +316,11 @@ func CheckUserPermission(requestUserId, userId string, strict bool, lang string)
 	if strings.HasPrefix(requestUserId, "app/") {
 		hasPermission = true
 	} else {
-		requestUser := GetUser(requestUserId)
+		requestUser, err := GetUser(requestUserId)
+		if err != nil {
+			return false, err
+		}
+
 		if requestUser == nil {
 			return false, fmt.Errorf(i18n.Translate(lang, "check:Session outdated, please login again"))
 		}
@ -302,9 +341,17 @@ func CheckUserPermission(requestUserId, userId string, strict bool, lang string)
 }

 func CheckAccessPermission(userId string, application *Application) (bool, error) {
-	permissions := GetPermissions(application.Organization)
-	allowed := true
 	var err error
+	if userId == "built-in/admin" {
+		return true, nil
+	}
+
+	permissions, err := GetPermissions(application.Organization)
+	if err != nil {
+		return false, err
+	}
+
+	allowed := true
 	for _, permission := range permissions {
 		if !permission.IsEnabled || len(permission.Users) == 0 {
 			continue
@ -380,9 +427,9 @@ func CheckUpdateUser(oldUser, user *User, lang string) string {
 	return ""
 }

-func CheckToEnableCaptcha(application *Application) bool {
+func CheckToEnableCaptcha(application *Application, organization, username string) (bool, error) {
 	if len(application.Providers) == 0 {
-		return false
+		return false, nil
 	}

 	for _, providerItem := range application.Providers {
@ -390,9 +437,16 @@ func CheckToEnableCaptcha(application *Application) bool {
 			continue
 		}
 		if providerItem.Provider.Category == "Captcha" {
-			return providerItem.Rule == "Always"
+			if providerItem.Rule == "Dynamic" {
+				user, err := GetUserByFields(organization, username)
+				if err != nil {
+					return false, err
+				}
+				return user != nil && user.SigninWrongTimes >= SigninWrongTimesLimit, nil
+			}
+			return providerItem.Rule == "Always", nil
 		}
 	}

-	return false
+	return false, nil
 }
--- a/object/check_util.go
+++ b/object/check_util.go
@ -45,9 +45,15 @@ func resetUserSigninErrorTimes(user *User) {
 	UpdateUser(user.GetId(), user, []string{"signin_wrong_times", "last_signin_wrong_time"}, user.IsGlobalAdmin)
 }

-func recordSigninErrorInfo(user *User, lang string) string {
+func recordSigninErrorInfo(user *User, lang string, options ...bool) string {
+	enableCaptcha := false
+	if len(options) > 0 {
+		enableCaptcha = options[0]
+	}
 	// increase failed login count
-	user.SigninWrongTimes++
+	if user.SigninWrongTimes < SigninWrongTimesLimit {
+		user.SigninWrongTimes++
+	}

 	if user.SigninWrongTimes >= SigninWrongTimesLimit {
 		// record the latest failed login time
@ -57,10 +63,11 @@ func recordSigninErrorInfo(user *User, lang string) string {
 	// update user
 	UpdateUser(user.GetId(), user, []string{"signin_wrong_times", "last_signin_wrong_time"}, user.IsGlobalAdmin)
 	leftChances := SigninWrongTimesLimit - user.SigninWrongTimes
-	if leftChances > 0 {
+	if leftChances == 0 && enableCaptcha {
+		return fmt.Sprint(i18n.Translate(lang, "check:password or code is incorrect"))
+	} else if leftChances >= 0 {
 		return fmt.Sprintf(i18n.Translate(lang, "check:password or code is incorrect, you have %d remaining chances"), leftChances)
 	}
-
 	// don't show the chance error message if the user has no chance left
 	return fmt.Sprintf(i18n.Translate(lang, "check:You have entered the wrong password or code too many times, please wait for %d minutes and try again"), int(LastSignWrongTimeDuration.Minutes()))
 }
--- a/object/email.go
+++ b/object/email.go
@ -24,11 +24,9 @@ import (

 func getDialer(provider *Provider) *gomail.Dialer {
 	dialer := &gomail.Dialer{}
+	dialer = gomail.NewDialer(provider.Host, provider.Port, provider.ClientId, provider.ClientSecret)
 	if provider.Type == "SUBMAIL" {
-		dialer = gomail.NewDialer(provider.Host, provider.Port, provider.AppId, provider.ClientSecret)
 		dialer.TLSConfig = &tls.Config{InsecureSkipVerify: true}
-	} else {
-		dialer = gomail.NewDialer(provider.Host, provider.Port, provider.ClientId, provider.ClientSecret)
 	}

 	dialer.SSL = !provider.DisableSsl
@ -40,14 +38,23 @@ func SendEmail(provider *Provider, title string, content string, dest string, se
 	dialer := getDialer(provider)

 	message := gomail.NewMessage()
-	message.SetAddressHeader("From", provider.ClientId, sender)
+
+	fromAddress := provider.ClientId2
+	if fromAddress == "" {
+		fromAddress = provider.ClientId
+	}
+
+	fromName := provider.ClientSecret2
+	if fromName == "" {
+		fromName = sender
+	}
+
+	message.SetAddressHeader("From", fromAddress, fromName)
 	message.SetHeader("To", dest)
 	message.SetHeader("Subject", title)
 	message.SetBody("text/html", content)

-	if provider.Type == "Mailtrap" {
-		message.SkipUsernameCheck = true
-	}
+	message.SkipUsernameCheck = true

 	return dialer.DialAndSend(message)
 }
--- a/object/group.go
+++ b/object/group.go
@ -0,0 +1,193 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+
+	"github.com/casdoor/casdoor/util"
+	"github.com/xorm-io/core"
+)
+
+type Group struct {
+	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
+	Name        string `xorm:"varchar(100) notnull pk unique" json:"name"`
+	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
+	UpdatedTime string `xorm:"varchar(100)" json:"updatedTime"`
+
+	Id            string    `xorm:"varchar(100) not null index" json:"id"`
+	DisplayName   string    `xorm:"varchar(100)" json:"displayName"`
+	Manager       string    `xorm:"varchar(100)" json:"manager"`
+	ContactEmail  string    `xorm:"varchar(100)" json:"contactEmail"`
+	Type          string    `xorm:"varchar(100)" json:"type"`
+	ParentGroupId string    `xorm:"varchar(100)" json:"parentGroupId"`
+	IsTopGroup    bool      `xorm:"bool" json:"isTopGroup"`
+	Users         *[]string `xorm:"-" json:"users"`
+
+	Title    string   `json:"title,omitempty"`
+	Key      string   `json:"key,omitempty"`
+	Children []*Group `json:"children,omitempty"`
+
+	IsEnabled bool `json:"isEnabled"`
+}
+
+type GroupNode struct{}
+
+func GetGroupCount(owner, field, value string) (int64, error) {
+	session := GetSession(owner, -1, -1, field, value, "", "")
+	count, err := session.Count(&Group{})
+	if err != nil {
+		return 0, err
+	}
+
+	return count, nil
+}
+
+func GetGroups(owner string) ([]*Group, error) {
+	groups := []*Group{}
+	err := adapter.Engine.Desc("created_time").Find(&groups, &Group{Owner: owner})
+	if err != nil {
+		return nil, err
+	}
+
+	return groups, nil
+}
+
+func GetPaginationGroups(owner string, offset, limit int, field, value, sortField, sortOrder string) ([]*Group, error) {
+	groups := []*Group{}
+	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
+	err := session.Find(&groups)
+	if err != nil {
+		return nil, err
+	}
+
+	return groups, nil
+}
+
+func getGroup(owner string, name string) (*Group, error) {
+	if owner == "" || name == "" {
+		return nil, nil
+	}
+
+	group := Group{Owner: owner, Name: name}
+	existed, err := adapter.Engine.Get(&group)
+	if err != nil {
+		return nil, err
+	}
+
+	if existed {
+		return &group, nil
+	} else {
+		return nil, nil
+	}
+}
+
+func getGroupById(id string) (*Group, error) {
+	if id == "" {
+		return nil, nil
+	}
+
+	group := Group{Id: id}
+	existed, err := adapter.Engine.Get(&group)
+	if err != nil {
+		return nil, err
+	}
+
+	if existed {
+		return &group, nil
+	} else {
+		return nil, nil
+	}
+}
+
+func GetGroup(id string) (*Group, error) {
+	owner, name := util.GetOwnerAndNameFromId(id)
+	return getGroup(owner, name)
+}
+
+func UpdateGroup(id string, group *Group) (bool, error) {
+	owner, name := util.GetOwnerAndNameFromId(id)
+	oldGroup, err := getGroup(owner, name)
+	if oldGroup == nil {
+		return false, err
+	}
+
+	group.UpdatedTime = util.GetCurrentTime()
+	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(group)
+	if err != nil {
+		return false, err
+	}
+
+	return affected != 0, nil
+}
+
+func AddGroup(group *Group) (bool, error) {
+	if group.Id == "" {
+		group.Id = util.GenerateId()
+	}
+
+	affected, err := adapter.Engine.Insert(group)
+	if err != nil {
+		return false, err
+	}
+
+	return affected != 0, nil
+}
+
+func AddGroups(groups []*Group) (bool, error) {
+	if len(groups) == 0 {
+		return false, nil
+	}
+	affected, err := adapter.Engine.Insert(groups)
+	if err != nil {
+		return false, err
+	}
+	return affected != 0, nil
+}
+
+func DeleteGroup(group *Group) (bool, error) {
+	affected, err := adapter.Engine.ID(core.PK{group.Owner, group.Name}).Delete(&Group{})
+	if err != nil {
+		return false, err
+	}
+
+	return affected != 0, nil
+}
+
+func (group *Group) GetId() string {
+	return fmt.Sprintf("%s/%s", group.Owner, group.Name)
+}
+
+func ConvertToTreeData(groups []*Group, parentGroupId string) []*Group {
+	treeData := []*Group{}
+
+	for _, group := range groups {
+		if group.ParentGroupId == parentGroupId {
+			node := &Group{
+				Title: group.DisplayName,
+				Key:   group.Name,
+				Type:  group.Type,
+				Owner: group.Owner,
+				Id:    group.Id,
+			}
+			children := ConvertToTreeData(groups, group.Id)
+			if len(children) > 0 {
+				node.Children = children
+			}
+			treeData = append(treeData, node)
+		}
+	}
+	return treeData
+}
--- a/object/init.go
+++ b/object/init.go
@ -61,19 +61,25 @@ func getBuiltInAccountItems() []*AccountItem {
 		{Name: "Signup application", Visible: true, ViewRule: "Public", ModifyRule: "Admin"},
 		{Name: "Roles", Visible: true, ViewRule: "Public", ModifyRule: "Immutable"},
 		{Name: "Permissions", Visible: true, ViewRule: "Public", ModifyRule: "Immutable"},
+		{Name: "Groups", Visible: true, ViewRule: "Public", ModifyRule: "Immutable"},
 		{Name: "3rd-party logins", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
 		{Name: "Properties", Visible: false, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Is admin", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Is global admin", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Is forbidden", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Is deleted", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
+		{Name: "Multi-factor authentication", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
 		{Name: "WebAuthn credentials", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
 		{Name: "Managed accounts", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
 	}
 }

