fix: improve code format (#2665 )

* feat: replace io/ioutils pacakage with io/os package * fix: add missing error handling
feat: add template support for Custom HTTP SMS provider (#2662 )
2025-07-29 01:51:38 +08:00 · 2024-02-01 23:06:12 +08:00 · 2024-02-01 17:50:22 +08:00 · 2024-02-01 17:28:56 +08:00 · 2024-01-31 23:14:55 +08:00 · 2024-01-31 00:06:06 +08:00
134 changed files with 2806 additions and 1819 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -217,17 +217,22 @@ jobs:
      - name: Update Helm Chart
        if: steps.should_push.outputs.push=='true'
        run: |
-          # Set the appVersion of the chart to the current tag
+          # Set the appVersion and version of the chart to the current tag
          sed -i "s/appVersion: .*/appVersion: ${{steps.get-current-tag.outputs.tag }}/g" ./charts/casdoor/Chart.yaml
+          sed -i "s/version: .*/version: ${{steps.get-current-tag.outputs.tag }}/g" ./charts/casdoor/Chart.yaml

-          # increase the patch version of the chart
-          currentChartVersion=$(cat ./charts/casdoor/Chart.yaml | grep version | awk '{print $2}')
-          newChartVersion=$(echo $currentChartVersion | awk -F. -v OFS=. '{$NF++;print}')
-          sed -i "s/version: .*/version: $newChartVersion/g" ./charts/casdoor/Chart.yaml
+          REGISTRY=oci://registry-1.docker.io/casbin
+          cd charts/casdoor
+          helm package .
+          PKG_NAME=$(ls *.tgz)
+          helm repo index . --url $REGISTRY --merge index.yaml
+          helm push $PKG_NAME $REGISTRY
+          rm $PKG_NAME

          # Commit and push the changes back to the repository
          git config --global user.name "casbin-bot"
-          git config --global user.email "casbin-bot@github.com"
-          git add ./charts/casdoor/Chart.yaml
-          git commit -m "chor(helm): bump helm charts appVersion to ${{steps.get-current-tag.outputs.tag }}"
-          git push origin HEAD:master
+          git config --global user.email "bot@casbin.org"
+          git add Chart.yaml index.yaml
+          git commit -m "chore(helm): bump helm charts appVersion to ${{steps.get-current-tag.outputs.tag }}"
+          git tag ${{steps.get-current-tag.outputs.tag }}
+          git push origin HEAD:master --follow-tags
--- a/README.md
+++ b/README.md
@@ -69,6 +69,7 @@ https://casdoor.org

 - By source code: https://casdoor.org/docs/basic/server-installation
 - By Docker: https://casdoor.org/docs/basic/try-with-docker
+- By Kubernetes Helm: https://casdoor.org/docs/basic/try-with-helm

 ## How to connect to Casdoor?

--- a/authz/authz.go
+++ b/authz/authz.go
@@ -80,6 +80,7 @@ p, *, *, *, /.well-known/jwks, *, *
 p, *, *, GET, /api/get-saml-login, *, *
 p, *, *, POST, /api/acs, *, *
 p, *, *, GET, /api/saml/metadata, *, *
+p, *, *, *, /api/saml/redirect, *, *
 p, *, *, *, /cas, *, *
 p, *, *, *, /scim, *, *
 p, *, *, *, /api/webauthn, *, *
@@ -150,7 +151,7 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o

 func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
 	if method == "POST" {
-		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/callback" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" || urlPath == "/api/check-user-password" || strings.HasPrefix(urlPath, "/api/mfa/") {
+		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/callback" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" || urlPath == "/api/verify-code" || urlPath == "/api/check-user-password" || strings.HasPrefix(urlPath, "/api/mfa/") {
 			return true
 		} else if urlPath == "/api/update-user" {
 			// Allow ordinary users to update their own information
--- a/controllers/account.go
+++ b/controllers/account.go
@@ -111,6 +111,16 @@ func (c *ApiController) Signup() {
 		return
 	}

+	invitation, msg := object.CheckInvitationCode(application, organization, &authForm, c.GetAcceptLanguage())
+	if msg != "" {
+		c.ResponseError(msg)
+		return
+	}
+	invitationName := ""
+	if invitation != nil {
+		invitationName = invitation.Name
+	}
+
 	if application.IsSignupItemVisible("Email") && application.GetSignupItemRule("Email") != "No verification" && authForm.Email != "" {
 		checkResult := object.CheckVerificationCode(authForm.Email, authForm.EmailCode, c.GetAcceptLanguage())
 		if checkResult.Code != object.VerificationSuccess {
@@ -179,6 +189,8 @@ func (c *ApiController) Signup() {
 		SignupApplication: application.Name,
 		Properties:        map[string]string{},
 		Karma:             0,
+		Invitation:        invitationName,
+		InvitationCode:    authForm.InvitationCode,
 	}

 	if len(organization.Tags) > 0 {
@@ -213,6 +225,15 @@ func (c *ApiController) Signup() {
 		return
 	}

+	if invitation != nil {
+		invitation.UsedCount += 1
+		_, err := object.UpdateInvitation(invitation.GetId(), invitation)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	}
+
 	if application.HasPromptPage() && user.Type == "normal-user" {
 		// The prompt page needs the user to be signed in
 		c.SetSessionUsername(user.GetId())
@@ -453,7 +474,7 @@ func (c *ApiController) GetUserinfo2() {
 // GetCaptcha ...
 // @Tag Login API
 // @Title GetCaptcha
-// @router /api/get-captcha [get]
+// @router /get-captcha [get]
 // @Success 200 {object} object.Userinfo The Response object
 func (c *ApiController) GetCaptcha() {
 	applicationId := c.Input().Get("applicationId")
--- a/controllers/application.go
+++ b/controllers/application.go
@@ -110,14 +110,6 @@ func (c *ApiController) GetApplication() {
 		}
 	}

-	// 0 as an initialization value, corresponding to the default configuration parameters
-	if application.FailedSigninLimit == 0 {
-		application.FailedSigninLimit = object.DefaultFailedSigninLimit
-	}
-	if application.FailedSigninfrozenTime == 0 {
-		application.FailedSigninfrozenTime = object.DefaultFailedSigninfrozenTime
-	}
-
 	c.ResponseOk(object.GetMaskedApplication(application, userId))
 }

@@ -147,6 +139,10 @@ func (c *ApiController) GetUserApplication() {
 		c.ResponseError(err.Error())
 		return
 	}
+	if application == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The organization: %s should have one application at least"), user.Owner))
+		return
+	}

 	c.ResponseOk(object.GetMaskedApplication(application, userId))
 }
--- a/controllers/auth.go
+++ b/controllers/auth.go
@@ -19,7 +19,7 @@ import (
 	"encoding/json"
 	"encoding/xml"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -912,16 +912,16 @@ func (c *ApiController) HandleSamlLogin() {
 	samlResponse = url.QueryEscape(samlResponse)
 	targetUrl := fmt.Sprintf("%s?relayState=%s&samlResponse=%s",
 		slice[4], relayState, samlResponse)
-	c.Redirect(targetUrl, 303)
+	c.Redirect(targetUrl, http.StatusSeeOther)
 }

 // HandleOfficialAccountEvent ...
-// @Tag HandleOfficialAccountEvent API
+// @Tag System API
 // @Title HandleOfficialAccountEvent
-// @router /api/webhook [POST]
+// @router /webhook [POST]
 // @Success 200 {object} object.Userinfo The Response object
 func (c *ApiController) HandleOfficialAccountEvent() {
-	respBytes, err := ioutil.ReadAll(c.Ctx.Request.Body)
+	respBytes, err := io.ReadAll(c.Ctx.Request.Body)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@@ -947,9 +947,9 @@ func (c *ApiController) HandleOfficialAccountEvent() {
 }

 // GetWebhookEventType ...
-// @Tag GetWebhookEventType API
+// @Tag System API
 // @Title GetWebhookEventType
-// @router /api/get-webhook-event [GET]
+// @router /get-webhook-event [GET]
 // @Success 200 {object} object.Userinfo The Response object
 func (c *ApiController) GetWebhookEventType() {
 	lock.Lock()
@@ -970,26 +970,30 @@ func (c *ApiController) GetWebhookEventType() {
 // @Description Get Login Error Counts
 // @Param   id     query    string  true        "The id ( owner/name ) of user"
 // @Success 200 {object} controllers.Response The Response object
-// @router /api/get-captcha-status [get]
+// @router /get-captcha-status [get]
 func (c *ApiController) GetCaptchaStatus() {
 	organization := c.Input().Get("organization")
-	userId := c.Input().Get("user_id")
+	userId := c.Input().Get("userId")
 	user, err := object.GetUserByFields(organization, userId)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	failedSigninLimit, _, err := object.GetFailedSigninConfigByUser(user)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
+	captchaEnabled := false
+	if user != nil {
+		var failedSigninLimit int
+		failedSigninLimit, _, err = object.GetFailedSigninConfigByUser(user)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if user.SigninWrongTimes >= failedSigninLimit {
+			captchaEnabled = true
+		}
 	}

-	var captchaEnabled bool
-	if user != nil && user.SigninWrongTimes >= failedSigninLimit {
-		captchaEnabled = true
-	}
 	c.ResponseOk(captchaEnabled)
 }

@@ -997,7 +1001,7 @@ func (c *ApiController) GetCaptchaStatus() {
 // @Title Callback
 // @Tag Callback API
 // @Description Get Login Error Counts
-// @router /api/Callback [post]
+// @router /Callback [post]
 // @Success 200 {object} object.Userinfo The Response object
 func (c *ApiController) Callback() {
 	code := c.GetString("code")
--- a/controllers/casbin_api.go
+++ b/controllers/casbin_api.go
@@ -24,7 +24,7 @@ import (

 // Enforce
 // @Title Enforce
-// @Tag Enforce API
+// @Tag Enforcer API
 // @Description Call Casbin Enforce API
 // @Param   body    body   []string  true   "Casbin request"
 // @Param   permissionId    query   string  false   "permission id"
@@ -121,6 +121,10 @@ func (c *ApiController) Enforce() {
 		}
 	} else if owner != "" {
 		permissions, err = object.GetPermissions(owner)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 	} else {
 		c.ResponseError(c.T("general:Missing parameter"))
 		return
@@ -151,7 +155,7 @@ func (c *ApiController) Enforce() {

