fix: sign In button in the result page has broken (#646)

* fix: sign In button in the result page has broken

Signed-off-by: Steve0x2a <stevesough@gmail.com>

* fix: code format

Signed-off-by: Steve0x2a <stevesough@gmail.com>

authz/authz.go

@@ -101,6 +101,7 @@ p, *, *, GET, /.well-known/openid-configuration, *, *
 p, *, *, *, /.well-known/jwks, *, *
 p, *, *, GET, /api/get-saml-login, *, *
 p, *, *, POST, /api/acs, *, *
+p, *, *, *, /cas, *, *
 `
 
 		sa := stringadapter.NewAdapter(ruleText)

controllers/account.go

@@ -29,6 +29,7 @@ const (
 	ResponseTypeCode    = "code"
 	ResponseTypeToken   = "token"
 	ResponseTypeIdToken = "id_token"
+	ResponseTypeCas     = "cas"
 )
 
 type RequestForm struct {

controllers/auth.go

@@ -83,8 +83,25 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 			resp = tokenToResponse(token)
 		}
 
+	} else if form.Type == ResponseTypeCas {
+		//not oauth but CAS SSO protocol
+		service := c.Input().Get("service")
+		resp = wrapErrorResponse(nil)
+		if service != "" {
+			st, err := object.GenerateCasToken(userId, service)
+			if err != nil {
+				resp = wrapErrorResponse(err)
+			} else {
+				resp.Data = st
+			}
+		}
+		if application.EnableSigninSession || application.HasPromptPage() {
+			// The prompt page needs the user to be signed in
+			c.SetSessionUsername(userId)
+		}
+
 	} else {
-		resp = &Response{Status: "error", Msg: fmt.Sprintf("Unknown response type: %s", form.Type)}
+		resp = wrapErrorResponse(fmt.Errorf("Unknown response type: %s", form.Type))
 	}
 
 	// if user did not check auto signin

controllers/cas.go

@@ -0,0 +1,204 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/casdoor/casdoor/object"
+)
+
+const (
+	InvalidRequest           string = "INVALID_REQUEST"
+	InvalidTicketSpec        string = "INVALID_TICKET_SPEC"
+	UnauthorizedServiceProxy string = "UNAUTHORIZED_SERVICE_PROXY"
+	InvalidProxyCallback     string = "INVALID_PROXY_CALLBACK"
+	InvalidTicket            string = "INVALID_TICKET"
+	InvalidService           string = "INVALID_SERVICE"
+	InteralError             string = "INTERNAL_ERROR"
+	UnauthorizedService      string = "UNAUTHORIZED_SERVICE"
+)
+
+func (c *RootController) CasValidate() {
+	ticket := c.Input().Get("ticket")
+	service := c.Input().Get("service")
+	c.Ctx.Output.Header("Content-Type", "text/html; charset=utf-8")
+	if service == "" || ticket == "" {
+		c.Ctx.Output.Body([]byte("no\n"))
+		return
+	}
+	if ok, response, issuedService := object.GetCasTokenByTicket(ticket); ok {
+		//check whether service is the one for which we previously issued token
+		if issuedService == service {
+			c.Ctx.Output.Body([]byte(fmt.Sprintf("yes\n%s\n", response.User)))
+			return
+		}
+
+	}
+	//token not found
+	c.Ctx.Output.Body([]byte("no\n"))
+}
+
+func (c *RootController) CasServiceAndProxyValidate() {
+	ticket := c.Input().Get("ticket")
+	format := c.Input().Get("format")
+	service := c.Input().Get("service")
+	pgtUrl := c.Input().Get("pgtUrl")
+
+	serviceResponse := object.CasServiceResponse{
+		Xmlns: "http://www.yale.edu/tp/cas",
+	}
+
+	//check whether all required parameters are met
+	if service == "" || ticket == "" {
+		c.sendCasAuthenticationResponseErr(InvalidRequest, "service and ticket must exist", format)
+		return
+	}
+
+	//find the token
+	if ok, response, issuedService := object.GetCasTokenByTicket(ticket); ok {
+
+		//check whether service is the one for which we previously issued token
+		if strings.HasPrefix(service, issuedService) {
+			serviceResponse.Success = response
+		} else {
+			//service not match
+			c.sendCasAuthenticationResponseErr(InvalidService, fmt.Sprintf("service %s and %s does not match", service, issuedService), format)
+			return
+		}
+	} else {
+		//token not found
+		c.sendCasAuthenticationResponseErr(InvalidTicket, fmt.Sprintf("Ticket %s not recognized", ticket), format)
+		return
+	}
+
+	if pgtUrl != "" && serviceResponse.Failure == nil {
+		//that means we are in proxy web flow
+		pgt := object.StoreCasTokenForPgt(serviceResponse.Success, service)
+		pgtiou := serviceResponse.Success.ProxyGrantingTicket
+		//todo: check whether it is https
+		pgtUrlObj, err := url.Parse(pgtUrl)
+		if pgtUrlObj.Scheme != "https" {
+			c.sendCasAuthenticationResponseErr(InvalidProxyCallback, "callback is not https", format)
+			return
+		}
+		//make a request to pgturl passing pgt and pgtiou
+		if err != nil {
+			c.sendCasAuthenticationResponseErr(InteralError, err.Error(), format)
+			return
+		}
+		param := pgtUrlObj.Query()
+		param.Add("pgtId", pgt)
+		param.Add("pgtIou", pgtiou)
+		pgtUrlObj.RawQuery = param.Encode()
+
+		request, err := http.NewRequest("GET", pgtUrlObj.String(), nil)
+		if err != nil {
+			c.sendCasAuthenticationResponseErr(InteralError, err.Error(), format)
+			return
+		}
+
+		resp, err := http.DefaultClient.Do(request)
+		if err != nil || !(resp.StatusCode >= 200 && resp.StatusCode < 400) {
+			//failed to send request
+			c.sendCasAuthenticationResponseErr(InvalidProxyCallback, err.Error(), format)
+			return
+		}
+	}
+	// everything is ok, send the response
+	if format == "json" {
+		c.Data["json"] = serviceResponse
+		c.ServeJSON()
+	} else {
+		c.Data["xml"] = serviceResponse
+		c.ServeXML()
+	}
+}
+
+func (c *RootController) CasProxy() {
+	pgt := c.Input().Get("pgt")
+	targetService := c.Input().Get("targetService")
+	format := c.Input().Get("format")
+	if pgt == "" || targetService == "" {
+		c.sendCasProxyResponseErr(InvalidRequest, "pgt and targetService must exist", format)
+		return
+	}
+
+	ok, authenticationSuccess, issuedService := object.GetCasTokenByPgt(pgt)
+	if !ok {
+		c.sendCasProxyResponseErr(UnauthorizedService, "service not authorized", format)
+		return
+	}
+
+	newAuthenticationSuccess := authenticationSuccess.DeepCopy()
+	if newAuthenticationSuccess.Proxies == nil {
+		newAuthenticationSuccess.Proxies = &object.CasProxies{}
+	}
+	newAuthenticationSuccess.Proxies.Proxies = append(newAuthenticationSuccess.Proxies.Proxies, issuedService)
+	proxyTicket := object.StoreCasTokenForProxyTicket(&newAuthenticationSuccess, targetService)
+
+	serviceResponse := object.CasServiceResponse{
+		Xmlns: "http://www.yale.edu/tp/cas",
+		ProxySuccess: &object.CasProxySuccess{
+			ProxyTicket: proxyTicket,
+		},
+	}
+
+	if format == "json" {
+		c.Data["json"] = serviceResponse
+		c.ServeJSON()
+	} else {
+		c.Data["xml"] = serviceResponse
+		c.ServeXML()
+	}
+
+}
+func (c *RootController) sendCasProxyResponseErr(code, msg, format string) {
+	serviceResponse := object.CasServiceResponse{
+		Xmlns: "http://www.yale.edu/tp/cas",
+		ProxyFailure: &object.CasProxyFailure{
+			Code:    code,
+			Message: msg,
+		},
+	}
+	if format == "json" {
+		c.Data["json"] = serviceResponse
+		c.ServeJSON()
+	} else {
+		c.Data["xml"] = serviceResponse
+		c.ServeXML()
+	}
+}
+
+func (c *RootController) sendCasAuthenticationResponseErr(code, msg, format string) {
+	serviceResponse := object.CasServiceResponse{
+		Xmlns: "http://www.yale.edu/tp/cas",
+		Failure: &object.CasAuthenticationFailure{
+			Code:    code,
+			Message: msg,
+		},
+	}
+
+	if format == "json" {
+		c.Data["json"] = serviceResponse
+		c.ServeJSON()
+	} else {
+		c.Data["xml"] = serviceResponse
+		c.ServeXML()
+	}
+}