 func initBuiltInOrganization() bool {
-	organization := getOrganization("admin", "built-in")
+	organization, err := getOrganization("admin", "built-in")
+	if err != nil {
+		panic(err)
+	}
+
 	if organization != nil {
 		return true
 	}
@ -89,18 +95,25 @@ func initBuiltInOrganization() bool {
 		CountryCodes:       []string{"US", "ES", "CN", "FR", "DE", "GB", "JP", "KR", "VN", "ID", "SG", "IN"},
 		DefaultAvatar:      fmt.Sprintf("%s/img/casbin.svg", conf.GetConfigString("staticBaseUrl")),
 		Tags:               []string{},
-		Languages:          []string{"en", "zh", "es", "fr", "de", "id", "ja", "ko", "ru", "vi"},
+		Languages:          []string{"en", "zh", "es", "fr", "de", "id", "ja", "ko", "ru", "vi", "pt"},
 		InitScore:          2000,
 		AccountItems:       getBuiltInAccountItems(),
 		EnableSoftDeletion: false,
 		IsProfilePublic:    false,
 	}
-	AddOrganization(organization)
+	_, err = AddOrganization(organization)
+	if err != nil {
+		panic(err)
+	}
+
 	return false
 }

 func initBuiltInUser() {
-	user := getUser("built-in", "admin")
+	user, err := getUser("built-in", "admin")
+	if err != nil {
+		panic(err)
+	}
 	if user != nil {
 		return
 	}
@ -130,11 +143,18 @@ func initBuiltInUser() {
 		CreatedIp:         "127.0.0.1",
 		Properties:        make(map[string]string),
 	}
-	AddUser(user)
+	_, err = AddUser(user)
+	if err != nil {
+		panic(err)
+	}
 }

 func initBuiltInApplication() {
-	application := getApplication("admin", "app-built-in")
+	application, err := getApplication("admin", "app-built-in")
+	if err != nil {
+		panic(err)
+	}
+
 	if application != nil {
 		return
 	}
@ -167,7 +187,10 @@ func initBuiltInApplication() {
 		ExpireInHours: 168,
 		FormOffset:    2,
 	}
-	AddApplication(application)
+	_, err = AddApplication(application)
+	if err != nil {
+		panic(err)
+	}
 }

 func readTokenFromFile() (string, string) {
@ -186,7 +209,11 @@ func readTokenFromFile() (string, string) {

 func initBuiltInCert() {
 	tokenJwtCertificate, tokenJwtPrivateKey := readTokenFromFile()
-	cert := getCert("admin", "cert-built-in")
+	cert, err := getCert("admin", "cert-built-in")
+	if err != nil {
+		panic(err)
+	}
+
 	if cert != nil {
 		return
 	}
@ -204,11 +231,18 @@ func initBuiltInCert() {
 		Certificate:     tokenJwtCertificate,
 		PrivateKey:      tokenJwtPrivateKey,
 	}
-	AddCert(cert)
+	_, err = AddCert(cert)
+	if err != nil {
+		panic(err)
+	}
 }

 func initBuiltInLdap() {
-	ldap := GetLdap("ldap-built-in")
+	ldap, err := GetLdap("ldap-built-in")
+	if err != nil {
+		panic(err)
+	}
+
 	if ldap != nil {
 		return
 	}
@ -225,11 +259,18 @@ func initBuiltInLdap() {
 		AutoSync:   0,
 		LastSync:   "",
 	}
-	AddLdap(ldap)
+	_, err = AddLdap(ldap)
+	if err != nil {
+		panic(err)
+	}
 }

 func initBuiltInProvider() {
-	provider := GetProvider(util.GetId("admin", "provider_captcha_default"))
+	provider, err := GetProvider(util.GetId("admin", "provider_captcha_default"))
+	if err != nil {
+		panic(err)
+	}
+
 	if provider != nil {
 		return
 	}
@ -242,7 +283,10 @@ func initBuiltInProvider() {
 		Category:    "Captcha",
 		Type:        "Default",
 	}
-	AddProvider(provider)
+	_, err = AddProvider(provider)
+	if err != nil {
+		panic(err)
+	}
 }

 func initWebAuthn() {
@ -250,7 +294,11 @@ func initWebAuthn() {
 }

 func initBuiltInModel() {
-	model := GetModel("built-in/model-built-in")
+	model, err := GetModel("built-in/model-built-in")
+	if err != nil {
+		panic(err)
+	}
+
 	if model != nil {
 		return
 	}
@ -273,11 +321,17 @@ e = some(where (p.eft == allow))
 [matchers]
 m = r.sub == p.sub && r.obj == p.obj && r.act == p.act`,
 	}
-	AddModel(model)
+	_, err = AddModel(model)
+	if err != nil {
+		panic(err)
+	}
 }

 func initBuiltInPermission() {
-	permission := GetPermission("built-in/permission-built-in")
+	permission, err := GetPermission("built-in/permission-built-in")
+	if err != nil {
+		panic(err)
+	}
 	if permission != nil {
 		return
 	}
@ -297,5 +351,8 @@ func initBuiltInPermission() {
 		Effect:       "Allow",
 		IsEnabled:    true,
 	}
-	AddPermission(permission)
+	_, err = AddPermission(permission)
+	if err != nil {
+		panic(err)
+	}
 }
--- a/object/init_data.go
+++ b/object/init_data.go
@ -14,7 +14,10 @@

 package object

-import "github.com/casdoor/casdoor/util"
+import (
+	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/util"
+)

 type InitData struct {
 	Organizations []*Organization `json:"organizations"`
@ -35,7 +38,16 @@ type InitData struct {
 }

 func InitFromFile() {
-	initData := readInitDataFromFile("./init_data.json")
+	initDataFile := conf.GetConfigString("initDataFile")
+	if initDataFile == "" {
+		return
+	}
+
+	initData, err := readInitDataFromFile(initDataFile)
+	if err != nil {
+		panic(err)
+	}
+
 	if initData != nil {
 		for _, organization := range initData.Organizations {
 			initDefinedOrganization(organization)
@ -85,9 +97,9 @@ func InitFromFile() {
 	}
 }

-func readInitDataFromFile(filePath string) *InitData {
+func readInitDataFromFile(filePath string) (*InitData, error) {
 	if !util.FileExist(filePath) {
-		return nil
+		return nil, nil
 	}

 	s := util.ReadStringFromPath(filePath)
@ -111,7 +123,7 @@ func readInitDataFromFile(filePath string) *InitData {
 	}
 	err := util.JsonToStruct(s, data)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}

 	// transform nil slice to empty slice
@ -170,142 +182,246 @@ func readInitDataFromFile(filePath string) *InitData {
 		}
 	}

-	return data
+	return data, nil
 }

 func initDefinedOrganization(organization *Organization) {
-	existed := getOrganization(organization.Owner, organization.Name)
+	existed, err := getOrganization(organization.Owner, organization.Name)
+	if err != nil {
+		panic(err)
+	}
+
 	if existed != nil {
 		return
 	}
 	organization.CreatedTime = util.GetCurrentTime()
 	organization.AccountItems = getBuiltInAccountItems()

-	AddOrganization(organization)
+	_, err = AddOrganization(organization)
+	if err != nil {
+		panic(err)
+	}
 }

 func initDefinedApplication(application *Application) {
-	existed := getApplication(application.Owner, application.Name)
+	existed, err := getApplication(application.Owner, application.Name)
+	if err != nil {
+		panic(err)
+	}
+
 	if existed != nil {
 		return
 	}
 	application.CreatedTime = util.GetCurrentTime()
-	AddApplication(application)
+	_, err = AddApplication(application)
+	if err != nil {
+		panic(err)
+	}
 }

 func initDefinedUser(user *User) {
-	existed := getUser(user.Owner, user.Name)
+	existed, err := getUser(user.Owner, user.Name)
+	if err != nil {
+		panic(err)
+	}
 	if existed != nil {
 		return
 	}
 	user.CreatedTime = util.GetCurrentTime()
 	user.Id = util.GenerateId()
 	user.Properties = make(map[string]string)
-	AddUser(user)
+	_, err = AddUser(user)
+	if err != nil {
+		panic(err)
+	}
 }

 func initDefinedCert(cert *Cert) {
-	existed := getCert(cert.Owner, cert.Name)
+	existed, err := getCert(cert.Owner, cert.Name)
+	if err != nil {
+		panic(err)
+	}
+
 	if existed != nil {
 		return
 	}
 	cert.CreatedTime = util.GetCurrentTime()
-	AddCert(cert)
+	_, err = AddCert(cert)
+	if err != nil {
+		panic(err)
+	}
 }

 func initDefinedLdap(ldap *Ldap) {
-	existed := GetLdap(ldap.Id)
+	existed, err := GetLdap(ldap.Id)
+	if err != nil {
+		panic(err)
+	}
+
 	if existed != nil {
 		return
 	}
-	AddLdap(ldap)
+	_, err = AddLdap(ldap)
+	if err != nil {
+		panic(err)
+	}
 }

 func initDefinedProvider(provider *Provider) {
-	existed := GetProvider(util.GetId("admin", provider.Name))
+	existed, err := GetProvider(util.GetId("admin", provider.Name))
+	if err != nil {
+		panic(err)
+	}
+
 	if existed != nil {
 		return
 	}
-	AddProvider(provider)
+	_, err = AddProvider(provider)
+	if err != nil {
+		panic(err)
+	}
 }