 // BatchEnforce
 // @Title BatchEnforce
-// @Tag Enforce API
+// @Tag Enforcer API
 // @Description Call Casbin BatchEnforce API
 // @Param   body    body   []string  true   "array of casbin requests"
 // @Param   permissionId    query   string  false   "permission id"
@@ -235,6 +239,10 @@ func (c *ApiController) BatchEnforce() {
 		}
 	} else if owner != "" {
 		permissions, err = object.GetPermissions(owner)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 	} else {
 		c.ResponseError(c.T("general:Missing parameter"))
 		return
@@ -264,10 +272,13 @@ func (c *ApiController) BatchEnforce() {
 }

 func (c *ApiController) GetAllObjects() {
-	userId := c.GetSessionUsername()
+	userId := c.Input().Get("userId")
 	if userId == "" {
-		c.ResponseError(c.T("general:Please login first"))
-		return
+		userId = c.GetSessionUsername()
+		if userId == "" {
+			c.ResponseError(c.T("general:Please login first"))
+			return
+		}
 	}

 	objects, err := object.GetAllObjects(userId)
@@ -280,10 +291,13 @@ func (c *ApiController) GetAllObjects() {
 }

 func (c *ApiController) GetAllActions() {
-	userId := c.GetSessionUsername()
+	userId := c.Input().Get("userId")
 	if userId == "" {
-		c.ResponseError(c.T("general:Please login first"))
-		return
+		userId = c.GetSessionUsername()
+		if userId == "" {
+			c.ResponseError(c.T("general:Please login first"))
+			return
+		}
 	}

 	actions, err := object.GetAllActions(userId)
@@ -296,10 +310,13 @@ func (c *ApiController) GetAllActions() {
 }

 func (c *ApiController) GetAllRoles() {
-	userId := c.GetSessionUsername()
+	userId := c.Input().Get("userId")
 	if userId == "" {
-		c.ResponseError(c.T("general:Please login first"))
-		return
+		userId = c.GetSessionUsername()
+		if userId == "" {
+			c.ResponseError(c.T("general:Please login first"))
+			return
+		}
 	}

 	roles, err := object.GetAllRoles(userId)
--- a/controllers/cert.go
+++ b/controllers/cert.go
@@ -39,13 +39,13 @@ func (c *ApiController) GetCerts() {
 	sortOrder := c.Input().Get("sortOrder")

 	if limit == "" || page == "" {
-		maskedCerts, err := object.GetMaskedCerts(object.GetCerts(owner))
+		certs, err := object.GetMaskedCerts(object.GetCerts(owner))
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

-		c.ResponseOk(maskedCerts)
+		c.ResponseOk(certs)
 	} else {
 		limit := util.ParseInt(limit)
 		count, err := object.GetCertCount(owner, field, value)
@@ -80,13 +80,13 @@ func (c *ApiController) GetGlobalCerts() {
 	sortOrder := c.Input().Get("sortOrder")

 	if limit == "" || page == "" {
-		maskedCerts, err := object.GetMaskedCerts(object.GetGlobalCerts())
+		certs, err := object.GetMaskedCerts(object.GetGlobalCerts())
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

-		c.ResponseOk(maskedCerts)
+		c.ResponseOk(certs)
 	} else {
 		limit := util.ParseInt(limit)
 		count, err := object.GetGlobalCertsCount(field, value)
--- a/controllers/get-dashboard.go
+++ b/controllers/get-dashboard.go
@@ -18,7 +18,7 @@ import "github.com/casdoor/casdoor/object"

 // GetDashboard
 // @Title GetDashboard
-// @Tag GetDashboard API
+// @Tag System API
 // @Description get information of dashboard
 // @Success 200 {object} controllers.Response The Response object
 // @router /get-dashboard [get]
--- a/controllers/organization.go
+++ b/controllers/organization.go
@@ -41,13 +41,12 @@ func (c *ApiController) GetOrganizations() {

 	isGlobalAdmin := c.IsGlobalAdmin()
 	if limit == "" || page == "" {
-		var maskedOrganizations []*object.Organization
+		var organizations []*object.Organization
 		var err error
-
 		if isGlobalAdmin {
-			maskedOrganizations, err = object.GetMaskedOrganizations(object.GetOrganizations(owner))
+			organizations, err = object.GetMaskedOrganizations(object.GetOrganizations(owner))
 		} else {
-			maskedOrganizations, err = object.GetMaskedOrganizations(object.GetOrganizations(owner, c.getCurrentUser().Owner))
+			organizations, err = object.GetMaskedOrganizations(object.GetOrganizations(owner, c.getCurrentUser().Owner))
 		}

 		if err != nil {
@@ -55,15 +54,15 @@ func (c *ApiController) GetOrganizations() {
 			return
 		}

-		c.ResponseOk(maskedOrganizations)
+		c.ResponseOk(organizations)
 	} else {
 		if !isGlobalAdmin {
-			maskedOrganizations, err := object.GetMaskedOrganizations(object.GetOrganizations(owner, c.getCurrentUser().Owner))
+			organizations, err := object.GetMaskedOrganizations(object.GetOrganizations(owner, c.getCurrentUser().Owner))
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
 			}
-			c.ResponseOk(maskedOrganizations)
+			c.ResponseOk(organizations)
 		} else {
 			limit := util.ParseInt(limit)
 			count, err := object.GetOrganizationCount(owner, field, value)
@@ -93,13 +92,13 @@ func (c *ApiController) GetOrganizations() {
 // @router /get-organization [get]
 func (c *ApiController) GetOrganization() {
 	id := c.Input().Get("id")
-	maskedOrganization, err := object.GetMaskedOrganization(object.GetOrganization(id))
+	organization, err := object.GetMaskedOrganization(object.GetOrganization(id))
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	c.ResponseOk(maskedOrganization)
+	c.ResponseOk(organization)
 }

 // UpdateOrganization ...
@@ -190,8 +189,8 @@ func (c *ApiController) GetDefaultApplication() {
 		return
 	}

-	maskedApplication := object.GetMaskedApplication(application, userId)
-	c.ResponseOk(maskedApplication)
+	application = object.GetMaskedApplication(application, userId)
+	c.ResponseOk(application)
 }

 // GetOrganizationNames ...
--- a/controllers/prometheus.go
+++ b/controllers/prometheus.go
@@ -20,7 +20,7 @@ import (

 // GetPrometheusInfo
 // @Title GetPrometheusInfo
-// @Tag Prometheus API
+// @Tag System API
 // @Description get Prometheus Info
 // @Success 200 {object} object.PrometheusInfo The Response object
 // @router /get-prometheus-info [get]
--- a/controllers/saml.go
+++ b/controllers/saml.go
@@ -16,6 +16,7 @@ package controllers

 import (
 	"fmt"
+	"net/http"

 	"github.com/casdoor/casdoor/object"
 )
@@ -34,7 +35,13 @@ func (c *ApiController) GetSamlMeta() {
 		return
 	}

-	metadata, err := object.GetSamlMeta(application, host)
+	enablePostBinding, err := c.GetBool("enablePostBinding", false)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	metadata, err := object.GetSamlMeta(application, host, enablePostBinding)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@@ -43,3 +50,17 @@ func (c *ApiController) GetSamlMeta() {
 	c.Data["xml"] = metadata
 	c.ServeXML()
 }
+
+func (c *ApiController) HandleSamlRedirect() {
+	host := c.Ctx.Request.Host
+
+	owner := c.Ctx.Input.Param(":owner")
+	application := c.Ctx.Input.Param(":application")
+
+	relayState := c.Input().Get("RelayState")
+	samlRequest := c.Input().Get("SAMLRequest")
+
+	targetURL := object.GetSamlRedirectAddress(owner, application, relayState, samlRequest, host)
+
+	c.Redirect(targetURL, http.StatusSeeOther)
+}
--- a/controllers/service.go
+++ b/controllers/service.go
@@ -52,7 +52,7 @@ type NotificationForm struct {
 // @Param   clientSecret    query    string  true    "The clientSecret of the application"
 // @Param   from    body   controllers.EmailForm    true         "Details of the email request"
 // @Success 200 {object} controllers.Response The Response object
-// @router /api/send-email [post]
+// @router /send-email [post]
 func (c *ApiController) SendEmail() {
 	userId, ok := c.RequireSignedIn()
 	if !ok {
@@ -148,7 +148,7 @@ func (c *ApiController) SendEmail() {
 // @Param   clientSecret    query    string  true    "The clientSecret of the application"
 // @Param   from    body   controllers.SmsForm    true           "Details of the sms request"
 // @Success 200 {object} controllers.Response The Response object
-// @router /api/send-sms [post]
+// @router /send-sms [post]
 func (c *ApiController) SendSms() {
 	provider, err := c.GetProviderFromContext("SMS")
 	if err != nil {
@@ -186,7 +186,7 @@ func (c *ApiController) SendSms() {
 // @Description This API is not for Casdoor frontend to call, it is for Casdoor SDKs.
 // @Param   from    body   controllers.NotificationForm    true         "Details of the notification request"
 // @Success 200 {object} controllers.Response The Response object
-// @router /api/send-notification [post]
+// @router /send-notification [post]
 func (c *ApiController) SendNotification() {
 	provider, err := c.GetProviderFromContext("Notification")
 	if err != nil {
--- a/controllers/syncer.go
+++ b/controllers/syncer.go
@@ -40,13 +40,13 @@ func (c *ApiController) GetSyncers() {
 	organization := c.Input().Get("organization")

 	if limit == "" || page == "" {
-		organizationSyncers, err := object.GetOrganizationSyncers(owner, organization)
+		syncers, err := object.GetMaskedSyncers(object.GetOrganizationSyncers(owner, organization))
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

-		c.ResponseOk(organizationSyncers)
+		c.ResponseOk(syncers)
 	} else {
 		limit := util.ParseInt(limit)
 		count, err := object.GetSyncerCount(owner, organization, field, value)
@@ -56,7 +56,7 @@ func (c *ApiController) GetSyncers() {
 		}

 		paginator := pagination.SetPaginator(c.Ctx, limit, count)
-		syncers, err := object.GetPaginationSyncers(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		syncers, err := object.GetMaskedSyncers(object.GetPaginationSyncers(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder))
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@@ -76,7 +76,7 @@ func (c *ApiController) GetSyncers() {
 func (c *ApiController) GetSyncer() {
 	id := c.Input().Get("id")