controllers/token.go

@@ -179,6 +179,20 @@ func (c *ApiController) GetOAuthToken() {
 	if clientId == "" && clientSecret == "" {
 		clientId, clientSecret, _ = c.Ctx.Request.BasicAuth()
 	}
+	if clientId == "" {
+		// If clientID is empty, try to read data from RequestBody
+		var tokenRequest TokenRequest
+		if err := json.Unmarshal(c.Ctx.Input.RequestBody, &tokenRequest); err == nil {
+			clientId = tokenRequest.ClientId
+			clientSecret = tokenRequest.ClientSecret
+			grantType = tokenRequest.GrantType
+			code = tokenRequest.Code
+			verifier = tokenRequest.Verifier
+			scope = tokenRequest.Scope
+			username = tokenRequest.Username
+			password = tokenRequest.Password
+		}
+	}
 	host := c.Ctx.Request.Host
 
 	c.Data["json"] = object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, username, password, host)
@@ -204,6 +218,18 @@ func (c *ApiController) RefreshToken() {
 	clientSecret := c.Input().Get("client_secret")
 	host := c.Ctx.Request.Host
 
+	if clientId == "" {
+		// If clientID is empty, try to read data from RequestBody
+		var tokenRequest TokenRequest
+		if err := json.Unmarshal(c.Ctx.Input.RequestBody, &tokenRequest); err == nil {
+			clientId = tokenRequest.ClientId
+			clientSecret = tokenRequest.ClientSecret
+			grantType = tokenRequest.GrantType
+			scope = tokenRequest.Scope
+
+		}
+	}
+
 	c.Data["json"] = object.RefreshToken(grantType, refreshToken, scope, clientId, clientSecret, host)
 	c.ServeJSON()
 }

controllers/types.go

@@ -0,0 +1,26 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+type TokenRequest struct {
+	GrantType    string `json:"grant_type"`
+	Code         string `json:"code"`
+	ClientId     string `json:"client_id"`
+	ClientSecret string `json:"client_secret"`
+	Verifier     string `json:"code_verifier"`
+	Scope        string `json:"scope"`
+	Username     string `json:"username"`
+	Password     string `json:"password"`
+}

go.mod

@@ -10,22 +10,21 @@ require (
 	github.com/casbin/casbin/v2 v2.30.1
 	github.com/casbin/xorm-adapter/v2 v2.5.1
 	github.com/casdoor/go-sms-sender v0.2.0
+	github.com/casdoor/goth v1.69.0-FIX1
 	github.com/dchest/captcha v0.0.0-20200903113550-03f5f0333e1f
 	github.com/go-gomail/gomail v0.0.0-20160411212932-81ebce5c23df
 	github.com/go-ldap/ldap/v3 v3.3.0
 	github.com/go-pay/gopay v1.5.72
 	github.com/go-sql-driver/mysql v1.5.0
-	github.com/golang-jwt/jwt/v4 v4.1.0
+	github.com/golang-jwt/jwt/v4 v4.2.0
 	github.com/google/uuid v1.2.0
 	github.com/jinzhu/configor v1.2.1 // indirect
 	github.com/lestrrat-go/jwx v0.9.0
-	github.com/markbates/goth v1.68.1-0.20211006204042-9dc8905b41c8
 	github.com/qiangmzsx/string-adapter/v2 v2.1.0
 	github.com/qor/oss v0.0.0-20191031055114-aef9ba66bf76
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/russellhaering/gosaml2 v0.6.0
 	github.com/russellhaering/goxmldsig v1.1.1
-	github.com/satori/go.uuid v1.2.0 // indirect
 	github.com/smartystreets/goconvey v1.6.4 // indirect
 	github.com/stretchr/testify v1.7.0
 	github.com/tealeg/xlsx v1.0.5

go.sum

@@ -79,10 +79,10 @@ github.com/casbin/casbin/v2 v2.30.1 h1:P5HWadDL7olwUXNdcuKUBk+x75Y2eitFxYTcLNKeK
 github.com/casbin/casbin/v2 v2.30.1/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRtgrQfcJqHg=
 github.com/casbin/xorm-adapter/v2 v2.5.1 h1:BkpIxRHKa0s3bSMx173PpuU7oTs+Zw7XmD0BIta0HGM=
 github.com/casbin/xorm-adapter/v2 v2.5.1/go.mod h1:AeH4dBKHC9/zYxzdPVHhPDzF8LYLqjDdb767CWJoV54=
-github.com/casdoor/go-sms-sender v0.0.5 h1:9qhlMM+UoSOvvY7puUULqSHBBA7fbe02Px/tzchQboo=
-github.com/casdoor/go-sms-sender v0.0.5/go.mod h1:TMM/BsZQAa+7JVDXl2KqgxnzZgCjmHEX5MBN662mM5M=
 github.com/casdoor/go-sms-sender v0.2.0 h1:52bin4EBOPzOee64s9UK7jxd22FODvT9/+Y/Z+PSHpg=
 github.com/casdoor/go-sms-sender v0.2.0/go.mod h1:fsZsNnALvFIo+HFcE1U/oCQv4ZT42FdglXKMsEm3WSk=
+github.com/casdoor/goth v1.69.0-FIX1 h1:24Y3tfaJxWGJbxickGe3F9y2c8X1PgsQynhxGXV1f9Q=
+github.com/casdoor/goth v1.69.0-FIX1/go.mod h1:Om55nRo8CkeDkPSNBbzXW4G5uI28ZUkSk5S69dPek3s=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -135,10 +135,8 @@ github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/goji/httpauth v0.0.0-20160601135302-2da839ab0f4d/go.mod h1:nnjvkQ9ptGaCkuDUx6wNykzzlUixGxvkme+H/lnzb+A=
-github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
+github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
-github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
-github.com/golang-jwt/jwt/v4 v4.1.0 h1:XUgk2Ex5veyVFVeLm0xhusUTQybEbexJXrvPNOKkSY0=
-github.com/golang-jwt/jwt/v4 v4.1.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -258,8 +256,6 @@ github.com/lib/pq v1.8.0 h1:9xohqzkUwzR4Ga4ivdTcawVS89YSDVxXMa3xJX3cGzg=
 github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/markbates/going v1.0.0 h1:DQw0ZP7NbNlFGcKbcE/IVSOAFzScxRtLpd0rLMzLhq0=
 github.com/markbates/going v1.0.0/go.mod h1:I6mnB4BPnEeqo85ynXIx1ZFLLbtiLHNXVgWeFO9OGOA=
-github.com/markbates/goth v1.68.1-0.20211006204042-9dc8905b41c8 h1:JibQrkJapVsb0pweJ5T14jZuuYZZTjll0PZBw4XfSCI=
-github.com/markbates/goth v1.68.1-0.20211006204042-9dc8905b41c8/go.mod h1:V2VcDMzDiMHW+YmqYl7i0cMiAUeCkAe4QE6jRKBhXZw=
 github.com/mattermost/xml-roundtrip-validator v0.0.0-20201208211235-fe770d50d911 h1:erppMjjp69Rertg1zlgRbLJH1u+eCmRPxKjMZ5I8/Ro=
 github.com/mattermost/xml-roundtrip-validator v0.0.0-20201208211235-fe770d50d911/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
 github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=