 func initDefinedModel(model *Model) {
-	existed := GetModel(model.GetId())
+	existed, err := GetModel(model.GetId())
+	if err != nil {
+		panic(err)
+	}
+
 	if existed != nil {
 		return
 	}
 	model.CreatedTime = util.GetCurrentTime()
-	AddModel(model)
+	_, err = AddModel(model)
+	if err != nil {
+		panic(err)
+	}
 }

 func initDefinedPermission(permission *Permission) {
-	existed := GetPermission(permission.GetId())
+	existed, err := GetPermission(permission.GetId())
+	if err != nil {
+		panic(err)
+	}
+
 	if existed != nil {
 		return
 	}
 	permission.CreatedTime = util.GetCurrentTime()
-	AddPermission(permission)
+	_, err = AddPermission(permission)
+	if err != nil {
+		panic(err)
+	}
 }

 func initDefinedPayment(payment *Payment) {
-	existed := GetPayment(payment.GetId())
+	existed, err := GetPayment(payment.GetId())
+	if err != nil {
+		panic(err)
+	}
+
 	if existed != nil {
 		return
 	}
 	payment.CreatedTime = util.GetCurrentTime()
-	AddPayment(payment)
+	_, err = AddPayment(payment)
+	if err != nil {
+		panic(err)
+	}
 }

 func initDefinedProduct(product *Product) {
-	existed := GetProduct(product.GetId())
+	existed, err := GetProduct(product.GetId())
+	if err != nil {
+		panic(err)
+	}
+
 	if existed != nil {
 		return
 	}
 	product.CreatedTime = util.GetCurrentTime()
-	AddProduct(product)
+	_, err = AddProduct(product)
+	if err != nil {
+		panic(err)
+	}
 }

 func initDefinedResource(resource *Resource) {
-	existed := GetResource(resource.GetId())
+	existed, err := GetResource(resource.GetId())
+	if err != nil {
+		panic(err)
+	}
+
 	if existed != nil {
 		return
 	}
 	resource.CreatedTime = util.GetCurrentTime()
-	AddResource(resource)
+	_, err = AddResource(resource)
+	if err != nil {
+		panic(err)
+	}
 }

 func initDefinedRole(role *Role) {
-	existed := GetRole(role.GetId())
+	existed, err := GetRole(role.GetId())
+	if err != nil {
+		panic(err)
+	}
+
 	if existed != nil {
 		return
 	}
 	role.CreatedTime = util.GetCurrentTime()
-	AddRole(role)
+	_, err = AddRole(role)
+	if err != nil {
+		panic(err)
+	}
 }

 func initDefinedSyncer(syncer *Syncer) {
-	existed := GetSyncer(syncer.GetId())
+	existed, err := GetSyncer(syncer.GetId())
+	if err != nil {
+		panic(err)
+	}
+
 	if existed != nil {
 		return
 	}
 	syncer.CreatedTime = util.GetCurrentTime()
-	AddSyncer(syncer)
+	_, err = AddSyncer(syncer)
+	if err != nil {
+		panic(err)
+	}
 }

 func initDefinedToken(token *Token) {
-	existed := GetToken(token.GetId())
+	existed, err := GetToken(token.GetId())
+	if err != nil {
+		panic(err)
+	}
+
 	if existed != nil {
 		return
 	}
 	token.CreatedTime = util.GetCurrentTime()
-	AddToken(token)
+	_, err = AddToken(token)
+	if err != nil {
+		panic(err)
+	}
 }

 func initDefinedWebhook(webhook *Webhook) {
-	existed := GetWebhook(webhook.GetId())
+	existed, err := GetWebhook(webhook.GetId())
+	if err != nil {
+		panic(err)
+	}
+
 	if existed != nil {
 		return
 	}
 	webhook.CreatedTime = util.GetCurrentTime()
-	AddWebhook(webhook)
+	_, err = AddWebhook(webhook)
+	if err != nil {
+		panic(err)
+	}
 }
--- a/object/ldap.go
+++ b/object/ldap.go
@ -37,7 +37,7 @@ type Ldap struct {
 	LastSync string `xorm:"varchar(100)" json:"lastSync"`
 }

-func AddLdap(ldap *Ldap) bool {
+func AddLdap(ldap *Ldap) (bool, error) {
 	if len(ldap.Id) == 0 {
 		ldap.Id = util.GenerateId()
 	}
@ -48,13 +48,13 @@ func AddLdap(ldap *Ldap) bool {

 	affected, err := adapter.Engine.Insert(ldap)
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
 }

-func CheckLdapExist(ldap *Ldap) bool {
+func CheckLdapExist(ldap *Ldap) (bool, error) {
 	var result []*Ldap
 	err := adapter.Engine.Find(&result, &Ldap{
 		Owner:    ldap.Owner,
@ -65,63 +65,65 @@ func CheckLdapExist(ldap *Ldap) bool {
 		BaseDn:   ldap.BaseDn,
 	})
 	if err != nil {
-		panic(err)
+		return false, err
 	}

 	if len(result) > 0 {
-		return true
+		return true, nil
 	}

-	return false
+	return false, nil
 }

-func GetLdaps(owner string) []*Ldap {
+func GetLdaps(owner string) ([]*Ldap, error) {
 	var ldaps []*Ldap
 	err := adapter.Engine.Desc("created_time").Find(&ldaps, &Ldap{Owner: owner})
 	if err != nil {
-		panic(err)
+		return ldaps, err
 	}

-	return ldaps
+	return ldaps, nil
 }

-func GetLdap(id string) *Ldap {
+func GetLdap(id string) (*Ldap, error) {
 	if util.IsStringsEmpty(id) {
-		return nil
+		return nil, nil
 	}

 	ldap := Ldap{Id: id}
 	existed, err := adapter.Engine.Get(&ldap)
 	if err != nil {
-		panic(err)
+		return &ldap, nil
 	}

 	if existed {
-		return &ldap
+		return &ldap, nil
 	} else {
-		return nil
+		return nil, nil
 	}
 }

-func UpdateLdap(ldap *Ldap) bool {
-	if GetLdap(ldap.Id) == nil {
-		return false
+func UpdateLdap(ldap *Ldap) (bool, error) {
+	if l, err := GetLdap(ldap.Id); err != nil {
+		return false, nil
+	} else if l == nil {
+		return false, nil
 	}

 	affected, err := adapter.Engine.ID(ldap.Id).Cols("owner", "server_name", "host",
 		"port", "enable_ssl", "username", "password", "base_dn", "filter", "filter_fields", "auto_sync").Update(ldap)
 	if err != nil {
-		panic(err)
+		return false, nil
 	}

-	return affected != 0
+	return affected != 0, nil
 }

-func DeleteLdap(ldap *Ldap) bool {
+func DeleteLdap(ldap *Ldap) (bool, error) {
 	affected, err := adapter.Engine.ID(ldap.Id).Delete(&Ldap{})
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
 }
--- a/object/ldap_autosync.go
+++ b/object/ldap_autosync.go
@ -18,7 +18,10 @@ var globalLdapAutoSynchronizer *LdapAutoSynchronizer

 func InitLdapAutoSynchronizer() {
 	globalLdapAutoSynchronizer = NewLdapAutoSynchronizer()
-	globalLdapAutoSynchronizer.LdapAutoSynchronizerStartUpAll()
+	err := globalLdapAutoSynchronizer.LdapAutoSynchronizerStartUpAll()
+	if err != nil {
+		panic(err)
+	}
 }

 func NewLdapAutoSynchronizer() *LdapAutoSynchronizer {
@ -37,7 +40,11 @@ func (l *LdapAutoSynchronizer) StartAutoSync(ldapId string) error {
 	l.Lock()
 	defer l.Unlock()

-	ldap := GetLdap(ldapId)
+	ldap, err := GetLdap(ldapId)
+	if err != nil {
+		return err
+	}
+
 	if ldap == nil {
 		return fmt.Errorf("ldap %s doesn't exist", ldapId)
 	}
@ -49,7 +56,12 @@ func (l *LdapAutoSynchronizer) StartAutoSync(ldapId string) error {
 	stopChan := make(chan struct{})
 	l.ldapIdToStopChan[ldapId] = stopChan
 	logs.Info(fmt.Sprintf("autoSync started for %s", ldap.Id))
-	util.SafeGoroutine(func() { l.syncRoutine(ldap, stopChan) })
+	util.SafeGoroutine(func() {
+		err := l.syncRoutine(ldap, stopChan)
+		if err != nil {
+			panic(err)
+		}
+	})
 	return nil
 }

@ -63,18 +75,22 @@ func (l *LdapAutoSynchronizer) StopAutoSync(ldapId string) {
 }

 // autosync goroutine
-func (l *LdapAutoSynchronizer) syncRoutine(ldap *Ldap, stopChan chan struct{}) {
+func (l *LdapAutoSynchronizer) syncRoutine(ldap *Ldap, stopChan chan struct{}) error {
 	ticker := time.NewTicker(time.Duration(ldap.AutoSync) * time.Minute)
 	defer ticker.Stop()
 	for {
 		select {
 		case <-stopChan:
 			logs.Info(fmt.Sprintf("autoSync goroutine for %s stopped", ldap.Id))
-			return
+			return nil
 		case <-ticker.C:
 		}

-		UpdateLdapSyncTime(ldap.Id)
+		err := UpdateLdapSyncTime(ldap.Id)
+		if err != nil {
+			return err
+		}
+
 		// fetch all users
 		conn, err := ldap.GetLdapConn()
 		if err != nil {
@ -87,35 +103,48 @@ func (l *LdapAutoSynchronizer) syncRoutine(ldap *Ldap, stopChan chan struct{}) {
 			logs.Warning(fmt.Sprintf("autoSync failed for %s, error %s", ldap.Id, err))
 			continue
 		}
-		existed, failed := SyncLdapUsers(ldap.Owner, LdapUsersToLdapRespUsers(users), ldap.Id)
-		if len(*failed) != 0 {
-			logs.Warning(fmt.Sprintf("ldap autosync,%d new users,but %d user failed during :", len(users)-len(*existed)-len(*failed), len(*failed)), *failed)
+
+		existed, failed, err := SyncLdapUsers(ldap.Owner, AutoAdjustLdapUser(users), ldap.Id)
+		if len(failed) != 0 {
+			logs.Warning(fmt.Sprintf("ldap autosync,%d new users,but %d user failed during :", len(users)-len(existed)-len(failed), len(failed)), failed)
+			logs.Warning(err.Error())
 		} else {
-			logs.Info(fmt.Sprintf("ldap autosync success, %d new users, %d existing users", len(users)-len(*existed), len(*existed)))
+			logs.Info(fmt.Sprintf("ldap autosync success, %d new users, %d existing users", len(users)-len(existed), len(existed)))
 		}
 	}
 }