-	syncer, err := object.GetSyncer(id)
+	syncer, err := object.GetMaskedSyncer(object.GetSyncer(id))
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/controllers/system_info.go
+++ b/controllers/system_info.go
@@ -47,6 +47,11 @@ func (c *ApiController) GetSystemInfo() {
 // @router /get-version-info [get]
 func (c *ApiController) GetVersionInfo() {
 	versionInfo, err := util.GetVersionInfo()
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	if versionInfo.Version != "" {
 		c.ResponseOk(versionInfo)
 		return
--- a/controllers/token.go
+++ b/controllers/token.go
@@ -156,7 +156,7 @@ func (c *ApiController) DeleteToken() {
 // @Success 200 {object} object.TokenWrapper The Response object
 // @Success 400 {object} object.TokenError The Response object
 // @Success 401 {object} object.TokenError The Response object
-// @router api/login/oauth/access_token [post]
+// @router /login/oauth/access_token [post]
 func (c *ApiController) GetOAuthToken() {
 	clientId := c.Input().Get("client_id")
 	clientSecret := c.Input().Get("client_secret")
@@ -271,8 +271,17 @@ func (c *ApiController) RefreshToken() {
 	c.ServeJSON()
 }

+func (c *ApiController) ResponseTokenError(errorMsg string) {
+	c.Data["json"] = &object.TokenError{
+		Error: errorMsg,
+	}
+	c.SetTokenErrorHttpStatus()
+	c.ServeJSON()
+}
+
 // IntrospectToken
 // @Title IntrospectToken
+// @Tag Login API
 // @Description The introspection endpoint is an OAuth 2.0 endpoint that takes a
 // parameter representing an OAuth 2.0 token and returns a JSON document
 // representing the meta information surrounding the
@@ -292,40 +301,33 @@ func (c *ApiController) IntrospectToken() {
 		clientId = c.Input().Get("client_id")
 		clientSecret = c.Input().Get("client_secret")
 		if clientId == "" || clientSecret == "" {
-			c.ResponseError(c.T("token:Empty clientId or clientSecret"))
-			c.Data["json"] = &object.TokenError{
-				Error: object.InvalidRequest,
-			}
-			c.SetTokenErrorHttpStatus()
-			c.ServeJSON()
+			c.ResponseTokenError(object.InvalidRequest)
 			return
 		}
 	}
+
 	application, err := object.GetApplicationByClientId(clientId)
 	if err != nil {
-		c.ResponseError(err.Error())
+		c.ResponseTokenError(err.Error())
 		return
 	}

 	if application == nil || application.ClientSecret != clientSecret {
-		c.ResponseError(c.T("token:Invalid application or wrong clientSecret"))
-		c.Data["json"] = &object.TokenError{
-			Error: object.InvalidClient,
-		}
-		c.SetTokenErrorHttpStatus()
-		return
-	}
-	token, err := object.GetTokenByTokenAndApplication(tokenValue, application.Name)
-	if err != nil {
-		c.ResponseError(err.Error())
+		c.ResponseTokenError(c.T("token:Invalid application or wrong clientSecret"))
 		return
 	}

+	token, err := object.GetTokenByTokenValue(tokenValue)
+	if err != nil {
+		c.ResponseTokenError(err.Error())
+		return
+	}
 	if token == nil {
 		c.Data["json"] = &object.IntrospectionResponse{Active: false}
 		c.ServeJSON()
 		return
 	}
+
 	jwtToken, err := object.ParseJwtTokenByApplication(tokenValue, application)
 	if err != nil || jwtToken.Valid() != nil {
 		// and token revoked case. but we not implement
--- a/controllers/user.go
+++ b/controllers/user.go
@@ -39,13 +39,13 @@ func (c *ApiController) GetGlobalUsers() {
 	sortOrder := c.Input().Get("sortOrder")

 	if limit == "" || page == "" {
-		maskedUsers, err := object.GetMaskedUsers(object.GetGlobalUsers())
+		users, err := object.GetMaskedUsers(object.GetGlobalUsers())
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

-		c.ResponseOk(maskedUsers)
+		c.ResponseOk(users)
 	} else {
 		limit := util.ParseInt(limit)
 		count, err := object.GetGlobalUserCount(field, value)
@@ -90,22 +90,22 @@ func (c *ApiController) GetUsers() {

 	if limit == "" || page == "" {
 		if groupName != "" {
-			maskedUsers, err := object.GetMaskedUsers(object.GetGroupUsers(util.GetId(owner, groupName)))
+			users, err := object.GetMaskedUsers(object.GetGroupUsers(util.GetId(owner, groupName)))
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
 			}
-			c.ResponseOk(maskedUsers)
+			c.ResponseOk(users)
 			return
 		}

-		maskedUsers, err := object.GetMaskedUsers(object.GetUsers(owner))
+		users, err := object.GetMaskedUsers(object.GetUsers(owner))
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

-		c.ResponseOk(maskedUsers)
+		c.ResponseOk(users)
 	} else {
 		limit := util.ParseInt(limit)
 		count, err := object.GetUserCount(owner, field, value, groupName)
@@ -175,26 +175,6 @@ func (c *ApiController) GetUser() {
 			owner = util.GetOwnerFromId(id)
 		}

-		var organization *object.Organization
-		organization, err = object.GetOrganization(util.GetId("admin", owner))
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-		if organization == nil {
-			c.ResponseError(fmt.Sprintf("the organization: %s is not found", owner))
-			return
-		}
-
-		if !organization.IsProfilePublic {
-			requestUserId := c.GetSessionUsername()
-			hasPermission, err := object.CheckUserPermission(requestUserId, id, false, c.GetAcceptLanguage())
-			if !hasPermission {
-				c.ResponseError(err.Error())
-				return
-			}
-		}
-
 		switch {
 		case email != "":
 			user, err = object.GetUserByEmail(owner, email)
@@ -212,6 +192,29 @@ func (c *ApiController) GetUser() {
 		return
 	}

+	if user != nil {
+		var organization *object.Organization
+		organization, err = object.GetOrganizationByUser(user)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		if organization == nil {
+			c.ResponseError(fmt.Sprintf("the organization: %s is not found", owner))
+			return
+		}
+
+		if !organization.IsProfilePublic {
+			requestUserId := c.GetSessionUsername()
+			var hasPermission bool
+			hasPermission, err = object.CheckUserPermission(requestUserId, user.GetId(), false, c.GetAcceptLanguage())
+			if !hasPermission {
+				c.ResponseError(err.Error())
+				return
+			}
+		}
+	}
+
 	if user != nil {
 		user.MultiFactorAuths = object.GetAllMfaProps(user, true)
 	}
@@ -223,13 +226,13 @@ func (c *ApiController) GetUser() {
 	}

 	isAdminOrSelf := c.IsAdminOrSelf(user)
-	maskedUser, err := object.GetMaskedUser(user, isAdminOrSelf)
+	user, err = object.GetMaskedUser(user, isAdminOrSelf)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	c.ResponseOk(maskedUser)
+	c.ResponseOk(user)
 }

 // UpdateUser
@@ -541,13 +544,13 @@ func (c *ApiController) GetSortedUsers() {
 	sorter := c.Input().Get("sorter")
 	limit := util.ParseInt(c.Input().Get("limit"))

-	maskedUsers, err := object.GetMaskedUsers(object.GetSortedUsers(owner, sorter, limit))
+	users, err := object.GetMaskedUsers(object.GetSortedUsers(owner, sorter, limit))
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	c.ResponseOk(maskedUsers)
+	c.ResponseOk(users)
 }

 // GetUserCount
--- a/controllers/verification.go
+++ b/controllers/verification.go
@@ -109,6 +109,15 @@ func (c *ApiController) SendVerificationCode() {
 			c.ResponseError(err.Error())
 			return
 		}
+		if user == nil || user.IsDeleted {
+			c.ResponseError(c.T("verification:the user does not exist, please sign up first"))
+			return
+		}
+
+		if user.IsForbidden {
+			c.ResponseError(c.T("check:The user is forbidden to sign in, please contact the administrator"))
+			return
+		}
 	}

 	// mfaUserSession != "", means method is MfaAuthVerification
@@ -272,7 +281,7 @@ func (c *ApiController) VerifyCaptcha() {
 // ResetEmailOrPhone ...
 // @Tag Account API
 // @Title ResetEmailOrPhone
-// @router /api/reset-email-or-phone [post]
+// @router /reset-email-or-phone [post]
 // @Success 200 {object} object.Userinfo The Response object
 func (c *ApiController) ResetEmailOrPhone() {
 	user, ok := c.RequireSignedInUser()
@@ -367,7 +376,7 @@ func (c *ApiController) ResetEmailOrPhone() {
 // VerifyCode
 // @Tag Verification API
 // @Title VerifyCode
-// @router /api/verify-code [post]
+// @router /verify-code [post]
 // @Success 200 {object} object.Userinfo The Response object
 func (c *ApiController) VerifyCode() {
 	var authForm form.AuthForm
--- a/cred/manager.go
+++ b/cred/manager.go
@@ -24,6 +24,8 @@ func GetCredManager(passwordType string) CredManager {
 		return NewPlainCredManager()
 	} else if passwordType == "salt" {
 		return NewSha256SaltCredManager()
+	} else if passwordType == "sha512-salt" {
+		return NewSha512SaltCredManager()
 	} else if passwordType == "md5-salt" {
 		return NewMd5UserSaltCredManager()
 	} else if passwordType == "bcrypt" {
--- a/cred/sha512-salt.go
+++ b/cred/sha512-salt.go
@@ -0,0 +1,50 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cred
+
+import (
+	"crypto/sha512"
+	"encoding/hex"
+)
+
+type Sha512SaltCredManager struct{}
+
+func getSha512(data []byte) []byte {
+	hash := sha512.Sum512(data)
+	return hash[:]
+}
+
+func getSha512HexDigest(s string) string {
+	b := getSha512([]byte(s))
+	res := hex.EncodeToString(b)
+	return res
+}
+
+func NewSha512SaltCredManager() *Sha512SaltCredManager {
+	cm := &Sha512SaltCredManager{}
+	return cm
+}
+
+func (cm *Sha512SaltCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+	res := getSha512HexDigest(password)
+	if organizationSalt != "" {
+		res = getSha512HexDigest(res + organizationSalt)
+	}
+	return res
+}
+
+func (cm *Sha512SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
+	return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt, organizationSalt)
+}
--- a/form/auth.go
+++ b/form/auth.go
@@ -14,6 +14,8 @@