idp/alipay.go

@@ -0,0 +1,292 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"encoding/pem"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"sort"
+	"strings"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+type AlipayIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+}
+
+// NewAlipayIdProvider ...
+func NewAlipayIdProvider(clientId string, clientSecret string, redirectUrl string) *AlipayIdProvider {
+	idp := &AlipayIdProvider{}
+
+	config := idp.getConfig(clientId, clientSecret, redirectUrl)
+	idp.Config = config
+
+	return idp
+}
+
+// SetHttpClient ...
+func (idp *AlipayIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+// getConfig return a point of Config, which describes a typical 3-legged OAuth2 flow
+func (idp *AlipayIdProvider) getConfig(clientId string, clientSecret string, redirectUrl string) *oauth2.Config {
+	var endpoint = oauth2.Endpoint{
+		AuthURL:  "https://openauth.alipay.com/oauth2/publicAppAuthorize.htm",
+		TokenURL: "https://openapi.alipay.com/gateway.do",
+	}
+
+	var config = &oauth2.Config{
+		Scopes:       []string{"", ""},
+		Endpoint:     endpoint,
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectUrl,
+	}
+
+	return config
+}
+
+type AlipayAccessToken struct {
+	Response AlipaySystemOauthTokenResponse `json:"alipay_system_oauth_token_response"`
+	Sign     string                         `json:"sign"`
+}
+
+type AlipaySystemOauthTokenResponse struct {
+	AccessToken  string `json:"access_token"`
+	AlipayUserId string `json:"alipay_user_id"`
+	ExpiresIn    int    `json:"expires_in"`
+	ReExpiresIn  int    `json:"re_expires_in"`
+	RefreshToken string `json:"refresh_token"`
+	UserId       string `json:"user_id"`
+}
+
+// GetToken use code to get access_token
+func (idp *AlipayIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	pTokenParams := &struct {
+		ClientId  string `json:"app_id"`
+		CharSet   string `json:"charset"`
+		Code      string `json:"code"`
+		GrantType string `json:"grant_type"`
+		Method    string `json:"method"`
+		SignType  string `json:"sign_type"`
+		TimeStamp string `json:"timestamp"`
+		Version   string `json:"version"`
+	}{idp.Config.ClientID, "utf-8", code, "authorization_code", "alipay.system.oauth.token", "RSA2", time.Now().Format("2006-01-02 15:04:05"), "1.0"}
+
+	data, err := idp.postWithBody(pTokenParams, idp.Config.Endpoint.TokenURL)
+	if err != nil {
+		return nil, err
+	}
+
+	pToken := &AlipayAccessToken{}
+	err = json.Unmarshal(data, pToken)
+	if err != nil {
+		return nil, err
+	}
+
+	token := &oauth2.Token{
+		AccessToken: pToken.Response.AccessToken,
+		Expiry:      time.Unix(time.Now().Unix()+int64(pToken.Response.ExpiresIn), 0),
+	}
+	return token, nil
+}
+
+/*
+{
+    "alipay_user_info_share_response":{
+        "code":"10000",
+        "msg":"Success",
+        "avatar":"https:\/\/tfs.alipayobjects.com\/images\/partner\/T1.QxFXk4aXXXXXXXX",
+        "nick_name":"zhangsan",
+        "user_id":"2099222233334444"
+    },
+    "sign":"m8rWJeqfoa5tDQRRVnPhRHcpX7NZEgjIPTPF1QBxos6XXXXXXXXXXXXXXXXXXXXXXXXXX"
+}
+*/
+
+type AlipayUserResponse struct {
+	AlipayUserInfoShareResponse AlipayUserInfoShareResponse `json:"alipay_user_info_share_response"`
+	Sign                        string                      `json:"sign"`
+}
+
+type AlipayUserInfoShareResponse struct {
+	Code     string `json:"code"`
+	Msg      string `json:"msg"`
+	Avatar   string `json:"avatar"`
+	NickName string `json:"nick_name"`
+	UserId   string `json:"user_id"`
+}
+
+// GetUserInfo Use access_token to get UserInfo
+func (idp *AlipayIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	atUserInfo := &AlipayUserResponse{}
+	accessToken := token.AccessToken
+
+	pTokenParams := &struct {
+		ClientId  string `json:"app_id"`
+		CharSet   string `json:"charset"`
+		AuthToken string `json:"auth_token"`
+		Method    string `json:"method"`
+		SignType  string `json:"sign_type"`
+		TimeStamp string `json:"timestamp"`
+		Version   string `json:"version"`
+	}{idp.Config.ClientID, "utf-8", accessToken, "alipay.user.info.share", "RSA2", time.Now().Format("2006-01-02 15:04:05"), "1.0"}
+	data, err := idp.postWithBody(pTokenParams, idp.Config.Endpoint.TokenURL)
+	if err != nil {
+		return nil, err
+	}
+
+	err = json.Unmarshal(data, atUserInfo)
+	if err != nil {
+		return nil, err
+	}
+
+	userInfo := UserInfo{
+		Id:          atUserInfo.AlipayUserInfoShareResponse.UserId,
+		Username:    atUserInfo.AlipayUserInfoShareResponse.NickName,
+		DisplayName: atUserInfo.AlipayUserInfoShareResponse.NickName,
+		AvatarUrl:   atUserInfo.AlipayUserInfoShareResponse.Avatar,
+	}
+
+	return &userInfo, nil
+}
+
+func (idp *AlipayIdProvider) postWithBody(body interface{}, targetUrl string) ([]byte, error) {
+	bs, err := json.Marshal(body)
+	if err != nil {
+		return nil, err
+	}
+
+	bodyJson := make(map[string]interface{})
+	err = json.Unmarshal(bs, &bodyJson)
+	if err != nil {
+		return nil, err
+	}
+
+	formData := url.Values{}
+	for k := range bodyJson {
+		formData.Set(k, bodyJson[k].(string))
+	}
+
+	sign, err := rsaSignWithRSA256(getStringToSign(formData), idp.Config.ClientSecret)
+	if err != nil {
+		return nil, err
+	}
+
+	formData.Set("sign", sign)
+
+	resp, err := idp.Client.PostForm(targetUrl, formData)
+	if err != nil {
+		return nil, err
+	}
+	data, err := ioutil.ReadAll(resp.Body)
+
+	if err != nil {
+		return nil, err
+	}
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			return
+		}
+	}(resp.Body)
+
+	return data, nil
+}
+
+// get the string to sign, see https://opendocs.alipay.com/common/02kf5q
+func getStringToSign(formData url.Values) string {
+	keys := make([]string, 0, len(formData))
+	for k := range formData {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	str := ""
+	for _, k := range keys {
+		if k == "sign" || formData[k][0] == "" {
+			continue
+		} else {
+			str += "&" + k + "=" + formData[k][0]
+		}
+	}
+	str = strings.Trim(str, "&")
+	return str
+}
+
+// use privateKey to sign the content
+func rsaSignWithRSA256(signContent string, privateKey string) (string, error) {
+	privateKey = formatPrivateKey(privateKey)
+	block, _ := pem.Decode([]byte(privateKey))
+	if block == nil {
+		panic("fail to parse privateKey")
+	}
+
+	h := sha256.New()
+	h.Write([]byte(signContent))
+	hashed := h.Sum(nil)
+
+	privateKeyRSA, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+	if err != nil {
+		return "", err
+	}
+
+	signature, err := rsa.SignPKCS1v15(rand.Reader, privateKeyRSA.(*rsa.PrivateKey), crypto.SHA256, hashed)
+	if err != nil {
+		return "", err
+	}
+
+	return base64.StdEncoding.EncodeToString(signature), nil
+}
+
+// privateKey in database is a string, format it to PEM style
+func formatPrivateKey(privateKey string) string {
+	// each line length is 64
+	preFmtPrivateKey := ""
+	for i := 0; ; {
+		if i+64 <= len(privateKey) {
+			preFmtPrivateKey = preFmtPrivateKey + privateKey[i:i+64] + "\n"
+			i += 64
+		} else {
+			preFmtPrivateKey = preFmtPrivateKey + privateKey[i:]
+			break
+		}
+	}
+	privateKey = strings.Trim(preFmtPrivateKey, "\n")
+
+	// add pkcs#8 BEGIN and END
+	PemBegin := "-----BEGIN PRIVATE KEY-----\n"
+	PemEnd := "\n-----END PRIVATE KEY-----"
+	if !strings.HasPrefix(privateKey, PemBegin) {
+		privateKey = PemBegin + privateKey
+	}
+	if !strings.HasSuffix(privateKey, PemEnd) {
+		privateKey = privateKey + PemEnd
+	}
+	return privateKey
+}

idp/goth.go

@@ -22,35 +22,35 @@ import (
 	"time"
 