 // LdapAutoSynchronizerStartUpAll
 // start all autosync goroutine for existing ldap servers in each organizations
-func (l *LdapAutoSynchronizer) LdapAutoSynchronizerStartUpAll() {
+func (l *LdapAutoSynchronizer) LdapAutoSynchronizerStartUpAll() error {
 	organizations := []*Organization{}
 	err := adapter.Engine.Desc("created_time").Find(&organizations)
 	if err != nil {
 		logs.Info("failed to Star up LdapAutoSynchronizer; ")
 	}
 	for _, org := range organizations {
-		for _, ldap := range GetLdaps(org.Name) {
+		ldaps, err := GetLdaps(org.Name)
+		if err != nil {
+			return err
+		}
+
+		for _, ldap := range ldaps {
 			if ldap.AutoSync != 0 {
-				l.StartAutoSync(ldap.Id)
+				err = l.StartAutoSync(ldap.Id)
+				if err != nil {
+					return err
+				}
 			}
 		}
 	}
+	return nil
 }

-func UpdateLdapSyncTime(ldapId string) {
+func UpdateLdapSyncTime(ldapId string) error {
 	_, err := adapter.Engine.ID(ldapId).Update(&Ldap{LastSync: util.GetCurrentTime()})
 	if err != nil {
-		panic(err)
+		return err
 	}
+
+	return nil
 }
--- a/object/ldap_conn.go
+++ b/object/ldap_conn.go
@ -19,7 +19,6 @@ import (
 	"fmt"
 	"strings"

-	"github.com/beego/beego"
 	"github.com/casdoor/casdoor/util"
 	goldap "github.com/go-ldap/ldap/v3"
 	"github.com/thanhpk/randstr"
@ -35,35 +34,26 @@ type LdapConn struct {
 //	Cn        string
 //}

-type ldapUser struct {
-	UidNumber string
-	Uid       string
-	Cn        string
-	GidNumber string
+type LdapUser struct {
+	UidNumber string `json:"uidNumber"`
+	Uid       string `json:"uid"`
+	Cn        string `json:"cn"`
+	GidNumber string `json:"gidNumber"`
 	// Gcn                   string
-	Uuid                  string
-	DisplayName           string
+	Uuid                  string `json:"uuid"`
+	DisplayName           string `json:"displayName"`
 	Mail                  string
-	Email                 string
+	Email                 string `json:"email"`
 	EmailAddress          string
 	TelephoneNumber       string
 	Mobile                string
 	MobileTelephoneNumber string
 	RegisteredAddress     string
 	PostalAddress         string
-}

-type LdapRespUser struct {
-	UidNumber string `json:"uidNumber"`
-	Uid       string `json:"uid"`
-	Cn        string `json:"cn"`
-	GroupId   string `json:"groupId"`
-	// GroupName string `json:"groupName"`
-	Uuid        string `json:"uuid"`
-	DisplayName string `json:"displayName"`
-	Email       string `json:"email"`
-	Phone       string `json:"phone"`
-	Address     string `json:"address"`
+	GroupId string `json:"groupId"`
+	Phone   string `json:"phone"`
+	Address string `json:"address"`
 }

 func (ldap *Ldap) GetLdapConn() (c *LdapConn, err error) {
@ -136,7 +126,7 @@ func isMicrosoftAD(Conn *goldap.Conn) (bool, error) {
 	return isMicrosoft, err
 }

-func (l *LdapConn) GetLdapUsers(ldapServer *Ldap) ([]ldapUser, error) {
+func (l *LdapConn) GetLdapUsers(ldapServer *Ldap) ([]LdapUser, error) {
 	SearchAttributes := []string{
 		"uidNumber", "cn", "sn", "gidNumber", "entryUUID", "displayName", "mail", "email",
 		"emailAddress", "telephoneNumber", "mobile", "mobileTelephoneNumber", "registeredAddress", "postalAddress",
@ -159,9 +149,9 @@ func (l *LdapConn) GetLdapUsers(ldapServer *Ldap) ([]ldapUser, error) {
 		return nil, errors.New("no result")
 	}

-	var ldapUsers []ldapUser
+	var ldapUsers []LdapUser
 	for _, entry := range searchResult.Entries {
-		var user ldapUser
+		var user LdapUser
 		for _, attribute := range entry.Attributes {
 			switch attribute.Name {
 			case "uidNumber":
@ -241,37 +231,36 @@ func (l *LdapConn) GetLdapUsers(ldapServer *Ldap) ([]ldapUser, error) {
 //		return groupMap, nil
 //	}

-func LdapUsersToLdapRespUsers(users []ldapUser) []LdapRespUser {
-	res := make([]LdapRespUser, 0)
-	for _, user := range users {
-		res = append(res, LdapRespUser{
-			UidNumber:   user.UidNumber,
-			Uid:         user.Uid,
-			Cn:          user.Cn,
-			GroupId:     user.GidNumber,
-			Uuid:        user.Uuid,
-			DisplayName: user.DisplayName,
-			Email:       util.ReturnAnyNotEmpty(user.Email, user.EmailAddress, user.Mail),
-			Phone:       util.ReturnAnyNotEmpty(user.Mobile, user.MobileTelephoneNumber, user.TelephoneNumber),
-			Address:     util.ReturnAnyNotEmpty(user.PostalAddress, user.RegisteredAddress),
-		})
+func AutoAdjustLdapUser(users []LdapUser) []LdapUser {
+	res := make([]LdapUser, len(users))
+	for i, user := range users {
+		res[i] = LdapUser{
+			UidNumber:         user.UidNumber,
+			Uid:               user.Uid,
+			Cn:                user.Cn,
+			GroupId:           user.GidNumber,
+			Uuid:              user.GetLdapUuid(),
+			DisplayName:       user.DisplayName,
+			Email:             util.ReturnAnyNotEmpty(user.Email, user.EmailAddress, user.Mail),
+			Mobile:            util.ReturnAnyNotEmpty(user.Mobile, user.MobileTelephoneNumber, user.TelephoneNumber),
+			RegisteredAddress: util.ReturnAnyNotEmpty(user.PostalAddress, user.RegisteredAddress),
+		}
 	}
 	return res
 }

-func SyncLdapUsers(owner string, respUsers []LdapRespUser, ldapId string) (*[]LdapRespUser, *[]LdapRespUser) {
-	var existUsers []LdapRespUser
-	var failedUsers []LdapRespUser
+func SyncLdapUsers(owner string, syncUsers []LdapUser, ldapId string) (existUsers []LdapUser, failedUsers []LdapUser, err error) {
 	var uuids []string
-
-	for _, user := range respUsers {
+	for _, user := range syncUsers {
 		uuids = append(uuids, user.Uuid)
 	}

-	existUuids := GetExistUuids(owner, uuids)
+	organization, err := getOrganization("admin", owner)
+	if err != nil {
+		panic(err)
+	}

-	organization := getOrganization("admin", owner)
-	ldap := GetLdap(ldapId)
+	ldap, err := GetLdap(ldapId)

 	var dc []string
 	for _, basedn := range strings.Split(ldap.BaseDn, ",") {
@ -289,85 +278,98 @@ func SyncLdapUsers(owner string, respUsers []LdapRespUser, ldapId string) (*[]Ld
 	}
 	tag := strings.Join(ou, ".")

-	for _, respUser := range respUsers {
+	for _, syncUser := range syncUsers {
+		existUuids, err := GetExistUuids(owner, uuids)
+		if err != nil {
+			return nil, nil, err
+		}
+
 		found := false
 		if len(existUuids) > 0 {
 			for _, existUuid := range existUuids {
-				if respUser.Uuid == existUuid {
-					existUsers = append(existUsers, respUser)
+				if syncUser.Uuid == existUuid {
+					existUsers = append(existUsers, syncUser)
 					found = true
 				}
 			}
 		}

 		if !found {
-			newUser := &User{
-				Owner:       owner,
-				Name:        respUser.buildLdapUserName(),
-				CreatedTime: util.GetCurrentTime(),
-				DisplayName: respUser.buildLdapDisplayName(),
-				Avatar:      organization.DefaultAvatar,
-				Email:       respUser.Email,
-				Phone:       respUser.Phone,
-				Address:     []string{respUser.Address},
-				Affiliation: affiliation,
-				Tag:         tag,
-				Score:       beego.AppConfig.DefaultInt("initScore", 2000),
-				Ldap:        respUser.Uuid,
+			score, err := organization.GetInitScore()
+			if err != nil {
+				return nil, nil, err
+			}
+
+			name, err := syncUser.buildLdapUserName()
+			if err != nil {
+				return nil, nil, err
+			}
+
+			newUser := &User{
+				Owner:       owner,
+				Name:        name,
+				CreatedTime: util.GetCurrentTime(),
+				DisplayName: syncUser.buildLdapDisplayName(),
+				Avatar:      organization.DefaultAvatar,
+				Email:       syncUser.Email,
+				Phone:       syncUser.Phone,
+				Address:     []string{syncUser.Address},
+				Affiliation: affiliation,
+				Tag:         tag,
+				Score:       score,
+				Ldap:        syncUser.Uuid,
+			}
+
+			affected, err := AddUser(newUser)
+			if err != nil {
+				return nil, nil, err
 			}

-			affected := AddUser(newUser)
 			if !affected {
-				failedUsers = append(failedUsers, respUser)
+				failedUsers = append(failedUsers, syncUser)
 				continue
 			}
 		}
 	}

-	return &existUsers, &failedUsers
+	return existUsers, failedUsers, err
 }

-func GetExistUuids(owner string, uuids []string) []string {
-	var users []User
+func GetExistUuids(owner string, uuids []string) ([]string, error) {
 	var existUuids []string
-	existUuidSet := make(map[string]struct{})

-	err := adapter.Engine.Where(fmt.Sprintf("ldap IN (%s) AND owner = ?", "'"+strings.Join(uuids, "','")+"'"), owner).Find(&users)
+	err := adapter.Engine.Table("user").Where("owner = ?", owner).Cols("ldap").
+		In("ldap", uuids).Select("DISTINCT ldap").Find(&existUuids)
 	if err != nil {
-		panic(err)
+		return existUuids, err
 	}