 package form

+import "reflect"
+
 type AuthForm struct {
 	Type         string `json:"type"`
 	SigninMethod string `json:"signinMethod"`
@@ -60,3 +62,13 @@ type AuthForm struct {
 	Plan    string `json:"plan"`
 	Pricing string `json:"pricing"`
 }
+
+func GetAuthFormFieldValue(form *AuthForm, fieldName string) (bool, string) {
+	val := reflect.ValueOf(*form)
+	fieldValue := val.FieldByName(fieldName)
+
+	if fieldValue.IsValid() && fieldValue.Kind() == reflect.String {
+		return true, fieldValue.String()
+	}
+	return false, ""
+}
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 	github.com/casdoor/go-sms-sender v0.19.0
 	github.com/casdoor/gomail/v2 v2.0.1
 	github.com/casdoor/notify v0.45.0
-	github.com/casdoor/oss v1.4.1
+	github.com/casdoor/oss v1.5.0
 	github.com/casdoor/xorm-adapter/v3 v3.1.0
 	github.com/casvisor/casvisor-go-sdk v1.0.3
 	github.com/dchest/captcha v0.0.0-20200903113550-03f5f0333e1f
@@ -35,7 +35,7 @@ require (
 	github.com/lestrrat-go/jwx v1.2.21
 	github.com/lib/pq v1.10.9
 	github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3
-	github.com/markbates/goth v1.75.2
+	github.com/markbates/goth v1.78.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nyaruka/phonenumbers v1.1.5
 	github.com/pquerna/otp v1.4.0
--- a/go.sum
+++ b/go.sum
@@ -1089,8 +1089,8 @@ github.com/casdoor/gomail/v2 v2.0.1 h1:J+FG6x80s9e5lBHUn8Sv0Y56mud34KiWih5YdmudR
 github.com/casdoor/gomail/v2 v2.0.1/go.mod h1:VnGPslEAtpix5FjHisR/WKB1qvZDBaujbikxDe9d+2Q=
 github.com/casdoor/notify v0.45.0 h1:OlaFvcQFjGOgA4mRx07M8AH1gvb5xNo21mcqrVGlLgk=
 github.com/casdoor/notify v0.45.0/go.mod h1:wNHQu0tiDROMBIvz0j3Om3Lhd5yZ+AIfnFb8MYb8OLQ=
-github.com/casdoor/oss v1.4.1 h1:/P2JCyGzB2TtpJ3LocKocI1VAme2YdvVau2wpMQGt7I=
-github.com/casdoor/oss v1.4.1/go.mod h1:rJAWA0hLhtu94t6IRpotLUkXO1NWMASirywQYaGizJE=
+github.com/casdoor/oss v1.5.0 h1:mi1htaXR5fynskDry1S3wk+Dd2nRY1z1pVcnGsqMqP4=
+github.com/casdoor/oss v1.5.0/go.mod h1:rJAWA0hLhtu94t6IRpotLUkXO1NWMASirywQYaGizJE=
 github.com/casdoor/xorm-adapter/v3 v3.1.0 h1:NodWayRtSLVSeCvL9H3Hc61k0G17KhV9IymTCNfh3kk=
 github.com/casdoor/xorm-adapter/v3 v3.1.0/go.mod h1:4WTcUw+bTgBylGHeGHzTtBvuTXRS23dtwzFLl9tsgFM=
 github.com/casvisor/casvisor-go-sdk v1.0.3 h1:TKJQWKnhtznEBhzLPEdNsp7nJK2GgdD8JsB0lFPMW7U=
@@ -1657,8 +1657,8 @@ github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czP
 github.com/mailgun/mailgun-go/v4 v4.11.0/go.mod h1:L9s941Lgk7iB3TgywTPz074pK2Ekkg4kgbnAaAyJ2z8=
 github.com/markbates/going v1.0.0 h1:DQw0ZP7NbNlFGcKbcE/IVSOAFzScxRtLpd0rLMzLhq0=
 github.com/markbates/going v1.0.0/go.mod h1:I6mnB4BPnEeqo85ynXIx1ZFLLbtiLHNXVgWeFO9OGOA=
-github.com/markbates/goth v1.75.2 h1:C7KloBMMk50JyXaHhzfqWYLW6+bDcSVIvUGHXneLWro=
-github.com/markbates/goth v1.75.2/go.mod h1:X6xdNgpapSENS0O35iTBBcMHoJDQDfI9bJl+APCkYMc=
+github.com/markbates/goth v1.78.0 h1:7VEIFDycJp9deyVv3YraGBPdD0ZYQW93Y3Aw1eVP3BY=
+github.com/markbates/goth v1.78.0/go.mod h1:X6xdNgpapSENS0O35iTBBcMHoJDQDfI9bJl+APCkYMc=
 github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
--- a/i18n/locales/ar/data.json
+++ b/i18n/locales/ar/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Empty username.",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
    "LastName cannot be blank": "LastName cannot be blank",
    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
@@ -46,10 +48,15 @@
    "Phone already exists": "Phone already exists",
    "Phone cannot be empty": "Phone cannot be empty",
    "Phone number is invalid": "Phone number is invalid",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Session outdated, please login again",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
    "Username cannot contain white spaces": "Username cannot contain white spaces",
--- a/i18n/locales/de/data.json
+++ b/i18n/locales/de/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Leerer Benutzername.",
    "FirstName cannot be blank": "Vorname darf nicht leer sein",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "Ldap Benutzername oder Passwort falsch",
    "LastName cannot be blank": "Nachname darf nicht leer sein",
    "Multiple accounts with same uid, please check your ldap server": "Mehrere Konten mit derselben uid, bitte überprüfen Sie Ihren LDAP-Server",
@@ -46,10 +48,15 @@
    "Phone already exists": "Telefon existiert bereits",
    "Phone cannot be empty": "Das Telefon darf nicht leer sein",
    "Phone number is invalid": "Die Telefonnummer ist ungültig",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Sitzung abgelaufen, bitte erneut anmelden",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "Dem Benutzer ist der Zugang verboten, bitte kontaktieren Sie den Administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Der Benutzername darf nur alphanumerische Zeichen, Unterstriche oder Bindestriche enthalten, keine aufeinanderfolgenden Bindestriche oder Unterstriche haben und darf nicht mit einem Bindestrich oder Unterstrich beginnen oder enden.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Benutzername existiert bereits",
    "Username cannot be an email address": "Benutzername kann keine E-Mail-Adresse sein",
    "Username cannot contain white spaces": "Benutzername darf keine Leerzeichen enthalten",
--- a/i18n/locales/en/data.json
+++ b/i18n/locales/en/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Empty username.",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
    "LastName cannot be blank": "LastName cannot be blank",
    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
@@ -46,10 +48,15 @@
    "Phone already exists": "Phone already exists",
    "Phone cannot be empty": "Phone cannot be empty",
    "Phone number is invalid": "Phone number is invalid",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Session outdated, please login again",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
    "Username cannot contain white spaces": "Username cannot contain white spaces",
--- a/i18n/locales/es/data.json
+++ b/i18n/locales/es/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Nombre de usuario vacío.",
    "FirstName cannot be blank": "El nombre no puede estar en blanco",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "Nombre de usuario o contraseña de Ldap incorrectos",
    "LastName cannot be blank": "El apellido no puede estar en blanco",
    "Multiple accounts with same uid, please check your ldap server": "Cuentas múltiples con el mismo uid, por favor revise su servidor ldap",
@@ -46,10 +48,15 @@
    "Phone already exists": "El teléfono ya existe",
    "Phone cannot be empty": "Teléfono no puede estar vacío",
    "Phone number is invalid": "El número de teléfono no es válido",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Sesión expirada, por favor vuelva a iniciar sesión",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "El usuario no está autorizado a iniciar sesión, por favor contacte al administrador",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "El nombre de usuario solo puede contener caracteres alfanuméricos, guiones bajos o guiones, no puede tener guiones o subrayados consecutivos, y no puede comenzar ni terminar con un guión o subrayado.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "El nombre de usuario ya existe",
    "Username cannot be an email address": "Nombre de usuario no puede ser una dirección de correo electrónico",
    "Username cannot contain white spaces": "Nombre de usuario no puede contener espacios en blanco",
--- a/i18n/locales/fa/data.json
+++ b/i18n/locales/fa/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Empty username.",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
    "LastName cannot be blank": "LastName cannot be blank",
    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
@@ -46,10 +48,15 @@
    "Phone already exists": "Phone already exists",
    "Phone cannot be empty": "Phone cannot be empty",
    "Phone number is invalid": "Phone number is invalid",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Session outdated, please login again",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
    "Username cannot contain white spaces": "Username cannot contain white spaces",
--- a/i18n/locales/fi/data.json
+++ b/i18n/locales/fi/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Empty username.",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
    "LastName cannot be blank": "LastName cannot be blank",
    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
@@ -46,10 +48,15 @@
    "Phone already exists": "Phone already exists",
    "Phone cannot be empty": "Phone cannot be empty",
    "Phone number is invalid": "Phone number is invalid",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Session outdated, please login again",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
    "Username cannot contain white spaces": "Username cannot contain white spaces",
--- a/i18n/locales/fr/data.json
+++ b/i18n/locales/fr/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Nom d'utilisateur vide.",
    "FirstName cannot be blank": "Le prénom ne peut pas être laissé vide",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "Nom d'utilisateur ou mot de passe LDAP incorrect",
    "LastName cannot be blank": "Le nom de famille ne peut pas être vide",
    "Multiple accounts with same uid, please check your ldap server": "Plusieurs comptes avec le même identifiant d'utilisateur, veuillez vérifier votre serveur LDAP",
@@ -46,10 +48,15 @@
    "Phone already exists": "Le téléphone existe déjà",
    "Phone cannot be empty": "Le téléphone ne peut pas être vide",
    "Phone number is invalid": "Le numéro de téléphone est invalide",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Session expirée, veuillez vous connecter à nouveau",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "L'utilisateur est interdit de se connecter, veuillez contacter l'administrateur",
    "The user: %s doesn't exist in LDAP server": "L'utilisateur %s n'existe pas sur le serveur LDAP",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Le nom d'utilisateur ne peut contenir que des caractères alphanumériques, des traits soulignés ou des tirets, ne peut pas avoir de tirets ou de traits soulignés consécutifs et ne peut pas commencer ou se terminer par un tiret ou un trait souligné.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Nom d'utilisateur existe déjà",
    "Username cannot be an email address": "Nom d'utilisateur ne peut pas être une adresse e-mail",
    "Username cannot contain white spaces": "Nom d'utilisateur ne peut pas contenir d'espaces blancs",
--- a/i18n/locales/he/data.json
+++ b/i18n/locales/he/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Empty username.",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
    "LastName cannot be blank": "LastName cannot be blank",
    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
@@ -46,10 +48,15 @@
    "Phone already exists": "Phone already exists",
    "Phone cannot be empty": "Phone cannot be empty",
    "Phone number is invalid": "Phone number is invalid",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Session outdated, please login again",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
    "Username cannot contain white spaces": "Username cannot contain white spaces",
--- a/i18n/locales/id/data.json
+++ b/i18n/locales/id/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Nama pengguna kosong.",
    "FirstName cannot be blank": "Nama depan tidak boleh kosong",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "Nama pengguna atau kata sandi Ldap salah",
    "LastName cannot be blank": "Nama belakang tidak boleh kosong",
    "Multiple accounts with same uid, please check your ldap server": "Beberapa akun dengan uid yang sama, harap periksa server ldap Anda",
@@ -46,10 +48,15 @@
    "Phone already exists": "Telepon sudah ada",
    "Phone cannot be empty": "Telepon tidak boleh kosong",
    "Phone number is invalid": "Nomor telepon tidak valid",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Sesi kedaluwarsa, silakan masuk lagi",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "Pengguna dilarang masuk, silakan hubungi administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Nama pengguna hanya bisa menggunakan karakter alfanumerik, garis bawah atau tanda hubung, tidak boleh memiliki dua tanda hubung atau garis bawah berurutan, dan tidak boleh diawali atau diakhiri dengan tanda hubung atau garis bawah.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Nama pengguna sudah ada",