 	"github.com/casdoor/casdoor/util"
-	"github.com/markbates/goth"
+	"github.com/casdoor/goth"
-	"github.com/markbates/goth/providers/amazon"
+	"github.com/casdoor/goth/providers/amazon"
-	"github.com/markbates/goth/providers/apple"
+	"github.com/casdoor/goth/providers/apple"
-	"github.com/markbates/goth/providers/azuread"
+	"github.com/casdoor/goth/providers/azuread"
-	"github.com/markbates/goth/providers/bitbucket"
+	"github.com/casdoor/goth/providers/bitbucket"
-	"github.com/markbates/goth/providers/digitalocean"
+	"github.com/casdoor/goth/providers/digitalocean"
-	"github.com/markbates/goth/providers/discord"
+	"github.com/casdoor/goth/providers/discord"
-	"github.com/markbates/goth/providers/dropbox"
+	"github.com/casdoor/goth/providers/dropbox"
-	"github.com/markbates/goth/providers/facebook"
+	"github.com/casdoor/goth/providers/facebook"
-	"github.com/markbates/goth/providers/gitea"
+	"github.com/casdoor/goth/providers/gitea"
-	"github.com/markbates/goth/providers/github"
+	"github.com/casdoor/goth/providers/github"
-	"github.com/markbates/goth/providers/gitlab"
+	"github.com/casdoor/goth/providers/gitlab"
-	"github.com/markbates/goth/providers/google"
+	"github.com/casdoor/goth/providers/google"
-	"github.com/markbates/goth/providers/heroku"
+	"github.com/casdoor/goth/providers/heroku"
-	"github.com/markbates/goth/providers/instagram"
+	"github.com/casdoor/goth/providers/instagram"
-	"github.com/markbates/goth/providers/kakao"
+	"github.com/casdoor/goth/providers/kakao"
-	"github.com/markbates/goth/providers/line"
+	"github.com/casdoor/goth/providers/line"
-	"github.com/markbates/goth/providers/linkedin"
+	"github.com/casdoor/goth/providers/linkedin"
-	"github.com/markbates/goth/providers/microsoftonline"
+	"github.com/casdoor/goth/providers/microsoftonline"
-	"github.com/markbates/goth/providers/paypal"
+	"github.com/casdoor/goth/providers/paypal"
-	"github.com/markbates/goth/providers/salesforce"
+	"github.com/casdoor/goth/providers/salesforce"
-	"github.com/markbates/goth/providers/shopify"
+	"github.com/casdoor/goth/providers/shopify"
-	"github.com/markbates/goth/providers/slack"
+	"github.com/casdoor/goth/providers/slack"
-	"github.com/markbates/goth/providers/steam"
+	"github.com/casdoor/goth/providers/steam"
-	"github.com/markbates/goth/providers/tumblr"
+	"github.com/casdoor/goth/providers/tumblr"
-	"github.com/markbates/goth/providers/twitter"
+	"github.com/casdoor/goth/providers/twitter"
-	"github.com/markbates/goth/providers/yahoo"
+	"github.com/casdoor/goth/providers/yahoo"
-	"github.com/markbates/goth/providers/yandex"
+	"github.com/casdoor/goth/providers/yandex"
-	"github.com/markbates/goth/providers/zoom"
+	"github.com/casdoor/goth/providers/zoom"
 	"golang.org/x/oauth2"
 )
 

idp/provider.go

@@ -70,6 +70,8 @@ func GetIdProvider(typ string, subType string, clientId string, clientSecret str
 		return NewAdfsIdProvider(clientId, clientSecret, redirectUrl, hostUrl)
 	} else if typ == "Baidu" {
 		return NewBaiduIdProvider(clientId, clientSecret, redirectUrl)
+	} else if typ == "Alipay" {
+		return NewAlipayIdProvider(clientId, clientSecret, redirectUrl)
 	} else if typ == "Infoflow" {
 		if subType == "Internal" {
 			return NewInfoflowInternalIdProvider(clientId, clientSecret, appId, redirectUrl)

idp/qq.go

@@ -76,6 +76,9 @@ func (idp *QqIdProvider) GetToken(code string) (*oauth2.Token, error) {
 
 	defer resp.Body.Close()
 	tokenContent, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
 
 	re := regexp.MustCompile("token=(.*?)&")
 	matched := re.FindAllStringSubmatch(string(tokenContent), -1)
@@ -146,6 +149,9 @@ func (idp *QqIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 
 	defer resp.Body.Close()
 	openIdBody, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
 
 	re := regexp.MustCompile("\"openid\":\"(.*?)\"}")
 	matched := re.FindAllStringSubmatch(string(openIdBody), -1)
@@ -178,6 +184,7 @@ func (idp *QqIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 
 	userInfo := UserInfo{
 		Id:          openId,
+		Username:    qqUserInfo.Nickname,
 		DisplayName: qqUserInfo.Nickname,
 		AvatarUrl:   qqUserInfo.FigureurlQq1,
 	}

object/check.go

@@ -180,16 +180,15 @@ func CheckUserPassword(organization string, username string, password string) (*
 		return nil, "the user is forbidden to sign in, please contact the administrator"
 	}
 
-	msg := CheckPassword(user, password)
+	if user.Ldap != "" {
-	if msg != "" {
+		//ONLY for ldap users
-		//for ldap users
+		return checkLdapUserPassword(user, password)
-		if user.Ldap != "" {
+	} else {
-			return checkLdapUserPassword(user, password)
+		msg := CheckPassword(user, password)
+		if msg != "" {
+			return nil, msg
 		}
-
-		return nil, msg
 	}
-
 	return user, ""
 }
 

object/init.go

@@ -21,17 +21,19 @@ import (
 )
 
 func InitDb() {
-	initBuiltInOrganization()
+	existed := initBuiltInOrganization()
-	initBuiltInUser()
+	if !existed {
-	initBuiltInApplication()
+		initBuiltInUser()
-	initBuiltInCert()
+		initBuiltInApplication()
-	initBuiltInLdap()
+		initBuiltInCert()
+		initBuiltInLdap()
+	}
 }
 
-func initBuiltInOrganization() {
+func initBuiltInOrganization() bool {
 	organization := getOrganization("admin", "built-in")
 	if organization != nil {
-		return
+		return true
 	}
 
 	organization = &Organization{
@@ -47,6 +49,7 @@ func initBuiltInOrganization() {
 		Tags:          []string{},
 	}
 	AddOrganization(organization)
+	return false
 }
 
 func initBuiltInUser() {

object/provider.go

@@ -33,7 +33,7 @@ type Provider struct {
 	SubType       string `xorm:"varchar(100)" json:"subType"`
 	Method        string `xorm:"varchar(100)" json:"method"`
 	ClientId      string `xorm:"varchar(100)" json:"clientId"`
-	ClientSecret  string `xorm:"varchar(100)" json:"clientSecret"`
+	ClientSecret  string `xorm:"varchar(2000)" json:"clientSecret"`
 	ClientId2     string `xorm:"varchar(100)" json:"clientId2"`
 	ClientSecret2 string `xorm:"varchar(100)" json:"clientSecret2"`
 	Cert          string `xorm:"varchar(100)" json:"cert"`

object/token.go

@@ -442,12 +442,12 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId
 	DeleteToken(&token)
 
 	tokenWrapper := &TokenWrapper{
-		AccessToken:  token.AccessToken,
+		AccessToken:  newToken.AccessToken,
-		IdToken:      token.AccessToken,
+		IdToken:      newToken.AccessToken,
-		RefreshToken: token.RefreshToken,
+		RefreshToken: newToken.RefreshToken,
-		TokenType:    token.TokenType,
+		TokenType:    newToken.TokenType,
-		ExpiresIn:    token.ExpiresIn,
+		ExpiresIn:    newToken.ExpiresIn,
-		Scope:        token.Scope,
+		Scope:        newToken.Scope,
 	}
 