-	if len(users) > 0 {
-		for _, result := range users {
-			existUuidSet[result.Ldap] = struct{}{}
-		}
-	}
-
-	for uuid := range existUuidSet {
-		existUuids = append(existUuids, uuid)
-	}
-	return existUuids
+	return existUuids, nil
 }

-func (ldapUser *LdapRespUser) buildLdapUserName() string {
+func (ldapUser *LdapUser) buildLdapUserName() (string, error) {
 	user := User{}
 	uidWithNumber := fmt.Sprintf("%s_%s", ldapUser.Uid, ldapUser.UidNumber)
 	has, err := adapter.Engine.Where("name = ? or name = ?", ldapUser.Uid, uidWithNumber).Get(&user)
 	if err != nil {
-		panic(err)
+		return "", err
 	}

 	if has {
 		if user.Name == ldapUser.Uid {
-			return uidWithNumber
+			return uidWithNumber, nil
 		}
-		return fmt.Sprintf("%s_%s", uidWithNumber, randstr.Hex(6))
+		return fmt.Sprintf("%s_%s", uidWithNumber, randstr.Hex(6)), nil
 	}

-	return ldapUser.Uid
+	if ldapUser.Uid != "" {
+		return ldapUser.Uid, nil
+	}
+
+	return ldapUser.Cn, nil
 }

-func (ldapUser *LdapRespUser) buildLdapDisplayName() string {
+func (ldapUser *LdapUser) buildLdapDisplayName() string {
 	if ldapUser.DisplayName != "" {
 		return ldapUser.DisplayName
 	}
@ -375,7 +377,18 @@ func (ldapUser *LdapRespUser) buildLdapDisplayName() string {
 	return ldapUser.Cn
 }

-func (ldap *Ldap) buildFilterString(user *User) string {
+func (ldapUser *LdapUser) GetLdapUuid() string {
+	if ldapUser.Uuid != "" {
+		return ldapUser.Uuid
+	}
+	if ldapUser.Uid != "" {
+		return ldapUser.Uid
+	}
+
+	return ldapUser.Cn
+}
+
+func (ldap *Ldap) buildAuthFilterString(user *User) string {
 	if len(ldap.FilterFields) == 0 {
 		return fmt.Sprintf("(&%s(uid=%s))", ldap.Filter, user.Name)
 	}
@ -393,6 +406,8 @@ func (user *User) getFieldFromLdapAttribute(attribute string) string {
 	switch attribute {
 	case "uid":
 		return user.Name
+	case "sAMAccountName":
+		return user.Name
 	case "mail":
 		return user.Email
 	case "mobile":
--- a/object/message.go
+++ b/object/message.go
@ -28,6 +28,7 @@ type Message struct {

 	Organization string `xorm:"varchar(100)" json:"organization"`
 	Chat         string `xorm:"varchar(100) index" json:"chat"`
+	ReplyTo      string `xorm:"varchar(100) index" json:"replyTo"`
 	Author       string `xorm:"varchar(100)" json:"author"`
 	Text         string `xorm:"mediumtext" json:"text"`
 }
@ -47,100 +48,94 @@ func GetMaskedMessages(messages []*Message) []*Message {
 	return messages
 }

-func GetMessageCount(owner, field, value string) int {
+func GetMessageCount(owner, organization, field, value string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")
-	count, err := session.Count(&Message{})
-	if err != nil {
-		panic(err)
-	}
-
-	return int(count)
+	return session.Count(&Message{Organization: organization})
 }

-func GetMessages(owner string) []*Message {
+func GetMessages(owner string) ([]*Message, error) {
 	messages := []*Message{}
 	err := adapter.Engine.Desc("created_time").Find(&messages, &Message{Owner: owner})
-	if err != nil {
-		panic(err)
-	}
-
-	return messages
+	return messages, err
 }

-func GetChatMessages(chat string) []*Message {
+func GetChatMessages(chat string) ([]*Message, error) {
 	messages := []*Message{}
 	err := adapter.Engine.Asc("created_time").Find(&messages, &Message{Chat: chat})
-	if err != nil {
-		panic(err)
-	}
-
-	return messages
+	return messages, err
 }

-func GetPaginationMessages(owner string, offset, limit int, field, value, sortField, sortOrder string) []*Message {
+func GetPaginationMessages(owner, organization string, offset, limit int, field, value, sortField, sortOrder string) ([]*Message, error) {
 	messages := []*Message{}
 	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
-	err := session.Find(&messages)
-	if err != nil {
-		panic(err)
-	}
-
-	return messages
+	err := session.Find(&messages, &Message{Organization: organization})
+	return messages, err
 }

-func getMessage(owner string, name string) *Message {
+func getMessage(owner string, name string) (*Message, error) {
 	if owner == "" || name == "" {
-		return nil
+		return nil, nil
 	}

 	message := Message{Owner: owner, Name: name}
 	existed, err := adapter.Engine.Get(&message)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}

 	if existed {
-		return &message
+		return &message, nil
 	} else {
-		return nil
+		return nil, nil
 	}
 }

-func GetMessage(id string) *Message {
+func GetMessage(id string) (*Message, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
 	return getMessage(owner, name)
 }

-func UpdateMessage(id string, message *Message) bool {
+func UpdateMessage(id string, message *Message) (bool, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
-	if getMessage(owner, name) == nil {
-		return false
+	if m, err := getMessage(owner, name); err != nil {
+		return false, err
+	} else if m == nil {
+		return false, nil
 	}

 	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(message)
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
 }

-func AddMessage(message *Message) bool {
+func AddMessage(message *Message) (bool, error) {
 	affected, err := adapter.Engine.Insert(message)
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
 }

-func DeleteMessage(message *Message) bool {
+func DeleteMessage(message *Message) (bool, error) {
 	affected, err := adapter.Engine.ID(core.PK{message.Owner, message.Name}).Delete(&Message{})
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
+}
+
+func DeleteChatMessages(chat string) (bool, error) {
+	affected, err := adapter.Engine.Delete(&Message{Chat: chat})
+	if err != nil {
+		return false, err
+	}
+
+	return affected != 0, nil
 }

 func (p *Message) GetId() string {
--- a/object/mfa.go
+++ b/object/mfa.go
@ -0,0 +1,112 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+
+	"github.com/casdoor/casdoor/util"
+
+	"github.com/beego/beego/context"
+)
+
+type MfaSessionData struct {
+	UserId string
+}
+
+type MfaProps struct {
+	Id            string   `json:"id"`
+	IsPreferred   bool     `json:"isPreferred"`
+	AuthType      string   `json:"type" form:"type"`
+	Secret        string   `json:"secret,omitempty"`
+	CountryCode   string   `json:"countryCode,omitempty"`
+	URL           string   `json:"url,omitempty"`
+	RecoveryCodes []string `json:"recoveryCodes,omitempty"`
+}
+
+type MfaInterface interface {
+	SetupVerify(ctx *context.Context, passCode string) error
+	Verify(passCode string) error
+	Initiate(ctx *context.Context, name1 string, name2 string) (*MfaProps, error)
+	Enable(ctx *context.Context, user *User) error
+}
+
+const (
+	SmsType  = "sms"
+	TotpType = "app"
+)
+
+const (
+	MfaSessionUserId = "MfaSessionUserId"
+	NextMfa          = "NextMfa"
+	RequiredMfa      = "RequiredMfa"
+)
+
+func GetMfaUtil(providerType string, config *MfaProps) MfaInterface {
+	switch providerType {
+	case SmsType:
+		return NewSmsTwoFactor(config)
+	case TotpType:
+		return nil
+	}
+
+	return nil
+}
+
+func RecoverTfs(user *User, recoveryCode string) error {
+	hit := false
+
+	twoFactor := user.GetPreferMfa(false)
+	if len(twoFactor.RecoveryCodes) == 0 {
+		return fmt.Errorf("do not have recovery codes")
+	}
+
+	for _, code := range twoFactor.RecoveryCodes {
+		if code == recoveryCode {
+			hit = true
+			break
+		}
+	}
+	if !hit {
+		return fmt.Errorf("recovery code not found")
+	}
+
+	affected, err := UpdateUser(user.GetId(), user, []string{"two_factor_auth"}, user.IsAdminUser())
+	if err != nil {
+		return err
+	}
+
+	if !affected {
+		return fmt.Errorf("")
+	}
+	return nil
+}
+
+func GetMaskedProps(props *MfaProps) *MfaProps {
+	maskedProps := &MfaProps{
+		AuthType:    props.AuthType,
+		Id:          props.Id,
+		IsPreferred: props.IsPreferred,
+	}
+
+	if props.AuthType == SmsType {
+		if !util.IsEmailValid(props.Secret) {
+			maskedProps.Secret = util.GetMaskedPhone(props.Secret)
+		} else {
+			maskedProps.Secret = util.GetMaskedEmail(props.Secret)
+		}
+	}
+	return maskedProps
+}
--- a/object/mfa_sms.go
+++ b/object/mfa_sms.go
@ -0,0 +1,124 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/casdoor/casdoor/util"
+
+	"github.com/beego/beego/context"
+	"github.com/google/uuid"
+)
+
+const (
+	MfaSmsCountryCodeSession   = "mfa_country_code"
+	MfaSmsDestSession          = "mfa_dest"
+	MfaSmsRecoveryCodesSession = "mfa_recovery_codes"
+)
+
+type SmsMfa struct {
+	Config *MfaProps
+}
+
+func (mfa *SmsMfa) SetupVerify(ctx *context.Context, passCode string) error {
+	dest := ctx.Input.CruSession.Get(MfaSmsDestSession).(string)
+	countryCode := ctx.Input.CruSession.Get(MfaSmsCountryCodeSession).(string)
+	if !util.IsEmailValid(dest) {
+		dest, _ = util.GetE164Number(dest, countryCode)
+	}
+
+	if result := CheckVerificationCode(dest, passCode, "en"); result.Code != VerificationSuccess {
+		return errors.New(result.Msg)
+	}
+	return nil
+}
+
+func (mfa *SmsMfa) Verify(passCode string) error {
+	if !util.IsEmailValid(mfa.Config.Secret) {
+		mfa.Config.Secret, _ = util.GetE164Number(mfa.Config.Secret, mfa.Config.CountryCode)
+	}
+	if result := CheckVerificationCode(mfa.Config.Secret, passCode, "en"); result.Code != VerificationSuccess {
+		return errors.New(result.Msg)
+	}
+	return nil
+}
+
+func (mfa *SmsMfa) Initiate(ctx *context.Context, name string, secret string) (*MfaProps, error) {
+	recoveryCode, err := uuid.NewRandom()
+	if err != nil {
+		return nil, err
+	}
+
+	err = ctx.Input.CruSession.Set(MfaSmsRecoveryCodesSession, []string{recoveryCode.String()})
+	if err != nil {
+		return nil, err
+	}
+
+	mfaProps := MfaProps{
+		AuthType:      SmsType,
+		RecoveryCodes: []string{recoveryCode.String()},
+	}
+	return &mfaProps, nil
+}
+
+func (mfa *SmsMfa) Enable(ctx *context.Context, user *User) error {
+	dest := ctx.Input.CruSession.Get(MfaSmsDestSession).(string)
+	recoveryCodes := ctx.Input.CruSession.Get(MfaSmsRecoveryCodesSession).([]string)
+	countryCode := ctx.Input.CruSession.Get(MfaSmsCountryCodeSession).(string)
+
+	if dest == "" || len(recoveryCodes) == 0 {
+		return fmt.Errorf("MFA dest or recovery codes is empty")
+	}
+
+	if !util.IsEmailValid(dest) {
+		mfa.Config.CountryCode = countryCode
+	}
+
+	mfa.Config.AuthType = SmsType
+	mfa.Config.Id = uuid.NewString()
+	mfa.Config.Secret = dest
+	mfa.Config.RecoveryCodes = recoveryCodes
+
+	for i, mfaProp := range user.MultiFactorAuths {
+		if mfaProp.Secret == mfa.Config.Secret {
+			user.MultiFactorAuths = append(user.MultiFactorAuths[:i], user.MultiFactorAuths[i+1:]...)
+		}
+	}
+	user.MultiFactorAuths = append(user.MultiFactorAuths, mfa.Config)
+
+	affected, err := UpdateUser(user.GetId(), user, []string{"multi_factor_auths"}, user.IsAdminUser())
+	if err != nil {
+		return err
+	}
+
+	if !affected {
+		return fmt.Errorf("failed to enable two factor authentication")
+	}
+
+	return nil
+}
+
+func NewSmsTwoFactor(config *MfaProps) *SmsMfa {
+	if config == nil {
+		config = &MfaProps{
+			AuthType: SmsType,
+		}
+	}
+	return &SmsMfa{
+		Config: config,
+	}
+}
--- a/object/migrator.go
+++ b/object/migrator.go
@ -26,6 +26,7 @@ func DoMigration() {
 		&Migrator_1_101_0_PR_1083{},
 		&Migrator_1_235_0_PR_1530{},
 		&Migrator_1_240_0_PR_1539{},
+		&Migrator_1_314_0_PR_1841{},
 		// more migrators add here in chronological order...
 	}