    "Username cannot be an email address": "Username tidak bisa menjadi alamat email",
    "Username cannot contain white spaces": "Username tidak boleh mengandung spasi",
--- a/i18n/locales/it/data.json
+++ b/i18n/locales/it/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Empty username.",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
    "LastName cannot be blank": "LastName cannot be blank",
    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
@@ -46,10 +48,15 @@
    "Phone already exists": "Phone already exists",
    "Phone cannot be empty": "Phone cannot be empty",
    "Phone number is invalid": "Phone number is invalid",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Session outdated, please login again",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
    "Username cannot contain white spaces": "Username cannot contain white spaces",
--- a/i18n/locales/ja/data.json
+++ b/i18n/locales/ja/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "空のユーザー名。",
    "FirstName cannot be blank": "ファーストネームは空白にできません",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "Ldapのユーザー名またはパスワードが間違っています",
    "LastName cannot be blank": "姓は空白にできません",
    "Multiple accounts with same uid, please check your ldap server": "同じuidを持つ複数のアカウントがあります。あなたのLDAPサーバーを確認してください",
@@ -46,10 +48,15 @@
    "Phone already exists": "電話はすでに存在しています",
    "Phone cannot be empty": "電話は空っぽにできません",
    "Phone number is invalid": "電話番号が無効です",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "セッションが期限切れになりました。再度ログインしてください",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "ユーザーはサインインできません。管理者に連絡してください",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "ユーザー名には英数字、アンダースコア、ハイフンしか含めることができません。連続したハイフンまたはアンダースコアは不可であり、ハイフンまたはアンダースコアで始まるまたは終わることもできません。",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "ユーザー名はすでに存在しています",
    "Username cannot be an email address": "ユーザー名には電子メールアドレスを使用できません",
    "Username cannot contain white spaces": "ユーザ名にはスペースを含めることはできません",
--- a/i18n/locales/kk/data.json
+++ b/i18n/locales/kk/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Empty username.",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
    "LastName cannot be blank": "LastName cannot be blank",
    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
@@ -46,10 +48,15 @@
    "Phone already exists": "Phone already exists",
    "Phone cannot be empty": "Phone cannot be empty",
    "Phone number is invalid": "Phone number is invalid",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Session outdated, please login again",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
    "Username cannot contain white spaces": "Username cannot contain white spaces",
--- a/i18n/locales/ko/data.json
+++ b/i18n/locales/ko/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "빈 사용자 이름.",
    "FirstName cannot be blank": "이름은 공백일 수 없습니다",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "LDAP 사용자 이름 또는 암호가 잘못되었습니다",
    "LastName cannot be blank": "성은 비어 있을 수 없습니다",
    "Multiple accounts with same uid, please check your ldap server": "동일한 UID를 가진 여러 계정이 있습니다. LDAP 서버를 확인해주세요",
@@ -46,10 +48,15 @@
    "Phone already exists": "전화기는 이미 존재합니다",
    "Phone cannot be empty": "전화는 비워 둘 수 없습니다",
    "Phone number is invalid": "전화번호가 유효하지 않습니다",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "세션이 만료되었습니다. 다시 로그인해주세요",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "사용자는 로그인이 금지되어 있습니다. 관리자에게 문의하십시오",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "사용자 이름은 알파벳, 숫자, 밑줄 또는 하이픈만 포함할 수 있으며, 연속된 하이픈 또는 밑줄을 가질 수 없으며, 하이픈 또는 밑줄로 시작하거나 끝날 수 없습니다.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "사용자 이름이 이미 존재합니다",
    "Username cannot be an email address": "사용자 이름은 이메일 주소가 될 수 없습니다",
    "Username cannot contain white spaces": "사용자 이름에는 공백이 포함될 수 없습니다",
--- a/i18n/locales/ms/data.json
+++ b/i18n/locales/ms/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Empty username.",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
    "LastName cannot be blank": "LastName cannot be blank",
    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
@@ -46,10 +48,15 @@
    "Phone already exists": "Phone already exists",
    "Phone cannot be empty": "Phone cannot be empty",
    "Phone number is invalid": "Phone number is invalid",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Session outdated, please login again",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
    "Username cannot contain white spaces": "Username cannot contain white spaces",
--- a/i18n/locales/nl/data.json
+++ b/i18n/locales/nl/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Empty username.",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
    "LastName cannot be blank": "LastName cannot be blank",
    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
@@ -46,10 +48,15 @@
    "Phone already exists": "Phone already exists",
    "Phone cannot be empty": "Phone cannot be empty",
    "Phone number is invalid": "Phone number is invalid",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Session outdated, please login again",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
    "Username cannot contain white spaces": "Username cannot contain white spaces",
--- a/i18n/locales/pl/data.json
+++ b/i18n/locales/pl/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Empty username.",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
    "LastName cannot be blank": "LastName cannot be blank",
    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
@@ -46,10 +48,15 @@
    "Phone already exists": "Phone already exists",
    "Phone cannot be empty": "Phone cannot be empty",
    "Phone number is invalid": "Phone number is invalid",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Session outdated, please login again",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
    "Username cannot contain white spaces": "Username cannot contain white spaces",
--- a/i18n/locales/pt/data.json
+++ b/i18n/locales/pt/data.json
@@ -1,18 +1,18 @@
 {
  "account": {
-    "Failed to add user": "Failed to add user",
-    "Get init score failed, error: %w": "Get init score failed, error: %w",
-    "Please sign out first": "Please sign out first",
-    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+    "Failed to add user": "Falha ao adicionar usuário",
+    "Get init score failed, error: %w": "Obter pontuação inicial falhou, erro: %w",
+    "Please sign out first": "Por favor, saia da sessão primeiro",
+    "The application does not allow to sign up new account": "O aplicativo não permite a criação de uma nova conta"
  },
  "auth": {
-    "Challenge method should be S256": "Challenge method should be S256",
-    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
-    "Failed to login in: %s": "Failed to login in: %s",
-    "Invalid token": "Invalid token",
-    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "Challenge method should be S256": "Método de desafio deve ser S256",
+    "Failed to create user, user information is invalid: %s": "Falha ao criar usuário, informação do usuário inválida: %s",
+    "Failed to login in: %s": "Falha ao entrar em: %s",
+    "Invalid token": "Token inválido",
+    "State expected: %s, but got: %s": "Estado esperado: %s, mas recebeu: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "A conta para o provedor: %s e nome de usuário: %s (%s) não existe e não é permitido inscrever-se como uma nova conta via %%s, por favor, use outra forma de se inscrever",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "A conta para o provedor: %s e nome de usuário: %s (%s) não existe e não é permitido inscrever-se como uma nova conta entre em contato com seu suporte de TI",
    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
    "The application: %s does not exist": "The application: %s does not exist",
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
@@ -38,7 +38,9 @@
    "Empty username.": "Empty username.",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
    "LastName cannot be blank": "LastName cannot be blank",
    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
@@ -46,19 +48,24 @@
    "Phone already exists": "Phone already exists",
    "Phone cannot be empty": "Phone cannot be empty",
    "Phone number is invalid": "Phone number is invalid",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Session outdated, please login again",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
    "Username cannot contain white spaces": "Username cannot contain white spaces",
-    "Username cannot start with a digit": "Username cannot start with a digit",
-    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
-    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "Username cannot start with a digit": "O nome de usuário não pode começar com um dígito",
+    "Username is too long (maximum is 39 characters).": "Nome de usuário é muito longo (máximo é 39 caracteres).",
+    "Username must have at least 2 characters": "Nome de usuário deve ter pelo menos 2 caracteres",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
-    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect": "senha ou código incorreto",
    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
    "unsupported password type: %s": "unsupported password type: %s"
  },
@@ -82,15 +89,15 @@
  },
  "organization": {
    "Only admin can modify the %s.": "Only admin can modify the %s.",
-    "The %s is immutable.": "The %s is immutable.",
-    "Unknown modify rule %s.": "Unknown modify rule %s."
+    "The %s is immutable.": "O %s é imutável.",
+    "Unknown modify rule %s.": "Regra de modificação %s desconhecida."
  },
  "provider": {
-    "Invalid application id": "Invalid application id",
-    "the provider: %s does not exist": "the provider: %s does not exist"
+    "Invalid application id": "Id do aplicativo inválido",
+    "the provider: %s does not exist": "o provedor: %s não existe"
  },
  "resource": {
-    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "User is nil for tag: avatar": "Usuário é nulo para tag: avatar",
    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
  },
  "saml": {
@@ -109,19 +116,19 @@
    "The provider type: %s is not supported": "The provider type: %s is not supported"
  },
  "token": {
-    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Empty clientId or clientSecret": "ClientId ou clientSecret vazio",
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
-    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
-    "Invalid client_id": "Invalid client_id",
-    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
-    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+    "Invalid application or wrong clientSecret": "Aplicativo inválido ou clientSecret errado",
+    "Invalid client_id": "client_id inválido",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "URI de redirecionamento: %s não existe na lista de URI de redirecionamento permitida",
+    "Token not found, invalid accessToken": "Token não encontrado, token de acesso inválido"
  },
  "user": {
-    "Display name cannot be empty": "Display name cannot be empty",
+    "Display name cannot be empty": "Nome de exibição não pode ser vazio",
    "New password cannot contain blank space.": "New password cannot contain blank space."
  },
  "user_upload": {
-    "Failed to import users": "Failed to import users"
+    "Failed to import users": "Falha ao importar usuários"
  },
  "util": {
    "No application is found for userId: %s": "No application is found for userId: %s",
--- a/i18n/locales/ru/data.json
+++ b/i18n/locales/ru/data.json
@@ -6,7 +6,7 @@
    "The application does not allow to sign up new account": "Приложение не позволяет зарегистрироваться новому аккаунту"
  },
  "auth": {
-    "Challenge method should be S256": "Метод испытаний должен быть S256",
+    "Challenge method should be S256": "Метод проверки должен быть S256",
    "Failed to create user, user information is invalid: %s": "Не удалось создать пользователя, информация о пользователе недействительна: %s",
    "Failed to login in: %s": "Не удалось войти в систему: %s",
    "Invalid token": "Недействительный токен",
