feat: fix bugs in MFA (#2033)

* fix: prompt mfa binding

* fix: clean session when leave promptpage

* fix: css

* fix: force enable mfa

* fix: add prompt rule

* fix: refactor directory structure

* fix: prompt notification

* fix: fix some bug and clean code

* fix: rebase

* fix: improve notification

* fix: i18n

* fix: router

* fix: prompt

* fix: remove localStorage

README.md

@@ -37,8 +37,8 @@
   <a href="https://crowdin.com/project/casdoor-site">
     <img alt="Crowdin" src="https://badges.crowdin.net/casdoor-site/localized.svg">
   </a>
-  <a href="https://gitter.im/casbin/casdoor">
-    <img alt="Gitter" src="https://badges.gitter.im/casbin/casdoor.svg">
+  <a href="https://discord.gg/5rPsrAzK7S">
+    <img alt="Discord" src="https://img.shields.io/discord/1022748306096537660?style=flat-square&logo=discord&label=discord&color=5865F2">
   </a>
 </p>
 
@@ -71,7 +71,7 @@ https://casdoor.org/docs/category/integrations
 
 ## How to contact?
 
-- Gitter: https://gitter.im/casbin/casdoor
+- Discord: https://discord.gg/5rPsrAzK7S
 - Forum: https://forum.casbin.com
 - Contact: https://tawk.to/chat/623352fea34c2456412b8c51/1fuc7od6e
 

controllers/auth.go

@@ -69,10 +69,13 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		return
 	}
 
-	if form.Password != "" && user.IsMfaEnabled() {
-		c.setMfaSessionData(&object.MfaSessionData{UserId: userId})
-		resp = &Response{Status: object.NextMfa, Data: user.GetPreferredMfaProps(true)}
-		return
+	// check user's tag
+	if !user.IsGlobalAdmin && !user.IsAdmin && len(application.Tags) > 0 {
+		// only users with the tag that is listed in the application tags can login
+		if !util.InSlice(application.Tags, user.Tag) {
+			c.ResponseError(fmt.Sprintf(c.T("auth:User's tag: %s is not listed in the application's tags"), user.Tag))
+			return
+		}
 	}
 
 	if form.Type == ResponseTypeLogin {
@@ -238,7 +241,7 @@ func isProxyProviderType(providerType string) bool {
 // @Param code_challenge_method   query    string  false code_challenge_method
 // @Param code_challenge          query    string  false code_challenge
 // @Param   form   body   controllers.AuthForm  true        "Login information"
-// @Success 200 {object} Response The Response object
+// @Success 200 {object} controllers.Response The Response object
 // @router /login [post]
 func (c *ApiController) Login() {
 	resp := &Response{}
@@ -344,17 +347,26 @@ func (c *ApiController) Login() {
 				return
 			}
 
-			resp = c.HandleLoggedIn(application, user, &authForm)
-
 			organization, err := object.GetOrganizationByUser(user)
 			if err != nil {
 				c.ResponseError(err.Error())
 			}
 
-			if user != nil && organization.HasRequiredMfa() && !user.IsMfaEnabled() {
-				resp.Msg = object.RequiredMfa
+			if object.IsNeedPromptMfa(organization, user) {
+				// The prompt page needs the user to be signed in
+				c.SetSessionUsername(user.GetId())
+				c.ResponseOk(object.RequiredMfa)
+				return
 			}
 
+			if user.IsMfaEnabled() {
+				c.setMfaUserSession(user.GetId())
+				c.ResponseOk(object.NextMfa, user.GetPreferredMfaProps(true))
+				return
+			}
+
+			resp = c.HandleLoggedIn(application, user, &authForm)
+
 			record := object.NewRecord(c.Ctx)
 			record.Organization = application.Organization
 			record.User = user.Name
@@ -407,15 +419,8 @@ func (c *ApiController) Login() {
 			}
 		} else if provider.Category == "OAuth" {
 			// OAuth
-
-			clientId := provider.ClientId
-			clientSecret := provider.ClientSecret
-			if provider.Type == "WeChat" && strings.Contains(c.Ctx.Request.UserAgent(), "MicroMessenger") {
-				clientId = provider.ClientId2
-				clientSecret = provider.ClientSecret2
-			}
-
-			idProvider := idp.GetIdProvider(provider.Type, provider.SubType, clientId, clientSecret, provider.AppId, authForm.RedirectUri, provider.Domain, provider.CustomAuthUrl, provider.CustomTokenUrl, provider.CustomUserInfoUrl)
+			idpInfo := object.FromProviderToIdpInfo(c.Ctx, provider)
+			idProvider := idp.GetIdProvider(idpInfo, authForm.RedirectUri)
 			if idProvider == nil {
 				c.ResponseError(fmt.Sprintf(c.T("storage:The provider type: %s is not supported"), provider.Type))
 				return
@@ -647,13 +652,16 @@ func (c *ApiController) Login() {
 				resp = &Response{Status: "error", Msg: "Failed to link user account", Data: isLinked}
 			}
 		}
-	} else if c.getMfaSessionData() != nil {
-		mfaSession := c.getMfaSessionData()
-		user, err := object.GetUser(mfaSession.UserId)
+	} else if c.getMfaUserSession() != "" {
+		user, err := object.GetUser(c.getMfaUserSession())
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
+		if user == nil {
+			c.ResponseError("expired user session")
+			return
+		}
 
 		if authForm.Passcode != "" {
 			mfaUtil := object.GetMfaUtil(authForm.MfaType, user.GetPreferredMfaProps(false))
@@ -667,13 +675,15 @@ func (c *ApiController) Login() {
 				c.ResponseError(err.Error())
 				return
 			}
-		}
-		if authForm.RecoveryCode != "" {
+		} else if authForm.RecoveryCode != "" {
 			err = object.MfaRecover(user, authForm.RecoveryCode)
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
 			}
+		} else {
+			c.ResponseError("missing passcode or recovery code")
+			return
 		}
 
 		application, err := object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
@@ -688,6 +698,7 @@ func (c *ApiController) Login() {
 		}
 
 		resp = c.HandleLoggedIn(application, user, &authForm)
+		c.setMfaUserSession("")
 
 		record := object.NewRecord(c.Ctx)
 		record.Organization = application.Organization

controllers/base.go

@@ -178,24 +178,16 @@ func (c *ApiController) SetSessionData(s *SessionData) {
 	c.SetSession("SessionData", util.StructToJson(s))
 }
 
-func (c *ApiController) setMfaSessionData(data *object.MfaSessionData) {
-	if data == nil {
-		c.SetSession(object.MfaSessionUserId, nil)
-		return
-	}
-	c.SetSession(object.MfaSessionUserId, data.UserId)
+func (c *ApiController) setMfaUserSession(userId string) {
+	c.SetSession(object.MfaSessionUserId, userId)
 }
 
-func (c *ApiController) getMfaSessionData() *object.MfaSessionData {
-	userId := c.GetSession(object.MfaSessionUserId)
+func (c *ApiController) getMfaUserSession() string {
+	userId := c.Ctx.Input.CruSession.Get(object.MfaSessionUserId)
 	if userId == nil {
-		return nil
+		return ""
 	}
-
-	data := &object.MfaSessionData{
-		UserId: userId.(string),
-	}
-	return data
+	return userId.(string)
 }
 
 func (c *ApiController) setExpireForSession() {

controllers/mfa.go

@@ -28,7 +28,7 @@ import (
 // @param owner	form	string	true	"owner of user"
 // @param name	form	string	true	"name of user"
 // @param type	form	string	true	"MFA auth type"
-// @Success 200 {object}   The Response object
+// @Success 200 {object} controllers.Response The Response object
 // @router /mfa/setup/initiate [post]
 func (c *ApiController) MfaSetupInitiate() {
 	owner := c.Ctx.Request.Form.Get("owner")

controllers/organization.go

@@ -37,9 +37,19 @@ func (c *ApiController) GetOrganizations() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+	organizationName := c.Input().Get("organizationName")
 
+	isGlobalAdmin := c.IsGlobalAdmin()
 	if limit == "" || page == "" {
-		maskedOrganizations, err := object.GetMaskedOrganizations(object.GetOrganizations(owner))
+		var maskedOrganizations []*object.Organization
+		var err error
+
+		if isGlobalAdmin {
+			maskedOrganizations, err = object.GetMaskedOrganizations(object.GetOrganizations(owner))
+		} else {
+			maskedOrganizations, err = object.GetMaskedOrganizations(object.GetOrganizations(owner, c.getCurrentUser().Owner))
+		}
+
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@@ -48,7 +58,6 @@ func (c *ApiController) GetOrganizations() {
 		c.Data["json"] = maskedOrganizations
 		c.ServeJSON()
 	} else {
-		isGlobalAdmin := c.IsGlobalAdmin()
 		if !isGlobalAdmin {
 			maskedOrganizations, err := object.GetMaskedOrganizations(object.GetOrganizations(owner, c.getCurrentUser().Owner))
 			if err != nil {
@@ -65,7 +74,7 @@ func (c *ApiController) GetOrganizations() {
 			}
 
 			paginator := pagination.SetPaginator(c.Ctx, limit, count)
-			organizations, err := object.GetMaskedOrganizations(object.GetPaginationOrganizations(owner, paginator.Offset(), limit, field, value, sortField, sortOrder))
+			organizations, err := object.GetMaskedOrganizations(object.GetPaginationOrganizations(owner, organizationName, paginator.Offset(), limit, field, value, sortField, sortOrder))
 			if err != nil {
 				c.ResponseError(err.Error())
 				return

controllers/pricing.go

@@ -71,7 +71,7 @@ func (c *ApiController) GetPricings() {
 // @Tag Pricing API
 // @Description get pricing
 // @Param   id     query    string  true        "The id ( owner/name ) of the pricing"
-// @Success 200 {object} object.pricing The Response object
+// @Success 200 {object} object.Pricing The Response object
 // @router /get-pricing [get]
 func (c *ApiController) GetPricing() {
 	id := c.Input().Get("id")

controllers/record.go

@@ -42,6 +42,7 @@ func (c *ApiController) GetRecords() {
 	value := c.Input().Get("value")
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
+	organizationName := c.Input().Get("organizationName")
 
 	if limit == "" || page == "" {
 		records, err := object.GetRecords()
@@ -54,6 +55,9 @@ func (c *ApiController) GetRecords() {
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
+		if c.IsGlobalAdmin() && organizationName != "" {
+			organization = organizationName
+		}
 		filterRecord := &object.Record{Organization: organization}
 		count, err := object.GetRecordCount(field, value, filterRecord)
 		if err != nil {

controllers/resource.go

@@ -207,7 +207,7 @@ func (c *ApiController) UploadResource() {
 	}
 
 	fullFilePath = object.GetTruncatedPath(provider, fullFilePath, 175)
-	if tag != "avatar" && tag != "termsOfUse" {
+	if tag != "avatar" && tag != "termsOfUse" && !strings.HasPrefix(tag, "idCard") {
 		ext := filepath.Ext(filepath.Base(fullFilePath))
 		index := len(fullFilePath) - len(ext)
 		for i := 1; ; i++ {
@@ -294,7 +294,7 @@ func (c *ApiController) UploadResource() {
 			return
 		}
 
-		_, applicationId := util.GetOwnerAndNameFromIdNoCheck(strings.TrimRight(fullFilePath, ".html"))
+		_, applicationId := util.GetOwnerAndNameFromIdNoCheck(strings.TrimSuffix(fullFilePath, ".html"))
 		applicationObj, err := object.GetApplication(applicationId)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -307,6 +307,25 @@ func (c *ApiController) UploadResource() {
 			c.ResponseError(err.Error())
 			return
 		}
+	case "idCardFront", "idCardBack", "idCardWithPerson":
+		user, err := object.GetUserNoCheck(util.GetId(owner, username))
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if user == nil {
+			c.ResponseError(c.T("resource:User is nil for tag: avatar"))
+			return
+		}
+
+		user.Properties[tag] = fileUrl
+		user.Properties["isIdCardVerified"] = "false"
+		_, err = object.UpdateUser(user.GetId(), user, []string{"properties"}, false)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 	}
 
 	c.ResponseOk(fileUrl, objectKey)

controllers/subscription.go

@@ -71,7 +71,7 @@ func (c *ApiController) GetSubscriptions() {
 // @Tag Subscription API
 // @Description get subscription
 // @Param   id     query    string  true        "The id ( owner/name ) of the subscription"
-// @Success 200 {object} object.subscription The Response object
+// @Success 200 {object} object.Subscription The Response object
 // @router /get-subscription [get]
 func (c *ApiController) GetSubscription() {
 	id := c.Input().Get("id")

controllers/token.go

@@ -325,7 +325,7 @@ func (c *ApiController) IntrospectToken() {
 		Sub:       jwtToken.Subject,
 		Aud:       jwtToken.Audience,
 		Iss:       jwtToken.Issuer,
-		Jti:       jwtToken.Id,
+		Jti:       jwtToken.ID,
 	}
 	c.ServeJSON()
 }

controllers/verification.go

@@ -93,10 +93,9 @@ func (c *ApiController) SendVerificationCode() {
 		}
 	}
 
-	// mfaSessionData != nil, means method is MfaAuthVerification
-	if mfaSessionData := c.getMfaSessionData(); mfaSessionData != nil {
-		user, err = object.GetUser(mfaSessionData.UserId)
-		c.setMfaSessionData(nil)
+	// mfaUserSession != "", means method is MfaAuthVerification
+	if mfaUserSession := c.getMfaUserSession(); mfaUserSession != "" {
+		user, err = object.GetUser(mfaUserSession)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@@ -134,6 +133,8 @@ func (c *ApiController) SendVerificationCode() {
 			if user != nil && util.GetMaskedEmail(mfaProps.Secret) == vform.Dest {
 				vform.Dest = mfaProps.Secret
 			}
+		} else if vform.Method == MfaSetupVerification {
+			c.SetSession(object.MfaDestSession, vform.Dest)
 		}
 
 		provider, err := application.GetEmailProvider()
@@ -164,6 +165,11 @@ func (c *ApiController) SendVerificationCode() {
 					vform.CountryCode = user.GetCountryCode(vform.CountryCode)
 				}
 			}
+
+			if vform.Method == MfaSetupVerification {
+				c.SetSession(object.MfaCountryCodeSession, vform.CountryCode)
+				c.SetSession(object.MfaDestSession, vform.Dest)
+			}
 		} else if vform.Method == MfaAuthVerification {
 			mfaProps := user.GetPreferredMfaProps(false)
 			if user != nil && util.GetMaskedPhone(mfaProps.Secret) == vform.Dest {
@@ -187,11 +193,6 @@ func (c *ApiController) SendVerificationCode() {
 		}
 	}
 
-	if vform.Method == MfaSetupVerification {
-		c.SetSession(object.MfaSmsCountryCodeSession, vform.CountryCode)
-		c.SetSession(object.MfaSmsDestSession, vform.Dest)
-	}
-
 	if sendResp != nil {
 		c.ResponseError(sendResp.Error())
 	} else {

controllers/webauthn.go

@@ -66,7 +66,7 @@ func (c *ApiController) WebAuthnSignupBegin() {
 // @Tag User API
 // @Description WebAuthn Registration Flow 2nd stage
 // @Param   body    body   protocol.CredentialCreationResponse  true        "authenticator attestation Response"
-// @Success 200 {object} Response "The Response object"
+// @Success 200 {object} controllers.Response "The Response object"
 // @router /webauthn/signup/finish [post]
 func (c *ApiController) WebAuthnSignupFinish() {
 	webauthnObj, err := object.GetWebAuthnObject(c.Ctx.Request.Host)
@@ -150,7 +150,7 @@ func (c *ApiController) WebAuthnSigninBegin() {
 // @Tag Login API
 // @Description WebAuthn Login Flow 2nd stage
 // @Param   body    body   protocol.CredentialAssertionResponse  true        "authenticator assertion Response"
-// @Success 200 {object} Response "The Response object"
+// @Success 200 {object} controllers.Response "The Response object"
 // @router /webauthn/signin/finish [post]
 func (c *ApiController) WebAuthnSigninFinish() {
 	responseType := c.Input().Get("responseType")

go.mod

@@ -39,6 +39,7 @@ require (
 	github.com/lib/pq v1.10.2
 	github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3
 	github.com/markbates/goth v1.75.2
+	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d // indirect
 	github.com/nyaruka/phonenumbers v1.1.5
 	github.com/pkoukk/tiktoken-go v0.1.1
@@ -49,7 +50,7 @@ require (
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/russellhaering/gosaml2 v0.9.0
 	github.com/russellhaering/goxmldsig v1.2.0
-	github.com/sashabaranov/go-openai v1.9.1
+	github.com/sashabaranov/go-openai v1.12.0
 	github.com/satori/go.uuid v1.2.0
 	github.com/shiena/ansicolor v0.0.0-20200904210342-c7312218db18 // indirect
 	github.com/shirou/gopsutil v3.21.11+incompatible

go.sum

@@ -548,6 +548,8 @@ github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sashabaranov/go-openai v1.9.1 h1:3N52HkJKo9Zlo/oe1AVv5ZkCOny0ra58/ACvAxkN3MM=
 github.com/sashabaranov/go-openai v1.9.1/go.mod h1:lj5b/K+zjTSFxVLijLSTDZuP7adOgerWeFyZLUhAKRg=
+github.com/sashabaranov/go-openai v1.12.0 h1:aRNHH0gtVfrpIaEolD0sWrLLRnYQNK4cH/bIAHwL8Rk=
+github.com/sashabaranov/go-openai v1.12.0/go.mod h1:lj5b/K+zjTSFxVLijLSTDZuP7adOgerWeFyZLUhAKRg=
 github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=

i18n/locales/de/data.json

@@ -18,7 +18,8 @@
     "The login method: login with password is not enabled for the application": "Die Anmeldeart \"Anmeldung mit Passwort\" ist für die Anwendung nicht aktiviert",
     "The provider: %s is not enabled for the application": "Der Anbieter: %s ist nicht für die Anwendung aktiviert",
     "Unauthorized operation": "Nicht autorisierte Operation",
-    "Unknown authentication type (not password or provider), form = %s": "Unbekannter Authentifizierungstyp (nicht Passwort oder Anbieter), Formular = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Unbekannter Authentifizierungstyp (nicht Passwort oder Anbieter), Formular = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
   },
   "cas": {
     "Service %s and %s do not match": "Service %s und %s stimmen nicht überein"

i18n/locales/en/data.json

@@ -18,7 +18,8 @@
     "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
     "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
     "Unauthorized operation": "Unauthorized operation",
-    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
   },
   "cas": {
     "Service %s and %s do not match": "Service %s and %s do not match"

i18n/locales/es/data.json

@@ -18,7 +18,8 @@
     "The login method: login with password is not enabled for the application": "El método de inicio de sesión: inicio de sesión con contraseña no está habilitado para la aplicación",
     "The provider: %s is not enabled for the application": "El proveedor: %s no está habilitado para la aplicación",
     "Unauthorized operation": "Operación no autorizada",
-    "Unknown authentication type (not password or provider), form = %s": "Tipo de autenticación desconocido (no es contraseña o proveedor), formulario = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Tipo de autenticación desconocido (no es contraseña o proveedor), formulario = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
   },
   "cas": {
     "Service %s and %s do not match": "Los servicios %s y %s no coinciden"

i18n/locales/fr/data.json

@@ -18,7 +18,8 @@
     "The login method: login with password is not enabled for the application": "La méthode de connexion : connexion avec mot de passe n'est pas activée pour l'application",
     "The provider: %s is not enabled for the application": "Le fournisseur :%s n'est pas activé pour l'application",
     "Unauthorized operation": "Opération non autorisée",
-    "Unknown authentication type (not password or provider), form = %s": "Type d'authentification inconnu (pas de mot de passe ou de fournisseur), formulaire = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Type d'authentification inconnu (pas de mot de passe ou de fournisseur), formulaire = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
   },
   "cas": {
     "Service %s and %s do not match": "Les services %s et %s ne correspondent pas"

i18n/locales/id/data.json

@@ -18,7 +18,8 @@
     "The login method: login with password is not enabled for the application": "Metode login: login dengan kata sandi tidak diaktifkan untuk aplikasi tersebut",
     "The provider: %s is not enabled for the application": "Penyedia: %s tidak diaktifkan untuk aplikasi ini",
     "Unauthorized operation": "Operasi tidak sah",
-    "Unknown authentication type (not password or provider), form = %s": "Jenis otentikasi tidak diketahui (bukan kata sandi atau pemberi), formulir = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Jenis otentikasi tidak diketahui (bukan kata sandi atau pemberi), formulir = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
   },
   "cas": {
     "Service %s and %s do not match": "Layanan %s dan %s tidak cocok"

i18n/locales/ja/data.json

@@ -18,7 +18,8 @@
     "The login method: login with password is not enabled for the application": "ログイン方法：パスワードでのログインはアプリケーションで有効になっていません",
     "The provider: %s is not enabled for the application": "プロバイダー：%sはアプリケーションでは有効化されていません",
     "Unauthorized operation": "不正操作",
-    "Unknown authentication type (not password or provider), form = %s": "不明な認証タイプ（パスワードまたはプロバイダーではない）フォーム=%s"
+    "Unknown authentication type (not password or provider), form = %s": "不明な認証タイプ（パスワードまたはプロバイダーではない）フォーム=%s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
   },
   "cas": {
     "Service %s and %s do not match": "サービス%sと%sは一致しません"

i18n/locales/ko/data.json

@@ -18,7 +18,8 @@
     "The login method: login with password is not enabled for the application": "어플리케이션에서는 암호를 사용한 로그인 방법이 활성화되어 있지 않습니다",
     "The provider: %s is not enabled for the application": "제공자 %s은(는) 응용 프로그램에서 활성화되어 있지 않습니다",
     "Unauthorized operation": "무단 조작",
-    "Unknown authentication type (not password or provider), form = %s": "알 수 없는 인증 유형(암호 또는 공급자가 아님), 폼 = %s"
+    "Unknown authentication type (not password or provider), form = %s": "알 수 없는 인증 유형(암호 또는 공급자가 아님), 폼 = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
   },
   "cas": {
     "Service %s and %s do not match": "서비스 %s와 %s는 일치하지 않습니다"

i18n/locales/pt/data.json

@@ -18,7 +18,8 @@
     "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
     "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
     "Unauthorized operation": "Unauthorized operation",
-    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
   },
   "cas": {
     "Service %s and %s do not match": "Service %s and %s do not match"

i18n/locales/ru/data.json

@@ -18,7 +18,8 @@
     "The login method: login with password is not enabled for the application": "Метод входа: вход с паролем не включен для приложения",
     "The provider: %s is not enabled for the application": "Провайдер: %s не включен для приложения",
     "Unauthorized operation": "Несанкционированная операция",
-    "Unknown authentication type (not password or provider), form = %s": "Неизвестный тип аутентификации (не пароль и не провайдер), форма = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Неизвестный тип аутентификации (не пароль и не провайдер), форма = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
   },
   "cas": {
     "Service %s and %s do not match": "Сервисы %s и %s не совпадают"

i18n/locales/vi/data.json

@@ -18,7 +18,8 @@
     "The login method: login with password is not enabled for the application": "Phương thức đăng nhập: đăng nhập bằng mật khẩu không được kích hoạt cho ứng dụng",
     "The provider: %s is not enabled for the application": "Nhà cung cấp: %s không được kích hoạt cho ứng dụng",
     "Unauthorized operation": "Hoạt động không được ủy quyền",
-    "Unknown authentication type (not password or provider), form = %s": "Loại xác thực không xác định (không phải mật khẩu hoặc nhà cung cấp), biểu mẫu = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Loại xác thực không xác định (không phải mật khẩu hoặc nhà cung cấp), biểu mẫu = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
   },
   "cas": {
     "Service %s and %s do not match": "Dịch sang tiếng Việt: Dịch vụ %s và %s không khớp"

i18n/locales/zh/data.json

@@ -18,7 +18,8 @@
     "The login method: login with password is not enabled for the application": "该应用禁止采用密码登录方式",
     "The provider: %s is not enabled for the application": "该应用的提供商: %s未被启用",
     "Unauthorized operation": "未授权的操作",
-    "Unknown authentication type (not password or provider), form = %s": "未知的认证类型（非密码或第三方提供商）：%s"
+    "Unknown authentication type (not password or provider), form = %s": "未知的认证类型（非密码或第三方提供商）：%s",
+    "User's tag: %s is not listed in the application's tags": "用户的标签: %s不在该应用的标签列表中"
   },
   "cas": {
     "Service %s and %s do not match": "服务%s与%s不匹配"

idp/custom.go

@@ -20,32 +20,37 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	_ "net/url"
-	_ "time"
 
+	"github.com/casdoor/casdoor/util"
+	"github.com/mitchellh/mapstructure"
 	"golang.org/x/oauth2"
 )
 
 type CustomIdProvider struct {
-	Client      *http.Client
-	Config      *oauth2.Config
-	UserInfoUrl string
+	Client *http.Client
+	Config *oauth2.Config
+
+	UserInfoURL string
+	TokenURL    string
+	AuthURL     string
+	UserMapping map[string]string
+	Scopes      []string
 }
 
-func NewCustomIdProvider(clientId string, clientSecret string, redirectUrl string, authUrl string, tokenUrl string, userInfoUrl string) *CustomIdProvider {
+func NewCustomIdProvider(idpInfo *ProviderInfo, redirectUrl string) *CustomIdProvider {
 	idp := &CustomIdProvider{}
-	idp.UserInfoUrl = userInfoUrl
 
-	config := &oauth2.Config{
-		ClientID:     clientId,
-		ClientSecret: clientSecret,
+	idp.Config = &oauth2.Config{
+		ClientID:     idpInfo.ClientId,
+		ClientSecret: idpInfo.ClientSecret,
 		RedirectURL:  redirectUrl,
 		Endpoint: oauth2.Endpoint{
-			AuthURL:  authUrl,
-			TokenURL: tokenUrl,
+			AuthURL:  idpInfo.AuthURL,
+			TokenURL: idpInfo.TokenURL,
 		},
 	}
-	idp.Config = config
+	idp.UserInfoURL = idpInfo.UserInfoURL
+	idp.UserMapping = idpInfo.UserMapping
 
 	return idp
 }
@@ -60,22 +65,20 @@ func (idp *CustomIdProvider) GetToken(code string) (*oauth2.Token, error) {
 }
 
 type CustomUserInfo struct {
-	Id          string `json:"sub"`
-	Name        string `json:"preferred_username,omitempty"`
-	DisplayName string `json:"name"`
-	Email       string `json:"email"`
-	AvatarUrl   string `json:"picture"`
-	Status      string `json:"status"`
-	Msg         string `json:"msg"`
+	Id          string `mapstructure:"id"`
+	Username    string `mapstructure:"username"`
+	DisplayName string `mapstructure:"displayName"`
+	Email       string `mapstructure:"email"`
+	AvatarUrl   string `mapstructure:"avatarUrl"`
 }
 
 func (idp *CustomIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
-	ctUserinfo := &CustomUserInfo{}
 	accessToken := token.AccessToken
-	request, err := http.NewRequest("GET", idp.UserInfoUrl, nil)
+	request, err := http.NewRequest("GET", idp.UserInfoURL, nil)
 	if err != nil {
 		return nil, err
 	}
+
 	// add accessToken to request header
 	request.Header.Add("Authorization", fmt.Sprintf("Bearer %s", accessToken))
 	resp, err := idp.Client.Do(request)
@@ -89,21 +92,40 @@ func (idp *CustomIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 		return nil, err
 	}
 