 	return tokenWrapper
@@ -522,7 +522,8 @@ func GetPasswordToken(application *Application, username string, password string
 	if user == nil {
 		return nil, errors.New("error: the user does not exist")
 	}
-	if user.Password != password {
+	msg := CheckPassword(user, password)
+	if msg != "" {
 		return nil, errors.New("error: invalid username or password")
 	}
 	if user.IsForbidden {

object/token_cas.go

@@ -0,0 +1,236 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"encoding/json"
+	"encoding/xml"
+	"fmt"
+	"math/rand"
+	"sync"
+	"time"
+
+	"github.com/casdoor/casdoor/util"
+)
+
+type CasServiceResponse struct {
+	XMLName      xml.Name `xml:"cas:serviceResponse" json:"-"`
+	Xmlns        string   `xml:"xmlns:cas,attr"`
+	Failure      *CasAuthenticationFailure
+	Success      *CasAuthenticationSuccess
+	ProxySuccess *CasProxySuccess
+	ProxyFailure *CasProxyFailure
+}
+
+type CasAuthenticationFailure struct {
+	XMLName xml.Name `xml:"cas:authenticationFailure" json:"-"`
+	Code    string   `xml:"code,attr"`
+	Message string   `xml:",innerxml"`
+}
+
+type CasAuthenticationSuccess struct {
+	XMLName             xml.Name           `xml:"cas:authenticationSuccess" json:"-"`
+	User                string             `xml:"cas:user"`
+	ProxyGrantingTicket string             `xml:"cas:proxyGrantingTicket,omitempty"`
+	Proxies             *CasProxies        `xml:"cas:proxies"`
+	Attributes          *CasAttributes     `xml:"cas:attributes"`
+	ExtraAttributes     []*CasAnyAttribute `xml:",any"`
+}
+
+type CasProxies struct {
+	XMLName xml.Name `xml:"cas:proxies" json:"-"`
+	Proxies []string `xml:"cas:proxy"`
+}
+
+type CasAttributes struct {
+	XMLName                                xml.Name  `xml:"cas:attributes" json:"-"`
+	AuthenticationDate                     time.Time `xml:"cas:authenticationDate"`
+	LongTermAuthenticationRequestTokenUsed bool      `xml:"cas:longTermAuthenticationRequestTokenUsed"`
+	IsFromNewLogin                         bool      `xml:"cas:isFromNewLogin"`
+	MemberOf                               []string  `xml:"cas:memberOf"`
+	UserAttributes                         *CasUserAttributes
+	ExtraAttributes                        []*CasAnyAttribute `xml:",any"`
+}
+
+type CasUserAttributes struct {
+	XMLName       xml.Name             `xml:"cas:userAttributes" json:"-"`
+	Attributes    []*CasNamedAttribute `xml:"cas:attribute"`
+	AnyAttributes []*CasAnyAttribute   `xml:",any"`
+}
+
+type CasNamedAttribute struct {
+	XMLName xml.Name `xml:"cas:attribute" json:"-"`
+	Name    string   `xml:"name,attr,omitempty"`
+	Value   string   `xml:",innerxml"`
+}
+
+type CasAnyAttribute struct {
+	XMLName xml.Name
+	Value   string `xml:",chardata"`
+}
+
+type CasAuthenticationSuccessWrapper struct {
+	AuthenticationSuccess *CasAuthenticationSuccess // the token we issued
+	Service               string                    //to which service this token is issued
+}
+
+type CasProxySuccess struct {
+	XMLName     xml.Name `xml:"cas:proxySuccess" json:"-"`
+	ProxyTicket string   `xml:"cas:proxyTicket"`
+}
+type CasProxyFailure struct {
+	XMLName xml.Name `xml:"cas:proxyFailure" json:"-"`
+	Code    string   `xml:"code,attr"`
+	Message string   `xml:",innerxml"`
+}
+
+//st is short for service ticket
+var stToServiceResponse sync.Map
+
+//pgt is short for proxy granting ticket
+var pgtToServiceResponse sync.Map
+
+func StoreCasTokenForPgt(token *CasAuthenticationSuccess, service string) string {
+	pgt := fmt.Sprintf("PGT-%s", util.GenerateId())
+	pgtToServiceResponse.Store(pgt, &CasAuthenticationSuccessWrapper{
+		AuthenticationSuccess: token,
+		Service:               service,
+	})
+	return pgt
+}
+
+func GenerateId() {
+	panic("unimplemented")
+}
+
+func GetCasTokenByPgt(pgt string) (bool, *CasAuthenticationSuccess, string) {
+	if responseWrapperType, ok := pgtToServiceResponse.LoadAndDelete(pgt); ok {
+		responseWrapperTypeCast := responseWrapperType.(*CasAuthenticationSuccessWrapper)
+		return true, responseWrapperTypeCast.AuthenticationSuccess, responseWrapperTypeCast.Service
+	}
+	return false, nil, ""
+}
+
+func GetCasTokenByTicket(ticket string) (bool, *CasAuthenticationSuccess, string) {
+	if responseWrapperType, ok := stToServiceResponse.LoadAndDelete(ticket); ok {
+		responseWrapperTypeCast := responseWrapperType.(*CasAuthenticationSuccessWrapper)
+		return true, responseWrapperTypeCast.AuthenticationSuccess, responseWrapperTypeCast.Service
+	}
+	return false, nil, ""
+}
+
+func StoreCasTokenForProxyTicket(token *CasAuthenticationSuccess, targetService string) string {
+	proxyTicket := fmt.Sprintf("PT-%s", util.GenerateId())
+	stToServiceResponse.Store(proxyTicket, &CasAuthenticationSuccessWrapper{
+		AuthenticationSuccess: token,
+		Service:               targetService,
+	})
+	return proxyTicket
+}
+
+func GenerateCasToken(userId string, service string) (string, error) {
+
+	if user := GetUser(userId); user != nil {
+		authenticationSuccess := CasAuthenticationSuccess{
+			User: user.Name,
+			Attributes: &CasAttributes{
+				AuthenticationDate: time.Now(),
+				UserAttributes:     &CasUserAttributes{},
+			},
+			ProxyGrantingTicket: fmt.Sprintf("PGTIOU-%s", util.GenerateId()),
+		}
+		data, _ := json.Marshal(user)
+		tmp := map[string]string{}
+		json.Unmarshal(data, &tmp)
+		for k, v := range tmp {
+			if v != "" {
+				authenticationSuccess.Attributes.UserAttributes.Attributes = append(authenticationSuccess.Attributes.UserAttributes.Attributes, &CasNamedAttribute{
+					Name:  k,
+					Value: v,
+				})
+			}
+		}
+		st := fmt.Sprintf("ST-%d", rand.Int())
+		stToServiceResponse.Store(st, &CasAuthenticationSuccessWrapper{
+			AuthenticationSuccess: &authenticationSuccess,
+			Service:               service,
+		})
+		return st, nil
+	} else {
+		return "", fmt.Errorf("invalid user Id")
+	}
+
+}
+
+func (c *CasAuthenticationSuccess) DeepCopy() CasAuthenticationSuccess {
+	res := *c
+	//copy proxy
+	if c.Proxies != nil {
+		tmp := c.Proxies.DeepCopy()
+		res.Proxies = &tmp
+	}
+	if c.Attributes != nil {
+		tmp := c.Attributes.DeepCopy()
+		res.Attributes = &tmp
+	}
+	res.ExtraAttributes = make([]*CasAnyAttribute, len(c.ExtraAttributes))
+	for i, e := range c.ExtraAttributes {
+		tmp := *e
+		res.ExtraAttributes[i] = &tmp
+	}
+	return res
+}
+
+func (c *CasProxies) DeepCopy() CasProxies {
+	res := CasProxies{
+		Proxies: make([]string, len(c.Proxies)),
+	}
+	copy(res.Proxies, c.Proxies)
+	return res
+}
+
+func (c *CasAttributes) DeepCopy() CasAttributes {
+	res := *c
+	if c.MemberOf != nil {
+		res.MemberOf = make([]string, len(c.MemberOf))
+		copy(res.MemberOf, c.MemberOf)
+	}
+	tmp := c.UserAttributes.DeepCopy()
+	res.UserAttributes = &tmp
+
+	res.ExtraAttributes = make([]*CasAnyAttribute, len(c.ExtraAttributes))
+	for i, e := range c.ExtraAttributes {
+		tmp := *e
+		res.ExtraAttributes[i] = &tmp
+	}
+	return res
+
+}
+
+func (c *CasUserAttributes) DeepCopy() CasUserAttributes {
+	res := CasUserAttributes{
+		AnyAttributes: make([]*CasAnyAttribute, len(c.AnyAttributes)),
+		Attributes:    make([]*CasNamedAttribute, len(c.Attributes)),
+	}
+	for i, a := range c.AnyAttributes {
+		var tmp = *a
+		res.AnyAttributes[i] = &tmp
+	}
+	for i, a := range c.Attributes {
+		var tmp = *a
+		res.Attributes[i] = &tmp
+	}
+	return res
+}