@ -43,5 +44,8 @@ func DoMigration() {
 	}

 	m := migrate.New(adapter.Engine, options, migrations)
-	m.Migrate()
+	err := m.Migrate()
+	if err != nil {
+		panic(err)
+	}
 }
--- a/object/migrator_1_235_0_PR_1530.go
+++ b/object/migrator_1_235_0_PR_1530.go
@ -25,10 +25,7 @@ type Migrator_1_235_0_PR_1530 struct{}
 func (*Migrator_1_235_0_PR_1530) IsMigrationNeeded() bool {
 	exist, _ := adapter.Engine.IsTableExist("casbin_rule")

-	if exist {
-		return true
-	}
-	return false
+	return exist
 }

 func (*Migrator_1_235_0_PR_1530) DoMigration() *migrate.Migration {
--- a/object/migrator_1_314_0_PR_1841.go
+++ b/object/migrator_1_314_0_PR_1841.go
@ -0,0 +1,68 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"github.com/xorm-io/xorm"
+	"github.com/xorm-io/xorm/migrate"
+)
+
+type Migrator_1_314_0_PR_1841 struct{}
+
+func (*Migrator_1_314_0_PR_1841) IsMigrationNeeded() bool {
+	count, err := adapter.Engine.Where("password_type=?", "").Count(&User{})
+	if err != nil {
+		// table doesn't exist
+		return false
+	}
+
+	return count > 100
+}
+
+func (*Migrator_1_314_0_PR_1841) DoMigration() *migrate.Migration {
+	migration := migrate.Migration{
+		ID: "20230515MigrateUser--Create a new field 'passwordType' for table `user`",
+		Migrate: func(engine *xorm.Engine) error {
+			tx := engine.NewSession()
+
+			defer tx.Close()
+
+			err := tx.Begin()
+			if err != nil {
+				return err
+			}
+
+			organizations := []*Organization{}
+			err = tx.Table("organization").Find(&organizations)
+			if err != nil {
+				return err
+			}
+
+			for _, organization := range organizations {
+				user := &User{PasswordType: organization.PasswordType}
+				_, err = tx.Where("owner = ?", organization.Name).Cols("password_type").Update(user)
+				if err != nil {
+					return err
+				}
+			}
+
+			tx.Commit()
+
+			return nil
+		},
+	}
+
+	return &migration
+}
--- a/object/model.go
+++ b/object/model.go
@ -27,61 +27,57 @@ type Model struct {
 	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
 	DisplayName string `xorm:"varchar(100)" json:"displayName"`
+	Description string `xorm:"varchar(100)" json:"description"`

 	ModelText string `xorm:"mediumtext" json:"modelText"`
 	IsEnabled bool   `json:"isEnabled"`
 }

-func GetModelCount(owner, field, value string) int {
+func GetModelCount(owner, field, value string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")
-	count, err := session.Count(&Model{})
-	if err != nil {
-		panic(err)
-	}
-
-	return int(count)
+	return session.Count(&Model{})
 }

-func GetModels(owner string) []*Model {
+func GetModels(owner string) ([]*Model, error) {
 	models := []*Model{}
 	err := adapter.Engine.Desc("created_time").Find(&models, &Model{Owner: owner})
 	if err != nil {
-		panic(err)
+		return models, err
 	}

-	return models
+	return models, nil
 }

-func GetPaginationModels(owner string, offset, limit int, field, value, sortField, sortOrder string) []*Model {
+func GetPaginationModels(owner string, offset, limit int, field, value, sortField, sortOrder string) ([]*Model, error) {
 	models := []*Model{}
 	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
 	err := session.Find(&models)
 	if err != nil {
-		panic(err)
+		return models, err
 	}

-	return models
+	return models, nil
 }

-func getModel(owner string, name string) *Model {
+func getModel(owner string, name string) (*Model, error) {
 	if owner == "" || name == "" {
-		return nil
+		return nil, nil
 	}

 	m := Model{Owner: owner, Name: name}
 	existed, err := adapter.Engine.Get(&m)
 	if err != nil {
-		panic(err)
+		return &m, err
 	}

 	if existed {
-		return &m
+		return &m, nil
 	} else {
-		return nil
+		return nil, nil
 	}
 }

-func GetModel(id string) *Model {
+func GetModel(id string) (*Model, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
 	return getModel(owner, name)
 }
@ -92,48 +88,53 @@ func UpdateModelWithCheck(id string, modelObj *Model) error {
 	if err != nil {
 		return err
 	}
-	UpdateModel(id, modelObj)
+	_, err = UpdateModel(id, modelObj)
+	if err != nil {
+		return err
+	}

 	return nil
 }

-func UpdateModel(id string, modelObj *Model) bool {
+func UpdateModel(id string, modelObj *Model) (bool, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
-	if getModel(owner, name) == nil {
-		return false
+	if m, err := getModel(owner, name); err != nil {
+		return false, err
+	} else if m == nil {
+		return false, nil
 	}

 	if name != modelObj.Name {
 		err := modelChangeTrigger(name, modelObj.Name)
 		if err != nil {
-			return false
+			return false, err
 		}
 	}

 	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(modelObj)
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, err
 }

-func AddModel(model *Model) bool {
+func AddModel(model *Model) (bool, error) {
 	affected, err := adapter.Engine.Insert(model)
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
 }

-func DeleteModel(model *Model) bool {
+func DeleteModel(model *Model) (bool, error) {
 	affected, err := adapter.Engine.ID(core.PK{model.Owner, model.Name}).Delete(&Model{})
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
 }