-	err = json.Unmarshal(data, ctUserinfo)
+	var dataMap map[string]interface{}
+	err = json.Unmarshal(data, &dataMap)
 	if err != nil {
 		return nil, err
 	}
 
-	if ctUserinfo.Status != "" {
-		return nil, fmt.Errorf("err: %s", ctUserinfo.Msg)
+	// map user info
+	for k, v := range idp.UserMapping {
+		_, ok := dataMap[v]
+		if !ok {
+			return nil, fmt.Errorf("cannot find %s in user from castom provider", v)
+		}
+		dataMap[k] = dataMap[v]
+	}
+
+	// try to parse id to string
+	id, err := util.ParseIdToString(dataMap["id"])
+	if err != nil {
+		return nil, err
+	}
+	dataMap["id"] = id
+
+	customUserinfo := &CustomUserInfo{}
+	err = mapstructure.Decode(dataMap, customUserinfo)
+	if err != nil {
+		return nil, err
 	}
 
 	userInfo := &UserInfo{
-		Id:          ctUserinfo.Id,
-		Username:    ctUserinfo.Name,
-		DisplayName: ctUserinfo.DisplayName,
-		Email:       ctUserinfo.Email,
-		AvatarUrl:   ctUserinfo.AvatarUrl,
+		Id:          customUserinfo.Id,
+		Username:    customUserinfo.Username,
+		DisplayName: customUserinfo.DisplayName,
+		Email:       customUserinfo.Email,
+		AvatarUrl:   customUserinfo.AvatarUrl,
 	}
 	return userInfo, nil
 }

idp/provider.go

@@ -32,72 +32,89 @@ type UserInfo struct {
 	AvatarUrl   string
 }
 
+type ProviderInfo struct {
+	Type         string
+	SubType      string
+	ClientId     string
+	ClientSecret string
+	AppId        string
+	HostUrl      string
+	RedirectUrl  string
+
+	TokenURL    string
+	AuthURL     string
+	UserInfoURL string
+	UserMapping map[string]string
+}
+
 type IdProvider interface {
 	SetHttpClient(client *http.Client)
 	GetToken(code string) (*oauth2.Token, error)
 	GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 }
 
-func GetIdProvider(typ string, subType string, clientId string, clientSecret string, appId string, redirectUrl string, hostUrl string, authUrl string, tokenUrl string, userInfoUrl string) IdProvider {
-	if typ == "GitHub" {
-		return NewGithubIdProvider(clientId, clientSecret, redirectUrl)
-	} else if typ == "Google" {
-		return NewGoogleIdProvider(clientId, clientSecret, redirectUrl)
-	} else if typ == "QQ" {
-		return NewQqIdProvider(clientId, clientSecret, redirectUrl)
-	} else if typ == "WeChat" {
-		return NewWeChatIdProvider(clientId, clientSecret, redirectUrl)
-	} else if typ == "Facebook" {
-		return NewFacebookIdProvider(clientId, clientSecret, redirectUrl)
-	} else if typ == "DingTalk" {
-		return NewDingTalkIdProvider(clientId, clientSecret, redirectUrl)
-	} else if typ == "Weibo" {
-		return NewWeiBoIdProvider(clientId, clientSecret, redirectUrl)
-	} else if typ == "Gitee" {
-		return NewGiteeIdProvider(clientId, clientSecret, redirectUrl)
-	} else if typ == "LinkedIn" {
-		return NewLinkedInIdProvider(clientId, clientSecret, redirectUrl)
-	} else if typ == "WeCom" {
-		if subType == "Internal" {
-			return NewWeComInternalIdProvider(clientId, clientSecret, redirectUrl)
-		} else if subType == "Third-party" {
-			return NewWeComIdProvider(clientId, clientSecret, redirectUrl)
+func GetIdProvider(idpInfo *ProviderInfo, redirectUrl string) IdProvider {
+	switch idpInfo.Type {
+	case "GitHub":
+		return NewGithubIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+	case "Google":
+		return NewGoogleIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+	case "QQ":
+		return NewQqIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+	case "WeChat":
+		return NewWeChatIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+	case "Facebook":
+		return NewFacebookIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+	case "DingTalk":
+		return NewDingTalkIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+	case "Weibo":
+		return NewWeiBoIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+	case "Gitee":
+		return NewGiteeIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+	case "LinkedIn":
+		return NewLinkedInIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+	case "WeCom":
+		if idpInfo.SubType == "Internal" {
+			return NewWeComInternalIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		} else if idpInfo.SubType == "Third-party" {
+			return NewWeComIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
 		} else {
 			return nil
 		}
-	} else if typ == "Lark" {
-		return NewLarkIdProvider(clientId, clientSecret, redirectUrl)
-	} else if typ == "GitLab" {
-		return NewGitlabIdProvider(clientId, clientSecret, redirectUrl)
-	} else if typ == "Adfs" {
-		return NewAdfsIdProvider(clientId, clientSecret, redirectUrl, hostUrl)
-	} else if typ == "Baidu" {
-		return NewBaiduIdProvider(clientId, clientSecret, redirectUrl)
-	} else if typ == "Alipay" {
-		return NewAlipayIdProvider(clientId, clientSecret, redirectUrl)
-	} else if typ == "Custom" {
-		return NewCustomIdProvider(clientId, clientSecret, redirectUrl, authUrl, tokenUrl, userInfoUrl)
-	} else if typ == "Infoflow" {
-		if subType == "Internal" {
-			return NewInfoflowInternalIdProvider(clientId, clientSecret, appId, redirectUrl)
-		} else if subType == "Third-party" {
-			return NewInfoflowIdProvider(clientId, clientSecret, appId, redirectUrl)
+	case "Lark":
+		return NewLarkIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+	case "GitLab":
+		return NewGitlabIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+	case "Adfs":
+		return NewAdfsIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.HostUrl)
+	case "Baidu":
+		return NewBaiduIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+	case "Alipay":
+		return NewAlipayIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+	case "Custom":
+		return NewCustomIdProvider(idpInfo, redirectUrl)
+	case "Infoflow":
+		if idpInfo.SubType == "Internal" {
+			return NewInfoflowInternalIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, idpInfo.AppId, redirectUrl)
+		} else if idpInfo.SubType == "Third-party" {
+			return NewInfoflowIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, idpInfo.AppId, redirectUrl)
 		} else {
 			return nil
 		}
-	} else if typ == "Casdoor" {
-		return NewCasdoorIdProvider(clientId, clientSecret, redirectUrl, hostUrl)
-	} else if typ == "Okta" {
-		return NewOktaIdProvider(clientId, clientSecret, redirectUrl, hostUrl)
-	} else if typ == "Douyin" {
-		return NewDouyinIdProvider(clientId, clientSecret, redirectUrl)
-	} else if isGothSupport(typ) {
-		return NewGothIdProvider(typ, clientId, clientSecret, redirectUrl, hostUrl)
-	} else if typ == "Bilibili" {
-		return NewBilibiliIdProvider(clientId, clientSecret, redirectUrl)
+	case "Casdoor":
+		return NewCasdoorIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.HostUrl)
+	case "Okta":
+		return NewOktaIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.HostUrl)
+	case "Douyin":
+		return NewDouyinIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+	case "Bilibili":
+		return NewBilibiliIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+	default:
+		if isGothSupport(idpInfo.Type) {
+			return NewGothIdProvider(idpInfo.Type, idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.HostUrl)
+		}
+		return nil
 	}
-
-	return nil
 }
 
 var gothList = []string{

idp/wechat.go

@@ -198,12 +198,22 @@ func (idp *WeChatIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 func GetWechatOfficialAccountAccessToken(clientId string, clientSecret string) (string, error) {
 	accessTokenUrl := fmt.Sprintf("https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=%s&secret=%s", clientId, clientSecret)
 	request, err := http.NewRequest("GET", accessTokenUrl, nil)
+	if err != nil {
+		return "", err
+	}
+
 	client := new(http.Client)
 	resp, err := client.Do(request)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
 	respBytes, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return "", err
 	}
+
 	var data struct {
 		ExpireIn    int    `json:"expires_in"`
 		AccessToken string `json:"access_token"`
@@ -212,20 +222,30 @@ func GetWechatOfficialAccountAccessToken(clientId string, clientSecret string) (
 	if err != nil {
 		return "", err
 	}
+
 	return data.AccessToken, nil
 }
 
 func GetWechatOfficialAccountQRCode(clientId string, clientSecret string) (string, error) {
 	accessToken, err := GetWechatOfficialAccountAccessToken(clientId, clientSecret)
 	client := new(http.Client)
-	params := "{\"action_name\": \"QR_LIMIT_STR_SCENE\", \"action_info\": {\"scene\": {\"scene_str\": \"test\"}}}"
+
+	weChatEndpoint := "https://api.weixin.qq.com/cgi-bin/qrcode/create"
+	qrCodeUrl := fmt.Sprintf("%s?access_token=%s", weChatEndpoint, accessToken)
+	params := `{"action_name": "QR_LIMIT_STR_SCENE", "action_info": {"scene": {"scene_str": "test"}}}`
+
 	bodyData := bytes.NewReader([]byte(params))
-	qrCodeUrl := fmt.Sprintf("https://api.weixin.qq.com/cgi-bin/qrcode/create?access_token=%s", accessToken)
 	requeset, err := http.NewRequest("POST", qrCodeUrl, bodyData)
+	if err != nil {
+		return "", err
+	}
+
 	resp, err := client.Do(requeset)
 	if err != nil {
 		return "", err
 	}
+	defer resp.Body.Close()
+
 	respBytes, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return "", err

object/adapter.go

@@ -275,7 +275,7 @@ func GetSession(owner string, offset, limit int, field, value, sortField, sortOr
 		session = session.And("owner=?", owner)
 	}
 	if field != "" && value != "" {
-		if filterField(field) {
+		if util.FilterField(field) {
 			session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
 		}
 	}
@@ -303,7 +303,7 @@ func GetSessionForUser(owner string, offset, limit int, field, value, sortField,
 		}
 	}
 	if field != "" && value != "" {
-		if filterField(field) {
+		if util.FilterField(field) {
 			if offset != -1 {
 				field = fmt.Sprintf("a.%s", field)
 			}

object/application.go

@@ -57,6 +57,7 @@ type Application struct {
 	SignupItems         []*SignupItem   `xorm:"varchar(1000)" json:"signupItems"`
 	GrantTypes          []string        `xorm:"varchar(1000)" json:"grantTypes"`
 	OrganizationObj     *Organization   `xorm:"-" json:"organizationObj"`
+	Tags                []string        `xorm:"mediumtext" json:"tags"`
 
 	ClientId             string     `xorm:"varchar(100)" json:"clientId"`
 	ClientSecret         string     `xorm:"varchar(100)" json:"clientSecret"`

object/check.go

@@ -16,7 +16,6 @@ package object
 
 import (
 	"fmt"
-	"regexp"
 	"strings"
 	"time"
 	"unicode"
@@ -28,21 +27,11 @@ import (
 	goldap "github.com/go-ldap/ldap/v3"
 )
 
-var (
-	reWhiteSpace     *regexp.Regexp
-	reFieldWhiteList *regexp.Regexp
-)
-
 const (
 	SigninWrongTimesLimit     = 5
 	LastSignWrongTimeDuration = time.Minute * 15
 )
 
-func init() {
-	reWhiteSpace, _ = regexp.Compile(`\s`)
-	reFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
-}
-
 func CheckUserSignup(application *Application, organization *Organization, form *form.AuthForm, lang string) string {
 	if organization == nil {
 		return i18n.Translate(lang, "check:Organization does not exist")
@@ -58,7 +47,7 @@ func CheckUserSignup(application *Application, organization *Organization, form
 		if util.IsEmailValid(form.Username) {
 			return i18n.Translate(lang, "check:Username cannot be an email address")
 		}
-		if reWhiteSpace.MatchString(form.Username) {
+		if util.ReWhiteSpace.MatchString(form.Username) {
 			return i18n.Translate(lang, "check:Username cannot contain white spaces")
 		}
 
@@ -294,10 +283,6 @@ func CheckUserPassword(organization string, username string, password string, la
 	return user, ""
 }
 
-func filterField(field string) bool {
-	return reFieldWhiteList.MatchString(field)
-}
-
 func CheckUserPermission(requestUserId, userId string, strict bool, lang string) (bool, error) {
 	if requestUserId == "" {
 		return false, fmt.Errorf(i18n.Translate(lang, "general:Please login first"))
@@ -397,8 +382,8 @@ func CheckUsername(username string, lang string) string {
 	}
 
 	// https://stackoverflow.com/questions/58726546/github-username-convention-using-regex
-	re, _ := regexp.Compile("^[a-zA-Z0-9]+((?:-[a-zA-Z0-9]+)|(?:_[a-zA-Z0-9]+))*$")
-	if !re.MatchString(username) {
+
+	if !util.ReUserName.MatchString(username) {
 		return i18n.Translate(lang, "check:The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.")
 	}
 

object/init.go

@@ -93,7 +93,7 @@ func initBuiltInOrganization() bool {
 		Favicon:            fmt.Sprintf("%s/img/casbin/favicon.ico", conf.GetConfigString("staticBaseUrl")),
 		PasswordType:       "plain",
 		PasswordOptions:    []string{"AtLeast6"},
-		CountryCodes:       []string{"US", "ES", "CN", "FR", "DE", "GB", "JP", "KR", "VN", "ID", "SG", "IN"},
+		CountryCodes:       []string{"US", "ES", "FR", "DE", "GB", "CN", "JP", "KR", "VN", "ID", "SG", "IN"},
 		DefaultAvatar:      fmt.Sprintf("%s/img/casbin.svg", conf.GetConfigString("staticBaseUrl")),
 		Tags:               []string{},
 		Languages:          []string{"en", "zh", "es", "fr", "de", "id", "ja", "ko", "ru", "vi", "pt"},
@@ -130,7 +130,7 @@ func initBuiltInUser() {
 		Avatar:            fmt.Sprintf("%s/img/casbin.svg", conf.GetConfigString("staticBaseUrl")),
 		Email:             "admin@example.com",
 		Phone:             "12345678910",
-		CountryCode:       "CN",
+		CountryCode:       "US",
 		Address:           []string{},
 		Affiliation:       "Example Inc.",
 		Tag:               "staff",
@@ -184,6 +184,7 @@ func initBuiltInApplication() {
 			{Name: "Phone", Visible: true, Required: true, Prompted: false, Rule: "None"},
 			{Name: "Agreement", Visible: true, Required: true, Prompted: false, Rule: "None"},
 		},
+		Tags:          []string{},
 		RedirectUris:  []string{},
 		ExpireInHours: 168,
 		FormOffset:    2,

object/init_data.go

@@ -145,6 +145,9 @@ func readInitDataFromFile(filePath string) (*InitData, error) {
 		if application.RedirectUris == nil {
 			application.RedirectUris = []string{}
 		}
+		if application.Tags == nil {
+			application.Tags = []string{}
+		}
 	}
 	for _, permission := range data.Permissions {
 		if permission.Actions == nil {

object/mfa.go

@@ -24,10 +24,6 @@ import (
 
 const MfaRecoveryCodesSession = "mfa_recovery_codes"
 
-type MfaSessionData struct {
-	UserId string
-}
-
 type MfaProps struct {
 	Enabled       bool     `json:"enabled"`
 	IsPreferred   bool     `json:"isPreferred"`

object/mfa_sms.go

@@ -24,8 +24,8 @@ import (
 )
 
 const (
-	MfaSmsCountryCodeSession = "mfa_country_code"
-	MfaSmsDestSession        = "mfa_dest"
+	MfaCountryCodeSession = "mfa_country_code"
+	MfaDestSession        = "mfa_dest"
 )
 
 type SmsMfa struct {
@@ -48,9 +48,19 @@ func (mfa *SmsMfa) Initiate(ctx *context.Context, userId string) (*MfaProps, err
 }
 
 func (mfa *SmsMfa) SetupVerify(ctx *context.Context, passCode string) error {
-	dest := ctx.Input.CruSession.Get(MfaSmsDestSession).(string)
-	countryCode := ctx.Input.CruSession.Get(MfaSmsCountryCodeSession).(string)
+	destSession := ctx.Input.CruSession.Get(MfaDestSession)
+	if destSession == nil {
+		return errors.New("dest session is missing")
+	}
+	dest := destSession.(string)
+
 	if !util.IsEmailValid(dest) {
+		countryCodeSession := ctx.Input.CruSession.Get(MfaCountryCodeSession)
+		if countryCodeSession == nil {
+			return errors.New("country code is missing")
+		}
+		countryCode := countryCodeSession.(string)
+
 		dest, _ = util.GetE164Number(dest, countryCode)
 	}
 
@@ -78,8 +88,8 @@ func (mfa *SmsMfa) Enable(ctx *context.Context, user *User) error {
 		columns = append(columns, "mfa_phone_enabled")
 
 		if user.Phone == "" {
-			user.Phone = ctx.Input.CruSession.Get(MfaSmsDestSession).(string)
-			user.CountryCode = ctx.Input.CruSession.Get(MfaSmsCountryCodeSession).(string)
+			user.Phone = ctx.Input.CruSession.Get(MfaDestSession).(string)
+			user.CountryCode = ctx.Input.CruSession.Get(MfaCountryCodeSession).(string)
 			columns = append(columns, "phone", "country_code")
 		}
 	} else if mfa.Config.MfaType == EmailType {
@@ -87,7 +97,7 @@ func (mfa *SmsMfa) Enable(ctx *context.Context, user *User) error {
 		columns = append(columns, "mfa_email_enabled")
 
 		if user.Email == "" {
-			user.Email = ctx.Input.CruSession.Get(MfaSmsDestSession).(string)
+			user.Email = ctx.Input.CruSession.Get(MfaDestSession).(string)
 			columns = append(columns, "email")
 		}
 	}
@@ -96,6 +106,11 @@ func (mfa *SmsMfa) Enable(ctx *context.Context, user *User) error {
 	if err != nil {
 		return err
 	}
+
+	ctx.Input.CruSession.Delete(MfaRecoveryCodesSession)
+	ctx.Input.CruSession.Delete(MfaDestSession)
+	ctx.Input.CruSession.Delete(MfaCountryCodeSession)
+
 	return nil
 }
 

object/mfa_totp.go

@@ -72,8 +72,11 @@ func (mfa *TotpMfa) Initiate(ctx *context.Context, userId string) (*MfaProps, er
 }
 
 func (mfa *TotpMfa) SetupVerify(ctx *context.Context, passcode string) error {
-	secret := ctx.Input.CruSession.Get(MfaTotpSecretSession).(string)
-	result := totp.Validate(passcode, secret)
+	secret := ctx.Input.CruSession.Get(MfaTotpSecretSession)
+	if secret == nil {
+		return errors.New("totp secret is missing")
+	}
+	result := totp.Validate(passcode, secret.(string))
 
 	if result {
 		return nil
@@ -104,6 +107,10 @@ func (mfa *TotpMfa) Enable(ctx *context.Context, user *User) error {
 	if err != nil {
 		return err
 	}
+
+	ctx.Input.CruSession.Delete(MfaRecoveryCodesSession)
+	ctx.Input.CruSession.Delete(MfaTotpSecretSession)
+
 	return nil
 }
 

object/oidc_discovery.go

@@ -65,10 +65,13 @@ func getOriginFromHost(host string) (string, string) {
 		return origin, origin
 	}
 
+	// "door.casdoor.com"
 	protocol := "https://"
-	if strings.HasPrefix(host, "localhost") {
+	if !strings.Contains(host, ".") {
+		// "localhost:8000" or "computer-name:80"
 		protocol = "http://"
 	} else if isIpAddress(host) {
+		// "192.168.0.10"
 		protocol = "http://"
 	}
 

object/organization.go

@@ -69,7 +69,7 @@ type Organization struct {
 	IsProfilePublic    bool       `json:"isProfilePublic"`
 
 	MfaItems     []*MfaItem     `xorm:"varchar(300)" json:"mfaItems"`
-	AccountItems []*AccountItem `xorm:"varchar(3000)" json:"accountItems"`
+	AccountItems []*AccountItem `xorm:"varchar(5000)" json:"accountItems"`
 }
 
 func GetOrganizationCount(owner, field, value string) (int64, error) {
@@ -104,10 +104,15 @@ func GetOrganizationsByFields(owner string, fields ...string) ([]*Organization,
 	return organizations, nil
 }
 
-func GetPaginationOrganizations(owner string, offset, limit int, field, value, sortField, sortOrder string) ([]*Organization, error) {
+func GetPaginationOrganizations(owner string, name string, offset, limit int, field, value, sortField, sortOrder string) ([]*Organization, error) {
 	organizations := []*Organization{}
 	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
-	err := session.Find(&organizations)
+	var err error
+	if name != "" {
+		err = session.Find(&organizations, &Organization{Name: name})
+	} else {
+		err = session.Find(&organizations)
+	}
 	if err != nil {
 		return nil, err
 	}
@@ -231,6 +236,10 @@ func DeleteOrganization(organization *Organization) (bool, error) {
 }
 
 func GetOrganizationByUser(user *User) (*Organization, error) {
+	if user == nil {
+		return nil, nil
+	}
+
 	return getOrganization("admin", user.Owner)
 }
 
@@ -467,10 +476,21 @@ func organizationChangeTrigger(oldName string, newName string) error {
 	return session.Commit()
 }
 
-func (org *Organization) HasRequiredMfa() bool {
+func IsNeedPromptMfa(org *Organization, user *User) bool {
+	if org == nil || user == nil {
+		return false
+	}
 	for _, item := range org.MfaItems {
 		if item.Rule == "Required" {
-			return true
+			if item.Name == EmailType && !user.MfaEmailEnabled {
+				return true
+			}
+			if item.Name == SmsType && !user.MfaPhoneEnabled {
+				return true
+			}
+			if item.Name == TotpType && user.TotpSecret == "" {
+				return true
+			}
 		}
 	}
 	return false

object/provider.go

@@ -16,8 +16,11 @@ package object
 
 import (
 	"fmt"
+	"strings"
 
+	"github.com/beego/beego/context"
 	"github.com/casdoor/casdoor/i18n"
+	"github.com/casdoor/casdoor/idp"
 	"github.com/casdoor/casdoor/pp"
 	"github.com/casdoor/casdoor/util"
 	"github.com/xorm-io/core"
@@ -28,21 +31,22 @@ type Provider struct {
 	Name        string `xorm:"varchar(100) notnull pk unique" json:"name"`
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
 
-	DisplayName       string `xorm:"varchar(100)" json:"displayName"`
-	Category          string `xorm:"varchar(100)" json:"category"`
-	Type              string `xorm:"varchar(100)" json:"type"`
-	SubType           string `xorm:"varchar(100)" json:"subType"`
-	Method            string `xorm:"varchar(100)" json:"method"`
-	ClientId          string `xorm:"varchar(100)" json:"clientId"`
-	ClientSecret      string `xorm:"varchar(2000)" json:"clientSecret"`
-	ClientId2         string `xorm:"varchar(100)" json:"clientId2"`
-	ClientSecret2     string `xorm:"varchar(100)" json:"clientSecret2"`
-	Cert              string `xorm:"varchar(100)" json:"cert"`
-	CustomAuthUrl     string `xorm:"varchar(200)" json:"customAuthUrl"`
-	CustomScope       string `xorm:"varchar(200)" json:"customScope"`
-	CustomTokenUrl    string `xorm:"varchar(200)" json:"customTokenUrl"`
-	CustomUserInfoUrl string `xorm:"varchar(200)" json:"customUserInfoUrl"`
-	CustomLogo        string `xorm:"varchar(200)" json:"customLogo"`
+	DisplayName       string            `xorm:"varchar(100)" json:"displayName"`
+	Category          string            `xorm:"varchar(100)" json:"category"`
+	Type              string            `xorm:"varchar(100)" json:"type"`
+	SubType           string            `xorm:"varchar(100)" json:"subType"`
+	Method            string            `xorm:"varchar(100)" json:"method"`
+	ClientId          string            `xorm:"varchar(100)" json:"clientId"`
+	ClientSecret      string            `xorm:"varchar(2000)" json:"clientSecret"`
+	ClientId2         string            `xorm:"varchar(100)" json:"clientId2"`
+	ClientSecret2     string            `xorm:"varchar(100)" json:"clientSecret2"`
+	Cert              string            `xorm:"varchar(100)" json:"cert"`
+	CustomAuthUrl     string            `xorm:"varchar(200)" json:"customAuthUrl"`
+	CustomTokenUrl    string            `xorm:"varchar(200)" json:"customTokenUrl"`
+	CustomUserInfoUrl string            `xorm:"varchar(200)" json:"customUserInfoUrl"`
+	CustomLogo        string            `xorm:"varchar(200)" json:"customLogo"`
+	Scopes            string            `xorm:"varchar(100)" json:"scopes"`
+	UserMapping       map[string]string `xorm:"varchar(500)" json:"userMapping"`
 