@@ -22,7 +22,7 @@
    "The provider: %s is not enabled for the application": "Провайдер: %s не включен для приложения",
    "Unauthorized operation": "Несанкционированная операция",
    "Unknown authentication type (not password or provider), form = %s": "Неизвестный тип аутентификации (не пароль и не провайдер), форма = %s",
-    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags",
+    "User's tag: %s is not listed in the application's tags": "Тег пользователя: %s не указан в тэгах приложения",
    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing"
  },
  "cas": {
@@ -38,7 +38,9 @@
    "Empty username.": "Пустое имя пользователя.",
    "FirstName cannot be blank": "Имя не может быть пустым",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "Неправильное имя пользователя или пароль Ldap",
    "LastName cannot be blank": "Фамилия не может быть пустой",
    "Multiple accounts with same uid, please check your ldap server": "Множественные учетные записи с тем же UID. Пожалуйста, проверьте свой сервер LDAP",
@@ -46,10 +48,15 @@
    "Phone already exists": "Телефон уже существует",
    "Phone cannot be empty": "Телефон не может быть пустым",
    "Phone number is invalid": "Номер телефона является недействительным",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Сессия устарела, пожалуйста, войдите снова",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "Пользователю запрещен вход, пожалуйста, обратитесь к администратору",
-    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The user: %s doesn't exist in LDAP server": "Пользователь %s не существует на LDAP сервере",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Имя пользователя может состоять только из буквенно-цифровых символов, нижних подчеркиваний или дефисов, не может содержать последовательные дефисы или подчеркивания, а также не может начинаться или заканчиваться на дефис или подчеркивание.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Имя пользователя уже существует",
    "Username cannot be an email address": "Имя пользователя не может быть адресом электронной почты",
    "Username cannot contain white spaces": "Имя пользователя не может содержать пробелы",
@@ -58,7 +65,7 @@
    "Username must have at least 2 characters": "Имя пользователя должно содержать не менее 2 символов",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Вы ввели неправильный пароль или код слишком много раз, пожалуйста, подождите %d минут и попробуйте снова",
    "Your region is not allow to signup by phone": "Ваш регион не разрешает регистрацию по телефону",
-    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect": "неправильный пароль или код",
    "password or code is incorrect, you have %d remaining chances": "Неправильный пароль или код, у вас осталось %d попыток",
    "unsupported password type: %s": "неподдерживаемый тип пароля: %s"
  },
@@ -66,8 +73,8 @@
    "Missing parameter": "Отсутствующий параметр",
    "Please login first": "Пожалуйста, сначала войдите в систему",
    "The user: %s doesn't exist": "Пользователь %s не существует",
-    "don't support captchaProvider: ": "не поддерживайте captchaProvider:",
-    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+    "don't support captchaProvider: ": "неподдерживаемый captchaProvider: ",
+    "this operation is not allowed in demo mode": "эта операция не разрешена в демо-режиме"
  },
  "ldap": {
    "Ldap server exist": "LDAP-сервер существует"
@@ -106,7 +113,7 @@
  },
  "storage": {
    "The objectKey: %s is not allowed": "Объект «objectKey: %s» не разрешен",
-    "The provider type: %s is not supported": "Тип поставщика: %s не поддерживается"
+    "The provider type: %s is not supported": "Тип провайдера: %s не поддерживается"
  },
  "token": {
    "Empty clientId or clientSecret": "Пустой идентификатор клиента или секрет клиента",
@@ -125,7 +132,7 @@
  },
  "util": {
    "No application is found for userId: %s": "Не найдено заявки для пользователя с идентификатором: %s",
-    "No provider for category: %s is found for application: %s": "Нет поставщика для категории: %s для приложения: %s",
+    "No provider for category: %s is found for application: %s": "Нет провайдера для категории: %s для приложения: %s",
    "The provider: %s is not found": "Поставщик: %s не найден"
  },
  "verification": {
--- a/i18n/locales/sv/data.json
+++ b/i18n/locales/sv/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Empty username.",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
    "LastName cannot be blank": "LastName cannot be blank",
    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
@@ -46,10 +48,15 @@
    "Phone already exists": "Phone already exists",
    "Phone cannot be empty": "Phone cannot be empty",
    "Phone number is invalid": "Phone number is invalid",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Session outdated, please login again",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
    "Username cannot contain white spaces": "Username cannot contain white spaces",
--- a/i18n/locales/tr/data.json
+++ b/i18n/locales/tr/data.json
@@ -38,27 +38,34 @@
    "Empty username.": "Empty username.",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
    "LastName cannot be blank": "LastName cannot be blank",
    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
    "Organization does not exist": "Organization does not exist",
-    "Phone already exists": "Phone already exists",
-    "Phone cannot be empty": "Phone cannot be empty",
-    "Phone number is invalid": "Phone number is invalid",
+    "Phone already exists": "Telefon numarası zaten mevcut",
+    "Phone cannot be empty": "Telefon numarası boş olamaz",
+    "Phone number is invalid": "Telefon numarası geçersiz",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Session outdated, please login again",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
-    "Username already exists": "Username already exists",
-    "Username cannot be an email address": "Username cannot be an email address",
-    "Username cannot contain white spaces": "Username cannot contain white spaces",
-    "Username cannot start with a digit": "Username cannot start with a digit",
-    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
-    "Username must have at least 2 characters": "Username must have at least 2 characters",
-    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
+    "Username already exists": "Kullanıcı adı zaten var",
+    "Username cannot be an email address": "Kullanıcı adı bir e-mail adresi olamaz",
+    "Username cannot contain white spaces": "Kullanıcı adı boşluk karakteri içeremez",
+    "Username cannot start with a digit": "Kullanıcı adı rakamla başlayamaz",
+    "Username is too long (maximum is 39 characters).": "Kullanıcı adı çok uzun (en fazla 39 karakter olmalı).",
+    "Username must have at least 2 characters": "Kullanıcı adı en az iki karakterden oluşmalı",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Çok fazla hatalı şifre denemesi yaptınız.  %d dakika kadar bekleyip yeniden giriş yapmayı deneyebilirsiniz.",
    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
-    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect": "şifre veya kod hatalı",
    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
    "unsupported password type: %s": "unsupported password type: %s"
  },
@@ -117,8 +124,8 @@
    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
  },
  "user": {
-    "Display name cannot be empty": "Display name cannot be empty",
-    "New password cannot contain blank space.": "New password cannot contain blank space."
+    "Display name cannot be empty": "Görünen ad boş olamaz",
+    "New password cannot contain blank space.": "Yeni şifreniz boşluk karakteri içeremez."
  },
  "user_upload": {
    "Failed to import users": "Failed to import users"
@@ -131,7 +138,7 @@
  "verification": {
    "Code has not been sent yet!": "Code has not been sent yet!",
    "Invalid captcha provider.": "Invalid captcha provider.",
-    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Phone number is invalid in your region %s": "Telefon numaranızın bulunduğu bölgeye hizmet veremiyoruz",
    "Turing test failed.": "Turing test failed.",
    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
--- a/i18n/locales/uk/data.json
+++ b/i18n/locales/uk/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Empty username.",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
    "LastName cannot be blank": "LastName cannot be blank",
    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
@@ -46,10 +48,15 @@
    "Phone already exists": "Phone already exists",
    "Phone cannot be empty": "Phone cannot be empty",
    "Phone number is invalid": "Phone number is invalid",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Session outdated, please login again",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
    "Username cannot contain white spaces": "Username cannot contain white spaces",
--- a/i18n/locales/vi/data.json
+++ b/i18n/locales/vi/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "Tên đăng nhập trống.",
    "FirstName cannot be blank": "Tên không được để trống",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "Invitation code suspended",
    "LDAP user name or password incorrect": "Tên người dùng hoặc mật khẩu Ldap không chính xác",
    "LastName cannot be blank": "Họ không thể để trống",
    "Multiple accounts with same uid, please check your ldap server": "Nhiều tài khoản với cùng một uid, vui lòng kiểm tra máy chủ ldap của bạn",
@@ -46,10 +48,15 @@
    "Phone already exists": "Điện thoại đã tồn tại",
    "Phone cannot be empty": "Điện thoại không thể để trống",
    "Phone number is invalid": "Số điện thoại không hợp lệ",
+    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
+    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
+    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
    "Session outdated, please login again": "Phiên làm việc hết hạn, vui lòng đăng nhập lại",
+    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "Người dùng bị cấm đăng nhập, vui lòng liên hệ với quản trị viên",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Tên người dùng chỉ có thể chứa các ký tự chữ và số, gạch dưới hoặc gạch ngang, không được có hai ký tự gạch dưới hoặc gạch ngang liền kề và không được bắt đầu hoặc kết thúc bằng dấu gạch dưới hoặc gạch ngang.",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Tên đăng nhập đã tồn tại",
    "Username cannot be an email address": "Tên người dùng không thể là địa chỉ email",
    "Username cannot contain white spaces": "Tên người dùng không thể chứa khoảng trắng",
--- a/i18n/locales/zh/data.json
+++ b/i18n/locales/zh/data.json
@@ -38,7 +38,9 @@
    "Empty username.": "用户名不可为空",
    "FirstName cannot be blank": "名不可以为空",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code exhausted": "邀请码使用次数已耗尽",
    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code suspended": "邀请码已被禁止使用",
    "LDAP user name or password incorrect": "LDAP密码错误",
    "LastName cannot be blank": "姓不可以为空",
    "Multiple accounts with same uid, please check your ldap server": "多个帐户具有相同的uid，请检查您的 LDAP 服务器",
@@ -46,10 +48,15 @@
    "Phone already exists": "该手机号已存在",
    "Phone cannot be empty": "手机号不可为空",
    "Phone number is invalid": "无效手机号",
+    "Please register using the email corresponding to the invitation code": "请使用邀请码关联的邮箱注册",
+    "Please register using the phone  corresponding to the invitation code": "请使用邀请码关联的手机号注册",
+    "Please register using the username corresponding to the invitation code": "请使用邀请码关联的用户名注册",
    "Session outdated, please login again": "会话已过期，请重新登录",
+    "The invitation code has already been used": "邀请码已被使用",
    "The user is forbidden to sign in, please contact the administrator": "该用户被禁止登录，请联系管理员",
    "The user: %s doesn't exist in LDAP server": "用户: %s 在LDAP服务器中未找到",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "用户名只能包含字母数字字符、下划线或连字符，不能有连续的连字符或下划线，也不能以连字符或下划线开头或结尾",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "值\\\"%s\\\"在注册字段\\\"%s\\\"中与应用\\\"%s\\\"的注册项正则表达式不匹配",
    "Username already exists": "用户名已存在",
    "Username cannot be an email address": "用户名不可以是邮箱地址",
    "Username cannot contain white spaces": "用户名禁止包含空格",
--- a/idp/lark.go
+++ b/idp/lark.go
@@ -16,6 +16,7 @@ package idp