object/user.go

@@ -85,6 +85,7 @@ type User struct {
 	Gitlab   string `xorm:"gitlab varchar(100)" json:"gitlab"`
 	Adfs     string `xorm:"adfs varchar(100)" json:"adfs"`
 	Baidu    string `xorm:"baidu varchar(100)" json:"baidu"`
+	Alipay   string `xorm:"alipay varchar(100)" json:"alipay"`
 	Casdoor  string `xorm:"casdoor varchar(100)" json:"casdoor"`
 	Infoflow string `xorm:"infoflow varchar(100)" json:"infoflow"`
 	Apple    string `xorm:"apple varchar(100)" json:"apple"`
@@ -304,7 +305,7 @@ func UpdateUser(id string, user *User, columns []string, isGlobalAdmin bool) boo
 			"is_admin", "is_global_admin", "is_forbidden", "is_deleted", "hash", "is_default_avatar", "properties"}
 	}
 	if isGlobalAdmin {
-		columns = append(columns, "name")
+		columns = append(columns, "name", "email", "phone")
 	}
 
 	affected, err := adapter.Engine.ID(core.PK{owner, name}).Cols(columns...).Update(user)

routers/authz_filter.go

@@ -100,10 +100,17 @@ func willLog(subOwner string, subName string, method string, urlPath string, obj
 	return true
 }
 
+func getUrlPath(urlPath string) string {
+	if strings.HasPrefix(urlPath, "/cas") && (strings.HasSuffix(urlPath, "/serviceValidate") || strings.HasSuffix(urlPath, "/proxy") || strings.HasSuffix(urlPath, "/proxyValidate") || strings.HasSuffix(urlPath, "/validate")) {
+		return "/cas"
+	}
+	return urlPath
+}
+
 func AuthzFilter(ctx *context.Context) {
 	subOwner, subName := getSubject(ctx)
 	method := ctx.Request.Method
-	urlPath := ctx.Request.URL.Path
+	urlPath := getUrlPath(ctx.Request.URL.Path)
 	objOwner, objName := getObject(ctx)
 
 	isAllowed := authz.IsAllowed(subOwner, subName, method, urlPath, objOwner, objName)

routers/router.go

@@ -171,4 +171,10 @@ func initAPI() {
 
 	beego.Router("/.well-known/openid-configuration", &controllers.RootController{}, "GET:GetOidcDiscovery")
 	beego.Router("/.well-known/jwks", &controllers.RootController{}, "*:GetJwks")
+
+	beego.Router("/cas/:organization/:application/serviceValidate", &controllers.RootController{}, "GET:CasServiceAndProxyValidate")
+	beego.Router("/cas/:organization/:application/proxyValidate", &controllers.RootController{}, "GET:CasServiceAndProxyValidate")
+	beego.Router("/cas/:organization/:application/proxy", &controllers.RootController{}, "GET:CasProxy")
+	beego.Router("/cas/:organization/:application/validate", &controllers.RootController{}, "GET:CasValidate")
+
 }

routers/static_filter.go

@@ -27,6 +27,9 @@ func StaticFilter(ctx *context.Context) {
 	if strings.HasPrefix(urlPath, "/api/") || strings.HasPrefix(urlPath, "/.well-known/") {
 		return
 	}
+	if strings.HasPrefix(urlPath, "/cas") && (strings.HasSuffix(urlPath, "/serviceValidate") || strings.HasSuffix(urlPath, "/proxy") || strings.HasSuffix(urlPath, "/proxyValidate") || strings.HasSuffix(urlPath, "/validate")) {
+		return
+	}
 
 	path := "web/build"
 	if urlPath == "/" {

web/craco.config.js

@@ -18,6 +18,22 @@ module.exports = {
       '/.well-known/openid-configuration': {
         target: 'http://localhost:8000',
         changeOrigin: true,
+      },
+      '/cas/serviceValidate': {
+        target: 'http://localhost:8000',
+        changeOrigin: true,
+      },
+      '/cas/proxyValidate': {
+        target: 'http://localhost:8000',
+        changeOrigin: true,
+      },
+      '/cas/proxy': {
+        target: 'http://localhost:8000',
+        changeOrigin: true,
+      },
+      '/cas/validate': {
+        target: 'http://localhost:8000',
+        changeOrigin: true,
       }
     },
   },

web/src/App.js

@@ -68,6 +68,7 @@ import i18next from 'i18next';
 import PromptPage from "./auth/PromptPage";
 import OdicDiscoveryPage from "./auth/OidcDiscoveryPage";
 import SamlCallback from './auth/SamlCallback';
+import CasLogout from "./auth/CasLogout";
 
 const { Header, Footer } = Layout;
 
@@ -642,7 +643,8 @@ class App extends Component {
       window.location.pathname.startsWith("/login") ||
       window.location.pathname.startsWith("/callback") ||
       window.location.pathname.startsWith("/prompt") ||
-      window.location.pathname.startsWith("/forget");
+      window.location.pathname.startsWith("/forget") ||
+      window.location.pathname.startsWith("/cas");
   }
 
   renderPage() {
@@ -654,6 +656,8 @@ class App extends Component {
           <Route exact path="/login" render={(props) => this.renderHomeIfLoggedIn(<SelfLoginPage account={this.state.account} {...props} />)}/>
           <Route exact path="/signup/oauth/authorize" render={(props) => <LoginPage account={this.state.account} type={"code"} mode={"signup"} {...props} onUpdateAccount={(account) => {this.onUpdateAccount(account)}} />}/>
           <Route exact path="/login/oauth/authorize" render={(props) => <LoginPage account={this.state.account} type={"code"} mode={"signin"} {...props} onUpdateAccount={(account) => {this.onUpdateAccount(account)}} />}/>
+          <Route exact path="/cas/:owner/:casApplicationName/logout" render={(props) => this.renderHomeIfLoggedIn(<CasLogout clearAccount={() => this.setState({account: null})} {...props} />)} />
+          <Route exact path="/cas/:owner/:casApplicationName/login" render={(props) => {return (<LoginPage type={"cas"} mode={"signup"} account={this.state.account} {...props} />)}} />
           <Route exact path="/callback" component={AuthCallback}/>
           <Route exact path="/callback/saml" component={SamlCallback}/>
           <Route exact path="/forget" render={(props) => this.renderHomeIfLoggedIn(<SelfForgetPage {...props} />)}/>

web/src/ProductBuyPage.js

@@ -83,6 +83,10 @@ class ProductBuyPage extends React.Component {
     }
   }
 
+  getPrice(product) {
+    return `${this.getCurrencySymbol(product)}${product?.price} (${this.getCurrencyText(product)})`;
+  }
+
   getProviders(product) {
     if (this.state.providers.length === 0 || product.providers.length === 0) {
       return [];
@@ -207,7 +211,9 @@ class ProductBuyPage extends React.Component {
             </Descriptions.Item>
             <Descriptions.Item label={i18next.t("product:Price")}>
             <span style={{fontSize: 28, color: "red", fontWeight: "bold"}}>
-              {`${this.getCurrencySymbol(product)}${product?.price} (${this.getCurrencyText(product)})`}
+              {
+                this.getPrice(product)
+              }
             </span>
             </Descriptions.Item>
             <Descriptions.Item label={i18next.t("product:Quantity")}><span style={{fontSize: 16}}>{product?.quantity}</span></Descriptions.Item>

web/src/Setting.js

@@ -22,6 +22,7 @@ import copy from "copy-to-clipboard";
 import {authConfig} from "./auth/Auth";
 import {Helmet} from "react-helmet";
 import moment from "moment";
+import * as Conf from "./Conf";
 
 export let ServerUrl = "";
 