 	Host       string `xorm:"varchar(100)" json:"host"`
 	Port       int    `json:"port"`
@@ -365,3 +369,27 @@ func providerChangeTrigger(oldName string, newName string) error {
 
 	return session.Commit()
 }
+
+func FromProviderToIdpInfo(ctx *context.Context, provider *Provider) *idp.ProviderInfo {
+	providerInfo := &idp.ProviderInfo{
+		Type:         provider.Type,
+		SubType:      provider.SubType,
+		ClientId:     provider.ClientId,
+		ClientSecret: provider.ClientSecret,
+		AppId:        provider.AppId,
+		HostUrl:      provider.Host,
+		TokenURL:     provider.CustomTokenUrl,
+		AuthURL:      provider.CustomAuthUrl,
+		UserInfoURL:  provider.CustomUserInfoUrl,
+		UserMapping:  provider.UserMapping,
+	}
+
+	if provider.Type == "WeChat" {
+		if ctx != nil && strings.Contains(ctx.Request.UserAgent(), "MicroMessenger") {
+			providerInfo.ClientId = provider.ClientId2
+			providerInfo.ClientSecret = provider.ClientSecret2
+		}
+	}
+
+	return providerInfo
+}

object/user.go

@@ -160,8 +160,8 @@ type User struct {
 
 	WebauthnCredentials []webauthn.Credential `xorm:"webauthnCredentials blob" json:"webauthnCredentials"`
 	PreferredMfaType    string                `xorm:"varchar(100)" json:"preferredMfaType"`
-	RecoveryCodes       []string              `xorm:"varchar(1000)" json:"recoveryCodes,omitempty"`
-	TotpSecret          string                `xorm:"varchar(100)" json:"totpSecret,omitempty"`
+	RecoveryCodes       []string              `xorm:"varchar(1000)" json:"recoveryCodes"`
+	TotpSecret          string                `xorm:"varchar(100)" json:"totpSecret"`
 	MfaPhoneEnabled     bool                  `json:"mfaPhoneEnabled"`
 	MfaEmailEnabled     bool                  `json:"mfaEmailEnabled"`
 	MultiFactorAuths    []*MfaProps           `xorm:"-" json:"multiFactorAuths,omitempty"`
@@ -832,11 +832,14 @@ func userChangeTrigger(oldName string, newName string) error {
 }
 
 func (user *User) IsMfaEnabled() bool {
+	if user == nil {
+		return false
+	}
 	return user.PreferredMfaType != ""
 }
 
 func (user *User) GetPreferredMfaProps(masked bool) *MfaProps {
-	if user.PreferredMfaType == "" {
+	if user == nil || user.PreferredMfaType == "" {
 		return nil
 	}
 	return user.GetMfaProps(user.PreferredMfaType, masked)

routers/static_filter.go

@@ -55,7 +55,7 @@ func StaticFilter(ctx *context.Context) {
 		path += urlPath
 	}
 
-	path2 := strings.TrimLeft(path, "web/build/images/")
+	path2 := strings.TrimPrefix(path, "web/build/images/")
 	if util.FileExist(path2) {
 		makeGzipResponse(ctx.ResponseWriter, ctx.Request, path2)
 		return

swagger/swagger.json

@@ -43,6 +43,34 @@
                 }
             }
         },
+        "/api/add-adapter": {
+            "post": {
+                "tags": [
+                    "Adapter API"
+                ],
+                "description": "add adapter",
+                "operationId": "ApiController.AddCasbinAdapter",
+                "parameters": [
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The details of the adapter",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.Adapter"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
         "/api/add-application": {
             "post": {
                 "tags": [
@@ -127,6 +155,34 @@
                 }
             }
         },
+        "/api/add-group": {
+            "post": {
+                "tags": [
+                    "Group API"
+                ],
+                "description": "add group",
+                "operationId": "ApiController.AddGroup",
+                "parameters": [
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The details of the group",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.Group"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
         "/api/add-ldap": {
             "post": {
                 "tags": [
@@ -599,6 +655,14 @@
                 }
             }
         },
+        "/api/add-user-keys": {
+            "post": {
+                "tags": [
+                    "User API"
+                ],
+                "operationId": "ApiController.AddUserkeys"
+            }
+        },
         "/api/add-webhook": {
             "post": {
                 "tags": [
@@ -782,13 +846,13 @@
                 "tags": [
                     "Enforce API"
                 ],
-                "description": "perform enforce",
+                "description": "Call Casbin BatchEnforce API",
                 "operationId": "ApiController.BatchEnforce",
                 "parameters": [
                     {
                         "in": "body",
                         "name": "body",
-                        "description": "casbin request array",
+                        "description": "array of casbin requests",
                         "required": true,
                         "schema": {
                             "$ref": "#/definitions/object.CasbinRequest"
@@ -858,6 +922,34 @@
                 "operationId": "ApiController.CheckUserPassword"
             }
         },
+        "/api/delete-adapter": {
+            "post": {
+                "tags": [
+                    "Adapter API"
+                ],
+                "description": "delete adapter",
+                "operationId": "ApiController.DeleteCasbinAdapter",
+                "parameters": [
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The details of the adapter",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.Adapter"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
         "/api/delete-application": {
             "post": {
                 "tags": [
@@ -942,6 +1034,34 @@
                 }
             }
         },
+        "/api/delete-group": {
+            "post": {
+                "tags": [
+                    "Group API"
+                ],
+                "description": "delete group",
+                "operationId": "ApiController.DeleteGroup",
+                "parameters": [
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The details of the group",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.Group"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
         "/api/delete-ldap": {
             "post": {
                 "tags": [
@@ -1429,13 +1549,13 @@
                 "tags": [
                     "Enforce API"
                 ],
-                "description": "perform enforce",
+                "description": "Call Casbin Enforce API",
                 "operationId": "ApiController.Enforce",
                 "parameters": [
                     {
                         "in": "body",
                         "name": "body",
-                        "description": "casbin request",
+                        "description": "Casbin request",
                         "required": true,
                         "schema": {
                             "$ref": "#/definitions/object.CasbinRequest"
@@ -1487,6 +1607,61 @@
                 }
             }
         },
+        "/api/get-adapter": {
+            "get": {
+                "tags": [
+                    "Adapter API"
+                ],
+                "description": "get adapter",
+                "operationId": "ApiController.GetCasbinAdapter",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "id",
+                        "description": "The id ( owner/name ) of the adapter",
+                        "required": true,
+                        "type": "string"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/object.Adapter"
+                        }
+                    }
+                }
+            }
+        },
+        "/api/get-adapters": {
+            "get": {
+                "tags": [
+                    "Adapter API"
+                ],
+                "description": "get adapters",
+                "operationId": "ApiController.GetCasbinAdapters",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "owner",
+                        "description": "The owner of adapters",
+                        "required": true,
+                        "type": "string"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/object.Adapter"
+                            }
+                        }
+                    }
+                }
+            }
+        },
         "/api/get-app-login": {
             "get": {
                 "tags": [
@@ -1825,6 +2000,61 @@
                 }
             }
         },
+        "/api/get-group": {
+            "get": {
+                "tags": [
+                    "Group API"
+                ],
+                "description": "get group",
+                "operationId": "ApiController.GetGroup",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "id",
+                        "description": "The id ( owner/name ) of the group",
+                        "required": true,
+                        "type": "string"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/object.Group"
+                        }
+                    }
+                }
+            }
+        },
+        "/api/get-groups": {
+            "get": {
+                "tags": [
+                    "Group API"
+                ],
+                "description": "get groups",
+                "operationId": "ApiController.GetGroups",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "owner",
+                        "description": "The owner of groups",
+                        "required": true,
+                        "type": "string"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/object.Group"
+                            }
+                        }
+                    }
+                }
+            }
+        },
         "/api/get-ldap": {
             "get": {
                 "tags": [
@@ -2045,7 +2275,7 @@
                 "tags": [
                     "Organization API"
                 ],
-                "description": "get all organization names",
+                "description": "get all organization name and displayName",
                 "operationId": "ApiController.GetOrganizationNames",
                 "parameters": [
                     {
@@ -2338,7 +2568,7 @@
                     "200": {
                         "description": "The Response object",
                         "schema": {
-                            "$ref": "#/definitions/object.pricing"
+                            "$ref": "#/definitions/object.Pricing"
                         }
                     }
                 }
@@ -2753,7 +2983,7 @@
                     "200": {
                         "description": "The Response object",
                         "schema": {
-                            "$ref": "#/definitions/object.subscription"
+                            "$ref": "#/definitions/object.Subscription"
                         }
                     }
                 }
@@ -3328,7 +3558,7 @@
                     "200": {
                         "description": "The Response object",
                         "schema": {
-                            "$ref": "#/definitions/Response"
+                            "$ref": "#/definitions/controllers.Response"
                         }
                     }
                 }
@@ -3598,9 +3828,9 @@
                 "operationId": "ApiController.MfaSetupInitiate",
                 "responses": {
                     "200": {
-                        "description": "Response object",
+                        "description": "The Response object",
                         "schema": {
-                            "$ref": "#/definitions/The"
+                            "$ref": "#/definitions/controllers.Response"
                         }
                     }
                 }
@@ -3799,6 +4029,41 @@
                 ]
             }
         },
+        "/api/update-adapter": {
+            "post": {
+                "tags": [
+                    "Adapter API"
+                ],
+                "description": "update adapter",
+                "operationId": "ApiController.UpdateCasbinAdapter",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "id",
+                        "description": "The id ( owner/name ) of the adapter",
+                        "required": true,
+                        "type": "string"
+                    },
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The details of the adapter",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.Adapter"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
         "/api/update-application": {
             "post": {
                 "tags": [
@@ -3904,6 +4169,41 @@
                 }
             }
         },
+        "/api/update-group": {
+            "post": {
+                "tags": [
+                    "Group API"
+                ],
+                "description": "update group",
+                "operationId": "ApiController.UpdateGroup",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "id",
+                        "description": "The id ( owner/name ) of the group",
+                        "required": true,
+                        "type": "string"
+                    },
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The details of the group",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.Group"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
         "/api/update-ldap": {
             "post": {
                 "tags": [
@@ -4579,7 +4879,7 @@
                     "200": {
                         "description": "\"The Response object\"",
                         "schema": {
-                            "$ref": "#/definitions/Response"
+                            "$ref": "#/definitions/controllers.Response"
                         }
                     }
                 }
@@ -4624,7 +4924,7 @@
                     "200": {
                         "description": "\"The Response object\"",
                         "schema": {
-                            "$ref": "#/definitions/Response"
+                            "$ref": "#/definitions/controllers.Response"
                         }
                     }
                 }
@@ -4632,14 +4932,6 @@
         }
     },
     "definitions": {
-        "1225.0xc0002e2ae0.false": {
-            "title": "false",
-            "type": "object"
-        },
-        "1260.0xc0002e2b10.false": {
-            "title": "false",
-            "type": "object"
-        },
         "LaravelResponse": {
             "title": "LaravelResponse",
             "type": "object"
@@ -4648,10 +4940,6 @@
             "title": "Response",
             "type": "object"
         },
-        "The": {
-            "title": "The",
-            "type": "object"
-        },
         "controllers.AuthForm": {
             "title": "AuthForm",
             "type": "object"
@@ -4685,10 +4973,16 @@
             "type": "object",
             "properties": {
                 "data": {
-                    "$ref": "#/definitions/1225.0xc0002e2ae0.false"
+                    "additionalProperties": {
+                        "description": "support string | class | List\u003cclass\u003e and os on",
+                        "type": "string"
+                    }
                 },
                 "data2": {
-                    "$ref": "#/definitions/1260.0xc0002e2b10.false"
+                    "additionalProperties": {
+                        "description": "support string | class | List\u003cclass\u003e and os on",
+                        "type": "string"
+                    }
                 },
                 "msg": {
                     "type": "string"
@@ -4726,8 +5020,8 @@
             "title": "JSONWebKey",
             "type": "object"
         },
-        "object.\u0026{179844 0xc000a02f90 false}": {
-            "title": "\u0026{179844 0xc000a02f90 false}",
+        "object": {
+            "title": "object",
             "type": "object"
         },
         "object.AccountItem": {
@@ -4917,7 +5211,7 @@
             "title": "CasbinRequest",
             "type": "array",
             "items": {
-                "$ref": "#/definitions/object.\u0026{179844 0xc000a02f90 false}"
+                "$ref": "#/definitions/object.CasbinRequest"
             }
         },
         "object.Cert": {
@@ -5029,6 +5323,63 @@
                 }
             }
         },
+        "object.Group": {
+            "title": "Group",
+            "type": "object",
+            "properties": {
+                "children": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/object.Group"
+                    }
+                },
+                "contactEmail": {
+                    "type": "string"
+                },
+                "createdTime": {
+                    "type": "string"
+                },
+                "displayName": {
+                    "type": "string"
+                },
+                "isEnabled": {
+                    "type": "boolean"
+                },
+                "isTopGroup": {
+                    "type": "boolean"
+                },
+                "key": {
+                    "type": "string"
+                },
+                "manager": {
+                    "type": "string"
+                },
+                "name": {
+                    "type": "string"
+                },
+                "owner": {
+                    "type": "string"
+                },
+                "parentId": {
+                    "type": "string"
+                },
+                "title": {
+                    "type": "string"
+                },
+                "type": {
+                    "type": "string"
+                },
+                "updatedTime": {
+                    "type": "string"
+                },
+                "users": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/object.User"
+                    }
+                }
+            }
+        },
         "object.Header": {
             "title": "Header",
             "type": "object",
@@ -5175,12 +5526,15 @@
                 "countryCode": {
                     "type": "string"
                 },
-                "id": {
-                    "type": "string"
+                "enabled": {
+                    "type": "boolean"
                 },
                 "isPreferred": {
                     "type": "boolean"
                 },
+                "mfaType": {
+                    "type": "string"
+                },
                 "recoveryCodes": {
                     "type": "array",
                     "items": {
@@ -5190,9 +5544,6 @@
                 "secret": {
                     "type": "string"
                 },
-                "type": {
-                    "type": "string"
-                },
                 "url": {
                     "type": "string"
                 }
@@ -5205,6 +5556,9 @@
                 "createdTime": {
                     "type": "string"
                 },
+                "description": {
+                    "type": "string"
+                },
                 "displayName": {
                     "type": "string"
                 },
@@ -5362,6 +5716,12 @@
                 "owner": {
                     "type": "string"
                 },
+                "passwordOptions": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
                 "passwordSalt": {
                     "type": "string"
                 },
@@ -5492,6 +5852,9 @@
                 "createdTime": {
                     "type": "string"
                 },
+                "description": {
+                    "type": "string"
+                },
                 "displayName": {
                     "type": "string"
                 },
@@ -5611,9 +5974,6 @@
                 "displayName": {
                     "type": "string"
                 },
-                "hasTrial": {
-                    "type": "boolean"
-                },
                 "isEnabled": {
                     "type": "boolean"
                 },
@@ -5766,7 +6126,7 @@
                 "customLogo": {
                     "type": "string"
                 },
-                "customScope": {
+                "scopes": {
                     "type": "string"
                 },
                 "customTokenUrl": {
@@ -5933,6 +6293,9 @@
                 "createdTime": {
                     "type": "string"
                 },
+                "description": {
+                    "type": "string"
+                },
                 "displayName": {
                     "type": "string"
                 },
@@ -6068,6 +6431,9 @@
                 "isEnabled": {
                     "type": "boolean"
                 },
+                "isReadOnly": {
+                    "type": "boolean"
+                },
                 "name": {
                     "type": "string"
                 },
@@ -6248,6 +6614,12 @@
             "title": "User",
             "type": "object",
             "properties": {
+                "accessKey": {
+                    "type": "string"
+                },
+                "accessSecret": {
+                    "type": "string"
+                },
                 "address": {
                     "type": "array",
                     "items": {
@@ -6275,6 +6647,9 @@
                 "avatar": {
                     "type": "string"
                 },
+                "avatarType": {
+                    "type": "string"
+                },
                 "azuread": {
                     "type": "string"
                 },
@@ -6380,6 +6755,12 @@
                 "google": {
                     "type": "string"
                 },
+                "groups": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
                 "hash": {
                     "type": "string"
                 },
@@ -6480,6 +6861,12 @@
                 "meetup": {
                     "type": "string"
                 },
+                "mfaEmailEnabled": {
+                    "type": "boolean"
+                },
+                "mfaPhoneEnabled": {
+                    "type": "boolean"
+                },
                 "microsoftonline": {
                     "type": "string"
                 },
@@ -6540,6 +6927,9 @@
                 "preHash": {
                     "type": "string"
                 },
+                "preferredMfaType": {
+                    "type": "string"
+                },
                 "properties": {
                     "additionalProperties": {
                         "type": "string"
@@ -6552,6 +6942,12 @@
                     "type": "integer",
                     "format": "int64"
                 },
+                "recoveryCodes": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
                 "region": {
                     "type": "string"
                 },
@@ -6605,6 +7001,9 @@
                 "title": {
                     "type": "string"
                 },
+                "totpSecret": {
+                    "type": "string"
+                },
                 "tumblr": {
                     "type": "string"
                 },
@@ -6677,15 +7076,18 @@
                 "email": {
                     "type": "string"
                 },
+                "groups": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
                 "iss": {
                     "type": "string"
                 },
                 "name": {
                     "type": "string"
                 },
-                "organization": {
-                    "type": "string"
-                },
                 "phone": {
                     "type": "string"
                 },
@@ -6745,14 +7147,6 @@
                 }
             }
         },
-        "object.pricing": {
-            "title": "pricing",
-            "type": "object"
-        },
-        "object.subscription": {
-            "title": "subscription",
-            "type": "object"
-        },
         "protocol.CredentialAssertion": {
             "title": "CredentialAssertion",
             "type": "object"

swagger/swagger.yml

@@ -28,6 +28,24 @@ paths:
           description: ""
           schema:
             $ref: '#/definitions/object.OidcDiscovery'
+  /api/add-adapter:
+    post:
+      tags:
+      - Adapter API
+      description: add adapter
+      operationId: ApiController.AddCasbinAdapter
+      parameters:
+      - in: body
+        name: body
+        description: The details of the adapter
+        required: true
+        schema:
+          $ref: '#/definitions/object.Adapter'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
   /api/add-application:
     post:
       tags:
@@ -82,6 +100,24 @@ paths:
           description: The Response object
           schema:
             $ref: '#/definitions/controllers.Response'
+  /api/add-group:
+    post:
+      tags:
+      - Group API
+      description: add group
+      operationId: ApiController.AddGroup
+      parameters:
+      - in: body
+        name: body
+        description: The details of the group
+        required: true
+        schema:
+          $ref: '#/definitions/object.Group'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
   /api/add-ldap:
     post:
       tags:
@@ -386,6 +422,11 @@ paths:
           description: The Response object
           schema:
             $ref: '#/definitions/controllers.Response'
+  /api/add-user-keys:
+    post:
+      tags:
+      - User API
+      operationId: ApiController.AddUserkeys
   /api/add-webhook:
     post:
       tags:
@@ -506,12 +547,12 @@ paths:
     post:
       tags:
       - Enforce API
-      description: perform enforce
+      description: Call Casbin BatchEnforce API
       operationId: ApiController.BatchEnforce
       parameters:
       - in: body
         name: body
-        description: casbin request array
+        description: array of casbin requests
         required: true
         schema:
           $ref: '#/definitions/object.CasbinRequest'
@@ -555,6 +596,24 @@ paths:
       tags:
       - User API
       operationId: ApiController.CheckUserPassword
+  /api/delete-adapter:
+    post:
+      tags:
+      - Adapter API
+      description: delete adapter
+      operationId: ApiController.DeleteCasbinAdapter
+      parameters:
+      - in: body
+        name: body
+        description: The details of the adapter
+        required: true
+        schema:
+          $ref: '#/definitions/object.Adapter'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
   /api/delete-application:
     post:
       tags:
@@ -609,6 +668,24 @@ paths:
           description: The Response object
           schema:
             $ref: '#/definitions/controllers.Response'
+  /api/delete-group:
+    post:
+      tags:
+      - Group API
+      description: delete group
+      operationId: ApiController.DeleteGroup
+      parameters:
+      - in: body
+        name: body
+        description: The details of the group
+        required: true
+        schema:
+          $ref: '#/definitions/object.Group'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
   /api/delete-ldap:
     post:
       tags:
@@ -923,12 +1000,12 @@ paths:
     post:
       tags:
       - Enforce API
-      description: perform enforce
+      description: Call Casbin Enforce API
       operationId: ApiController.Enforce
       parameters:
       - in: body
         name: body
-        description: casbin request
+        description: Casbin request
         required: true
         schema:
           $ref: '#/definitions/object.CasbinRequest'
@@ -960,6 +1037,42 @@ paths:
           description: The Response object
           schema:
             $ref: '#/definitions/controllers.Response'
+  /api/get-adapter:
+    get:
+      tags:
+      - Adapter API
+      description: get adapter
+      operationId: ApiController.GetCasbinAdapter
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of the adapter
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/object.Adapter'
+  /api/get-adapters:
+    get:
+      tags:
+      - Adapter API
+      description: get adapters
+      operationId: ApiController.GetCasbinAdapters
+      parameters:
+      - in: query
+        name: owner
+        description: The owner of adapters
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            type: array
+            items:
+              $ref: '#/definitions/object.Adapter'
   /api/get-app-login:
     get:
       tags:
@@ -1183,6 +1296,42 @@ paths:
             type: array
             items:
               $ref: '#/definitions/object.Cert'
+  /api/get-group:
+    get:
+      tags:
+      - Group API
+      description: get group
+      operationId: ApiController.GetGroup
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of the group
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/object.Group'
+  /api/get-groups:
+    get:
+      tags:
+      - Group API
+      description: get groups
+      operationId: ApiController.GetGroups
+      parameters:
+      - in: query
+        name: owner
+        description: The owner of groups
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            type: array
+            items:
+              $ref: '#/definitions/object.Group'
   /api/get-ldap:
     get:
       tags:
@@ -1327,7 +1476,7 @@ paths:
     get:
       tags:
       - Organization API
-      description: get all organization names
+      description: get all organization name and displayName
       operationId: ApiController.GetOrganizationNames
       parameters:
       - in: query
@@ -1521,7 +1670,7 @@ paths:
         "200":
           description: The Response object
           schema:
-            $ref: '#/definitions/object.pricing'
+            $ref: '#/definitions/object.Pricing'
   /api/get-pricings:
     get:
       tags:
@@ -1793,7 +1942,7 @@ paths:
         "200":
           description: The Response object
           schema:
-            $ref: '#/definitions/object.subscription'
+            $ref: '#/definitions/object.Subscription'
   /api/get-subscriptions:
     get:
       tags:
@@ -2172,7 +2321,7 @@ paths:
         "200":
           description: The Response object
           schema:
-            $ref: '#/definitions/Response'
+            $ref: '#/definitions/controllers.Response'
   /api/login/oauth/access_token:
     post:
       tags:
@@ -2351,9 +2500,9 @@ paths:
       operationId: ApiController.MfaSetupInitiate
       responses:
         "200":
-          description: Response object
+          description: The Response object
           schema:
-            $ref: '#/definitions/The'
+            $ref: '#/definitions/controllers.Response'
   /api/mfa/setup/verify:
     post:
       tags:
@@ -2480,6 +2629,29 @@ paths:
     post:
       tags:
       - Login API
+  /api/update-adapter:
+    post:
+      tags:
+      - Adapter API
+      description: update adapter
+      operationId: ApiController.UpdateCasbinAdapter
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of the adapter
+        required: true
+        type: string
+      - in: body
+        name: body
+        description: The details of the adapter
+        required: true
+        schema:
+          $ref: '#/definitions/object.Adapter'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
   /api/update-application:
     post:
       tags:
@@ -2549,6 +2721,29 @@ paths:
           description: The Response object
           schema:
             $ref: '#/definitions/controllers.Response'
+  /api/update-group:
+    post:
+      tags:
+      - Group API
+      description: update group
+      operationId: ApiController.UpdateGroup
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of the group
+        required: true
+        type: string
+      - in: body
+        name: body
+        description: The details of the group
+        required: true
+        schema:
+          $ref: '#/definitions/object.Group'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
   /api/update-ldap:
     post:
       tags:
@@ -2994,7 +3189,7 @@ paths:
         "200":
           description: '"The Response object"'
           schema:
-            $ref: '#/definitions/Response'
+            $ref: '#/definitions/controllers.Response'
   /api/webauthn/signup/begin:
     get:
       tags:
@@ -3023,23 +3218,14 @@ paths:
         "200":
           description: '"The Response object"'
           schema:
-            $ref: '#/definitions/Response'
+            $ref: '#/definitions/controllers.Response'
 definitions:
-  1225.0xc0002e2ae0.false:
-    title: "false"
-    type: object
-  1260.0xc0002e2b10.false:
-    title: "false"
-    type: object
   LaravelResponse:
     title: LaravelResponse
     type: object
   Response:
     title: Response
     type: object
-  The:
-    title: The
-    type: object
   controllers.AuthForm:
     title: AuthForm
     type: object
@@ -3064,9 +3250,13 @@ definitions:
     type: object
     properties:
       data:
-        $ref: '#/definitions/1225.0xc0002e2ae0.false'
+        additionalProperties:
+          description: support string | class | List<class> and os on
+          type: string
       data2:
-        $ref: '#/definitions/1260.0xc0002e2b10.false'
+        additionalProperties:
+          description: support string | class | List<class> and os on
+          type: string
       msg:
         type: string
       name:
@@ -3090,8 +3280,8 @@ definitions:
   jose.JSONWebKey:
     title: JSONWebKey
     type: object
-  object.&{179844 0xc000a02f90 false}:
-    title: '&{179844 0xc000a02f90 false}'
+  object:
+    title: object
     type: object
   object.AccountItem:
     title: AccountItem
@@ -3220,7 +3410,7 @@ definitions:
     title: CasbinRequest
     type: array
     items:
-      $ref: '#/definitions/object.&{179844 0xc000a02f90 false}'
+      $ref: '#/definitions/object.CasbinRequest'
   object.Cert:
     title: Cert
     type: object
@@ -3295,6 +3485,44 @@ definitions:
       throughput:
         type: number
         format: double
+  object.Group:
+    title: Group
+    type: object
+    properties:
+      children:
+        type: array
+        items:
+          $ref: '#/definitions/object.Group'
+      contactEmail:
+        type: string
+      createdTime:
+        type: string
+      displayName:
+        type: string
+      isEnabled:
+        type: boolean
+      isTopGroup:
+        type: boolean
+      key:
+        type: string
+      manager:
+        type: string
+      name:
+        type: string
+      owner:
+        type: string
+      parentId:
+        type: string
+      title:
+        type: string
+      type:
+        type: string
+      updatedTime:
+        type: string
+      users:
+        type: array
+        items:
+          $ref: '#/definitions/object.User'
   object.Header:
     title: Header
     type: object
@@ -3395,18 +3623,18 @@ definitions:
     properties:
       countryCode:
         type: string
-      id:
-        type: string
+      enabled:
+        type: boolean
       isPreferred:
         type: boolean
+      mfaType:
+        type: string
       recoveryCodes:
         type: array
         items:
           type: string
       secret:
         type: string
-      type:
-        type: string
       url:
         type: string
   object.Model:
@@ -3415,6 +3643,8 @@ definitions:
     properties:
       createdTime:
         type: string
+      description:
+        type: string
       displayName:
         type: string
       isEnabled:
@@ -3520,6 +3750,10 @@ definitions:
         type: string
       owner:
         type: string
+      passwordOptions:
+        type: array
+        items:
+          type: string
       passwordSalt:
         type: string
       passwordType:
@@ -3607,6 +3841,8 @@ definitions:
         type: string
       createdTime:
         type: string
+      description:
+        type: string
       displayName:
         type: string
       domains:
@@ -3687,8 +3923,6 @@ definitions:
         type: string
       displayName:
         type: string
-      hasTrial:
-        type: boolean
       isEnabled:
         type: boolean
       name:
@@ -3792,7 +4026,7 @@ definitions:
         type: string
       customLogo:
         type: string
-      customScope:
+      scopes:
         type: string
       customTokenUrl:
         type: string
@@ -3904,6 +4138,8 @@ definitions:
     properties:
       createdTime:
         type: string
+      description:
+        type: string
       displayName:
         type: string
       domains:
@@ -3995,6 +4231,8 @@ definitions:
         type: string
       isEnabled:
         type: boolean
+      isReadOnly:
+        type: boolean
       name:
         type: string
       organization:
@@ -4117,6 +4355,10 @@ definitions:
     title: User
     type: object
     properties:
+      accessKey:
+        type: string
+      accessSecret:
+        type: string
       address:
         type: array
         items:
@@ -4135,6 +4377,8 @@ definitions:
         type: string
       avatar:
         type: string
+      avatarType:
+        type: string
       azuread:
         type: string
       baidu:
@@ -4205,6 +4449,10 @@ definitions:
         type: string
       google:
         type: string
+      groups:
+        type: array
+        items:
+          type: string
       hash:
         type: string
       heroku:
@@ -4272,6 +4520,10 @@ definitions:
           $ref: '#/definitions/object.ManagedAccount'
       meetup:
         type: string
+      mfaEmailEnabled:
+        type: boolean
+      mfaPhoneEnabled:
+        type: boolean
       microsoftonline:
         type: string
       multiFactorAuths:
@@ -4312,6 +4564,8 @@ definitions:
         type: string
       preHash:
         type: string
+      preferredMfaType:
+        type: string
       properties:
         additionalProperties:
           type: string
@@ -4320,6 +4574,10 @@ definitions:
       ranking:
         type: integer
         format: int64
+      recoveryCodes:
+        type: array
+        items:
+          type: string
       region:
         type: string
       roles:
@@ -4356,6 +4614,8 @@ definitions:
         type: string
       title:
         type: string
+      totpSecret:
+        type: string
       tumblr:
         type: string
       twitch:
@@ -4404,12 +4664,14 @@ definitions:
         type: string
       email:
         type: string
+      groups:
+        type: array
+        items:
+          type: string
       iss:
         type: string
       name:
         type: string
-      organization:
-        type: string
       phone:
         type: string
       picture:
@@ -4448,12 +4710,6 @@ definitions:
         type: string
       url:
         type: string
-  object.pricing:
-    title: pricing
-    type: object
-  object.subscription:
-    title: subscription
-    type: object
   protocol.CredentialAssertion:
     title: CredentialAssertion
     type: object

util/path.go

@@ -72,6 +72,9 @@ func UrlJoin(base string, path string) string {
 
 func GetUrlPath(urlString string) string {
 	u, _ := url.Parse(urlString)
+	if u == nil {
+		return ""
+	}
 	return u.Path
 }
 

util/slice.go

@@ -43,6 +43,15 @@ func ContainsString(values []string, val string) bool {
 	return sort.SearchStrings(values, val) != len(values)
 }
 