 func (model *Model) GetId() string {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Yaodong Yu	805cf20d04	feat: fix incorrect VerifyTypePhone value (#1968 )	2023-06-13 17:26:37 +08:00
907997375	2a8001f490	fix: clean timeout when componentWillUnmount in PaymentResult page (#1962 )	2023-06-13 02:00:52 +08:00
UsherFall	451fc9034f	fix: fix bug in PayPal payment provider (#1959 )	2023-06-12 13:43:37 +08:00
Yaodong Yu	0e14a2597e	feat: Add tree structure to organization page (#1910 ) * rebase master * feat: add group in userEditPage * feat: use id as the pk * feat: add groups item in user * feat: add tree component * rebase * feat: ui * fix: fix some bug * fix: route * fix: ui * fix: improve ui	2023-06-12 09:27:16 +08:00
Yang Luo	ff87c4ea33	feat: fix createDatabase arg not recognized bug	2023-06-12 01:57:58 +08:00
Yang Luo	4f5396c70e	Check error for CreateDatabase()	2023-06-12 01:47:26 +08:00
Yang Luo	3c30222fce	Fix payment owner issue	2023-06-12 00:34:41 +08:00
Yang Luo	2d04731622	Provide default value for logConfig	2023-06-10 15:59:56 +08:00
Yang Luo	e0d2bc3dc9	Return error in GetProviderFromContext()	2023-06-10 15:51:26 +08:00
Jiawei Chen	0bda29f143	feat: show 404 error for non-existent objects in edit pages	2023-06-10 01:56:15 +08:00
Yang Luo	05703720c5	Add Custom to resourceType	2023-06-09 21:52:30 +08:00
hsluoyz	cc566bf31f	Move DoMigration() after CreateTables()	2023-06-09 09:36:20 +08:00
XDTD	e93d8c19d9	feat: resolve user pages malfunction after using tableNamePrefix (#1945 )	2023-06-08 00:43:05 +08:00
Yang Luo	f2e3182a69	Fix null value in backend Translate()	2023-06-07 02:17:48 +08:00
Yang Luo	f934531083	Fix organization search in some pages	2023-06-06 20:53:45 +08:00
XDTD	e1c0af345f	feat: resolve casdoor as SAML SP with keycloak login not work bug (#1937 ) * fix: resolve casdoor as SAML SP with keycloak login not work * Update provider.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-06-06 15:19:00 +08:00
Yang Luo	3b3bfe39f9	Fix user field bug	2023-06-06 14:59:50 +08:00
Alex OvsInc	18cc952f8e	feat: Customization of the initialization file (#1936 )	2023-06-05 21:00:28 +08:00
Yang Luo	43439bc8c6	Apply tableNamePrefix before migration	2023-06-05 00:30:48 +08:00
Yang Luo	9a2800e3b3	Add error to Enforce()	2023-06-04 17:29:34 +08:00
Yaodong Yu	fdaad2b608	chore: refactor enforce() handler and update Swagger docs (#1931 ) * chore: add swaggerof enforce api * Update enforcer.go * Update string.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-06-04 17:19:58 +08:00
Yang Luo	2d43fe0b39	Fix cert empty issue in GetSamlMeta()	2023-06-04 01:25:18 +08:00
Yaodong Yu	5d776a3ce6	fix: handle error of list in frontend (#1930 )	2023-06-04 01:21:24 +08:00
Yang Luo	5ec7a54bf8	Add description fields to objects	2023-06-04 01:21:17 +08:00
Yang Luo	0c118477e8	Add groups to UserInfo	2023-06-04 01:21:10 +08:00
Yang Luo	c858d0e0b0	Fix model page bug	2023-06-03 10:35:58 +08:00
Yang Luo	9cffb43265	Fix subscription page bugs	2023-06-03 10:15:29 +08:00
Yang Luo	51a76518ad	Init adapter in getEnabledSyncerForOrganization()	2023-06-03 09:23:36 +08:00
hsluoyz	08dbbab70e	feat: revert "feat: fix the bug that sycner does not initialize" (#1926 ) This reverts commit `ec3c24ba68`.	2023-06-03 09:17:34 +08:00
Yang Luo	0ec22ae6ff	Fix null bug in getLanguage()	2023-06-03 00:29:08 +08:00
Yaodong Yu	ec3c24ba68	feat: fix the bug that sycner does not initialize (#1924 )	2023-06-03 00:15:28 +08:00
Yang Luo	ed688efdbb	Fix bug in org user list page	2023-06-02 22:09:18 +08:00
Yang Luo	06543a01d3	Add organization to /userinfo	2023-06-02 21:51:05 +08:00
Yang Luo	70c372c3f7	Fix Provider API responses	2023-06-02 11:49:38 +08:00
Yang Luo	b1b3184e75	Speed up user pagination query	2023-06-01 22:55:44 +08:00
Yang Luo	5349fa7ff3	Speed up object.DoMigration()	2023-06-01 22:25:19 +08:00
907997375	9147225956	feat: fix table sticky columns on chat and message pages (#1917 )	2023-06-01 21:02:21 +08:00
Yang Luo	11f3af1ede	Improve Select modes	2023-05-31 17:36:11 +08:00
Yang Luo	0aa4df40c6	Fix i18n	2023-05-31 11:46:03 +08:00
Yang Luo	7caa885131	Fix subscription bugs	2023-05-31 11:33:01 +08:00
Yang Luo	f4b69cad9b	Add owner to select-plan page	2023-05-31 00:29:54 +08:00
Yang Luo	fb1db7823b	Add DummyPaymentProvider	2023-05-30 23:25:58 +08:00
Sergey Zabodalov	10e66f8020	fix: Get logger configuration from app.conf file (#1907 ) * feat: Get logger configuration from file * feat: Get logger configuration from file * Remove GetConfigLogs()	2023-05-30 21:30:09 +08:00
Yang Luo	4c8648d323	Add PaypalPaymentProvider	2023-05-30 20:32:05 +08:00
yehong	02e692a300	feat: return most backend API errors to frontend (#1836 ) * feat: return most backend API errros to frontend Signed-off-by: yehong <239859435@qq.com> * refactor: reduce int type change Signed-off-by: yehong <239859435@qq.com> * feat: return err backend in token.go Signed-off-by: yehong <239859435@qq.com> --------- Signed-off-by: yehong <239859435@qq.com>	2023-05-30 15:49:39 +08:00
leoil	34151c0095	feat: Support uploading roles and permssions via xlsx files. (#1899 ) * Support uploading roles and permissions via xlsx file. * Template xlsx file for uploading users and permissions. * reformat according to gofumpt. * fix typo.	2023-05-28 11:29:43 +08:00
Yang Luo	c7cea331e2	Improve NewWechatPaymentProvider() arg	2023-05-27 19:28:24 +08:00
Yaodong Yu	8ede4993af	feat: specify login organization	2023-05-27 19:02:54 +08:00
Crowdin Bot	d04dd33d8b	refactor: New Crowdin Backend translations by Github Action	2023-05-27 09:52:47 +00:00
Crowdin Bot	8cb21253f6	refactor: New Crowdin translations by Github Action	2023-05-27 09:52:19 +00:00
UsherFall	7fc697b711	ci: fix bug in WeChat payment provider	2023-05-27 17:50:56 +08:00
Yaodong Yu	80e6e7f0a7	fix: fix bug about updating parent component value in CountryCodeSelect (#1891 )	2023-05-25 10:45:13 +08:00
Yang Luo	d29fc88d68	Add getRawGetParameter()	2023-05-25 09:47:39 +08:00
Yaodong Yu	225e9cf70a	fix: set initial value in CountryCodeSelect (#1890 )	2023-05-24 23:27:04 +08:00
Yang Luo	c57c6e37dd	Fix bug in getRedirectUri()	2023-05-24 23:22:25 +08:00
Yaodong Yu	4d860525bf	feat: fix MFA page bug in OAuth login (#1889 )	2023-05-24 21:31:03 +08:00
Yang Luo	a64263f812	Support "#" in redirectUri	2023-05-24 21:29:45 +08:00
Yang Luo	95ab2472ce	Make logo length to 200	2023-05-23 21:57:35 +08:00
guangwu	54e4747dbc	refactor: code-optimization (#1885 ) * refactor: code-optimization * fix: restoring code style * fix: gofmt	2023-05-23 17:54:51 +08:00
Yang Luo	2389d47c34	Fix getFormattedDate()	2023-05-23 15:09:53 +08:00
guangwu	9c4f0f042e	fix: update Go dependencies (#1880 ) * Vulnerability fix : CVE-2021-30080 CVE-2021-39391 CVE-2022-41723 CVE-2022-21698 CVE-2023-26483 etc. * fix: CVE-2021-30080 CVE-2021-39391 CVE-2022-41723 CVE-2022-21698 CVE-2023-26483 etc.	2023-05-23 14:43:18 +08:00
Yang Luo	e25e210b06	Improve upload resource page	2023-05-23 10:07:59 +08:00
jump2cn	df61a536c1	feat: add gzip support for static filter (#1875 ) * feat: add gzip support for static filter * Update static_filter.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-05-22 22:40:46 +08:00
XDTD	47da3cdaa0	fix: resolve get resource list problem (#1877 )	2023-05-22 22:35:12 +08:00
hsluoyz	8d246f2d98	ci: revert "feat: fix UI in IE11" (#1879 ) This reverts commit `44cd55e55f`.	2023-05-22 22:21:56 +08:00
Yaodong Yu	44cd55e55f	feat: fix UI in IE11 (#1878 )	2023-05-22 16:59:37 +08:00
Yang Luo	6b42d35223	Fix state encoding for Moodle	2023-05-21 15:47:18 +08:00
Yang Luo	c84150cede	Fix getObject() bug for some API	2023-05-21 11:07:01 +08:00
hsluoyz	de2689ac39	fix: revert "feat: fix UI in IE11" (#1873 ) * Revert "feat: fix UI in IE11 (#1871)" This reverts commit `319031da28`. * Update MfaVerifyForm.js	2023-05-21 00:43:42 +08:00
Ilya Sulimanov	88c0856d17	feat: add subscription managment (#1858 ) * feat: subscription managment * fix: remove console log * fix: webhooks * fix linter * fix: fix via gofumpt * fix: review changes * fix: Copyright 2023 * Update account.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-05-20 15:56:21 +08:00
Yaodong Yu	319031da28	feat: fix UI in IE11 (#1871 )	2023-05-19 21:47:02 +08:00
June	d20f3eb039	feat: support get user by userId and owner (#1870 ) * feat: support get user by userId and owner * Update user.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-05-19 21:46:44 +08:00
Yaodong Yu	3e13e61d8f	fix: sdk user is not Global Admin (#1868 )	2023-05-19 21:24:55 +08:00
Yaodong Yu	1260354b36	fix: add sAMAccountName for AD search (#1869 )	2023-05-19 21:16:59 +08:00
Jadson Santos	af79fdedf2	feat: add new language: "pt" (#1837 ) * feat: Added new locales pt-br * fix: Changed pt-br to pt * feat: Updated app.conf * feat: Updated Setting.js * feat: Changed folder locales pt-br to pt --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-05-19 16:57:44 +08:00
Yang Luo	02333f2f0c	Add "pt" language to backend	2023-05-19 16:42:31 +08:00
Yang Luo	79bd58e0e6	Use util.GetId()	2023-05-19 14:26:32 +08:00
Yang Luo	de73ff0e60	Add IsMaskedEnabled to provider API	2023-05-19 13:09:53 +08:00
Yang Luo	a9d662f1bd	Improve Migrator_1_314_0_PR_1841 speed	2023-05-19 02:55:36 +08:00