@@ -29,12 +30,17 @@ export let ServerUrl = "";
 export const StaticBaseUrl = "https://cdn.casbin.org";
 
 // https://catamphetamine.gitlab.io/country-flag-icons/3x2/index.html
-export const CountryRegionData = getCountryRegionData()
+export const CountryRegionData = getCountryRegionData();
 
 export function getCountryRegionData() {
+  let language = i18next.language;
+  if (language === null || language === "null") {
+    language = Conf.DefaultLanguage;
+  }
+
   var countries = require("i18n-iso-countries");
-  countries.registerLocale(require("i18n-iso-countries/langs/" + i18next.language + ".json"));
+  countries.registerLocale(require("i18n-iso-countries/langs/" + language + ".json"));
-  var data = countries.getNames(i18next.language, {select: "official"});
+  var data = countries.getNames(language, {select: "official"});
   var result = []
   for (var i in data) 
     result.push({code:i, name:data[i]})
@@ -396,6 +402,7 @@ export function getProviderTypeOptions(category) {
         {id: 'GitLab', name: 'GitLab'},
         {id: 'Adfs', name: 'Adfs'},
         {id: 'Baidu', name: 'Baidu'},
+        {id: 'Alipay', name: 'Alipay'},
         {id: 'Casdoor', name: 'Casdoor'},
         {id: 'Infoflow', name: 'Infoflow'},
         {id: 'Apple', name: 'Apple'},

web/src/SyncerListPage.js

@@ -42,7 +42,7 @@ class SyncerListPage extends BaseListPage {
       affiliationTable: "",
       avatarBaseUrl: "",
       syncInterval: 10,
-      isEnabled: true,
+      isEnabled: false,
     }
   }
 

web/src/UserEditPage.js

@@ -224,7 +224,11 @@ class UserEditPage extends React.Component {
             {Setting.getLabel(i18next.t("general:Email"), i18next.t("general:Email - Tooltip"))} :
           </Col>
           <Col style={{paddingRight: '20px'}} span={11} >
-            <Input value={this.state.user.email} disabled />
+            <Input value={this.state.user.email}
+                   disabled={this.state.user.id === this.props.account?.id ? true : !Setting.isAdminUser(this.props.account)}
+                   onChange={e => {
+                      this.updateUserField('email', e.target.value);
+                    }} />
           </Col>
           <Col span={11} >
             { this.state.user.id === this.props.account?.id ? (<ResetModal org={this.state.application?.organizationObj} buttonText={i18next.t("user:Reset Email...")} destType={"email"} />) : null}
@@ -235,7 +239,11 @@ class UserEditPage extends React.Component {
             {Setting.getLabel(i18next.t("general:Phone"), i18next.t("general:Phone - Tooltip"))} :
           </Col>
           <Col style={{paddingRight: '20px'}} span={11} >
-            <Input value={this.state.user.phone} addonBefore={`+${this.state.application?.organizationObj.phonePrefix}`} disabled />
+            <Input value={this.state.user.phone} addonBefore={`+${this.state.application?.organizationObj.phonePrefix}`}
+                   disabled={this.state.user.id === this.props.account?.id ? true : !Setting.isAdminUser(this.props.account)}
+                   onChange={e => {
+                      this.updateUserField('phone', e.target.value);
+                   }}/>
           </Col>
           <Col span={11} >
             { this.state.user.id === this.props.account?.id ? (<ResetModal org={this.state.application?.organizationObj} buttonText={i18next.t("user:Reset Phone...")} destType={"phone"} />) : null}

web/src/auth/AlipayLoginButton.js

@@ -0,0 +1,32 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import {createButton} from "react-social-login-buttons";
+import {StaticBaseUrl} from "../Setting";
+
+function Icon({ width = 24, height = 24, color }) {
+    return <img src={`${StaticBaseUrl}/buttons/alipay.svg`} alt="Sign in with Alipay" style={{width: 24, height: 24}} />;
+}
+
+const config = {
+    text: "Sign in with Alipay",
+    icon: Icon,
+    iconFormat: name => `fa fa-${name}`,
+    style: {background: "#ffffff", color: "#000000"},
+    activeStyle: {background: "#ededee"},
+};
+
+const AlipayLoginButton = createButton(config);
+
+export default AlipayLoginButton;

web/src/auth/AuthBackend.js

@@ -62,6 +62,14 @@ export function login(values, oAuthParams) {
   }).then(res => res.json());
 }
 
+export function loginCas(values, params) {
+  return fetch(`${authConfig.serverUrl}/api/login?service=${params.service}`, {
+    method: 'POST',
+    credentials: "include",
+    body: JSON.stringify(values),
+  }).then(res => res.json());
+}
+
 export function logout() {
   return fetch(`${authConfig.serverUrl}/api/logout`, {
     method: 'POST',

web/src/auth/CasLogout.js

@@ -0,0 +1,68 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import React from "react";
+import {Spin} from "antd";
+import {withRouter} from "react-router-dom";
+import * as AuthBackend from "./AuthBackend";
+import * as Setting from "../Setting";
+import i18next from "i18next";
+
+class CasLogout extends React.Component {
+  constructor(props) {
+    super(props);
+    this.state = {
+      classes: props,
+      msg: null,
+    };
+    if (props.match?.params.casApplicationName !== undefined) {
+      this.state.owner = props.match?.params.owner
+      this.state.applicationName = props.match?.params.casApplicationName
+    }
+  }
+
+  UNSAFE_componentWillMount() {
+    const params = new URLSearchParams(this.props.location.search);
+
+    AuthBackend.logout()
+      .then((res) => {
+        if (res.status === 'ok') {
+          Setting.showMessage("success", `Logged out successfully`);
+          this.props.clearAccount()
+          let redirectUri = res.data2;
+          if (redirectUri !== null && redirectUri !== undefined && redirectUri !== "") {
+            Setting.goToLink(redirectUri);
+          } else if (params.has("service")) {
+            Setting.goToLink(params.get("service"))
+          } else {
+            Setting.goToLinkSoft(this, `/cas/${this.state.owner}/${this.state.applicationName}/login`);
+          }
+        } else {
+          Setting.showMessage("error", `Failed to log out: ${res.msg}`);
+        }
+      });
+
+  }
+
+  render() {
+    return (
+      <div style={{textAlign: "center"}}>
+        {
+          <Spin size="large" tip={i18next.t("login:Logging out...")} style={{paddingTop: "10%"}} />
+        }
+      </div>
+    )
+  }
+}
+export default withRouter(CasLogout);

web/src/auth/LoginPage.js

@@ -36,6 +36,7 @@ import LarkLoginButton from "./LarkLoginButton";
 import GitLabLoginButton from "./GitLabLoginButton";
 import AdfsLoginButton from "./AdfsLoginButton";
 import BaiduLoginButton from "./BaiduLoginButton";
+import AlipayLoginButton from "./AlipayLoginButton";
 import CasdoorLoginButton from "./CasdoorLoginButton";
 import InfoflowLoginButton from "./InfoflowLoginButton";
 import AppleLoginButton from "./AppleLoginButton"
@@ -60,11 +61,16 @@ class LoginPage extends React.Component {
       validEmailOrPhone: false,
       validEmail: false,
       validPhone: false,
+      owner: null,
     };
+    if (this.state.type === "cas" && props.match?.params.casApplicationName !== undefined) {
+      this.state.owner = props.match?.params.owner
+      this.state.applicationName = props.match?.params.casApplicationName
+    }
   }
 