+func InSlice(slice []string, elem string) bool {
+	for _, val := range slice {
+		if val == elem {
+			return true
+		}
+	}
+	return false
+}
+
 func ReturnAnyNotEmpty(strs ...string) string {
 	for _, str := range strs {
 		if str != "" {

util/string.go

@@ -289,3 +289,18 @@ func HasString(strs []string, str string) bool {
 	}
 	return false
 }
+
+func ParseIdToString(input interface{}) (string, error) {
+	switch v := input.(type) {
+	case string:
+		return v, nil
+	case int:
+		return strconv.Itoa(v), nil
+	case int64:
+		return strconv.FormatInt(v, 10), nil
+	case float64:
+		return strconv.FormatFloat(v, 'f', -1, 64), nil
+	default:
+		return "", fmt.Errorf("unsupported id type: %T", input)
+	}
+}

util/string_test.go

@@ -246,3 +246,23 @@ func TestSnakeString(t *testing.T) {
 		})
 	}
 }
+
+func TestParseId(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       interface{}
+		expected    interface{}
+	}{
+		{"Should be return 123456", "123456", "123456"},
+		{"Should be return 123456", 123456, "123456"},
+		{"Should be return 123456", int64(123456), "123456"},
+		{"Should be return 123456", float64(123456), "123456"},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual, err := ParseIdToString(scenery.input)
+			assert.Nil(t, err, "The returned value not is expected")
+			assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+		})
+	}
+}

util/validation.go

@@ -22,10 +22,18 @@ import (
 	"github.com/nyaruka/phonenumbers"
 )
 
-var rePhone *regexp.Regexp
+var (
+	rePhone          *regexp.Regexp
+	ReWhiteSpace     *regexp.Regexp
+	ReFieldWhiteList *regexp.Regexp
+	ReUserName       *regexp.Regexp
+)
 
 func init() {
 	rePhone, _ = regexp.Compile(`(\d{3})\d*(\d{4})`)
+	ReWhiteSpace, _ = regexp.Compile(`\s`)
+	ReFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
+	ReUserName, _ = regexp.Compile("^[a-zA-Z0-9]+((?:-[a-zA-Z0-9]+)|(?:_[a-zA-Z0-9]+))*$")
 }
 
 func IsEmailValid(email string) bool {
@@ -70,3 +78,7 @@ func GetCountryCode(prefix string, phone string) (string, error) {
 
 	return countryCode, nil
 }
+
+func FilterField(field string) bool {
+	return ReFieldWhiteList.MatchString(field)
+}

web/src/AdapterListPage.js

@@ -25,8 +25,9 @@ import PopconfirmModal from "./common/modal/PopconfirmModal";
 class AdapterListPage extends BaseListPage {
   newAdapter() {
     const randomName = Setting.getRandomName();
+    const owner = Setting.getRequestOrganization(this.props.account);
     return {
-      owner: this.props.account.owner,
+      owner: owner,
       name: `adapter_${randomName}`,
       createdTime: moment().format(),
       type: "Database",
@@ -87,7 +88,7 @@ class AdapterListPage extends BaseListPage {
         ...this.getColumnSearchProps("name"),
         render: (text, record, index) => {
           return (
-            <Link to={`/adapters/${record.organization}/${text}`}>
+            <Link to={`/adapters/${record.owner}/${text}`}>
               {text}
             </Link>
           );
@@ -246,7 +247,7 @@ class AdapterListPage extends BaseListPage {
       value = params.type;
     }
     this.setState({loading: true});
-    AdapterBackend.getAdapters(Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    AdapterBackend.getAdapters(Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/App.js

@@ -15,9 +15,11 @@
 import React, {Component} from "react";
 import "./App.less";
 import {Helmet} from "react-helmet";
+import EnableMfaNotification from "./common/notifaction/EnableMfaNotification";
 import GroupTreePage from "./GroupTreePage";
 import GroupEditPage from "./GroupEdit";
 import GroupListPage from "./GroupList";
+import {MfaRuleRequired} from "./Setting";
 import * as Setting from "./Setting";
 import {StyleProvider, legacyLogicalPropertiesTransformer} from "@ant-design/cssinjs";
 import {BarsOutlined, CommentOutlined, DownOutlined, InfoCircleFilled, LogoutOutlined, SettingOutlined} from "@ant-design/icons";
@@ -64,6 +66,13 @@ import ProductBuyPage from "./ProductBuyPage";
 import PaymentListPage from "./PaymentListPage";
 import PaymentEditPage from "./PaymentEditPage";
 import PaymentResultPage from "./PaymentResultPage";
+import ModelListPage from "./ModelListPage";
+import ModelEditPage from "./ModelEditPage";
+import AdapterListPage from "./AdapterListPage";
+import AdapterEditPage from "./AdapterEditPage";
+import SessionListPage from "./SessionListPage";
+import MfaSetupPage from "./auth/MfaSetupPage";
+import SystemInfo from "./SystemInfo";
 import AccountPage from "./account/AccountPage";
 import HomePage from "./basic/HomePage";
 import CustomGithubCorner from "./common/CustomGithubCorner";
@@ -73,19 +82,13 @@ import * as Auth from "./auth/Auth";
 import EntryPage from "./EntryPage";
 import * as AuthBackend from "./auth/AuthBackend";
 import AuthCallback from "./auth/AuthCallback";
-import LanguageSelect from "./common/select/LanguageSelect";
-import i18next from "i18next";
 import OdicDiscoveryPage from "./auth/OidcDiscoveryPage";
 import SamlCallback from "./auth/SamlCallback";
-import ModelListPage from "./ModelListPage";
-import ModelEditPage from "./ModelEditPage";
-import SystemInfo from "./SystemInfo";
-import AdapterListPage from "./AdapterListPage";
-import AdapterEditPage from "./AdapterEditPage";
+import i18next from "i18next";
 import {withTranslation} from "react-i18next";
+import LanguageSelect from "./common/select/LanguageSelect";
 import ThemeSelect from "./common/select/ThemeSelect";
-import SessionListPage from "./SessionListPage";
-import MfaSetupPage from "./auth/MfaSetupPage";
+import OrganizationSelect from "./common/select/OrganizationSelect";
 
 const {Header, Footer, Content} = Layout;
 
@@ -101,12 +104,13 @@ class App extends Component {
       themeAlgorithm: ["default"],
       themeData: Conf.ThemeDefault,
       logo: this.getLogo(Setting.getAlgorithmNames(Conf.ThemeDefault)),
+      requiredEnableMfa: false,
     };
 
     Setting.initServerUrl();
     Auth.initAuthWithConfig({
       serverUrl: Setting.ServerUrl,
-      appName: "app-built-in", // the application name of Casdoor itself, do not change it
+      appName: Conf.DefaultApplication, // the application used in Casdoor root path: "/"
     });
   }
 
@@ -115,12 +119,28 @@ class App extends Component {
     this.getAccount();
   }
 
-  componentDidUpdate() {
-    // eslint-disable-next-line no-restricted-globals
+  componentDidUpdate(prevProps, prevState, snapshot) {
     const uri = location.pathname;
     if (this.state.uri !== uri) {
       this.updateMenuKey();
     }
+
+    if (this.state.account !== prevState.account) {
+      const requiredEnableMfa = Setting.isRequiredEnableMfa(this.state.account, this.state.account?.organization);
+      this.setState({
+        requiredEnableMfa: requiredEnableMfa,
+      });
+    }
+
+    if (this.state.requiredEnableMfa !== prevState.requiredEnableMfa || this.state.account !== prevState.account) {
+      if (this.state.requiredEnableMfa === true) {
+        const mfaType = Setting.getMfaItemsByRules(this.state.account, this.state.account?.organization, [MfaRuleRequired])
+          .find((item) => item.rule === MfaRuleRequired)?.name;
+        if (mfaType !== undefined) {
+          this.props.history.push(`/mfa/setup?mfaType=${mfaType}`, {from: "/login"});
+        }
+      }
+    }
   }
 
   updateMenuKey() {
@@ -340,13 +360,15 @@ class App extends Component {
 
   renderRightDropdown() {
     const items = [];
-    items.push(Setting.getItem(<><SettingOutlined />&nbsp;&nbsp;{i18next.t("account:My Account")}</>,
-      "/account"
-    ));
-    if (Conf.EnableChatPages) {
-      items.push(Setting.getItem(<><CommentOutlined />&nbsp;&nbsp;{i18next.t("account:Chats & Messages")}</>,
-        "/chat"
+    if (this.state.requiredEnableMfa === false) {
+      items.push(Setting.getItem(<><SettingOutlined />&nbsp;&nbsp;{i18next.t("account:My Account")}</>,
+        "/account"
       ));
+      if (Conf.EnableChatPages) {
+        items.push(Setting.getItem(<><CommentOutlined />&nbsp;&nbsp;{i18next.t("account:Chats & Messages")}</>,
+          "/chat"
+        ));
+      }
     }
     items.push(Setting.getItem(<><LogoutOutlined />&nbsp;&nbsp;{i18next.t("account:Logout")}</>,
       "/logout"));
@@ -398,6 +420,17 @@ class App extends Component {
               });
             }} />
           <LanguageSelect languages={this.state.account.organization.languages} />
+          {Setting.isAdminUser(this.state.account) && !Setting.isMobile() &&
+            <OrganizationSelect
+              initValue={Setting.getOrganization()}
+              withAll={true}
+              style={{marginRight: "20px", width: "180px", display: "flex"}}
+              onChange={(value) => {
+                Setting.setOrganization(value);
+              }}
+              className="select-box"
+            />
+          }
         </React.Fragment>
       );
     }
@@ -535,14 +568,6 @@ class App extends Component {
     return res;
   }
 
-  renderHomeIfLoggedIn(component) {
-    if (this.state.account !== null && this.state.account !== undefined) {
-      return <Redirect to="/" />;
-    } else {
-      return component;
-    }
-  }
-
   renderLoginIfNotLoggedIn(component) {
     if (this.state.account === null) {
       sessionStorage.setItem("from", window.location.pathname);
@@ -554,12 +579,6 @@ class App extends Component {
     }
   }
 
-  isStartPages() {
-    return window.location.pathname.startsWith("/login") ||
-        window.location.pathname.startsWith("/signup") ||
-        window.location.pathname === "/";
-  }
-
   renderRouter() {
     return (
       <Switch>
@@ -611,13 +630,13 @@ class App extends Component {
         <Route exact path="/subscriptions" render={(props) => this.renderLoginIfNotLoggedIn(<SubscriptionListPage account={this.state.account} {...props} />)} />
         <Route exact path="/subscriptions/:organizationName/:subscriptionName" render={(props) => this.renderLoginIfNotLoggedIn(<SubscriptionEditPage account={this.state.account} {...props} />)} />
         <Route exact path="/products" render={(props) => this.renderLoginIfNotLoggedIn(<ProductListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/products/:productName" render={(props) => this.renderLoginIfNotLoggedIn(<ProductEditPage account={this.state.account} {...props} />)} />
+        <Route exact path="/products/:organizationName/:productName" render={(props) => this.renderLoginIfNotLoggedIn(<ProductEditPage account={this.state.account} {...props} />)} />
         <Route exact path="/products/:productName/buy" render={(props) => this.renderLoginIfNotLoggedIn(<ProductBuyPage account={this.state.account} {...props} />)} />
         <Route exact path="/payments" render={(props) => this.renderLoginIfNotLoggedIn(<PaymentListPage account={this.state.account} {...props} />)} />
         <Route exact path="/payments/:paymentName" render={(props) => this.renderLoginIfNotLoggedIn(<PaymentEditPage account={this.state.account} {...props} />)} />
         <Route exact path="/payments/:paymentName/result" render={(props) => this.renderLoginIfNotLoggedIn(<PaymentResultPage account={this.state.account} {...props} />)} />
         <Route exact path="/records" render={(props) => this.renderLoginIfNotLoggedIn(<RecordListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/mfa-authentication/setup" render={(props) => this.renderLoginIfNotLoggedIn(<MfaSetupPage account={this.state.account} {...props} />)} />
+        <Route exact path="/mfa/setup" render={(props) => this.renderLoginIfNotLoggedIn(<MfaSetupPage account={this.state.account} onfinish={result => this.setState({requiredEnableMfa: result})} {...props} />)} />
         <Route exact path="/.well-known/openid-configuration" render={(props) => <OdicDiscoveryPage />} />
         <Route exact path="/sysinfo" render={(props) => this.renderLoginIfNotLoggedIn(<SystemInfo account={this.state.account} {...props} />)} />
         <Route path="" render={() => <Result status="404" title="404 NOT FOUND" subTitle={i18next.t("general:Sorry, the page you visited does not exist.")}
@@ -648,18 +667,24 @@ class App extends Component {
       if (key === "/swagger") {
         window.open(Setting.isLocalhost() ? `${Setting.ServerUrl}/swagger` : "/swagger", "_blank");
       } else {
-        this.props.history.push(key);
+        if (this.state.requiredEnableMfa) {
+          Setting.showMessage("info", "Please enable MFA first!");
+        } else {
+          this.props.history.push(key);
+        }
       }
     };
+    const menuStyleRight = Setting.isAdminUser(this.state.account) && !Setting.isMobile() ? "calc(180px + 260px)" : "260px";
     return (
       <Layout id="parent-area">
-        <Header style={{padding: "0", marginBottom: "3px", backgroundColor: this.state.themeAlgorithm.includes("dark") ? "black" : "white"}}>
+        <EnableMfaNotification account={this.state.account} />
+        <Header style={{padding: "0", marginBottom: "3px", backgroundColor: this.state.themeAlgorithm.includes("dark") ? "black" : "white"}} >
           {Setting.isMobile() ? null : (
             <Link to={"/"}>
               <div className="logo" style={{background: `url(${this.state.logo})`}} />
             </Link>
           )}
-          {Setting.isMobile() ?
+          {this.state.requiredEnableMfa || (Setting.isMobile() ?
             <React.Fragment>
               <Drawer title={i18next.t("general:Close")} placement="left" visible={this.state.menuVisible} onClose={this.onClose}>
                 <Menu
@@ -680,9 +705,9 @@ class App extends Component {
               items={this.getMenuItems()}
               mode={"horizontal"}
               selectedKeys={[this.state.selectedMenuKey]}
-              style={{position: "absolute", left: "145px", right: "260px"}}
+              style={{position: "absolute", left: "145px", right: menuStyleRight}}
             />
-          }
+          )}
           {
             this.renderAccountMenu()
           }
@@ -746,9 +771,11 @@ class App extends Component {
                 <EntryPage
                   account={this.state.account}
                   theme={this.state.themeData}
-                  onUpdateAccount={(account) => {
-                    this.onUpdateAccount(account);
+                  onLoginSuccess={(redirectUrl) => {
+                    localStorage.setItem("mfaRedirectUrl", redirectUrl);
+                    this.getAccount();
                   }}
+                  onUpdateAccount={(account) => this.onUpdateAccount(account)}
                   updataThemeData={this.setTheme}
                 /> :
                 <Switch>

web/src/ApplicationEditPage.js

@@ -132,6 +132,11 @@ class ApplicationEditPage extends React.Component {
         if (res.grantTypes === null || res.grantTypes === undefined || res.grantTypes.length === 0) {
           res.grantTypes = ["authorization_code"];
         }
+
+        if (res.tags === null || res.tags === undefined) {
+          res.tags = [];
+        }
+
         this.setState({
           application: res,
         });
@@ -312,6 +317,18 @@ class ApplicationEditPage extends React.Component {
             </Select>
           </Col>
         </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("organization:Tags"), i18next.t("application:Tags - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Select virtual={false} mode="tags" style={{width: "100%"}} value={this.state.application.tags} onChange={(value => {this.updateApplicationField("tags", value);})}>
+              {
+                this.state.application.tags?.map((item, index) => <Option key={index} value={item}>{item}</Option>)
+              }
+            </Select>
+          </Col>
+        </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
             {Setting.getLabel(i18next.t("provider:Client ID"), i18next.t("provider:Client ID - Tooltip"))} :

web/src/ApplicationListPage.js

@@ -28,18 +28,13 @@ class ApplicationListPage extends BaseListPage {
     super(props);
   }
 
-  componentDidMount() {
-    this.setState({
-      organizationName: this.props.account.owner,
-    });
-  }
-
   newApplication() {
     const randomName = Setting.getRandomName();
+    const organizationName = Setting.getRequestOrganization(this.props.account);
     return {
       owner: "admin", // this.props.account.applicationName,
       name: `application_${randomName}`,
-      organization: this.state.organizationName,
+      organization: organizationName,
       createdTime: moment().format(),
       displayName: `New Application - ${randomName}`,
       logo: `${Setting.StaticBaseUrl}/img/casdoor-logo_1185x256.png`,
@@ -273,8 +268,8 @@ class ApplicationListPage extends BaseListPage {
     const field = params.searchedColumn, value = params.searchText;
     const sortField = params.sortField, sortOrder = params.sortOrder;
     this.setState({loading: true});
-    (Setting.isAdminUser(this.props.account) ? ApplicationBackend.getApplications("admin", params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder) :
-      ApplicationBackend.getApplicationsByOrganization("admin", this.props.account.organization.name, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder))
+    (Setting.isDefaultOrganizationSelected(this.props.account) ? ApplicationBackend.getApplications("admin", params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder) :
+      ApplicationBackend.getApplicationsByOrganization("admin", Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder))
       .then((res) => {
         this.setState({
           loading: false,

web/src/BaseListPage.js

@@ -17,6 +17,7 @@ import {Button, Input, Result, Space} from "antd";
 import {SearchOutlined} from "@ant-design/icons";
 import Highlighter from "react-highlight-words";
 import i18next from "i18next";
+import * as Setting from "./Setting";
 
 class BaseListPage extends React.Component {
   constructor(props) {
@@ -35,6 +36,22 @@ class BaseListPage extends React.Component {
     };
   }
 
+  handleOrganizationChange = () => {
+    const {pagination} = this.state;
+    this.fetch({pagination});
+  };
+
+  componentDidMount() {
+    window.addEventListener("storageOrganizationChanged", this.handleOrganizationChange);
+    if (!Setting.isAdminUser(this.props.account)) {
+      Setting.setOrganization("All");
+    }
+  }
+
+  componentWillUnmount() {
+    window.removeEventListener("storageOrganizationChanged", this.handleOrganizationChange);
+  }
+
   UNSAFE_componentWillMount() {
     const {pagination} = this.state;
     this.fetch({pagination});

web/src/CertListPage.js

@@ -28,6 +28,7 @@ class CertListPage extends BaseListPage {
   }
 
   componentDidMount() {
+    super.componentDidMount();
     this.setState({
       owner: Setting.isAdminUser(this.props.account) ? "admin" : this.props.account.owner,
     });
@@ -35,8 +36,9 @@ class CertListPage extends BaseListPage {
 
   newCert() {
     const randomName = Setting.getRandomName();
+    const owner = Setting.isDefaultOrganizationSelected(this.props.account) ? this.state.owner : Setting.getRequestOrganization(this.props.account);
     return {
-      owner: this.state.owner,
+      owner: owner,
       name: `cert_${randomName}`,
       createdTime: moment().format(),
       displayName: `New Cert - ${randomName}`,
@@ -236,8 +238,8 @@ class CertListPage extends BaseListPage {
       value = params.type;
     }
     this.setState({loading: true});
-    (Setting.isAdminUser(this.props.account) ? CertBackend.getGlobleCerts(params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
-      : CertBackend.getCerts(this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder))
+    (Setting.isDefaultOrganizationSelected(this.props.account) ? CertBackend.getGlobleCerts(params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+      : CertBackend.getCerts(Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder))
       .then((res) => {
         this.setState({
           loading: false,

web/src/ChatListPage.js

@@ -25,12 +25,13 @@ import PopconfirmModal from "./common/modal/PopconfirmModal";
 class ChatListPage extends BaseListPage {
   newChat() {
     const randomName = Setting.getRandomName();
+    const organizationName = Setting.getRequestOrganization(this.props.account);
     return {
       owner: "admin", // this.props.account.applicationName,
       name: `chat_${randomName}`,
       createdTime: moment().format(),
       updatedTime: moment().format(),
-      organization: this.props.account.owner,
+      organization: organizationName,
       displayName: `New Chat - ${randomName}`,
       type: "Single",
       category: "Chat Category - 1",

web/src/Conf.js

@@ -1,34 +1,34 @@
-// Copyright 2021 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-export const ShowGithubCorner = false;
-export const GithubRepo = "https://github.com/casdoor/casdoor";
-export const IsDemoMode = false;
-
-export const ForceLanguage = "";
-export const DefaultLanguage = "en";
-
-export const EnableExtraPages = true;
-
-export const EnableChatPages = true;
-
-export const InitThemeAlgorithm = true;
-export const ThemeDefault = {
-  themeType: "default",
-  colorPrimary: "#5734d3",
-  borderRadius: 6,
-  isCompact: false,
-};
-
-export const CustomFooter = null;
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+export const DefaultApplication = "app-built-in";
+
+export const ShowGithubCorner = false;
+export const IsDemoMode = false;
+
+export const ForceLanguage = "";
+export const DefaultLanguage = "en";
+
+export const EnableExtraPages = true;
+export const EnableChatPages = true;
+
+export const InitThemeAlgorithm = true;
+export const ThemeDefault = {
+  themeType: "default",
+  colorPrimary: "#5734d3",
+  borderRadius: 6,
+  isCompact: false,
+};
+
+export const CustomFooter = null;

web/src/GroupList.js

@@ -49,8 +49,9 @@ class GroupListPage extends BaseListPage {
 
   newGroup() {
     const randomName = Setting.getRandomName();
+    const owner = Setting.getRequestOrganization(this.props.account);
     return {
-      owner: this.props.account.owner,
+      owner: owner,
       name: `group_${randomName}`,
       createdTime: moment().format(),
       updatedTime: moment().format(),
@@ -251,7 +252,7 @@ class GroupListPage extends BaseListPage {
       value = params.type;
     }
     this.setState({loading: true});
-    GroupBackend.getGroups(this.state.owner, false, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    GroupBackend.getGroups(Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), false, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/MessageListPage.js

@@ -25,11 +25,12 @@ import PopconfirmModal from "./common/modal/PopconfirmModal";
 class MessageListPage extends BaseListPage {
   newMessage() {
     const randomName = Setting.getRandomName();
+    const organizationName = Setting.getRequestOrganization(this.props.account);
     return {
       owner: "admin", // this.props.account.messagename,
       name: `message_${randomName}`,
       createdTime: moment().format(),
-      organization: this.props.account.owner,
+      organization: organizationName,
       chat: "",
       replyTo: "",
       author: `${this.props.account.owner}/${this.props.account.name}`,
@@ -208,7 +209,7 @@ class MessageListPage extends BaseListPage {
       value = params.type;
     }
     this.setState({loading: true});
-    MessageBackend.getMessages("admin", Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    MessageBackend.getMessages("admin", Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/ModelListPage.js

@@ -40,8 +40,9 @@ m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act`;
 class ModelListPage extends BaseListPage {
   newModel() {
     const randomName = Setting.getRandomName();
+    const owner = Setting.getRequestOrganization(this.props.account);
     return {
-      owner: this.props.account.owner,
+      owner: owner,
       name: `model_${randomName}`,
       createdTime: moment().format(),
       displayName: `New Model - ${randomName}`,
@@ -202,7 +203,7 @@ class ModelListPage extends BaseListPage {
       value = params.type;
     }
     this.setState({loading: true});
-    ModelBackend.getModels(Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    ModelBackend.getModels(Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/OrganizationEditPage.js