 import (
 	"encoding/json"
+	"fmt"
 	"io"
 	"net/http"
 	"strings"
@@ -82,13 +83,22 @@ func (idp *LarkIdProvider) GetToken(code string) (*oauth2.Token, error) {
 		AppID     string `json:"app_id"`
 		AppSecret string `json:"app_secret"`
 	}{idp.Config.ClientID, idp.Config.ClientSecret}
+
 	data, err := idp.postWithBody(params, idp.Config.Endpoint.TokenURL)
+	if err != nil {
+		return nil, err
+	}

 	appToken := &LarkAccessToken{}
-	if err = json.Unmarshal(data, appToken); err != nil || appToken.Code != 0 {
+	err = json.Unmarshal(data, appToken)
+	if err != nil {
 		return nil, err
 	}

+	if appToken.Code != 0 {
+		return nil, fmt.Errorf("GetToken() error, appToken.Code: %d, appToken.Msg: %s", appToken.Code, appToken.Msg)
+	}
+
 	t := &oauth2.Token{
 		AccessToken: appToken.TenantAccessToken,
 		TokenType:   "Bearer",
@@ -98,7 +108,6 @@ func (idp *LarkIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	raw := make(map[string]interface{})
 	raw["code"] = code
 	t = t.WithExtra(raw)
-
 	return t, nil
 }

@@ -159,11 +168,17 @@ func (idp *LarkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 		GrantType string `json:"grant_type"`
 		Code      string `json:"code"`
 	}{"authorization_code", token.Extra("code").(string)}
-	data, _ := json.Marshal(body)
+
+	data, err := json.Marshal(body)
+	if err != nil {
+		return nil, err
+	}
+
 	req, err := http.NewRequest("POST", "https://open.feishu.cn/open-apis/authen/v1/access_token", strings.NewReader(string(data)))
 	if err != nil {
 		return nil, err
 	}
+
 	req.Header.Set("Content-Type", "application/json;charset=UTF-8")
 	req.Header.Set("Authorization", "Bearer "+token.AccessToken)

@@ -171,6 +186,7 @@ func (idp *LarkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	if err != nil {
 		return nil, err
 	}
+
 	defer resp.Body.Close()
 	data, err = io.ReadAll(resp.Body)
 	if err != nil {
@@ -178,7 +194,8 @@ func (idp *LarkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	}

 	var larkUserInfo LarkUserInfo
-	if err = json.Unmarshal(data, &larkUserInfo); err != nil {
+	err = json.Unmarshal(data, &larkUserInfo)
+	if err != nil {
 		return nil, err
 	}

@@ -189,7 +206,6 @@ func (idp *LarkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 		Email:       larkUserInfo.Data.Email,
 		AvatarUrl:   larkUserInfo.Data.AvatarUrl,
 	}
-
 	return &userInfo, nil
 }

@@ -198,21 +214,23 @@ func (idp *LarkIdProvider) postWithBody(body interface{}, url string) ([]byte, e
 	if err != nil {
 		return nil, err
 	}
+
 	r := strings.NewReader(string(bs))
 	resp, err := idp.Client.Post(url, "application/json;charset=UTF-8", r)
 	if err != nil {
 		return nil, err
 	}
+
 	data, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
+
 	defer func(Body io.ReadCloser) {
 		err := Body.Close()
 		if err != nil {
 			return
 		}
 	}(resp.Body)
-
 	return data, nil
 }
--- a/idp/provider.go
+++ b/idp/provider.go
@@ -119,6 +119,8 @@ func GetIdProvider(idpInfo *ProviderInfo, redirectUrl string) (IdProvider, error
 		return NewMetaMaskIdProvider(), nil
 	case "Web3Onboard":
 		return NewWeb3OnboardIdProvider(), nil
+	case "Twitter":
+		return NewTwitterIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	default:
 		if isGothSupport(idpInfo.Type) {
 			return NewGothIdProvider(idpInfo.Type, idpInfo.ClientId, idpInfo.ClientSecret, idpInfo.ClientId2, idpInfo.ClientSecret2, redirectUrl, idpInfo.HostUrl)
@@ -171,7 +173,6 @@ var gothList = []string{
 	"TikTok",
 	"Tumblr",
 	"Twitch",
-	"Twitter",
 	"Typetalk",
 	"Uber",
 	"VK",
--- a/idp/twitter.go
+++ b/idp/twitter.go
@@ -0,0 +1,190 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+type TwitterIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+}
+
+func NewTwitterIdProvider(clientId string, clientSecret string, redirectUrl string) *TwitterIdProvider {
+	idp := &TwitterIdProvider{}
+
+	config := idp.getConfig(clientId, clientSecret, redirectUrl)
+	idp.Config = config
+
+	return idp
+}
+
+func (idp *TwitterIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+// getConfig return a point of Config, which describes a typical 3-legged OAuth2 flow
+func (idp *TwitterIdProvider) getConfig(clientId string, clientSecret string, redirectUrl string) *oauth2.Config {
+	endpoint := oauth2.Endpoint{
+		TokenURL: "https://api.twitter.com/2/oauth2/token",
+	}
+
+	config := &oauth2.Config{
+		Scopes:       []string{"users.read", "tweet.read"},
+		Endpoint:     endpoint,
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectUrl,
+	}
+
+	return config
+}
+
+type TwitterAccessToken struct {
+	AccessToken string `json:"access_token"` // Interface call credentials
+	TokenType   string `json:"token_type"`   // Access token type
+	ExpiresIn   int64  `json:"expires_in"`   // access_token interface call credential timeout time, unit (seconds)
+}
+
+type TwitterCheckToken struct {
+	Data TwitterUserInfo `json:"data"`
+}
+
+// TwitterCheckTokenData
+// Get more detail via: https://developers.Twitter.com/docs/Twitter-login/guides/advanced/manual-flow#checktoken
+type TwitterCheckTokenData struct {
+	UserId string `json:"user_id"`
+}
+
+// GetToken use code get access_token (*operation of getting code ought to be done in front)
+// get more detail via: https://developers.Twitter.com/docs/Twitter-login/guides/advanced/manual-flow#confirm
+func (idp *TwitterIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	params := url.Values{}
+	// params.Add("client_id", idp.Config.ClientID)
+	params.Add("redirect_uri", idp.Config.RedirectURL)
+	params.Add("code_verifier", "casdoor-verifier")
+	params.Add("code", code)
+	params.Add("grant_type", "authorization_code")
+	req, err := http.NewRequest("POST", "https://api.twitter.com/2/oauth2/token", strings.NewReader(params.Encode()))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	e := base64.StdEncoding.EncodeToString([]byte(idp.Config.ClientID + ":" + idp.Config.ClientSecret))
+	req.Header.Add("Authorization", "Basic "+e)
+	accessTokenResp, err := idp.GetUrlResp(req)
+	var TwitterAccessToken TwitterAccessToken
+	if err = json.Unmarshal([]byte(accessTokenResp), &TwitterAccessToken); err != nil {
+		return nil, err
+	}
+
+	token := oauth2.Token{
+		AccessToken: TwitterAccessToken.AccessToken,
+		TokenType:   TwitterAccessToken.TokenType,
+		Expiry:      time.Time{},
+	}
+
+	return &token, nil
+}
+
+//{
+//    "id": "123456789",
+//    "name": "Example Name",
+//    "name_format": "{first} {last}",
+//    "picture": {
+//        "data": {
+//            "height": 50,
+//            "is_silhouette": false,
+//            "url": "https://example.com",
+//            "width": 50
+//        }
+//    },
+//    "email": "test@example.com"
+//}
+
+type TwitterUserInfo struct {
+	Id       string   `json:"id"`       // The app user's App-Scoped User ID. This ID is unique to the app and cannot be used by other apps.
+	Name     string   `json:"name"`     // The person's full name.
+	UserName string   `json:"username"` // The person's name formatted to correctly handle Chinese, Japanese, or Korean ordering.
+	Picture  struct { // The person's profile picture.
+		Data struct { // This struct is different as https://developers.Twitter.com/docs/graph-api/reference/user/picture/
+			Height       int    `json:"height"`
+			IsSilhouette bool   `json:"is_silhouette"`
+			Url          string `json:"url"`
+			Width        int    `json:"width"`
+		} `json:"data"`
+	} `json:"picture"`
+	Email string `json:"email"` // The User's primary email address listed on their profile. This field will not be returned if no valid email address is available.
+}
+
+// GetUserInfo use TwitterAccessToken gotten before return TwitterUserInfo
+// get more detail via: https://developers.Twitter.com/docs/graph-api/reference/user
+func (idp *TwitterIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	var TwitterUserInfo TwitterUserInfo
+	// accessToken := token.AccessToken
+
+	req, err := http.NewRequest("GET", "https://api.twitter.com/2/users/me", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Add("Authorization", "Bearer "+token.AccessToken)
+	// req.URL.Query().Set("user.fields", "profile_image_url")
+	// userIdUrl := fmt.Sprintf("https://graph.Twitter.com/me?access_token=%s", accessToken)
+	userIdResp, err := idp.GetUrlResp(req)
+	if err != nil {
+		return nil, err
+	}
+	empTwitterCheckToken := &TwitterCheckToken{}
+	if err = json.Unmarshal([]byte(userIdResp), &empTwitterCheckToken); err != nil {
+		return nil, err
+	}
+	TwitterUserInfo = empTwitterCheckToken.Data
+
+	userInfo := UserInfo{
+		Id:          TwitterUserInfo.Id,
+		Username:    TwitterUserInfo.UserName,
+		DisplayName: TwitterUserInfo.Name,
+		Email:       TwitterUserInfo.Email,
+		AvatarUrl:   TwitterUserInfo.Picture.Data.Url,
+	}
+	return &userInfo, nil
+}
+
+func (idp *TwitterIdProvider) GetUrlResp(url *http.Request) (string, error) {
+	resp, err := idp.Client.Do(url)
+	if err != nil {
+		return "", err
+	}
+
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			return
+		}
+	}(resp.Body)
+
+	buf := new(bytes.Buffer)
+	_, err = buf.ReadFrom(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	return buf.String(), nil
+}
--- a/idp/wechat.go
+++ b/idp/wechat.go
@@ -20,7 +20,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strings"
@@ -218,7 +217,7 @@ func GetWechatOfficialAccountAccessToken(clientId string, clientSecret string) (
 	}
 	defer resp.Body.Close()