   UNSAFE_componentWillMount() {
-    if (this.state.type === "login") {
+    if (this.state.type === "login" || this.state.type === "cas") {
       this.getApplication();
     } else if (this.state.type === "code") {
       this.getApplicationLogin();
@@ -119,59 +125,85 @@ class LoginPage extends React.Component {
   onFinish(values) {
     const application = this.getApplicationObj();
     const ths = this;
-    const oAuthParams = Util.getOAuthGetParameters();
+
-    if (oAuthParams !== null && oAuthParams.responseType!= null && oAuthParams.responseType !== "") {
+    //here we are supposed to judge whether casdoor is working as a oauth server or CAS server
-      values["type"] = oAuthParams.responseType
+    if (this.state.type === "cas") {
-    }else{
+      //cas
+      const casParams = Util.getCasParameters()
       values["type"] = this.state.type;
-    }
+      AuthBackend.loginCas(values, casParams).then((res) => {
-    values["phonePrefix"] = this.getApplicationObj()?.organizationObj.phonePrefix;
-    
-    AuthBackend.login(values, oAuthParams)
-      .then((res) => {
         if (res.status === 'ok') {
-          const responseType = values["type"];
+          let msg = "Logged in successfully. "
-          if (responseType === "login") {
+          if (casParams.service == "") {
-            Util.showMessage("success", `Logged in successfully`);
+            //If service was not specified, CAS MUST display a message notifying the client that it has successfully initiated a single sign-on session.
-
+            msg += "Now you can visit apps protected by casdoor."
-            const link = Setting.getFromLink();
-            Setting.goToLink(link);
-          } else if (responseType === "code") {
-            const code = res.data;
-            const concatChar = oAuthParams?.redirectUri?.includes('?') ? '&' : '?';
-
-            if (Setting.hasPromptPage(application)) {
-              AuthBackend.getAccount("")
-                .then((res) => {
-                  let account = null;
-                  if (res.status === "ok") {
-                    account = res.data;
-                    account.organization = res.data2;
-
-                    this.onUpdateAccount(account);
-
-                    if (Setting.isPromptAnswered(account, application)) {
-                      Setting.goToLink(`${oAuthParams.redirectUri}${concatChar}code=${code}&state=${oAuthParams.state}`);
-                    } else {
-                      Setting.goToLinkSoft(ths, `/prompt/${application.name}?redirectUri=${oAuthParams.redirectUri}&code=${code}&state=${oAuthParams.state}`);
-                    }
-                  } else {
-                    Setting.showMessage("error", `Failed to sign in: ${res.msg}`);
-                  }
-                });
-            } else {
-              Setting.goToLink(`${oAuthParams.redirectUri}${concatChar}code=${code}&state=${oAuthParams.state}`);
-            }
-
-            // Util.showMessage("success", `Authorization code: ${res.data}`);
-          } else if (responseType === "token" || responseType === "id_token") {
-            const accessToken = res.data;
-            Setting.goToLink(`${oAuthParams.redirectUri}#${responseType}=${accessToken}?state=${oAuthParams.state}&token_type=bearer`);
           }
+          Util.showMessage("success", msg);
+          if (casParams.service !== "") {
+            let st = res.data
+            window.location.href = casParams.service + "?ticket=" + st
+          }
+
         } else {
           Util.showMessage("error", `Failed to log in: ${res.msg}`);
         }
-      });
+      })
+    } else {
+      //oauth
+      const oAuthParams = Util.getOAuthGetParameters();
+      if (oAuthParams !== null && oAuthParams.responseType != null && oAuthParams.responseType !== "") {
+        values["type"] = oAuthParams.responseType
+      }else{
+        values["type"] = this.state.type;
+      }
+      values["phonePrefix"] = this.getApplicationObj()?.organizationObj.phonePrefix;
+      
+      AuthBackend.login(values, oAuthParams)
+        .then((res) => {
+          if (res.status === 'ok') {
+            const responseType = values["type"];
+            if (responseType === "login") {
+              Util.showMessage("success", `Logged in successfully`);
+
+              const link = Setting.getFromLink();
+              Setting.goToLink(link);
+            } else if (responseType === "code") {
+              const code = res.data;
+              const concatChar = oAuthParams?.redirectUri?.includes('?') ? '&' : '?';
+
+              if (Setting.hasPromptPage(application)) {
+                AuthBackend.getAccount("")
+                  .then((res) => {
+                    let account = null;
+                    if (res.status === "ok") {
+                      account = res.data;
+                      account.organization = res.data2;
+
+                      this.onUpdateAccount(account);
+
+                      if (Setting.isPromptAnswered(account, application)) {
+                        Setting.goToLink(`${oAuthParams.redirectUri}${concatChar}code=${code}&state=${oAuthParams.state}`);
+                      } else {
+                        Setting.goToLinkSoft(ths, `/prompt/${application.name}?redirectUri=${oAuthParams.redirectUri}&code=${code}&state=${oAuthParams.state}`);
+                      }
+                    } else {
+                      Setting.showMessage("error", `Failed to sign in: ${res.msg}`);
+                    }
+                  });
+              } else {
+                Setting.goToLink(`${oAuthParams.redirectUri}${concatChar}code=${code}&state=${oAuthParams.state}`);
+              }
+
+              // Util.showMessage("success", `Authorization code: ${res.data}`);
+            } else if (responseType === "token" || responseType === "id_token") {
+              const accessToken = res.data;
+              Setting.goToLink(`${oAuthParams.redirectUri}#${responseType}=${accessToken}?state=${oAuthParams.state}&token_type=bearer`);
+            }
+          } else {
+            Util.showMessage("error", `Failed to log in: ${res.msg}`);
+          }
+        });
+      }
   };
 
   getSigninButton(type) {
@@ -206,6 +238,8 @@ class LoginPage extends React.Component {
       return <CasdoorLoginButton text={text} align={"center"} />
     } else if (type === "Baidu") {
       return <BaiduLoginButton text={text} align={"center"} />
+    } else if (type === "Alipay") {
+      return <AlipayLoginButton text={text} align={"center"} />
     } else if (type === "Infoflow") {
       return <InfoflowLoginButton text={text} align={"center"} />
     } else if (type === "Apple") {

web/src/auth/Provider.js

@@ -78,6 +78,10 @@ const authInfo = {
     scope: "basic",
     endpoint: "http://openapi.baidu.com/oauth/2.0/authorize",
   },
+  Alipay: {
+    scope: "basic",
+    endpoint: "https://openauth.alipay.com/oauth2/publicAppAuthorize.htm",
+  },
   Casdoor: {
     scope: "openid%20profile%20email",
     endpoint: "http://example.com",
@@ -287,6 +291,8 @@ export function getAuthUrl(application, provider, method) {
     return `${provider.domain}/adfs/oauth2/authorize?client_id=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}&response_type=code&nonce=casdoor&scope=openid`;
   } else if (provider.type === "Baidu") {
     return `${endpoint}?client_id=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}&response_type=code&scope=${scope}&display=popup`;
+  } else if (provider.type === "Alipay") {
+    return `${endpoint}?app_id=${provider.clientId}&scope=auth_user&redirect_uri=${redirectUri}&state=${state}&response_type=code&scope=${scope}&display=popup`;
   } else if (provider.type === "Casdoor") {
     return `${provider.domain}/login/oauth/authorize?client_id=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}&response_type=code&scope=${scope}`;
   } else if (provider.type === "Infoflow"){

web/src/auth/ResultPage.js

@@ -66,7 +66,7 @@ class ResultPage extends React.Component {
           extra={[
             <Button type="primary" key="login" onClick={() => {
               let linkInStorage = sessionStorage.getItem("loginURL")
-              if (linkInStorage != "") {
+              if (linkInStorage !== null && linkInStorage !== "") {
                   Setting.goToLink(linkInStorage)
               } else {
                   Setting.goToLogin(this, application)

web/src/auth/Util.js

@@ -79,6 +79,18 @@ function getRefinedValue(value){
   return (value === null)? "" : value
 }
 
+export function getCasParameters(params){
+  const queries = (params !== undefined) ? params : new URLSearchParams(window.location.search);
+  const service = getRefinedValue(queries.get("service"))
+  const renew = getRefinedValue(queries.get("renew"))
+  const gateway = getRefinedValue(queries.get("gateway"))
+  return {
+    service: service,
+    renew: renew,
+    gateway: gateway,
+  }
+}
+
 export function getOAuthGetParameters(params) {
   const queries = (params !== undefined) ? params : new URLSearchParams(window.location.search);
   const clientId = getRefinedValue(queries.get("client_id"));