@@ -427,6 +427,7 @@ class OrganizationEditPage extends React.Component {
           this.setState({
             organizationName: this.state.organization.name,
           });
+          window.dispatchEvent(new Event("storageOrganizationsChanged"));
 
           if (willExist) {
             this.props.history.push("/organizations");
@@ -448,6 +449,7 @@ class OrganizationEditPage extends React.Component {
       .then((res) => {
         if (res.status === "ok") {
           this.props.history.push("/organizations");
+          window.dispatchEvent(new Event("storageOrganizationsChanged"));
         } else {
           Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
         }

web/src/OrganizationListPage.js

@@ -35,7 +35,7 @@ class OrganizationListPage extends BaseListPage {
       passwordType: "plain",
       PasswordSalt: "",
       passwordOptions: [],
-      countryCodes: ["CN"],
+      countryCodes: ["US"],
       defaultAvatar: `${Setting.StaticBaseUrl}/img/casbin.svg`,
       defaultApplication: "",
       tags: [],
@@ -53,25 +53,40 @@ class OrganizationListPage extends BaseListPage {
         {name: "Password", visible: true, viewRule: "Self", modifyRule: "Self"},
         {name: "Email", visible: true, viewRule: "Public", modifyRule: "Self"},
         {name: "Phone", visible: true, viewRule: "Public", modifyRule: "Self"},
+        {name: "Country code", visible: true, viewRule: "Public", modifyRule: "Self"},
         {name: "Country/Region", visible: true, viewRule: "Public", modifyRule: "Self"},
         {name: "Location", visible: true, viewRule: "Public", modifyRule: "Self"},
+        {name: "Address", visible: true, viewRule: "Public", modifyRule: "Self"},
         {name: "Affiliation", visible: true, viewRule: "Public", modifyRule: "Self"},
         {name: "Title", visible: true, viewRule: "Public", modifyRule: "Self"},
+        {name: "ID card type", visible: true, viewRule: "Public", modifyRule: "Self"},
+        {name: "ID card", visible: true, viewRule: "Public", modifyRule: "Self"},
+        {name: "ID card info", visible: true, viewRule: "Public", modifyRule: "Self"},
         {name: "Homepage", visible: true, viewRule: "Public", modifyRule: "Self"},
         {name: "Bio", visible: true, viewRule: "Public", modifyRule: "Self"},
         {name: "Tag", visible: true, viewRule: "Public", modifyRule: "Admin"},
+        {name: "Language", visible: true, viewRule: "Public", modifyRule: "Admin"},
+        {name: "Gender", visible: true, viewRule: "Public", modifyRule: "Admin"},
+        {name: "Birthday", visible: true, viewRule: "Public", modifyRule: "Admin"},
+        {name: "Education", visible: true, viewRule: "Public", modifyRule: "Admin"},
+        {name: "Score", visible: true, viewRule: "Public", modifyRule: "Admin"},
+        {name: "Karma", visible: true, viewRule: "Public", modifyRule: "Admin"},
+        {name: "Ranking", visible: true, viewRule: "Public", modifyRule: "Admin"},
         {name: "Signup application", visible: true, viewRule: "Public", modifyRule: "Admin"},
-        {name: "API key", label: i18next.t("general:API key")},
+        {name: "API key", label: i18next.t("general:API key"), modifyRule: "Self"},
+        {name: "Groups", visible: true, viewRule: "Public", modifyRule: "Immutable"},
         {name: "Roles", visible: true, viewRule: "Public", modifyRule: "Immutable"},
         {name: "Permissions", visible: true, viewRule: "Public", modifyRule: "Immutable"},
-        {name: "Groups", visible: true, viewRule: "Public", modifyRule: "Immutable"},
         {name: "3rd-party logins", visible: true, viewRule: "Self", modifyRule: "Self"},
-        {Name: "Multi-factor authentication", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
         {name: "Properties", visible: false, viewRule: "Admin", modifyRule: "Admin"},
+        {name: "Is online", visible: true, viewRule: "Admin", modifyRule: "Admin"},
         {name: "Is admin", visible: true, viewRule: "Admin", modifyRule: "Admin"},
         {name: "Is global admin", visible: true, viewRule: "Admin", modifyRule: "Admin"},
         {name: "Is forbidden", visible: true, viewRule: "Admin", modifyRule: "Admin"},
         {name: "Is deleted", visible: true, viewRule: "Admin", modifyRule: "Admin"},
+        {Name: "Multi-factor authentication", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
+        {Name: "WebAuthn credentials", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
+        {Name: "Managed accounts", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
       ],
     };
   }
@@ -83,6 +98,7 @@ class OrganizationListPage extends BaseListPage {
         if (res.status === "ok") {
           this.props.history.push({pathname: `/organizations/${newOrganization.name}`, mode: "add"});
           Setting.showMessage("success", i18next.t("general:Successfully added"));
+          window.dispatchEvent(new Event("storageOrganizationsChanged"));
         } else {
           Setting.showMessage("error", `${i18next.t("general:Failed to add")}: ${res.msg}`);
         }
@@ -99,8 +115,11 @@ class OrganizationListPage extends BaseListPage {
           Setting.showMessage("success", i18next.t("general:Successfully deleted"));
           this.setState({
             data: Setting.deleteRow(this.state.data, i),
-            pagination: {total: this.state.pagination.total - 1},
+            pagination: {
+              ...this.state.pagination,
+              total: this.state.pagination.total - 1},
           });
+          window.dispatchEvent(new Event("storageOrganizationsChanged"));
         } else {
           Setting.showMessage("error", `${i18next.t("general:Failed to delete")}: ${res.msg}`);
         }
@@ -275,7 +294,7 @@ class OrganizationListPage extends BaseListPage {
       value = params.passwordType;
     }
     this.setState({loading: true});
-    OrganizationBackend.getOrganizations("admin", params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    OrganizationBackend.getOrganizations("admin", Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/PaymentListPage.js

@@ -26,6 +26,7 @@ import PopconfirmModal from "./common/modal/PopconfirmModal";
 class PaymentListPage extends BaseListPage {
   newPayment() {
     const randomName = Setting.getRandomName();
+    const organizationName = Setting.getRequestOrganization(this.props.account);
     return {
       owner: "admin",
       name: `payment_${randomName}`,
@@ -33,7 +34,7 @@ class PaymentListPage extends BaseListPage {
       displayName: `New Payment - ${randomName}`,
       provider: "provider_pay_paypal",
       type: "PayPal",
-      organization: this.props.account.owner,
+      organization: organizationName,
       user: "admin",
       productName: "computer-1",
       productDisplayName: "A notebook computer",
@@ -265,7 +266,7 @@ class PaymentListPage extends BaseListPage {
       value = params.type;
     }
     this.setState({loading: true});
-    PaymentBackend.getPayments("admin", Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    PaymentBackend.getPayments("admin", Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/PermissionListPage.js

@@ -26,8 +26,9 @@ import {UploadOutlined} from "@ant-design/icons";
 class PermissionListPage extends BaseListPage {
   newPermission() {
     const randomName = Setting.getRandomName();
+    const owner = Setting.getRequestOrganization(this.props.account);
     return {
-      owner: this.props.account.owner,
+      owner: owner,
       name: `permission_${randomName}`,
       createdTime: moment().format(),
       displayName: `New Permission - ${randomName}`,
@@ -383,7 +384,7 @@ class PermissionListPage extends BaseListPage {
     this.setState({loading: true});
 
     const getPermissions = Setting.isLocalAdminUser(this.props.account) ? PermissionBackend.getPermissions : PermissionBackend.getPermissionsBySubmitter;
-    getPermissions(Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    getPermissions(Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/PlanListPage.js

@@ -25,8 +25,7 @@ import PopconfirmModal from "./common/modal/PopconfirmModal";
 class PlanListPage extends BaseListPage {
   newPlan() {
     const randomName = Setting.getRandomName();
-    const owner = (this.state.organizationName !== undefined) ? this.state.organizationName : this.props.account.owner;
-
+    const owner = Setting.getRequestOrganization(this.props.account);
     return {
       owner: owner,
       name: `plan_${randomName}`,
@@ -219,7 +218,7 @@ class PlanListPage extends BaseListPage {
       value = params.type;
     }
     this.setState({loading: true});
-    PlanBackend.getPlans(Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    PlanBackend.getPlans(Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/PricingListPage.js

@@ -25,8 +25,7 @@ import PopconfirmModal from "./common/modal/PopconfirmModal";
 class PricingListPage extends BaseListPage {
   newPricing() {
     const randomName = Setting.getRandomName();
-    const owner = (this.state.organizationName !== undefined) ? this.state.organizationName : this.props.account.owner;
-
+    const owner = Setting.getRequestOrganization(this.props.account);
     return {
       owner: owner,
       name: `pricing_${randomName}`,
@@ -188,7 +187,7 @@ class PricingListPage extends BaseListPage {
       value = params.type;
     }
     this.setState({loading: true});
-    PricingBackend.getPricings(Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    PricingBackend.getPricings(Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/ProductEditPage.js

@@ -20,6 +20,7 @@ import i18next from "i18next";
 import {LinkOutlined} from "@ant-design/icons";
 import * as ProviderBackend from "./backend/ProviderBackend";
 import ProductBuyPage from "./ProductBuyPage";
+import * as OrganizationBackend from "./backend/OrganizationBackend";
 
 const {Option} = Select;
 
@@ -39,11 +40,12 @@ class ProductEditPage extends React.Component {
 
   UNSAFE_componentWillMount() {
     this.getProduct();
+    this.getOrganizations();
     this.getPaymentProviders();
   }
 
   getProduct() {
-    ProductBackend.getProduct(this.props.account.owner, this.state.productName)
+    ProductBackend.getProduct(this.state.organizationName, this.state.productName)
       .then((product) => {
         if (product === null) {
           this.props.history.push("/404");
@@ -56,6 +58,15 @@ class ProductEditPage extends React.Component {
       });
   }
 
+  getOrganizations() {
+    OrganizationBackend.getOrganizations("admin")
+      .then((res) => {
+        this.setState({
+          organizations: (res.msg === undefined) ? res : [],
+        });
+      });
+  }
+
   getPaymentProviders() {
     ProviderBackend.getProviders(this.props.account.owner)
       .then((res) => {
@@ -312,7 +323,7 @@ class ProductEditPage extends React.Component {
           if (willExist) {
             this.props.history.push("/products");
           } else {
-            this.props.history.push(`/products/${this.state.product.name}`);
+            this.props.history.push(`/products/${this.state.product.owner}/${this.state.product.name}`);
           }
         } else {
           Setting.showMessage("error", `${i18next.t("general:Failed to save")}: ${res.msg}`);

web/src/ProductListPage.js

@@ -26,8 +26,9 @@ import PopconfirmModal from "./common/modal/PopconfirmModal";
 class ProductListPage extends BaseListPage {
   newProduct() {
     const randomName = Setting.getRandomName();
+    const owner = Setting.getRequestOrganization(this.props.account);
     return {
-      owner: this.props.account.owner,
+      owner: owner,
       name: `product_${randomName}`,
       createdTime: moment().format(),
       displayName: `New Product - ${randomName}`,
@@ -47,7 +48,7 @@ class ProductListPage extends BaseListPage {
     ProductBackend.addProduct(newProduct)
       .then((res) => {
         if (res.status === "ok") {
-          this.props.history.push({pathname: `/products/${newProduct.name}`, mode: "add"});
+          this.props.history.push({pathname: `/products/${newProduct.owner}/${newProduct.name}`, mode: "add"});
           Setting.showMessage("success", i18next.t("general:Successfully added"));
         } else {
           Setting.showMessage("error", `${i18next.t("general:Failed to add")}: ${res.msg}`);
@@ -88,7 +89,7 @@ class ProductListPage extends BaseListPage {
         ...this.getColumnSearchProps("name"),
         render: (text, record, index) => {
           return (
-            <Link to={`/products/${text}`}>
+            <Link to={`/products/${record.owner}/${text}`}>
               {text}
             </Link>
           );
@@ -201,7 +202,7 @@ class ProductListPage extends BaseListPage {
                 size="small"
                 locale={{emptyText: " "}}
                 dataSource={providers}
-                renderItem={(providerName, i) => {
+                renderItem={(providerName, record, i) => {
                   return (
                     <List.Item>
                       <div style={{display: "inline"}}>
@@ -247,7 +248,7 @@ class ProductListPage extends BaseListPage {
           return (
             <div>
               <Button style={{marginTop: "10px", marginBottom: "10px", marginRight: "10px"}} onClick={() => this.props.history.push(`/products/${record.name}/buy`)}>{i18next.t("product:Buy")}</Button>
-              <Button style={{marginTop: "10px", marginBottom: "10px", marginRight: "10px"}} type="primary" onClick={() => this.props.history.push(`/products/${record.name}`)}>{i18next.t("general:Edit")}</Button>
+              <Button style={{marginTop: "10px", marginBottom: "10px", marginRight: "10px"}} type="primary" onClick={() => this.props.history.push(`/products/${record.owner}/${record.name}`)}>{i18next.t("general:Edit")}</Button>
               <PopconfirmModal
                 title={i18next.t("general:Sure to delete") + `: ${record.name} ?`}
                 onConfirm={() => this.deleteProduct(index)}
@@ -268,7 +269,7 @@ class ProductListPage extends BaseListPage {
 
     return (
       <div>
-        <Table scroll={{x: "max-content"}} columns={columns} dataSource={products} rowKey="name" size="middle" bordered pagination={paginationProps}
+        <Table scroll={{x: "max-content"}} columns={columns} dataSource={products} rowKey={(record) => `${record.owner}/${record.name}`} size="middle" bordered pagination={paginationProps}
           title={() => (
             <div>
               {i18next.t("general:Products")}&nbsp;&nbsp;&nbsp;&nbsp;
@@ -290,7 +291,7 @@ class ProductListPage extends BaseListPage {
       value = params.type;
     }
     this.setState({loading: true});
-    ProductBackend.getProducts(Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    ProductBackend.getProducts(Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/ProviderEditPage.js

@@ -56,8 +56,10 @@ class ProviderEditPage extends React.Component {
         }
 
         if (res.status === "ok") {
+          const provider = res.data;
+          provider.userMapping = provider.userMapping || {};
           this.setState({
-            provider: res.data,
+            provider: provider,
           });
         } else {
           Setting.showMessage("error", res.msg);
@@ -93,6 +95,40 @@ class ProviderEditPage extends React.Component {
     });
   }
 
+  updateUserMappingField(key, value) {
+    const provider = this.state.provider;
+    provider.userMapping[key] = value;
+    this.setState({
+      provider: provider,
+    });
+  }
+
+  renderUserMappingInput() {
+    return (
+      <React.Fragment>
+        {Setting.getLabel(i18next.t("general:ID"), i18next.t("general:ID - Tooltip"))} :
+        <Input value={this.state.provider.userMapping.id} onChange={e => {
+          this.updateUserMappingField("id", e.target.value);
+        }} />
+        {Setting.getLabel(i18next.t("signup:Username"), i18next.t("signup:Username - Tooltip"))} :
+        <Input value={this.state.provider.userMapping.username} onChange={e => {
+          this.updateUserMappingField("username", e.target.value);
+        }} />
+        {Setting.getLabel(i18next.t("general:Display name"), i18next.t("general:Display name - Tooltip"))} :
+        <Input value={this.state.provider.userMapping.displayName} onChange={e => {
+          this.updateUserMappingField("displayName", e.target.value);
+        }} />
+        {Setting.getLabel(i18next.t("general:Email"), i18next.t("general:Email - Tooltip"))} :
+        <Input value={this.state.provider.userMapping.email} onChange={e => {
+          this.updateUserMappingField("email", e.target.value);
+        }} />
+        {Setting.getLabel(i18next.t("general:Avatar"), i18next.t("general:Avatar - Tooltip"))} :
+        <Input value={this.state.provider.userMapping.avatarUrl} onChange={e => {
+          this.updateUserMappingField("avatarUrl", e.target.value);
+        }} />
+      </React.Fragment>
+    );
+  }
   getClientIdLabel(provider) {
     switch (provider.category) {
     case "Email":
@@ -350,7 +386,7 @@ class ProviderEditPage extends React.Component {
               }
               if (value === "Custom") {
                 this.updateProviderField("customAuthUrl", "https://door.casdoor.com/login/oauth/authorize");
-                this.updateProviderField("customScope", "openid profile email");
+                this.updateProviderField("scopes", "openid profile email");
                 this.updateProviderField("customTokenUrl", "https://door.casdoor.com/api/login/oauth/access_token");
                 this.updateProviderField("customUserInfoUrl", "https://door.casdoor.com/api/userinfo");
               }
@@ -416,16 +452,6 @@ class ProviderEditPage extends React.Component {
                   }} />
                 </Col>
               </Row>
-              <Row style={{marginTop: "20px"}} >
-                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-                  {Setting.getLabel(i18next.t("provider:Scope"), i18next.t("provider:Scope - Tooltip"))}
-                </Col>
-                <Col span={22} >
-                  <Input value={this.state.provider.customScope} onChange={e => {
-                    this.updateProviderField("customScope", e.target.value);
-                  }} />
-                </Col>
-              </Row>
               <Row style={{marginTop: "20px"}} >
                 <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
                   {Setting.getLabel(i18next.t("provider:Token URL"), i18next.t("provider:Token URL - Tooltip"))}
@@ -436,6 +462,16 @@ class ProviderEditPage extends React.Component {
                   }} />
                 </Col>
               </Row>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                  {Setting.getLabel(i18next.t("provider:Scope"), i18next.t("provider:Scope - Tooltip"))}
+                </Col>
+                <Col span={22} >
+                  <Input value={this.state.provider.scopes} onChange={e => {
+                    this.updateProviderField("scopes", e.target.value);
+                  }} />
+                </Col>
+              </Row>
               <Row style={{marginTop: "20px"}} >
                 <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
                   {Setting.getLabel(i18next.t("provider:UserInfo URL"), i18next.t("provider:UserInfo URL - Tooltip"))}
@@ -446,6 +482,14 @@ class ProviderEditPage extends React.Component {
                   }} />
                 </Col>
               </Row>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                  {Setting.getLabel(i18next.t("provider:User mapping"), i18next.t("provider:User mapping - Tooltip"))} :
+                </Col>
+                <Col span={22} >
+                  {this.renderUserMappingInput()}
+                </Col>
+              </Row>
               <Row style={{marginTop: "20px"}} >
                 <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
                   {Setting.getLabel(i18next.t("general:Favicon"), i18next.t("general:Favicon - Tooltip"))} :

web/src/ProviderListPage.js

@@ -29,6 +29,7 @@ class ProviderListPage extends BaseListPage {
   }
 
   componentDidMount() {
+    super.componentDidMount();
     this.setState({
       owner: Setting.isAdminUser(this.props.account) ? "admin" : this.props.account.owner,
     });
@@ -36,8 +37,9 @@ class ProviderListPage extends BaseListPage {
 
   newProvider() {
     const randomName = Setting.getRandomName();
+    const owner = Setting.isDefaultOrganizationSelected(this.props.account) ? this.state.owner : Setting.getRequestOrganization();
     return {
-      owner: this.state.owner,
+      owner: owner,
       name: `provider_${randomName}`,
       createdTime: moment().format(),
       displayName: `New Provider - ${randomName}`,
@@ -256,8 +258,8 @@ class ProviderListPage extends BaseListPage {
       value = params.type;
     }
     this.setState({loading: true});
-    (Setting.isAdminUser(this.props.account) ? ProviderBackend.getGlobalProviders(params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
-      : ProviderBackend.getProviders(this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder))
+    (Setting.isDefaultOrganizationSelected(this.props.account) ? ProviderBackend.getGlobalProviders(params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+      : ProviderBackend.getProviders(Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder))
       .then((res) => {
         this.setState({
           loading: false,

web/src/RecordListPage.js

@@ -209,7 +209,7 @@ class RecordListPage extends BaseListPage {
       value = params.method;
     }
     this.setState({loading: true});
-    RecordBackend.getRecords(params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    RecordBackend.getRecords(Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/ResourceListPage.js

@@ -309,7 +309,7 @@ class ResourceListPage extends BaseListPage {
     const field = params.searchedColumn, value = params.searchText;
     const sortField = params.sortField, sortOrder = params.sortOrder;
     this.setState({loading: true});
-    ResourceBackend.getResources(Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, this.props.account.name, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    ResourceBackend.getResources(Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), this.props.account.name, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/RoleListPage.js

@@ -26,8 +26,9 @@ import {UploadOutlined} from "@ant-design/icons";
 class RoleListPage extends BaseListPage {
   newRole() {
     const randomName = Setting.getRandomName();
+    const owner = Setting.getRequestOrganization(this.props.account);
     return {
-      owner: this.props.account.owner,
+      owner: owner,
       name: `role_${randomName}`,
       createdTime: moment().format(),
       displayName: `New Role - ${randomName}`,
@@ -258,7 +259,7 @@ class RoleListPage extends BaseListPage {
       value = params.type;
     }
     this.setState({loading: true});
-    RoleBackend.getRoles(Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    RoleBackend.getRoles(Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/SessionListPage.js

@@ -22,7 +22,6 @@ import * as SessionBackend from "./backend/SessionBackend";
 import PopconfirmModal from "./common/modal/PopconfirmModal";
 
 class SessionListPage extends BaseListPage {
-
   deleteSession(i) {
     SessionBackend.deleteSession(this.state.data[i])
       .then((res) => {
@@ -134,7 +133,7 @@ class SessionListPage extends BaseListPage {
       value = params.contentType;
     }
     this.setState({loading: true});
-    SessionBackend.getSessions(Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    SessionBackend.getSessions(Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/Setting.js

@@ -34,10 +34,10 @@ export const ServerUrl = "";
 export const StaticBaseUrl = "https://cdn.casbin.org";
 
 export const Countries = [{label: "English", key: "en", country: "US", alt: "English"},
-  {label: "中文", key: "zh", country: "CN", alt: "中文"},
   {label: "Español", key: "es", country: "ES", alt: "Español"},
   {label: "Français", key: "fr", country: "FR", alt: "Français"},
   {label: "Deutsch", key: "de", country: "DE", alt: "Deutsch"},
+  {label: "中文", key: "zh", country: "CN", alt: "中文"},
   {label: "Indonesia", key: "id", country: "ID", alt: "Indonesia"},
   {label: "日本語", key: "ja", country: "JP", alt: "日本語"},
   {label: "한국어", key: "ko", country: "KR", alt: "한국어"},
@@ -482,6 +482,26 @@ export function isPromptAnswered(user, application) {
   return true;
 }
 
+export const MfaRuleRequired = "Required";
+export const MfaRulePrompted = "Prompted";
+export const MfaRuleOptional = "Optional";
+
+export function isRequiredEnableMfa(user, organization) {
+  if (!user || !organization || !organization.mfaItems) {
+    return false;
+  }
+  return getMfaItemsByRules(user, organization, [MfaRuleRequired]).length > 0;
+}
+
+export function getMfaItemsByRules(user, organization, mfaRules = []) {
+  if (!user || !organization || !organization.mfaItems) {
+    return [];
+  }
+
+  return organization.mfaItems.filter((mfaItem) => mfaRules.includes(mfaItem.rule))
+    .filter((mfaItem) => user.multiFactorAuths.some((mfa) => mfa.mfaType === mfaItem.name && !mfa.enabled));
+}
+
 export function parseObject(s) {
   try {
     return eval("(" + s + ")");
@@ -1164,3 +1184,27 @@ export function inIframe() {
     return true;
   }
 }
+
+export function getOrganization() {
+  const organization = localStorage.getItem("organization");
+  return organization !== null ? organization : "All";
+}
+
+export function setOrganization(organization) {
+  localStorage.setItem("organization", organization);
+  window.dispatchEvent(new Event("storageOrganizationChanged"));
+}
+
+export function getRequestOrganization(account) {
+  if (isAdminUser(account)) {
+    return getOrganization() === "All" ? account.owner : getOrganization();
+  }
+  return account.owner;
+}
+
+export function isDefaultOrganizationSelected(account) {
+  if (isAdminUser(account)) {
+    return getOrganization() === "All";
+  }
+  return false;
+}

web/src/SubscriptionListPage.js

@@ -25,7 +25,7 @@ import PopconfirmModal from "./common/modal/PopconfirmModal";
 class SubscriptionListPage extends BaseListPage {
   newSubscription() {
     const randomName = Setting.getRandomName();
-    const owner = (this.state.organizationName !== undefined) ? this.state.organizationName : this.props.account.owner;
+    const owner = Setting.getRequestOrganization(this.props.account);
     const defaultDuration = 365;
 
     return {
@@ -237,7 +237,7 @@ class SubscriptionListPage extends BaseListPage {
       value = params.type;
     }
     this.setState({loading: true});
-    SubscriptionBackend.getSubscriptions(Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    SubscriptionBackend.getSubscriptions(Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/SyncerListPage.js

@@ -25,11 +25,12 @@ import PopconfirmModal from "./common/modal/PopconfirmModal";
 class SyncerListPage extends BaseListPage {
   newSyncer() {
     const randomName = Setting.getRandomName();
+    const organizationName = Setting.getRequestOrganization(this.props.account);
     return {
       owner: "admin",
       name: `syncer_${randomName}`,
       createdTime: moment().format(),
-      organization: this.props.account.owner,
+      organization: organizationName,
       type: "Database",
       host: "localhost",
       port: 3306,
@@ -276,7 +277,7 @@ class SyncerListPage extends BaseListPage {
       value = params.type;
     }
     this.setState({loading: true});
-    SyncerBackend.getSyncers("admin", Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    SyncerBackend.getSyncers("admin", Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/TokenListPage.js

@@ -25,12 +25,13 @@ import PopconfirmModal from "./common/modal/PopconfirmModal";
 class TokenListPage extends BaseListPage {
   newToken() {
     const randomName = Setting.getRandomName();
+    const organizationName = Setting.getRequestOrganization(this.props.account);
     return {
       owner: "admin", // this.props.account.tokenname,
       name: `token_${randomName}`,
       createdTime: moment().format(),
       application: "app-built-in",
-      organization: this.props.account.owner,
+      organization: organizationName,
       user: "admin",
       accessToken: "",
       expiresIn: 7200,
@@ -240,7 +241,7 @@ class TokenListPage extends BaseListPage {
     const field = params.searchedColumn, value = params.searchText;
     const sortField = params.sortField, sortOrder = params.sortOrder;
     this.setState({loading: true});
-    TokenBackend.getTokens("admin", Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    TokenBackend.getTokens("admin", Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/UserEditPage.js

@@ -14,6 +14,7 @@
 
 import React from "react";
 import {Button, Card, Col, Input, InputNumber, List, Result, Row, Select, Space, Spin, Switch, Tag} from "antd";
+import {withRouter} from "react-router-dom";
 import * as GroupBackend from "./backend/GroupBackend";
 import * as UserBackend from "./backend/UserBackend";
 import * as OrganizationBackend from "./backend/OrganizationBackend";
@@ -53,6 +54,7 @@ class UserEditPage extends React.Component {
       mode: props.location.mode !== undefined ? props.location.mode : "edit",
       loading: true,
       returnUrl: null,
+      idCardInfo: ["ID card front", "ID card back", "ID card with person"],
     };
   }
 