Yaodong Yu	65dcbd2236	feat: compatible different uid of LDAP server (#1860 ) * feat: compatible different uid of LDAP server * Update organization.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-05-19 02:34:25 +08:00
Yaodong Yu	6455734807	fix: fix incorrect LDAP sync status (#1859 )	2023-05-18 22:03:53 +08:00
Trần Thanh Tịnh	2eefeaffa7	feat: enforce by using resourceId (#1855 ) * feat: enforce by using resourceId * Update permission.go * chore: fix cilint for enforcer.go --------- Co-authored-by: tinhtt4 <tinhtt4@vng.com.vn> Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-05-18 16:36:03 +08:00
Yang Luo	04eaad1c80	Fix getCertByApplication()	2023-05-18 16:32:43 +08:00
Yang Luo	9f084a0799	Can update user with OAuth values	2023-05-18 15:58:41 +08:00
Yang Luo	293b9f1036	Remove languages in app.conf	2023-05-18 15:44:11 +08:00
Yang Luo	437376c472	Fix CheckAccessPermission()	2023-05-18 13:36:16 +08:00
Yang Luo	cc528c5d8c	Add object to webhook	2023-05-17 23:57:14 +08:00
Yang Luo	54e2055ffb	Fix Beego filter: RecordMessage	2023-05-17 23:01:59 +08:00
Yang Luo	983a30a2e0	Dingtalk now supports linking with corpMobile	2023-05-17 22:14:57 +08:00
Yang Luo	37d0157d41	Fix application.EnableSignUp bug	2023-05-17 21:56:36 +08:00
Yang Luo	d4dc236770	Fix refreshExpireInHours zero value issue	2023-05-17 20:47:59 +08:00
Yang Luo	596742d782	Show org column better for admin (shared)	2023-05-17 17:30:47 +08:00
XDTD	ce921c00cd	fix: resolve the problem of cert being unable to be accessed properly (#1850 ) * fix: resolve the problem of cert being unable to be accessed properly * Update CertEditPage.js --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-05-17 17:17:58 +08:00
Yang Luo	3830e443b0	Put webhook's RecordMessage() to FinishRouter stage	2023-05-17 16:32:12 +08:00
Yaodong Yu	9092cad631	feat: support forced binding MFA after login (#1845 )	2023-05-17 01:13:13 +08:00
Yang Luo	0b5ecca5c8	Support empty application in page	2023-05-16 22:17:39 +08:00
Yang Luo	3d9b305bbb	Add /api/health API	2023-05-16 21:47:34 +08:00
Yang Luo	0217e359e7	Update to Go 1.19.9 and Node 16.18.0 in Dockerfile	2023-05-16 20:33:31 +08:00
Yang Luo	695a612e77	Improve passwordType in CheckPassword()	2023-05-16 20:14:05 +08:00
Alexander Egorov	645d53e2c6	feat: User should have PasswordType like Organization (#1841 ) * fixes #1840: [backend] User should have PasswordType like Organization is * Update migrator.go * Update and rename migrator_1_314_0_PR_1838.go to migrator_1_314_0_PR_1841.go * Update user.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-05-16 20:11:19 +08:00
Yang Luo	73b9d73f64	Add CustomFooter to Conf.js	2023-05-15 16:49:45 +08:00
1307	c6675ee4e6	feat: AI responses support streaming (#1826 ) Is an AI response that supports streaming return	2023-05-13 11:31:20 +08:00
Yang Luo	6f0b7f3f24	Support modelId arg in Enforce() API	2023-05-12 21:39:57 +08:00
Yang Luo	776a682fae	Improve args of Enforce() API	2023-05-12 21:32:48 +08:00
Yang Luo	96a3db21a1	Support LDAP search by user tag	2023-05-12 13:03:43 +08:00
Yang Luo	c33d537ac1	Add formCssMobile to application	2023-05-12 12:16:03 +08:00
Yang Luo	5214d48486	Fix authorized issue of UploadResource() API	2023-05-12 01:00:06 +08:00
Yang Luo	e360b06d12	Fix termsOfUse upload in application edit page	2023-05-10 23:57:03 +08:00
Yang Luo	3c871c38df	Fix message and chat owner bug	2023-05-10 22:32:32 +08:00
jakiuncle	7df043fb15	fix: fix cypress error (#1817 ) * fix: fix cypress error * fix: fix cypress error * fix: fix cypress error * fix: fix cypress error * fix: fix cypress error * fix: fix cypress error * fix: fix cypress error * fix: fix cypress error * fix: fix cypress error	2023-05-09 20:51:07 +08:00
XDTD	cb542ae46a	feat: fix org admin permissions (#1822 )	2023-05-09 00:06:52 +08:00
imp2002	3699177837	fix: fix URL path in MinIO storage provider(#1818 )	2023-05-08 16:48:56 +08:00
helayzhang	3a6846b32c	feat: fix bug that logging in with account/password cannot redirect successfully (When Casdoor working as a OAuth server) (#1819 )	2023-05-08 16:37:56 +08:00
Yaodong Yu	50586a9716	feat: improve determination about whether dest is mail or phone and mask props (#1814 )	2023-05-07 21:19:51 +08:00
Yang Luo	9201992140	Fix LDAP server bugs	2023-05-06 23:31:46 +08:00
Yaodong Yu	eb39e9e044	feat: add multi-factor authentication (MFA) feature (#1800 ) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-05-05 21:23:59 +08:00
Yang Luo	5b27f939b8	Improve add model initialization	2023-05-05 01:51:34 +08:00
Yang Luo	69ee6a6f7e	Move result page into entry page	2023-05-05 01:08:56 +08:00
Yang Luo	bf6d5e529b	Add "from" to Email provider	2023-05-04 23:41:37 +08:00
Yang Luo	55fd31f575	Disable built-in/admin's unexpected change	2023-05-04 22:12:57 +08:00
Yang Luo	05c063ac24	Set email's SkipUsernameCheck to true	2023-05-04 00:29:12 +08:00
Yang Luo	38da63e73c	Improve answer text	2023-05-02 23:33:09 +08:00
Yang Luo	cb13d693e6	Add getTokenSize()	2023-05-02 10:04:11 +08:00
Yang Luo	d699774179	Improve i18n.Translate()	2023-05-02 01:30:32 +08:00
Yang Luo	84a7fdcd07	Handle message answer	2023-05-02 01:30:06 +08:00
Yang Luo	2cd6f9df8e	Add /api/get-message-answer API	2023-05-01 23:15:51 +08:00
Yang Luo	eea2e1d271	Add ai package	2023-05-01 17:19:45 +08:00
Yang Luo	48c5bd942c	Fix chat UI	2023-05-01 16:23:48 +08:00
Yang Luo	d01d63d82a	Improve chat menu height	2023-05-01 14:11:17 +08:00
Yang Luo	e4fd9cca92	Fix new chat button	2023-05-01 13:27:49 +08:00
Yang Luo	8d531b8880	Fix getStateFromQueryParams() crash when provider name is non-latin	2023-05-01 10:32:08 +08:00
Yang Luo	b1589e11eb	Fix signin preview when there's no redirectUris	2023-05-01 10:31:21 +08:00
Yang Luo	b32a772a77	Add jobNumber to dingtalk provider	2023-04-29 21:48:52 +08:00
Yang Luo	7e4562efe1	Change org.defaultAvatar to 200 length	2023-04-29 08:33:04 +08:00
Yang Luo	3a6ab4cfc6	Support mobile in DingTalk userinfo	2023-04-29 01:24:45 +08:00
Joe Zhang	fba4801a41	feat: make redirectUri token param follow OAuth2 standard (#1796 ) * fix: rename token to access_token in implicit flow; change ? in the redirect uri to & * fix typo	2023-04-28 23:54:48 +08:00
June	da21c92815	feat: support sub role synced update (#1794 )	2023-04-28 22:14:37 +08:00
OutOfEastGate	66c15578b1	feat: fix the order of Method and Name in System Info (#1797 ) * fix: fixed the order of Method and Name in System Info * fix: add i18n for System Info	2023-04-28 22:11:10 +08:00
Yang Luo	f272be67ab	Improve i18n	2023-04-28 18:43:41 +08:00
OutOfEastGate	e4c36d407f	feat: fix prometheus filter bugs (#1792 ) * fix: fix prometheus * fix: count latency with prefix api * fix: latency should not be counted when startTime is nil	2023-04-26 22:18:48 +08:00
June	4c1915b014	fix: make query with like more precise (#1791 )	2023-04-26 18:21:13 +08:00
Yaodong Yu	6c2b172aae	feat: fix function CheckAccountItemModifyRule (#1789 ) * feat: fix function CheckAccountItemModifyRule * fix: admin changes its own username * fix: current user changes its own username * Update user.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-04-26 16:21:58 +08:00
Yaodong Yu	95f4f4cb6d	feat: refactor out form package and optimize verification code module (#1787 ) * refactor: add forms package and optimize verification code module * chore: add license * chore: fix lint * chore: fix lint * chore: fix lint * chore: swagger	2023-04-25 23:05:53 +08:00
Yang Luo	511aefb706	Disable faulty Beego filter	2023-04-25 20:02:13 +08:00
OutOfEastGate	1003639e5b	feat: support for prometheus (#1784 )	2023-04-25 16:06:09 +08:00
Yaodong Yu	fe53e90d37	fix: signup page of the app-built-in failed to load (#1785 )	2023-04-25 16:00:24 +08:00
OutOfEastGate	8c73cb5395	fix: fix golangci-lint (#1775 )	2023-04-23 17:02:29 +08:00
Yang Luo	06ebc04032	Can add/delete chat	2023-04-23 01:19:44 +08:00
Yang Luo	0ee98e2582	Add loading to chat box	2023-04-23 00:25:09 +08:00
Yang Luo	d25508fa56	Improve chat UI	2023-04-22 23:20:40 +08:00
OutOfEastGate	916a55b633	fix: fixed failed to update information when name duplicate (#1773 ) * fix: fixed failed to update information when name duplicate * fix: Use GetOwnerAndNameFromId and GetId functions instead of split * Update organization.go * Update role.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-04-22 21:15:06 +08:00
OutOfEastGate	a6c7b95f97	fix: fixed rows duplicates after sort by column (#1772 )	2023-04-22 20:18:38 +08:00
Yaodong Yu	4f8dd771bc	feat: fix bug that can not get application in signup/oauth/ router (#1766 )	2023-04-22 18:20:45 +08:00
UsherFall	e0028f5eed	fix: add more events to webhooks (#1771 )	2023-04-22 17:11:28 +08:00
XDTD	6d6cbc7e6f	feat: add dynamic mode for provider to enable verification code when the login password is wrong (#1753 ) * fix: update webAuthnBufferDecode to support Base64URL for WebAuthn updates * feat: enable verification code when the login password is wrong * fix: only enable captcha when login in password * fix: disable login error limits when captcha on * fix: pass "enableCaptcha" as an optional param * fix: change enbleCapctah to optional bool param	2023-04-22 16:16:25 +08:00
Yang Luo	ee8c2650c3	Remove useless "/api/login/oauth/code" API and update Swagger	2023-04-22 09:47:52 +08:00
Yang Luo	f3ea39d20c	Fix result page button link	2023-04-21 23:56:33 +08:00
Yang Luo	e78d9e5d2b	Fix local file system storage provider path error	2023-04-21 10:12:09 +08:00