@@ -269,6 +271,12 @@ class UserEditPage extends React.Component {
       }
     }
 
+    if (accountItem.name === "ID card info" || accountItem.name === "ID card") {
+      if (this.state.user.properties?.isIdCardVerified === "true") {
+        disabled = true;
+      }
+    }
+
     let isKeysGenerated = false;
     if (this.state.user.accessKey !== "" && this.state.user.accessKey !== "") {
       isKeysGenerated = true;
@@ -365,20 +373,11 @@ class UserEditPage extends React.Component {
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
             {Setting.getLabel(i18next.t("general:Avatar"), i18next.t("general:Avatar - Tooltip"))} :
           </Col>
-          <Col span={22} >
-            <Row style={{marginTop: "20px"}} >
-              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-                {i18next.t("general:Preview")}:
-              </Col>
-              <Col span={22} >
-                <a target="_blank" rel="noreferrer" href={this.state.user.avatar}>
-                  <img src={this.state.user.avatar} alt={this.state.user.avatar} height={90} style={{marginBottom: "20px"}} />
-                </a>
-              </Col>
-            </Row>
-            <Row style={{marginTop: "20px"}}>
-              <CropperDivModal buttonText={`${i18next.t("user:Upload a photo")}...`} title={i18next.t("user:Upload a photo")} user={this.state.user} organization={this.state.organizations.find(organization => organization.name === this.state.organizationName)} />
-            </Row>
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {i18next.t("general:Preview")}:
+          </Col>
+          <Col>
+            {this.renderImage(this.state.user.avatar, i18next.t("user:Upload a photo"), i18next.t("user:Set new profile picture"), "avatar", false)}
           </Col>
         </Row>
       );
@@ -536,12 +535,36 @@ class UserEditPage extends React.Component {
             {Setting.getLabel(i18next.t("user:ID card"), i18next.t("user:ID card - Tooltip"))} :
           </Col>
           <Col span={22} >
-            <Input value={this.state.user.idCard} onChange={e => {
+            <Input value={this.state.user.idCard} disabled={disabled} onChange={e => {
               this.updateUserField("idCard", e.target.value);
             }} />
           </Col>
         </Row>
       );
+    } else if (accountItem.name === "ID card info") {
+      return (
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("user:ID card info"), i18next.t("user:ID card info - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Row style={{marginTop: "20px"}} >
+              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                {i18next.t("general:Preview")}:
+              </Col>
+              {
+                [
+                  {name: "ID card front", value: "idCardFront"},
+                  {name: "ID card back", value: "idCardBack"},
+                  {name: "ID card with person", value: "idCardWithPerson"},
+                ].map((entry) => {
+                  return this.renderImage(this.state.user.properties[entry.value] || "", this.getIdCardType(entry.name), this.getIdCardText(entry.name), entry.value, disabled);
+                })
+              }
+            </Row>
+          </Col>
+        </Row>
+      );
     } else if (accountItem.name === "Homepage") {
       return (
         <Row style={{marginTop: "20px"}} >
@@ -900,7 +923,7 @@ class UserEditPage extends React.Component {
                           }
                         </Space>
                       ) : <Button type={"default"} onClick={() => {
-                        Setting.goToLink(`/mfa-authentication/setup?mfaType=${item.mfaType}`);
+                        this.props.history.push(`/mfa/setup?mfaType=${item.mfaType}`);
                       }}>
                         {i18next.t("mfa:Setup")}
                       </Button>}
@@ -942,6 +965,25 @@ class UserEditPage extends React.Component {
     }
   }
 
+  renderImage(imgUrl, title, set, tag, disabled) {
+    return (
+      <Col span={4} style={{textAlign: "center", margin: "auto"}} key={tag}>
+        {
+          imgUrl ?
+            <a target="_blank" rel="noreferrer" href={imgUrl} style={{marginBottom: "10px"}}>
+              <img src={imgUrl} alt={imgUrl} height={90} style={{marginBottom: "20px"}} />
+            </a>
+            :
+            <Col style={{height: "78%", border: "1px dotted grey", borderRadius: 3, marginBottom: 5}}>
+              <div style={{fontSize: 30, margin: 10}}>+</div>
+              <div style={{verticalAlign: "middle", marginBottom: 10}}>{`请上传${title}...`}</div>
+            </Col>
+        }
+        <CropperDivModal disabled={disabled} tag={tag} setTitle={set} buttonText={`${title}...`} title={title} user={this.state.user} organization={this.state.organizations.find(organization => organization.name === this.state.organizationName)} />
+      </Col>
+    );
+  }
+
   renderUser() {
     return (
       <Card size="small" title={
@@ -967,6 +1009,30 @@ class UserEditPage extends React.Component {
     );
   }
 
+  getIdCardType(key) {
+    if (key === "ID card front") {
+      return i18next.t("user:ID card front");
+    } else if (key === "ID card back") {
+      return i18next.t("user:ID card back");
+    } else if (key === "ID card with person") {
+      return i18next.t("user:ID card with person");
+    } else {
+      return "Unknown Id card name: " + key;
+    }
+  }
+
+  getIdCardText(key) {
+    if (key === "ID card front") {
+      return i18next.t("user:Upload ID card front picture");
+    } else if (key === "ID card back") {
+      return i18next.t("user:Upload ID card back picture");
+    } else if (key === "ID card with person") {
+      return i18next.t("user:Upload ID card with person picture");
+    } else {
+      return "Unknown Id card name: " + key;
+    }
+  }
+
   submitUserEdit(needExit) {
     const user = Setting.deepCopy(this.state.user);
     UserBackend.updateUser(this.state.organizationName, this.state.userName, user)
@@ -1053,4 +1119,4 @@ class UserEditPage extends React.Component {
   }
 }
 
-export default UserEditPage;
+export default withRouter(UserEditPage);

web/src/UserListPage.js

@@ -61,7 +61,7 @@ class UserListPage extends BaseListPage {
 
   newUser() {
     const randomName = Setting.getRandomName();
-    const owner = this.state.organizationName;
+    const owner = Setting.isDefaultOrganizationSelected(this.props.account) ? this.state.organizationName : Setting.getRequestOrganization(this.props.account);
     return {
       owner: owner,
       name: `user_${randomName}`,
@@ -456,7 +456,7 @@ class UserListPage extends BaseListPage {
     const sortField = params.sortField, sortOrder = params.sortOrder;
     this.setState({loading: true});
     if (this.props.match?.path === "/users") {
-      (Setting.isAdminUser(this.props.account) ? UserBackend.getGlobalUsers(params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder) : UserBackend.getUsers(this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder))
+      (Setting.isDefaultOrganizationSelected(this.props.account) ? UserBackend.getGlobalUsers(params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder) : UserBackend.getUsers(Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder))
         .then((res) => {
           this.setState({
             loading: false,

web/src/WebhookListPage.js

@@ -25,11 +25,12 @@ import PopconfirmModal from "./common/modal/PopconfirmModal";
 class WebhookListPage extends BaseListPage {
   newWebhook() {
     const randomName = Setting.getRandomName();
+    const organizationName = Setting.getRequestOrganization(this.props.account);
     return {
       owner: "admin", // this.props.account.webhookname,
       name: `webhook_${randomName}`,
       createdTime: moment().format(),
-      organization: this.props.account.owner,
+      organization: organizationName,
       url: "https://example.com/callback",
       method: "POST",
       contentType: "application/json",
@@ -240,7 +241,7 @@ class WebhookListPage extends BaseListPage {
       value = params.contentType;
     }
     this.setState({loading: true});
-    WebhookBackend.getWebhooks("admin", Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    WebhookBackend.getWebhooks("admin", Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account), params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         this.setState({
           loading: false,

web/src/auth/LoginPage.js

@@ -15,6 +15,7 @@
 import React from "react";
 import {Button, Checkbox, Col, Form, Input, Result, Row, Spin, Tabs} from "antd";
 import {ArrowLeftOutlined, LockOutlined, UserOutlined} from "@ant-design/icons";
+import {withRouter} from "react-router-dom";
 import * as UserWebauthnBackend from "../backend/UserWebauthnBackend";
 import OrganizationSelect from "../common/select/OrganizationSelect";
 import * as Conf from "../Conf";
@@ -34,7 +35,7 @@ import LanguageSelect from "../common/select/LanguageSelect";
 import {CaptchaModal} from "../common/modal/CaptchaModal";
 import {CaptchaRule} from "../common/modal/CaptchaModal";
 import RedirectForm from "../common/RedirectForm";
-import {MfaAuthVerifyForm, NextMfa, RequiredMfa} from "./MfaAuthVerifyForm";
+import {MfaAuthVerifyForm, NextMfa, RequiredMfa} from "./mfa/MfaAuthVerifyForm";
 
 class LoginPage extends React.Component {
   constructor(props) {
@@ -179,6 +180,8 @@ class LoginPage extends React.Component {
           } else {
             this.onUpdateApplication(null);
             Setting.showMessage("error", res.msg);
+
+            this.props.history.push("/404");
           }
         });
     }
@@ -189,13 +192,13 @@ class LoginPage extends React.Component {
   }
 
   getDefaultLoginMethod(application) {
-    if (application.enablePassword) {
+    if (application?.enablePassword) {
       return "password";
     }
-    if (application.enableCodeSignin) {
+    if (application?.enableCodeSignin) {
       return "verificationCode";
     }
-    if (application.enableWebAuthn) {
+    if (application?.enableWebAuthn) {
       return "webAuthn";
     }
 
@@ -252,8 +255,13 @@ class LoginPage extends React.Component {
     const code = resp.data;
     const concatChar = oAuthParams?.redirectUri?.includes("?") ? "&" : "?";
     const noRedirect = oAuthParams.noRedirect;
+    const redirectUrl = `${oAuthParams.redirectUri}${concatChar}code=${code}&state=${oAuthParams.state}`;
+    if (resp.data === RequiredMfa) {
+      this.props.onLoginSuccess(window.location.href);
+      return;
+    }
 
-    if (Setting.hasPromptPage(application) || resp.msg === RequiredMfa) {
+    if (Setting.hasPromptPage(application)) {
       AuthBackend.getAccount()
         .then((res) => {
           if (res.status === "ok") {
@@ -261,13 +269,8 @@ class LoginPage extends React.Component {
             account.organization = res.data2;
             this.onUpdateAccount(account);
 
-            if (resp.msg === RequiredMfa) {
-              Setting.goToLink(`/prompt/${application.name}?redirectUri=${oAuthParams.redirectUri}&code=${code}&state=${oAuthParams.state}&promptType=mfa`);
-              return;
-            }
-
             if (Setting.isPromptAnswered(account, application)) {
-              Setting.goToLink(`${oAuthParams.redirectUri}${concatChar}code=${code}&state=${oAuthParams.state}`);
+              Setting.goToLink(redirectUrl);
             } else {
               Setting.goToLinkSoft(ths, `/prompt/${application.name}?redirectUri=${oAuthParams.redirectUri}&code=${code}&state=${oAuthParams.state}`);
             }
@@ -278,7 +281,7 @@ class LoginPage extends React.Component {
     } else {
       if (noRedirect === "true") {
         window.close();
-        const newWindow = window.open(`${oAuthParams.redirectUri}${concatChar}code=${code}&state=${oAuthParams.state}`);
+        const newWindow = window.open(redirectUrl);
         if (newWindow) {
           setInterval(() => {
             if (!newWindow.closed) {
@@ -287,7 +290,7 @@ class LoginPage extends React.Component {
           }, 1000);
         }
       } else {
-        Setting.goToLink(`${oAuthParams.redirectUri}${concatChar}code=${code}&state=${oAuthParams.state}`);
+        Setting.goToLink(redirectUrl);
         this.sendPopupData({type: "loginSuccess", data: {code: code, state: oAuthParams.state}}, oAuthParams.redirectUri);
       }
     }
@@ -353,20 +356,8 @@ class LoginPage extends React.Component {
             const responseType = values["type"];
 
             if (responseType === "login") {
-              if (res.msg === RequiredMfa) {
-                AuthBackend.getAccount().then((res) => {
-                  if (res.status === "ok") {
-                    const account = res.data;
-                    account.organization = res.data2;
-                    this.onUpdateAccount(account);
-                  }
-                });
-                Setting.goToLink(`/prompt/${this.getApplicationObj().name}?promptType=mfa`);
-              } else {
-                Setting.showMessage("success", i18next.t("application:Logged in successfully"));
-                const link = Setting.getFromLink();
-                Setting.goToLink(link);
-              }
+              Setting.showMessage("success", i18next.t("application:Logged in successfully"));
+              this.props.onLoginSuccess();
             } else if (responseType === "code") {
               this.postCodeLoginAction(res);
             } else if (responseType === "token" || responseType === "id_token") {
@@ -389,23 +380,25 @@ class LoginPage extends React.Component {
           };
 
           if (res.status === "ok") {
-            callback(res);
-          } else if (res.status === NextMfa) {
-            this.setState({
-              getVerifyTotp: () => {
-                return (
-                  <MfaAuthVerifyForm
-                    mfaProps={res.data}
-                    formValues={values}
-                    oAuthParams={oAuthParams}
-                    application={this.getApplicationObj()}
-                    onFail={() => {
-                      Setting.showMessage("error", i18next.t("mfa:Verification failed"));
-                    }}
-                    onSuccess={(res) => callback(res)}
-                  />);
-              },
-            });
+            if (res.data === NextMfa) {
+              this.setState({
+                getVerifyTotp: () => {
+                  return (
+                    <MfaAuthVerifyForm
+                      mfaProps={res.data2}
+                      formValues={values}
+                      oAuthParams={oAuthParams}
+                      application={this.getApplicationObj()}
+                      onFail={() => {
+                        Setting.showMessage("error", i18next.t("mfa:Verification failed"));
+                      }}
+                      onSuccess={(res) => callback(res)}
+                    />);
+                },
+              });
+            } else {
+              callback(res);
+            }
           } else {
             Setting.showMessage("error", `${i18next.t("application:Failed to sign in")}: ${res.msg}`);
           }
@@ -996,4 +989,4 @@ class LoginPage extends React.Component {
   }
 }
 
-export default LoginPage;
+export default withRouter(LoginPage);

web/src/auth/MfaSetupPage.js

@@ -12,181 +12,55 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import React, {useState} from "react";
-import {Button, Col, Form, Input, Result, Row, Steps} from "antd";
+import React from "react";
+import {Button, Col, Result, Row, Steps} from "antd";
+import {withRouter} from "react-router-dom";
 import * as ApplicationBackend from "../backend/ApplicationBackend";
 import * as Setting from "../Setting";
 import i18next from "i18next";
 import * as MfaBackend from "../backend/MfaBackend";
-import {CheckOutlined, KeyOutlined, LockOutlined, UserOutlined} from "@ant-design/icons";
-
-import * as UserBackend from "../backend/UserBackend";
-import {MfaSmsVerifyForm, MfaTotpVerifyForm, mfaSetup} from "./MfaVerifyForm";
+import {CheckOutlined, KeyOutlined, UserOutlined} from "@ant-design/icons";
+import CheckPasswordForm from "./mfa/CheckPasswordForm";
+import MfaEnableForm from "./mfa/MfaEnableForm";
+import {MfaVerifyForm} from "./mfa/MfaVerifyForm";
 
 export const EmailMfaType = "email";
 export const SmsMfaType = "sms";
 export const TotpMfaType = "app";
 export const RecoveryMfaType = "recovery";
 
-function CheckPasswordForm({user, onSuccess, onFail}) {
-  const [form] = Form.useForm();
-
-  const onFinish = ({password}) => {
-    const data = {...user, password};
-    UserBackend.checkUserPassword(data)
-      .then((res) => {
-        if (res.status === "ok") {
-          onSuccess(res);
-        } else {
-          onFail(res);
-        }
-      })
-      .finally(() => {
-        form.setFieldsValue({password: ""});
-      });
-  };
-
-  return (
-    <Form
-      form={form}
-      style={{width: "300px", marginTop: "20px"}}
-      onFinish={onFinish}
-    >
-      <Form.Item
-        name="password"
-        rules={[{required: true, message: i18next.t("login:Please input your password!")}]}
-      >
-        <Input.Password
-          prefix={<LockOutlined />}
-          placeholder={i18next.t("general:Password")}
-        />
-      </Form.Item>
-
-      <Form.Item>
-        <Button
-          style={{marginTop: 24}}
-          loading={false}
-          block
-          type="primary"
-          htmlType="submit"
-        >
-          {i18next.t("forget:Next Step")}
-        </Button>
-      </Form.Item>
-    </Form>
-  );
-}
-
-export function MfaVerifyForm({mfaProps, application, user, onSuccess, onFail}) {
-  const [form] = Form.useForm();
-
-  const onFinish = ({passcode}) => {
-    const data = {passcode, mfaType: mfaProps.mfaType, ...user};
-    MfaBackend.MfaSetupVerify(data)
-      .then((res) => {
-        if (res.status === "ok") {
-          onSuccess(res);
-        } else {
-          onFail(res);
-        }
-      })
-      .catch((error) => {
-        Setting.showMessage("error", `${i18next.t("general:Failed to connect to server")}: ${error}`);
-      })
-      .finally(() => {
-        form.setFieldsValue({passcode: ""});
-      });
-  };
-
-  if (mfaProps === undefined || mfaProps === null) {
-    return <div></div>;
-  }
-
-  if (mfaProps.mfaType === SmsMfaType || mfaProps.mfaType === EmailMfaType) {
-    return <MfaSmsVerifyForm mfaProps={mfaProps} onFinish={onFinish} application={application} method={mfaSetup} user={user} />;
-  } else if (mfaProps.mfaType === TotpMfaType) {
-    return <MfaTotpVerifyForm mfaProps={mfaProps} onFinish={onFinish} />;
-  } else {
-    return <div></div>;
-  }
-}
-
-function EnableMfaForm({user, mfaType, recoveryCodes, onSuccess, onFail}) {
-  const [loading, setLoading] = useState(false);
-  const requestEnableTotp = () => {
-    const data = {
-      mfaType,
-      ...user,
-    };
-    setLoading(true);
-    MfaBackend.MfaSetupEnable(data).then(res => {
-      if (res.status === "ok") {
-        onSuccess(res);
-      } else {
-        onFail(res);
-      }
-    }
-    ).finally(() => {
-      setLoading(false);
-    });
-  };
-
-  return (
-    <div style={{width: "400px"}}>
-      <p>{i18next.t("mfa:Please save this recovery code. Once your device cannot provide an authentication code, you can reset mfa authentication by this recovery code")}</p>
-      <br />
-      <code style={{fontStyle: "solid"}}>{recoveryCodes[0]}</code>
-      <Button style={{marginTop: 24}} loading={loading} onClick={() => {
-        requestEnableTotp();
-      }} block type="primary">
-        {i18next.t("general:Enable")}
-      </Button>
-    </div>
-  );
-}
-
 class MfaSetupPage extends React.Component {
   constructor(props) {
     super(props);
+    const params = new URLSearchParams(props.location.search);
+    const {location} = this.props;
     this.state = {
       account: props.account,
-      application: this.props.application ?? null,
+      application: null,
       applicationName: props.account.signupApplication ?? "",
-      isAuthenticated: props.isAuthenticated ?? false,
-      isPromptPage: props.isPromptPage,
-      redirectUri: props.redirectUri,
-      current: props.current ?? 0,
-      mfaType: props.mfaType ?? new URLSearchParams(props.location?.search)?.get("mfaType") ?? SmsMfaType,
+      current: location.state?.from !== undefined ? 1 : 0,
       mfaProps: null,
+      mfaType: params.get("mfaType") ?? SmsMfaType,
+      isPromptPage: props.isPromptPage || location.state?.from !== undefined,
     };
   }
 
   componentDidMount() {
     this.getApplication();
+    if (this.state.current === 1) {
+      this.initMfaProps();
+    }
   }
 
   componentDidUpdate(prevProps, prevState, snapshot) {
-    if (this.state.isAuthenticated === true && (this.state.mfaProps === null || this.state.mfaType !== prevState.mfaType)) {
-      MfaBackend.MfaSetupInitiate({
-        mfaType: this.state.mfaType,
-        ...this.getUser(),
-      }).then((res) => {
-        if (res.status === "ok") {
-          this.setState({
-            mfaProps: res.data,
-          });
-        } else {
-          Setting.showMessage("error", i18next.t("mfa:Failed to initiate MFA"));
-        }
-      });
+    if (this.state.mfaType !== prevState.mfaType || this.state.current !== prevState.current) {
+      if (this.state.current === 1) {
+        this.initMfaProps();
+      }
     }
   }
 
   getApplication() {
-    if (this.state.application !== null) {
-      return;
-    }
-
     ApplicationBackend.getApplication("admin", this.state.applicationName)
       .then((res) => {
         if (res !== null) {
@@ -203,11 +77,75 @@ class MfaSetupPage extends React.Component {
       });
   }
 
+  initMfaProps() {
+    MfaBackend.MfaSetupInitiate({
+      mfaType: this.state.mfaType,
+      ...this.getUser(),
+    }).then((res) => {
+      if (res.status === "ok") {
+        this.setState({
+          mfaProps: res.data,
+        });
+      } else {
+        Setting.showMessage("error", i18next.t("mfa:Failed to initiate MFA"));
+      }
+    });
+  }
+
   getUser() {
-    return {
-      name: this.state.account.name,
-      owner: this.state.account.owner,
+    return this.props.account;
+  }
+
+  renderMfaTypeSwitch() {
+    const renderSmsLink = () => {
+      if (this.state.mfaType === SmsMfaType || this.props.account.mfaPhoneEnabled) {
+        return null;
+      }
+      return (<Button type={"link"} onClick={() => {
+        this.setState({
+          mfaType: SmsMfaType,
+        });
+        this.props.history.push(`/mfa/setup?mfaType=${SmsMfaType}`);
+      }
+      }>{i18next.t("mfa:Use SMS")}</Button>
+      );
     };
+
+    const renderEmailLink = () => {
+      if (this.state.mfaType === EmailMfaType || this.props.account.mfaEmailEnabled) {
+        return null;
+      }
+      return (<Button type={"link"} onClick={() => {
+        this.setState({
+          mfaType: EmailMfaType,
+        });
+        this.props.history.push(`/mfa/setup?mfaType=${EmailMfaType}`);
+      }
+      }>{i18next.t("mfa:Use Email")}</Button>
+      );
+    };
+
+    const renderTotpLink = () => {
+      if (this.state.mfaType === TotpMfaType || this.props.account.totpSecret !== "") {
+        return null;
+      }
+      return (<Button type={"link"} onClick={() => {
+        this.setState({
+          mfaType: TotpMfaType,
+        });
+        this.props.history.push(`/mfa/setup?mfaType=${TotpMfaType}`);
+      }
+      }>{i18next.t("mfa:Use Authenticator App")}</Button>
+      );
+    };
+
+    return !this.state.isPromptPage ? (
+      <React.Fragment>
+        {renderSmsLink()}
+        {renderEmailLink()}
+        {renderTotpLink()}
+      </React.Fragment>
+    ) : null;
   }
 
   renderStep() {
@@ -219,19 +157,14 @@ class MfaSetupPage extends React.Component {
           onSuccess={() => {
             this.setState({
               current: this.state.current + 1,
-              isAuthenticated: true,
             });
           }}
           onFail={(res) => {
-            Setting.showMessage("error", i18next.t("mfa:Failed to initiate MFA"));
+            Setting.showMessage("error", i18next.t("mfa:Failed to initiate MFA") + ": " + res.msg);
           }}
         />
       );
     case 1:
-      if (!this.state.isAuthenticated) {
-        return null;
-      }
-
       return (
         <div>
           <MfaVerifyForm
@@ -244,52 +177,25 @@ class MfaSetupPage extends React.Component {
               });
             }}
             onFail={(res) => {
-              Setting.showMessage("error", i18next.t("general:Failed to verify"));
+              Setting.showMessage("error", i18next.t("general:Failed to verify") + ": " + res.msg);
             }}
           />
           <Col span={24} style={{display: "flex", justifyContent: "left"}}>
-            {(this.state.mfaType === EmailMfaType || this.props.account.mfaEmailEnabled) ? null :
-              <Button type={"link"} onClick={() => {
-                this.setState({
-                  mfaType: EmailMfaType,
-                });
-              }
-              }>{i18next.t("mfa:Use Email")}</Button>
-            }
-            {
-              (this.state.mfaType === SmsMfaType || this.props.account.mfaPhoneEnabled) ? null :
-                <Button type={"link"} onClick={() => {
-                  this.setState({
-                    mfaType: SmsMfaType,
-                  });
-                }
-                }>{i18next.t("mfa:Use SMS")}</Button>
-            }
-            {
-              (this.state.mfaType === TotpMfaType) ? null :
-                <Button type={"link"} onClick={() => {
-                  this.setState({
-                    mfaType: TotpMfaType,
-                  });
-                }
-                }>{i18next.t("mfa:Use Authenticator App")}</Button>
-            }
+            {this.renderMfaTypeSwitch()}
           </Col>
         </div>
       );
     case 2:
-      if (!this.state.isAuthenticated) {
-        return null;
-      }
-
       return (
-        <EnableMfaForm user={this.getUser()} mfaType={this.state.mfaType} recoveryCodes={this.state.mfaProps.recoveryCodes}
+        <MfaEnableForm user={this.getUser()} mfaType={this.state.mfaType} recoveryCodes={this.state.mfaProps.recoveryCodes}
           onSuccess={() => {
             Setting.showMessage("success", i18next.t("general:Enabled successfully"));
-            if (this.state.isPromptPage && this.state.redirectUri) {
-              Setting.goToLink(this.state.redirectUri);
+            this.props.onfinish(true);
+            if (localStorage.getItem("mfaRedirectUrl") !== null) {
+              Setting.goToLink(localStorage.getItem("mfaRedirectUrl"));
+              localStorage.removeItem("mfaRedirectUrl");
             } else {
-              Setting.goToLink("/account");
+              this.props.history.push("/account");
             }
           }}
           onFail={(res) => {
@@ -308,7 +214,7 @@ class MfaSetupPage extends React.Component {
           status="403"
           title="403 Unauthorized"
           subTitle={i18next.t("general:Sorry, you do not have permission to access this page or logged in status invalid.")}
-          extra={<a href="/"><Button type="primary">{i18next.t("general:Back Home")}</Button></a>}
+          extra={<a href="/web/public"><Button type="primary">{i18next.t("general:Back Home")}</Button></a>}
         />
       );
     }
@@ -343,4 +249,4 @@ class MfaSetupPage extends React.Component {
   }
 }
 
-export default MfaSetupPage;
+export default withRouter(MfaSetupPage);

web/src/auth/MfaVerifyForm.js

@@ -1,193 +0,0 @@
-// Copyright 2023 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-import {Button, Col, Form, Input, QRCode, Space} from "antd";
-import i18next from "i18next";
-import {CopyOutlined, UserOutlined} from "@ant-design/icons";
-import {SendCodeInput} from "../common/SendCodeInput";
-import * as Setting from "../Setting";
-import React, {useEffect} from "react";
-import copy from "copy-to-clipboard";
-import {CountryCodeSelect} from "../common/select/CountryCodeSelect";
-import {EmailMfaType, SmsMfaType} from "./MfaSetupPage";
-
-export const mfaAuth = "mfaAuth";
-export const mfaSetup = "mfaSetup";
-
-export const MfaSmsVerifyForm = ({mfaProps, application, onFinish, method, user}) => {
-  const [dest, setDest] = React.useState(mfaProps.secret ?? "");
-  const [form] = Form.useForm();
-
-  useEffect(() => {
-    if (mfaProps.mfaType === SmsMfaType) {
-      setDest(user.phone);
-    }
-
-    if (mfaProps.mfaType === EmailMfaType) {
-      setDest(user.email);
-    }
-  }, [mfaProps.mfaType]);
-
-  const isEmail = () => {
-    return mfaProps.mfaType === EmailMfaType;
-  };
-
-  return (
-    <Form
-      form={form}
-      style={{width: "300px"}}
-      onFinish={onFinish}
-      initialValues={{
-        countryCode: mfaProps.countryCode,
-      }}
-    >
-      {dest !== "" ?
-        <div style={{marginBottom: 20, textAlign: "left", gap: 8}}>
-          {isEmail() ? i18next.t("mfa:Your email is") : i18next.t("mfa:Your phone is")} {dest}
-        </div> :
-        (<React.Fragment>
-          <p>{isEmail() ? i18next.t("mfa:Please bind your email first, the system will automatically uses the mail for multi-factor authentication") :
-            i18next.t("mfa:Please bind your phone first, the system automatically uses the phone for multi-factor authentication")}
-          </p>
-          <Input.Group compact style={{width: "300Px", marginBottom: "30px"}}>
-            {isEmail() ? null :
-              <Form.Item
-                name="countryCode"
-                noStyle
-                rules={[
-                  {
-                    required: false,
-                    message: i18next.t("signup:Please select your country code!"),
-                  },
-                ]}
-              >
-                <CountryCodeSelect
-                  initValue={mfaProps.countryCode}
-                  style={{width: "30%"}}
-                  countryCodes={application.organizationObj.countryCodes}
-                />
-              </Form.Item>
-            }
-            <Form.Item
-              name="dest"
-              noStyle
-              rules={[{required: true, message: i18next.t("login:Please input your Email or Phone!")}]}
-            >
-              <Input
-                style={{width: isEmail() ? "100% " : "70%"}}
-                onChange={(e) => {setDest(e.target.value);}}
-                prefix={<UserOutlined />}
-                placeholder={isEmail() ? i18next.t("general:Email") : i18next.t("general:Phone")}
-              />
-            </Form.Item>
-          </Input.Group>
-        </React.Fragment>
-        )
-      }
-      <Form.Item
-        name="passcode"
-        rules={[{required: true, message: i18next.t("login:Please input your code!")}]}
-      >
-        <SendCodeInput
-          countryCode={form.getFieldValue("countryCode")}
-          method={method}
-          onButtonClickArgs={[mfaProps.secret || dest, isEmail() ? "email" : "phone", Setting.getApplicationName(application)]}
-          application={application}
-        />
-      </Form.Item>
-      <Form.Item>
-        <Button
-          style={{marginTop: 24}}
-          loading={false}
-          block
-          type="primary"
-          htmlType="submit"
-        >
-          {i18next.t("forget:Next Step")}
-        </Button>
-      </Form.Item>
-    </Form>
-  );
-};
-
-export const MfaTotpVerifyForm = ({mfaProps, onFinish}) => {
-  const [form] = Form.useForm();
-
-  const renderSecret = () => {
-    if (!mfaProps.secret) {
-      return null;
-    }
-
-    return (
-      <React.Fragment>
-        <Col span={24} style={{display: "flex", justifyContent: "center"}}>
-          <QRCode
-            errorLevel="H"
-            value={mfaProps.url}
-            icon={"https://cdn.casdoor.com/static/favicon.png"}
-          />
-        </Col>
-        <p style={{textAlign: "center"}}>{i18next.t("mfa:Scan the QR code with your Authenticator App")}</p>
-        <p style={{textAlign: "center"}}>{i18next.t("mfa:Or copy the secret to your Authenticator App")}</p>
-        <Col span={24}>
-          <Space>
-            <Input value={mfaProps.secret} />
-            <Button
-              type="primary"
-              shape="round"
-              icon={<CopyOutlined />}
-              onClick={() => {
-                copy(`${mfaProps.secret}`);
-                Setting.showMessage(
-                  "success",
-                  i18next.t("mfa:Multi-factor secret to clipboard successfully")
-                );
-              }}
-            />
-          </Space>
-        </Col>
-      </React.Fragment>
-    );
-  };
-  return (
-    <Form
-      form={form}
-      style={{width: "300px"}}
-      onFinish={onFinish}
-    >
-      {renderSecret()}
-      <Form.Item
-        name="passcode"
-        rules={[{required: true, message: "Please input your passcode"}]}
-      >
-        <Input
-          style={{marginTop: 24}}
-          prefix={<UserOutlined />}
-          placeholder={i18next.t("mfa:Passcode")}
-        />
-      </Form.Item>
-      <Form.Item>
-        <Button
-          style={{marginTop: 24}}
-          loading={false}
-          block
-          type="primary"
-          htmlType="submit"
-        >
-          {i18next.t("forget:Next Step")}
-        </Button>
-      </Form.Item>
-    </Form>
-  );
-};

web/src/auth/PromptPage.js

@@ -16,14 +16,13 @@ import React from "react";
 import {Button, Card, Col, Result, Row} from "antd";
 import * as ApplicationBackend from "../backend/ApplicationBackend";
 import * as UserBackend from "../backend/UserBackend";
-import * as AuthBackend from "./AuthBackend";
 import * as Setting from "../Setting";
 import i18next from "i18next";
 import AffiliationSelect from "../common/select/AffiliationSelect";
 import OAuthWidget from "../common/OAuthWidget";
 import RegionSelect from "../common/select/RegionSelect";
 import {withRouter} from "react-router-dom";
-import MfaSetupPage from "./MfaSetupPage";
+import * as AuthBackend from "./AuthBackend";
 
 class PromptPage extends React.Component {
   constructor(props) {
@@ -34,7 +33,9 @@ class PromptPage extends React.Component {
       applicationName: props.applicationName ?? (props.match === undefined ? null : props.match.params.applicationName),
       application: null,
       user: null,
-      promptType: new URLSearchParams(this.props.location.search).get("promptType"),
+      steps: null,
+      current: 0,
+      finished: false,
     };
   }
 
@@ -45,6 +46,12 @@ class PromptPage extends React.Component {
     }
   }
 
+  componentDidUpdate(prevProps, prevState, snapshot) {
+    if (this.state.user !== null && this.getApplicationObj() !== null && this.state.steps === null) {
+      this.initSteps(this.state.user, this.getApplicationObj());
+    }
+  }
+
   getUser() {
     const organizationName = this.props.account.owner;
     const userName = this.props.account.name;
@@ -198,22 +205,25 @@ class PromptPage extends React.Component {
       .then((res) => {
         if (res.status === "ok") {
           this.onUpdateAccount(null);
-
-          let redirectUrl = this.getRedirectUrl();
-          if (redirectUrl === "") {
-            redirectUrl = res.data2;
-          }
-          if (redirectUrl !== "" && redirectUrl !== null) {
-            Setting.goToLink(redirectUrl);
-          } else {
-            Setting.redirectToLoginPage(this.getApplicationObj(), this.props.history);
-          }
         } else {
-          Setting.showMessage("error", `Failed to log out: ${res.msg}`);
+          Setting.showMessage("error", res.msg);
         }
       });
   }
 
+  finishAndJump() {
+    this.setState({
+      finished: true,
+    }, () => {
+      const redirectUrl = this.getRedirectUrl();
+      if (redirectUrl !== "" && redirectUrl !== null) {
+        Setting.goToLink(redirectUrl);
+      } else {
+        Setting.redirectToLoginPage(this.getApplicationObj(), this.props.history);
+      }
+    });
+  }
+
   submitUserEdit(isFinal) {
     const user = Setting.deepCopy(this.state.user);
     UserBackend.updateUser(this.state.user.owner, this.state.user.name, user)
@@ -221,8 +231,7 @@ class PromptPage extends React.Component {
         if (res.status === "ok") {
           if (isFinal) {
             Setting.showMessage("success", i18next.t("general:Successfully saved"));
-
-            this.logout();
+            this.finishAndJump();
           }
         } else {
           if (isFinal) {
@@ -238,25 +247,45 @@ class PromptPage extends React.Component {
   }
 
   renderPromptProvider(application) {
-    return <>
-      {this.renderContent(application)}
-      <div style={{marginTop: "50px"}}>
-        <Button disabled={!Setting.isPromptAnswered(this.state.user, application)} type="primary" size="large" onClick={() => {this.submitUserEdit(true);}}>{i18next.t("code:Submit and complete")}</Button>
-      </div>
-    </>;
+    return (
+      <div style={{display: "flex", alignItems: "center", flexDirection: "column"}}>
+        {this.renderContent(application)}
+        <Button style={{marginTop: "50px", width: "200px"}}
+          disabled={!Setting.isPromptAnswered(this.state.user, application)}
+          type="primary" size="large" onClick={() => {
+            this.submitUserEdit(true);
+          }}>
+          {i18next.t("code:Submit and complete")}
+        </Button>
+      </div>);
   }
 
-  renderPromptMfa() {
+  initSteps(user, application) {
+    const steps = [];
+    if (!Setting.isPromptAnswered(user, application) && this.state.promptType === "provider") {
+      steps.push({
+        content: this.renderPromptProvider(application),
+        name: "provider",
+        title: i18next.t("application:Binding providers"),
+      });
+    }
+
+    this.setState({
+      steps: steps,
+    });
+  }
+
+  renderSteps() {
+    if (this.state.steps === null || this.state.steps?.length === 0) {
+      return null;
+    }
+
     return (
-      <MfaSetupPage
-        application={this.getApplicationObj()}
-        account={this.props.account}
-        current={1}
-        isAuthenticated={true}
-        isPromptPage={true}
-        redirectUri={this.getRedirectUrl()}
-        {...this.props}
-      />
+      <Card style={{marginTop: "20px", marginBottom: "20px"}}
+        title={this.state.steps[this.state.current].title}
+      >
+        <div >{this.state.steps[this.state.current].content}</div>
+      </Card>
     );
   }
 
@@ -266,7 +295,7 @@ class PromptPage extends React.Component {
       return null;
     }
 
-    if (!Setting.hasPromptPage(application) && this.state.promptType !== "mfa") {
+    if (this.state.steps?.length === 0) {
       return (
         <Result
           style={{display: "flex", flex: "1 1 0%", justifyContent: "center", flexDirection: "column"}}
@@ -287,17 +316,7 @@ class PromptPage extends React.Component {
 
     return (
       <div style={{display: "flex", flex: "1", justifyContent: "center"}}>
-        <Card>
-          <div style={{marginTop: "30px", marginBottom: "30px", textAlign: "center"}}>
-            {
-              Setting.renderHelmet(application)
-            }
-            {
-              Setting.renderLogo(application)
-            }
-            {this.state.promptType !== "mfa" ? this.renderPromptProvider(application) : this.renderPromptMfa(application)}
-          </div>
-        </Card>
+        {this.renderSteps()}
       </div>
     );
   }

web/src/auth/Provider.js

@@ -448,7 +448,7 @@ export function getAuthUrl(application, provider, method) {
   } else if (provider.type === "Douyin" || provider.type === "TikTok") {
     return `${endpoint}?client_key=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}&response_type=code&scope=${scope}`;
   } else if (provider.type === "Custom") {
-    return `${provider.customAuthUrl}?client_id=${provider.clientId}&redirect_uri=${redirectUri}&scope=${provider.customScope}&response_type=code&state=${state}`;
+    return `${provider.customAuthUrl}?client_id=${provider.clientId}&redirect_uri=${redirectUri}&scope=${provider.scopes}&response_type=code&state=${state}`;
   } else if (provider.type === "Bilibili") {
     return `${endpoint}#/?client_id=${provider.clientId}&return_url=${redirectUri}&state=${state}&response_type=code`;
   } else if (provider.type === "Deezer") {

web/src/auth/mfa/CheckPasswordForm.js

@@ -0,0 +1,56 @@
+import {LockOutlined} from "@ant-design/icons";
+import {Button, Form, Input} from "antd";
+import i18next from "i18next";
+import React from "react";
+import * as UserBackend from "../../backend/UserBackend";
+
+function CheckPasswordForm({user, onSuccess, onFail}) {
+  const [form] = Form.useForm();
+
+  const onFinish = ({password}) => {
+    const data = {...user, password};
+    UserBackend.checkUserPassword(data)
+      .then((res) => {
+        if (res.status === "ok") {
+          onSuccess(res);
+        } else {
+          onFail(res);
+        }
+      })
+      .finally(() => {
+        form.setFieldsValue({password: ""});
+      });
+  };
+
+  return (
+    <Form
+      form={form}
+      style={{width: "300px", marginTop: "20px"}}
+      onFinish={onFinish}
+    >
+      <Form.Item
+        name="password"
+        rules={[{required: true, message: i18next.t("login:Please input your password!")}]}
+      >
+        <Input.Password
+          prefix={<LockOutlined />}
+          placeholder={i18next.t("general:Password")}
+        />
+      </Form.Item>
+
+      <Form.Item>
+        <Button
+          style={{marginTop: 24}}
+          loading={false}
+          block
+          type="primary"
+          htmlType="submit"
+        >
+          {i18next.t("forget:Next Step")}
+        </Button>
+      </Form.Item>
+    </Form>
+  );
+}
+
+export default CheckPasswordForm;

web/src/auth/mfa/MfaAuthVerifyForm.js

@@ -15,9 +15,11 @@
 import React, {useState} from "react";
 import i18next from "i18next";
 import {Button, Input} from "antd";
-import * as AuthBackend from "./AuthBackend";
-import {EmailMfaType, RecoveryMfaType, SmsMfaType} from "./MfaSetupPage";
-import {MfaSmsVerifyForm, MfaTotpVerifyForm, mfaAuth} from "./MfaVerifyForm";
+import * as AuthBackend from "../AuthBackend";
+import {EmailMfaType, RecoveryMfaType, SmsMfaType} from "../MfaSetupPage";
+import {mfaAuth} from "./MfaVerifyForm";
+import MfaVerifySmsForm from "./MfaVerifySmsForm";
+import MfaVerifyTotpForm from "./MfaVerifyTotpForm";
 
 export const NextMfa = "NextMfa";
 export const RequiredMfa = "RequiredMfa";
@@ -70,13 +72,13 @@ export function MfaAuthVerifyForm({formValues, oAuthParams, mfaProps, applicatio
           {i18next.t("mfa:Multi-factor authentication description")}
         </div>
         {mfaType === SmsMfaType || mfaType === EmailMfaType ? (
-          <MfaSmsVerifyForm
+          <MfaVerifySmsForm
             mfaProps={mfaProps}
             method={mfaAuth}
             onFinish={verify}
             application={application}
           />) : (
-          <MfaTotpVerifyForm
+          <MfaVerifyTotpForm
             mfaProps={mfaProps}
             onFinish={verify}
           />

web/src/auth/mfa/MfaEnableForm.js

@@ -0,0 +1,40 @@
+import {Button} from "antd";
+import i18next from "i18next";
+import React, {useState} from "react";
+import * as MfaBackend from "../../backend/MfaBackend";
+
+export function MfaEnableForm({user, mfaType, recoveryCodes, onSuccess, onFail}) {
+  const [loading, setLoading] = useState(false);
+  const requestEnableMfa = () => {
+    const data = {
+      mfaType,
+      ...user,
+    };
+    setLoading(true);
+    MfaBackend.MfaSetupEnable(data).then(res => {
+      if (res.status === "ok") {
+        onSuccess(res);
+      } else {
+        onFail(res);
+      }
+    }
+    ).finally(() => {
+      setLoading(false);
+    });
+  };
+
+  return (
+    <div style={{width: "400px"}}>
+      <p>{i18next.t("mfa:Please save this recovery code. Once your device cannot provide an authentication code, you can reset mfa authentication by this recovery code")}</p>
+      <br />
+      <code style={{fontStyle: "solid"}}>{recoveryCodes[0]}</code>
+      <Button style={{marginTop: 24}} loading={loading} onClick={() => {
+        requestEnableMfa();
+      }} block type="primary">
+        {i18next.t("general:Enable")}
+      </Button>
+    </div>
+  );
+}
+
+export default MfaEnableForm;

web/src/auth/mfa/MfaVerifyForm.js

@@ -0,0 +1,58 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import {Form} from "antd";
+import i18next from "i18next";
+import * as MfaBackend from "../../backend/MfaBackend";
+import * as Setting from "../../Setting";
+import React from "react";
+import {EmailMfaType, SmsMfaType, TotpMfaType} from "../MfaSetupPage";
+import MfaVerifySmsForm from "./MfaVerifySmsForm";
+import MfaVerifyTotpForm from "./MfaVerifyTotpForm";
+
+export const mfaAuth = "mfaAuth";
+export const mfaSetup = "mfaSetup";
+
+export function MfaVerifyForm({mfaProps, application, user, onSuccess, onFail}) {
+  const [form] = Form.useForm();
+  const onFinish = ({passcode}) => {
+    const data = {passcode, mfaType: mfaProps.mfaType, ...user};
+    MfaBackend.MfaSetupVerify(data)
+      .then((res) => {
+        if (res.status === "ok") {
+          onSuccess(res);
+        } else {
+          onFail(res);
+        }
+      })
+      .catch((error) => {
+        Setting.showMessage("error", `${i18next.t("general:Failed to connect to server")}: ${error}`);
+      })
+      .finally(() => {
+        form.setFieldsValue({passcode: ""});
+      });
+  };
+
+  if (mfaProps === undefined || mfaProps === null || application === undefined || application === null || user === undefined || user === null) {
+    return <div></div>;
+  }
+
+  if (mfaProps.mfaType === SmsMfaType || mfaProps.mfaType === EmailMfaType) {
+    return <MfaVerifySmsForm mfaProps={mfaProps} onFinish={onFinish} application={application} method={mfaSetup} user={user} />;
+  } else if (mfaProps.mfaType === TotpMfaType) {
+    return <MfaVerifyTotpForm mfaProps={mfaProps} onFinish={onFinish} />;
+  } else {
+    return <div></div>;
+  }
+}

web/src/auth/mfa/MfaVerifySmsForm.js

@@ -0,0 +1,125 @@
+import {UserOutlined} from "@ant-design/icons";
+import {Button, Form, Input} from "antd";
+import i18next from "i18next";
+import React, {useEffect} from "react";
+import {CountryCodeSelect} from "../../common/select/CountryCodeSelect";
+import {SendCodeInput} from "../../common/SendCodeInput";
+import * as Setting from "../../Setting";
+import {EmailMfaType, SmsMfaType} from "../MfaSetupPage";
+import {mfaAuth} from "./MfaVerifyForm";
+
+export const MfaVerifySmsForm = ({mfaProps, application, onFinish, method, user}) => {
+  const [dest, setDest] = React.useState("");
+  const [form] = Form.useForm();
+
+  useEffect(() => {
+    if (method === mfaAuth) {
+      setDest(mfaProps.secret);
+      return;
+    }
+    if (mfaProps.mfaType === SmsMfaType) {
+      setDest(user.phone);
+      return;
+    }
+
+    if (mfaProps.mfaType === EmailMfaType) {
+      setDest(user.email);
+    }
+  }, [mfaProps.mfaType]);
+
+  const isShowText = () => {
+    if (method === mfaAuth) {
+      return true;
+    }
+    if (mfaProps.mfaType === SmsMfaType && user.phone !== "") {
+      return true;
+    }
+    if (mfaProps.mfaType === EmailMfaType && user.email !== "") {
+      return true;
+    }
+    return false;
+  };
+
+  const isEmail = () => {
+    return mfaProps.mfaType === EmailMfaType;
+  };
+
+  return (
+    <Form
+      form={form}
+      style={{width: "300px"}}
+      onFinish={onFinish}
+      initialValues={{
+        countryCode: mfaProps.countryCode,
+      }}
+    >
+      {isShowText() ?
+        <div style={{marginBottom: 20, textAlign: "left", gap: 8}}>
+          {isEmail() ? i18next.t("mfa:Your email is") : i18next.t("mfa:Your phone is")} {dest}
+        </div> :
+        (<React.Fragment>
+          <p>{isEmail() ? i18next.t("mfa:Please bind your email first, the system will automatically uses the mail for multi-factor authentication") :
+            i18next.t("mfa:Please bind your phone first, the system automatically uses the phone for multi-factor authentication")}
+          </p>
+          <Input.Group compact style={{width: "300Px", marginBottom: "30px"}}>
+            {isEmail() ? null :
+              <Form.Item
+                name="countryCode"
+                noStyle
+                rules={[
+                  {
+                    required: false,
+                    message: i18next.t("signup:Please select your country code!"),
+                  },
+                ]}
+              >
+                <CountryCodeSelect
+                  initValue={mfaProps.countryCode}
+                  style={{width: "30%"}}
+                  countryCodes={application.organizationObj.countryCodes}
+                />
+              </Form.Item>
+            }
+            <Form.Item
+              name="dest"
+              noStyle
+              rules={[{required: true, message: i18next.t("login:Please input your Email or Phone!")}]}
+            >
+              <Input
+                style={{width: isEmail() ? "100% " : "70%"}}
+                onChange={(e) => {setDest(e.target.value);}}
+                prefix={<UserOutlined />}
+                placeholder={isEmail() ? i18next.t("general:Email") : i18next.t("general:Phone")}
+              />
+            </Form.Item>
+          </Input.Group>
+        </React.Fragment>
+        )
+      }
+      <Form.Item
+        name="passcode"
+        rules={[{required: true, message: i18next.t("login:Please input your code!")}]}
+      >
+        <SendCodeInput
+          countryCode={form.getFieldValue("countryCode")}
+          method={method}
+          onButtonClickArgs={[mfaProps.secret || dest, isEmail() ? "email" : "phone", Setting.getApplicationName(application)]}
+          application={application}
+        />
+      </Form.Item>
+      <Form.Item>
+        <Button
+          style={{marginTop: 24}}
+          loading={false}
+          block
+          type="primary"
+          htmlType="submit"
+        >
+          {i18next.t("forget:Next Step")}
+        </Button>
+      </Form.Item>
+    </Form>
+  );
+};
+
+export default MfaVerifySmsForm;

web/src/auth/mfa/MfaVerifyTotpForm.js

@@ -0,0 +1,79 @@
+import {CopyOutlined, UserOutlined} from "@ant-design/icons";
+import {Button, Col, Form, Input, QRCode, Space} from "antd";
+import copy from "copy-to-clipboard";
+import i18next from "i18next";
+import React from "react";
+import * as Setting from "../../Setting";
+
+export const MfaVerifyTotpForm = ({mfaProps, onFinish}) => {
+  const [form] = Form.useForm();
+
+  const renderSecret = () => {
+    if (!mfaProps.secret) {
+      return null;
+    }
+
+    return (
+      <React.Fragment>
+        <Col span={24} style={{display: "flex", justifyContent: "center"}}>
+          <QRCode
+            errorLevel="H"
+            value={mfaProps.url}
+            icon={"https://cdn.casdoor.com/static/favicon.png"}
+          />
+        </Col>
+        <p style={{textAlign: "center"}}>{i18next.t("mfa:Scan the QR code with your Authenticator App")}</p>
+        <p style={{textAlign: "center"}}>{i18next.t("mfa:Or copy the secret to your Authenticator App")}</p>
+        <Col span={24}>
+          <Space>
+            <Input value={mfaProps.secret} />
+            <Button
+              type="primary"
+              shape="round"
+              icon={<CopyOutlined />}
+              onClick={() => {
+                copy(`${mfaProps.secret}`);
+                Setting.showMessage(
+                  "success",
+                  i18next.t("mfa:Multi-factor secret to clipboard successfully")
+                );
+              }}
+            />
+          </Space>
+        </Col>
+      </React.Fragment>
+    );
+  };
+  return (
+    <Form
+      form={form}
+      style={{width: "300px"}}
+      onFinish={onFinish}
+    >
+      {renderSecret()}
+      <Form.Item
+        name="passcode"
+        rules={[{required: true, message: "Please input your passcode"}]}
+      >
+        <Input
+          style={{marginTop: 24}}
+          prefix={<UserOutlined />}
+          placeholder={i18next.t("mfa:Passcode")}
+        />
+      </Form.Item>
+      <Form.Item>
+        <Button
+          style={{marginTop: 24}}
+          loading={false}
+          block
+          type="primary"
+          htmlType="submit"
+        >
+          {i18next.t("forget:Next Step")}
+        </Button>
+      </Form.Item>
+    </Form>
+  );
+};
+
+export default MfaVerifyTotpForm;

web/src/backend/OrganizationBackend.js

@@ -14,8 +14,8 @@
 
 import * as Setting from "../Setting";
 
-export function getOrganizations(owner, page = "", pageSize = "", field = "", value = "", sortField = "", sortOrder = "") {
-  return fetch(`${Setting.ServerUrl}/api/get-organizations?owner=${owner}&p=${page}&pageSize=${pageSize}&field=${field}&value=${value}&sortField=${sortField}&sortOrder=${sortOrder}`, {
+export function getOrganizations(owner, organizationName = "", page = "", pageSize = "", field = "", value = "", sortField = "", sortOrder = "") {
+  return fetch(`${Setting.ServerUrl}/api/get-organizations?owner=${owner}&organizationName=${organizationName}&p=${page}&pageSize=${pageSize}&field=${field}&value=${value}&sortField=${sortField}&sortOrder=${sortOrder}`, {
     method: "GET",
     credentials: "include",
     headers: {

web/src/backend/RecordBackend.js

@@ -14,8 +14,8 @@
 
 import * as Setting from "../Setting";
 
-export function getRecords(page, pageSize, field = "", value = "", sortField = "", sortOrder = "") {
-  return fetch(`${Setting.ServerUrl}/api/get-records?pageSize=${pageSize}&p=${page}&field=${field}&value=${value}&sortField=${sortField}&sortOrder=${sortOrder}`, {
+export function getRecords(organizationName, page, pageSize, field = "", value = "", sortField = "", sortOrder = "") {
+  return fetch(`${Setting.ServerUrl}/api/get-records?organizationName=${organizationName}&pageSize=${pageSize}&p=${page}&field=${field}&value=${value}&sortField=${sortField}&sortOrder=${sortOrder}`, {
     method: "GET",
     credentials: "include",
     headers: {

web/src/common/CustomGithubCorner.js

@@ -30,7 +30,7 @@ class CustomGithubCorner extends React.Component {
     }
 
     return (
-      <GithubCorner href={Conf.GithubRepo} size={60} />
+      <GithubCorner href={"https://github.com/casdoor/casdoor"} size={60} />
     );
   }
 }

web/src/common/modal/CropperDivModal.js

@@ -28,6 +28,9 @@ export const CropperDivModal = (props) => {
   const [visible, setVisible] = useState(false);
   const [confirmLoading, setConfirmLoading] = useState(false);
   const {title} = props;
+  const {setTitle} = props;
+  const {tag} = props;
+  const {disabled} = props;
   const {user} = props;
   const {buttonText} = props;
   const {organization} = props;
@@ -59,8 +62,8 @@ export const CropperDivModal = (props) => {
       }
       // Setting.showMessage("success", "uploading...");
       const extension = image.substring(image.indexOf("/") + 1, image.indexOf(";base64"));
-      const fullFilePath = `avatar/${user.owner}/${user.name}.${extension}`;
-      ResourceBackend.uploadResource(user.owner, user.name, "avatar", "CropperDivModal", fullFilePath, blob)
+      const fullFilePath = `${tag}/${user.owner}/${user.name}.${extension}`;
+      ResourceBackend.uploadResource(user.owner, user.name, tag, "CropperDivModal", fullFilePath, blob)
         .then((res) => {
           if (res.status === "ok") {
             window.location.href = window.location.pathname;
@@ -139,19 +142,19 @@ export const CropperDivModal = (props) => {
 
   return (
     <div>
-      <Button type="default" onClick={showModal}>
+      <Button type="default" onClick={showModal} disabled={disabled}>
         {buttonText}
       </Button>
       <Modal
         maskClosable={false}
         title={title}
         open={visible}
-        okText={i18next.t("user:Upload a photo")}
+        okText={title}
         confirmLoading={confirmLoading}
         onCancel={handleCancel}
         width={600}
         footer={
-          [<Button block key="submit" type="primary" onClick={handleOk}>{i18next.t("user:Set new profile picture")}</Button>]
+          [<Button block key="submit" type="primary" onClick={handleOk}>{setTitle}</Button>]
         }
       >
         <Col style={{margin: "0px auto 60px auto", width: 1000, height: 350}}>

web/src/common/notifaction/EnableMfaNotification.js

@@ -0,0 +1,87 @@
+import {Button, Space, Tag, notification} from "antd";
+import i18next from "i18next";
+import {useEffect} from "react";
+import {useHistory, useLocation} from "react-router-dom";
+import * as Setting from "../../Setting";
+import {MfaRulePrompted, MfaRuleRequired} from "../../Setting";
+
+const EnableMfaNotification = ({account}) => {
+  const [api, contextHolder] = notification.useNotification();
+  const history = useHistory();
+  const location = useLocation();
+
+  useEffect(() => {
+    if (account === null) {
+      return;
+    }
+
+    const mfaItems = Setting.getMfaItemsByRules(account, account?.organization, [MfaRuleRequired, MfaRulePrompted]);
+    if (location.state?.from === "/login" && mfaItems.length !== 0) {
+      if (mfaItems.some((item) => item.rule === MfaRuleRequired)) {
+        openRequiredEnableNotification(mfaItems.find((item) => item.rule === MfaRuleRequired).name);
+      } else {
+        openPromptEnableNotification(mfaItems.filter((item) => item.rule === MfaRulePrompted)?.map((item) => item.name));
+      }
+    }
+  }, [account, location.state?.from]);
+
+  const openPromptEnableNotification = (mfaTypes) => {
+    const key = `open${Date.now()}`;
+    const btn = (
+      <Space>
+        <Button type="link" size="small" onClick={() => api.destroy(key)}>
+          {i18next.t("general:Later")}
+        </Button>
+        <Button type="primary" size="small" onClick={() => {
+          history.push(`/mfa/setup?mfaType=${mfaTypes[0]}`, {from: "/"});
+          api.destroy(key);
+        }}
+        >
+          {i18next.t("general:Go to enable")}
+        </Button>
+      </Space>
+    );
+    api.open({
+      message: i18next.t("mfa:Enable multi-factor authentication"),
+      description:
+      <Space direction={"vertical"}>
+        {i18next.t("mfa:To ensure the security of your account, it is recommended that you enable multi-factor authentication")}
+        <Space>{mfaTypes.map((item) => <Tag color="orange" key={item}>{item}</Tag>)}</Space>
+      </Space>,
+      btn,
+      key,
+    });
+  };
+
+  const openRequiredEnableNotification = (mfaType) => {
+    const key = `open${Date.now()}`;
+    const btn = (
+      <Space>
+        <Button type="primary" size="small" onClick={() => {
+          api.destroy(key);
+        }}
+        >
+          {i18next.t("general:Confirm")}
+        </Button>
+      </Space>
+    );
+    api.open({
+      message: i18next.t("mfa:Enable multi-factor authentication"),
+      description:
+      <Space direction={"vertical"}>
+        {i18next.t("mfa:To ensure the security of your account, it is required to enable multi-factor authentication")}
+        <Space><Tag color="orange">{mfaType}</Tag></Space>
+      </Space>,
+      btn,
+      key,
+    });
+  };
+
+  return (
+    <>
+      {contextHolder}
+    </>
+  );
+};
+
+export default EnableMfaNotification;

web/src/common/select/OrganizationSelect.js

@@ -19,7 +19,7 @@ import * as OrganizationBackend from "../../backend/OrganizationBackend";
 import * as Setting from "../../Setting";
 
 function OrganizationSelect(props) {
-  const {onChange, initValue, style, onSelect} = props;
+  const {onChange, initValue, style, onSelect, withAll, className} = props;
   const [organizations, setOrganizations] = React.useState([]);
   const [value, setValue] = React.useState(initValue);
 
@@ -27,15 +27,20 @@ function OrganizationSelect(props) {
     if (props.organizations === undefined) {
       getOrganizations();
     }
-  }, []);
+    window.addEventListener("storageOrganizationsChanged", getOrganizations);
+    return function() {
+      window.removeEventListener("storageOrganizationsChanged", getOrganizations);
+    };
+  }, [value]);
 
   const getOrganizations = () => {
     OrganizationBackend.getOrganizationNames("admin")
       .then((res) => {
         if (res.status === "ok") {
           setOrganizations(res.data);
-          if (initValue === undefined) {
-            setValue(organizations.length > 0 ? organizations[0] : "");
+          const selectedValueExist = res.data.filter(organization => organization.name === value).length > 0;
+          if (initValue === undefined || !selectedValueExist) {
+            handleOnChange(getOrganizationItems().length > 0 ? getOrganizationItems()[0].value : "");
           }
         }
       });
@@ -46,9 +51,24 @@ function OrganizationSelect(props) {
     onChange?.(value);
   };
 
+  const getOrganizationItems = () => {
+    const items = [];
+
+    organizations.forEach((organization) => items.push(Setting.getOption(organization.displayName, organization.name)));
+
+    if (withAll) {
+      items.unshift({
+        label: i18next.t("organization:All"),
+        value: "All",
+      });
+    }
+
+    return items;
+  };
+
   return (
     <Select
-      options={organizations.map((organization) => Setting.getOption(organization.displayName, organization.name))}
+      options={getOrganizationItems()}
       virtual={false}
       placeholder={i18next.t("login:Please select an organization")}
       value={value}
@@ -56,6 +76,7 @@ function OrganizationSelect(props) {
       filterOption={(input, option) => (option?.label ?? "").toLowerCase().includes(input.toLowerCase())}
       style={style}
       onSelect={onSelect}
+      className={className}
     >
     </Select>
   );

web/src/locales/de/data.json

@@ -20,6 +20,7 @@
     "Auto signin - Tooltip": "Wenn eine angemeldete Session in Casdoor vorhanden ist, wird diese automatisch für die Anmeldung auf Anwendungsebene verwendet",
     "Background URL": "Background-URL",
     "Background URL - Tooltip": "URL des Hintergrundbildes, das auf der Anmeldeseite angezeigt wird",
+    "Binding providers": "Binding providers",
     "Center": "Zentrum",
     "Copy SAML metadata URL": "SAML-Metadaten-URL kopieren",
     "Copy prompt page URL": "URL der Prompt-Seite kopieren",
@@ -96,6 +97,7 @@
     "Signup items": "Registrierungs Items",
     "Signup items - Tooltip": "Items, die Benutzer ausfüllen müssen, wenn sie neue Konten registrieren",
     "Signup page URL copied to clipboard successfully, please paste it into the incognito window or another browser": "Die URL der Registrierungsseite wurde in die Zwischenablage kopiert. Bitte fügen Sie sie in einen Inkognito-Tab oder einen anderen Browser ein",
+    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
     "The application does not allow to sign up new account": "Die Anwendung erlaubt es nicht, ein neues Konto zu registrieren",
     "Token expire": "Token läuft ab",
     "Token expire - Tooltip": "Ablaufzeit des Access-Tokens",
@@ -226,6 +228,7 @@
     "Forget URL": "Passwort vergessen URL",
     "Forget URL - Tooltip": "Benutzerdefinierte URL für die \"Passwort vergessen\" Seite. Wenn nicht festgelegt, wird die standardmäßige Casdoor \"Passwort vergessen\" Seite verwendet. Wenn sie festgelegt ist, wird der \"Passwort vergessen\" Link auf der Login-Seite zu dieser URL umgeleitet",
     "Found some texts still not translated? Please help us translate at": "Haben Sie noch Texte gefunden, die nicht übersetzt wurden? Bitte helfen Sie uns beim Übersetzen",
+    "Go to enable": "Go to enable",
     "Go to writable demo site?": "Gehe zur beschreibbaren Demo-Website?",
     "Groups": "Groups",
     "Groups - Tooltip": "Groups - Tooltip",
@@ -240,6 +243,7 @@
     "Languages": "Sprachen",
     "Languages - Tooltip": "Verfügbare Sprachen",
     "Last name": "Nachname",
+    "Later": "Later",
     "Logo": "Logo",
     "Logo - Tooltip": "Symbole, die die Anwendung der Außenwelt präsentiert",
     "MFA items": "MFA items",
@@ -425,6 +429,7 @@
   },
   "mfa": {
     "Each time you sign in to your Account, you'll need your password and a authentication code": "Each time you sign in to your Account, you'll need your password and a authentication code",
+    "Enable multi-factor authentication": "Enable multi-factor authentication",
     "Failed to get application": "Failed to get application",
     "Failed to initiate MFA": "Failed to initiate MFA",
     "Have problems?": "Have problems?",
@@ -445,6 +450,8 @@
     "Scan the QR code with your Authenticator App": "Scan the QR code with your Authenticator App",
     "Set preferred": "Set preferred",
     "Setup": "Setup",
+    "To ensure the security of your account, it is recommended that you enable multi-factor authentication": "To ensure the security of your account, it is recommended that you enable multi-factor authentication",
+    "To ensure the security of your account, it is required to enable multi-factor authentication": "To ensure the security of your account, it is required to enable multi-factor authentication",
     "Use Authenticator App": "Use Authenticator App",
     "Use Email": "Use Email",
     "Use SMS": "Use SMS",
@@ -466,6 +473,7 @@
   "organization": {
     "Account items": "Konto Items",
     "Account items - Tooltip": "Elemente auf der persönlichen Einstellungsseite",
+    "All": "Alle",
     "Edit Organization": "Organisation bearbeiten",
     "Follow global theme": "Folge dem globalen Theme",
     "Init score": "Initialer Score",
@@ -475,6 +483,7 @@
     "Modify rule": "Regel ändern",
     "New Organization": "Neue Organisation",
     "Optional": "Optional",
+    "Prompt": "Prompt",
     "Required": "Required",
     "Soft deletion": "Softe Löschung",
     "Soft deletion - Tooltip": "Wenn aktiviert, werden gelöschte Benutzer nicht vollständig aus der Datenbank entfernt. Stattdessen werden sie als gelöscht markiert",
@@ -568,8 +577,8 @@
   "pricing": {
     "Copy pricing page URL": "Preisseite URL kopieren",
     "Edit Pricing": "Edit Pricing",
-    "Free": "Kostenlos",
     "Failed to get plans": "Es konnten keine Pläne abgerufen werden",
+    "Free": "Kostenlos",
     "Getting started": "Loslegen",
     "New Pricing": "New Pricing",
     "Trial duration": "Testphase Dauer",
@@ -737,6 +746,8 @@
     "Token URL - Tooltip": "Token-URL",
     "Type": "Typ",
     "Type - Tooltip": "Wählen Sie einen Typ aus",
+    "User mapping": "User mapping",
+    "User mapping - Tooltip": "User mapping - Tooltip",
     "UserInfo URL": "UserInfo-URL",
     "UserInfo URL - Tooltip": "UserInfo-URL",
     "admin (Shared)": "admin (Shared)"
@@ -900,8 +911,13 @@
     "Homepage - Tooltip": "Homepage-URL des Benutzers",
     "ID card": "Ausweis",
     "ID card - Tooltip": "ID card - Tooltip",
+    "ID card back": "ID card back",
+    "ID card front": "ID card front",
+    "ID card info": "ID card info",
+    "ID card info - Tooltip": "ID card info - Tooltip",
     "ID card type": "ID card type",
     "ID card type - Tooltip": "ID card type - Tooltip",
+    "ID card with person": "ID card with person",
     "Input your email": "Geben Sie Ihre E-Mail-Adresse ein",
     "Input your phone number": "Geben Sie Ihre Telefonnummer ein",
     "Is admin": "Ist Admin",
@@ -957,6 +973,9 @@
     "Two passwords you typed do not match.": "Zwei von Ihnen eingegebene Passwörter stimmen nicht überein.",
     "Unlink": "Link aufheben",
     "Upload (.xlsx)": "Hochladen (.xlsx)",
+    "Upload ID card back picture": "Upload ID card back picture",
+    "Upload ID card front picture": "Upload ID card front picture",
+    "Upload ID card with person picture": "Upload ID card with person picture",
     "Upload a photo": "Lade ein Foto hoch",
     "Values": "Werte",
     "Verification code sent": "Bestätigungscode gesendet",

web/src/locales/en/data.json

@@ -20,6 +20,7 @@
     "Auto signin - Tooltip": "When a logged-in session exists in Casdoor, it is automatically used for application-side login",
     "Background URL": "Background URL",
     "Background URL - Tooltip": "URL of the background image used in the login page",
+    "Binding providers": "Binding providers",
     "Center": "Center",
     "Copy SAML metadata URL": "Copy SAML metadata URL",
     "Copy prompt page URL": "Copy prompt page URL",
@@ -96,6 +97,7 @@
     "Signup items": "Signup items",
     "Signup items - Tooltip": "Items for users to fill in when registering new accounts",
     "Signup page URL copied to clipboard successfully, please paste it into the incognito window or another browser": "Signup page URL copied to clipboard successfully, please paste it into the incognito window or another browser",
+    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
     "The application does not allow to sign up new account": "The application does not allow to sign up new account",
     "Token expire": "Token expire",
     "Token expire - Tooltip": "Access token expiration time",
@@ -226,6 +228,7 @@
     "Forget URL": "Forget URL",
     "Forget URL - Tooltip": "Custom URL for the \"Forget password\" page. If not set, the default Casdoor \"Forget password\" page will be used. When set, the \"Forget password\" link on the login page will redirect to this URL",
     "Found some texts still not translated? Please help us translate at": "Found some texts still not translated? Please help us translate at",
+    "Go to enable": "Go to enable",
     "Go to writable demo site?": "Go to writable demo site?",
     "Groups": "Groups",
     "Groups - Tooltip": "Groups - Tooltip",
@@ -240,6 +243,7 @@
     "Languages": "Languages",
     "Languages - Tooltip": "Available languages",
     "Last name": "Last name",
+    "Later": "Later",
     "Logo": "Logo",
     "Logo - Tooltip": "Icons that the application presents to the outside world",
     "MFA items": "MFA items",
@@ -425,15 +429,16 @@
   },
   "mfa": {
     "Each time you sign in to your Account, you'll need your password and a authentication code": "Each time you sign in to your Account, you'll need your password and a authentication code",
+    "Enable multi-factor authentication": "Enable multi-factor authentication",
     "Failed to get application": "Failed to get application",
     "Failed to initiate MFA": "Failed to initiate MFA",
     "Have problems?": "Have problems?",
     "Multi-factor authentication": "Multi-factor authentication",
     "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Setup Multi-factor authentication",
+    "Multi-factor authentication description": "Multi-factor authentication description",
     "Multi-factor methods": "Multi-factor methods",
     "Multi-factor recover": "Multi-factor recover",
-    "Multi-factor recover description": "If you are unable to access your device, enter your recovery code to verify your identity",
+    "Multi-factor recover description": "Multi-factor recover description",
     "Multi-factor secret to clipboard successfully": "Multi-factor secret to clipboard successfully",
     "Or copy the secret to your Authenticator App": "Or copy the secret to your Authenticator App",
     "Passcode": "Passcode",
@@ -445,6 +450,8 @@
     "Scan the QR code with your Authenticator App": "Scan the QR code with your Authenticator App",
     "Set preferred": "Set preferred",
     "Setup": "Setup",
+    "To ensure the security of your account, it is recommended that you enable multi-factor authentication": "To ensure the security of your account, it is recommended that you enable multi-factor authentication",
+    "To ensure the security of your account, it is required to enable multi-factor authentication": "To ensure the security of your account, it is required to enable multi-factor authentication",
     "Use Authenticator App": "Use Authenticator App",
     "Use Email": "Use Email",
     "Use SMS": "Use SMS",
@@ -466,6 +473,7 @@
   "organization": {
     "Account items": "Account items",
     "Account items - Tooltip": "Items in the Personal settings page",
+    "All": "All",
     "Edit Organization": "Edit Organization",
     "Follow global theme": "Follow global theme",
     "Init score": "Init score",
@@ -475,6 +483,7 @@
     "Modify rule": "Modify rule",
     "New Organization": "New Organization",
     "Optional": "Optional",
+    "Prompt": "Prompt",
     "Required": "Required",
     "Soft deletion": "Soft deletion",
     "Soft deletion - Tooltip": "When enabled, deleting users will not completely remove them from the database. Instead, they will be marked as deleted",
@@ -568,8 +577,8 @@
   "pricing": {
     "Copy pricing page URL": "Copy pricing page URL",
     "Edit Pricing": "Edit Pricing",
-    "Free": "Free",
     "Failed to get plans": "Failed to get plans",
+    "Free": "Free",
     "Getting started": "Getting started",
     "New Pricing": "New Pricing",
     "Trial duration": "Trial duration",
@@ -737,6 +746,8 @@
     "Token URL - Tooltip": "Token URL",
     "Type": "Type",
     "Type - Tooltip": "Select a type",
+    "User mapping": "User mapping",
+    "User mapping - Tooltip": "User mapping - Tooltip",
     "UserInfo URL": "UserInfo URL",
     "UserInfo URL - Tooltip": "UserInfo URL",
     "admin (Shared)": "admin (Shared)"
@@ -900,8 +911,13 @@
     "Homepage - Tooltip": "Homepage URL of the user",
     "ID card": "ID card",
     "ID card - Tooltip": "ID card - Tooltip",
+    "ID card back": "ID card back",
+    "ID card front": "ID card front",
+    "ID card info": "ID card info",
+    "ID card info - Tooltip": "ID card info - Tooltip",
     "ID card type": "ID card type",
     "ID card type - Tooltip": "ID card type - Tooltip",
+    "ID card with person": "ID card with person",
     "Input your email": "Input your email",
     "Input your phone number": "Input your phone number",
     "Is admin": "Is admin",
@@ -957,6 +973,9 @@
     "Two passwords you typed do not match.": "Two passwords you typed do not match.",
     "Unlink": "Unlink",
     "Upload (.xlsx)": "Upload (.xlsx)",
+    "Upload ID card back picture": "Upload ID card back picture",
+    "Upload ID card front picture": "Upload ID card front picture",
+    "Upload ID card with person picture": "Upload ID card with person picture",
     "Upload a photo": "Upload a photo",
     "Values": "Values",
     "Verification code sent": "Verification code sent",

web/src/locales/es/data.json

@@ -20,6 +20,7 @@
     "Auto signin - Tooltip": "Cuando existe una sesión iniciada en Casdoor, se utiliza automáticamente para el inicio de sesión del lado de la aplicación",
     "Background URL": "URL de fondo",
     "Background URL - Tooltip": "URL de la imagen de fondo utilizada en la página de inicio de sesión",
+    "Binding providers": "Binding providers",
     "Center": "Centro",
     "Copy SAML metadata URL": "Copia la URL de metadatos SAML",
     "Copy prompt page URL": "Copiar URL de la página del prompt",
@@ -96,6 +97,7 @@
     "Signup items": "Artículos de registro",
     "Signup items - Tooltip": "Elementos para que los usuarios los completen al registrar nuevas cuentas",
     "Signup page URL copied to clipboard successfully, please paste it into the incognito window or another browser": "La URL de la página de registro se ha copiado correctamente en el portapapeles. Por favor, péguela en una ventana de incógnito o en otro navegador",
+    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
     "The application does not allow to sign up new account": "La aplicación no permite registrarse una cuenta nueva",
     "Token expire": "Token expirado",
     "Token expire - Tooltip": "Tiempo de expiración del token de acceso",
@@ -226,6 +228,7 @@
     "Forget URL": "Olvide la URL",
     "Forget URL - Tooltip": "URL personalizada para la página \"Olvidé mi contraseña\". Si no se establece, se utilizará la página \"Olvidé mi contraseña\" predeterminada de Casdoor. Cuando se establezca, el enlace \"Olvidé mi contraseña\" en la página de inicio de sesión redireccionará a esta URL",
     "Found some texts still not translated? Please help us translate at": "¿Encontraste algunos textos que aún no están traducidos? Por favor, ayúdanos a traducirlos en",
+    "Go to enable": "Go to enable",
     "Go to writable demo site?": "¿Ir al sitio demo editable?",
     "Groups": "Groups",
     "Groups - Tooltip": "Groups - Tooltip",
@@ -240,6 +243,7 @@
     "Languages": "Idiomas",
     "Languages - Tooltip": "Idiomas disponibles",
     "Last name": "Apellido",
+    "Later": "Later",
     "Logo": "Logotipo",
     "Logo - Tooltip": "Iconos que la aplicación presenta al mundo exterior",
     "MFA items": "MFA items",
@@ -425,6 +429,7 @@
   },
   "mfa": {
     "Each time you sign in to your Account, you'll need your password and a authentication code": "Each time you sign in to your Account, you'll need your password and a authentication code",
+    "Enable multi-factor authentication": "Enable multi-factor authentication",
     "Failed to get application": "Failed to get application",
     "Failed to initiate MFA": "Failed to initiate MFA",
     "Have problems?": "Have problems?",
@@ -445,6 +450,8 @@
     "Scan the QR code with your Authenticator App": "Scan the QR code with your Authenticator App",
     "Set preferred": "Set preferred",
     "Setup": "Setup",
+    "To ensure the security of your account, it is recommended that you enable multi-factor authentication": "To ensure the security of your account, it is recommended that you enable multi-factor authentication",
+    "To ensure the security of your account, it is required to enable multi-factor authentication": "To ensure the security of your account, it is required to enable multi-factor authentication",
     "Use Authenticator App": "Use Authenticator App",
     "Use Email": "Use Email",
     "Use SMS": "Use SMS",
@@ -466,6 +473,7 @@
   "organization": {
     "Account items": "Elementos de la cuenta",
     "Account items - Tooltip": "Elementos en la página de configuración personal",
+    "All": "Toda",
     "Edit Organization": "Editar organización",
     "Follow global theme": "Seguir el tema global",
     "Init score": "Puntuación de inicio",
@@ -475,6 +483,7 @@
     "Modify rule": "Modificar regla",
     "New Organization": "Nueva organización",
     "Optional": "Optional",
+    "Prompt": "Prompt",
     "Required": "Required",
     "Soft deletion": "Eliminación suave",
     "Soft deletion - Tooltip": "Cuando se habilita, la eliminación de usuarios no los eliminará por completo de la base de datos. En su lugar, se marcarán como eliminados",
@@ -568,8 +577,8 @@
   "pricing": {
     "Copy pricing page URL": "Copiar URL de la página de precios",
     "Edit Pricing": "Edit Pricing",
-    "Free": "Gratis",
     "Failed to get plans": "No se pudieron obtener los planes",
+    "Free": "Gratis",
     "Getting started": "Empezar",
     "New Pricing": "New Pricing",
     "Trial duration": "Duración del período de prueba",
@@ -737,6 +746,8 @@
     "Token URL - Tooltip": "URL de token",
     "Type": "Tipo",
     "Type - Tooltip": "Seleccionar un tipo",
+    "User mapping": "User mapping",
+    "User mapping - Tooltip": "User mapping - Tooltip",
     "UserInfo URL": "URL de información del usuario",
     "UserInfo URL - Tooltip": "URL de información de usuario",
     "admin (Shared)": "administrador (compartido)"
@@ -900,8 +911,13 @@
     "Homepage - Tooltip": "URL de la página de inicio del usuario",
     "ID card": "Tarjeta de identificación",
     "ID card - Tooltip": "ID card - Tooltip",
+    "ID card back": "ID card back",
+    "ID card front": "ID card front",
+    "ID card info": "ID card info",
+    "ID card info - Tooltip": "ID card info - Tooltip",
     "ID card type": "ID card type",
     "ID card type - Tooltip": "ID card type - Tooltip",
+    "ID card with person": "ID card with person",
     "Input your email": "Introduce tu correo electrónico",
     "Input your phone number": "Ingrese su número de teléfono",
     "Is admin": "Es el administrador",
@@ -957,6 +973,9 @@
     "Two passwords you typed do not match.": "Dos contraseñas que has escrito no coinciden.",
     "Unlink": "Desvincular",
     "Upload (.xlsx)": "Subir (.xlsx)",
+    "Upload ID card back picture": "Upload ID card back picture",
+    "Upload ID card front picture": "Upload ID card front picture",
+    "Upload ID card with person picture": "Upload ID card with person picture",
     "Upload a photo": "Subir una foto",
     "Values": "Valores",
     "Verification code sent": "Código de verificación enviado",