-	respBytes, err := ioutil.ReadAll(resp.Body)
+	respBytes, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return "", err
 	}
@@ -255,7 +254,7 @@ func GetWechatOfficialAccountQRCode(clientId string, clientSecret string) (strin
 	}
 	defer resp.Body.Close()

-	respBytes, err := ioutil.ReadAll(resp.Body)
+	respBytes, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return "", err
 	}
--- a/init_data.json.template
+++ b/init_data.json.template
@@ -61,11 +61,6 @@
          "displayName": "WebAuthn",
          "rule": "None",
        },
-        {
-          "name": "LDAP",
-          "displayName": "LDAP",
-          "rule": "None",
-        },
      ],
      "signupItems": [
        {
@@ -128,7 +123,7 @@
      "redirectUris": [""],
      "expireInHours": 168,
      "failedSigninLimit": 5,
-      "failedSigninfrozenTime": 15
+      "failedSigninFrozenTime": 15
    }
  ],
  "users": [
--- a/ldap/server.go
+++ b/ldap/server.go
@@ -18,7 +18,6 @@ import (
 	"fmt"
 	"hash/fnv"
 	"log"
-	"strings"

 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/object"
@@ -50,17 +49,7 @@ func handleBind(w ldap.ResponseWriter, m *ldap.Message) {
 	res := ldap.NewBindResponse(ldap.LDAPResultSuccess)

 	if r.AuthenticationChoice() == "simple" {
-		bindDN := string(r.Name())
-		bindPassword := string(r.AuthenticationSimple())
-
-		if bindDN == "" && bindPassword == "" {
-			res.SetResultCode(ldap.LDAPResultInappropriateAuthentication)
-			res.SetDiagnosticMessage("Anonymous bind disallowed")
-			w.Write(res)
-			return
-		}
-
-		bindUsername, bindOrg, err := getNameAndOrgFromDN(bindDN)
+		bindUsername, bindOrg, err := getNameAndOrgFromDN(string(r.Name()))
 		if err != nil {
 			log.Printf("getNameAndOrgFromDN() error: %s", err.Error())
 			res.SetResultCode(ldap.LDAPResultInvalidDNSyntax)
@@ -69,6 +58,7 @@ func handleBind(w ldap.ResponseWriter, m *ldap.Message) {
 			return
 		}

+		bindPassword := string(r.AuthenticationSimple())
 		bindUser, err := object.CheckUserPassword(bindOrg, bindUsername, bindPassword, "en")
 		if err != nil {
 			log.Printf("Bind failed User=%s, Pass=%#v, ErrMsg=%s", string(r.Name()), r.Authentication(), err)
@@ -103,46 +93,7 @@ func handleSearch(w ldap.ResponseWriter, m *ldap.Message) {
 	}

 	r := m.GetSearchRequest()
-
-	// case insensitive match
-	if strings.EqualFold(r.FilterString(), "(objectClass=*)") {
-		if len(r.Attributes()) == 0 {
-			w.Write(res)
-			return
-		}
-		first_attr := string(r.Attributes()[0])
-
-		if string(r.BaseObject()) == "" {
-			// handle special search requests
-
-			if first_attr == "namingContexts" {
-				orgs, code := GetFilteredOrganizations(m)
-				if code != ldap.LDAPResultSuccess {
-					res.SetResultCode(code)
-					w.Write(res)
-					return
-				}
-				e := ldap.NewSearchResultEntry(string(r.BaseObject()))
-				dnlist := make([]message.AttributeValue, len(orgs))
-				for i, org := range orgs {
-					dnlist[i] = message.AttributeValue(fmt.Sprintf("ou=%s", org.Name))
-				}
-				e.AddAttribute("namingContexts", dnlist...)
-				w.Write(e)
-			} else if first_attr == "subschemaSubentry" {
-				e := ldap.NewSearchResultEntry(string(r.BaseObject()))
-				e.AddAttribute("subschemaSubentry", message.AttributeValue("cn=Subschema"))
-				w.Write(e)
-			}
-		} else if strings.EqualFold(first_attr, "objectclasses") && string(r.BaseObject()) == "cn=Subschema" {
-			e := ldap.NewSearchResultEntry(string(r.BaseObject()))
-			e.AddAttribute("objectClasses", []message.AttributeValue{
-				"( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )",
-				"( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )",
-			}...)
-			w.Write(e)
-		}
-
+	if r.FilterString() == "(objectClass=*)" {
 		w.Write(res)
 		return
 	}
@@ -155,72 +106,38 @@ func handleSearch(w ldap.ResponseWriter, m *ldap.Message) {
 	default:
 	}

-	objectClass := searchFilterForEquality(r.Filter(), "objectClass", "posixAccount", "posixGroup")
-	switch objectClass {
-	case "posixAccount":
-		users, code := GetFilteredUsers(m)
-		if code != ldap.LDAPResultSuccess {
-			res.SetResultCode(code)
-			w.Write(res)
-			return
-		}
-
-		// log.Printf("Handling posixAccount filter=%s", r.FilterString())
-		for _, user := range users {
-			dn := fmt.Sprintf("uid=%s,cn=users,%s", user.Name, string(r.BaseObject()))
-			e := ldap.NewSearchResultEntry(dn)
-			attrs := r.Attributes()
-			for _, attr := range attrs {
-				if string(attr) == "*" {
-					attrs = AdditionalLdapUserAttributes
-					break
-				}
-			}
-			for _, attr := range attrs {
-				if strings.HasSuffix(string(attr), ";binary") {
-					// unsupported: userCertificate;binary
-					continue
-				}
-				field, ok := ldapUserAttributesMapping.CaseInsensitiveGet(string(attr))
-				if ok {
-					e.AddAttribute(message.AttributeDescription(attr), field.GetAttributeValues(user)...)
-				}
-			}
-			w.Write(e)
-		}
-
-	case "posixGroup":
-		// log.Printf("Handling posixGroup filter=%s", r.FilterString())
-		groups, code := GetFilteredGroups(m)
-		if code != ldap.LDAPResultSuccess {
-			res.SetResultCode(code)
-			w.Write(res)
-			return
-		}
-
-		for _, group := range groups {
-			dn := fmt.Sprintf("cn=%s,cn=groups,%s", group.Name, string(r.BaseObject()))
-			e := ldap.NewSearchResultEntry(dn)
-			attrs := r.Attributes()
-			for _, attr := range attrs {
-				if string(attr) == "*" {
-					attrs = AdditionalLdapGroupAttributes
-					break
-				}
-			}
-			for _, attr := range attrs {
-				field, ok := ldapGroupAttributesMapping.CaseInsensitiveGet(string(attr))
-				if ok {
-					e.AddAttribute(message.AttributeDescription(attr), field.GetAttributeValues(group)...)
-				}
-			}
-			w.Write(e)
-		}
-
-	case "":
-		log.Printf("Unmatched search request. filter=%s", r.FilterString())
+	users, code := GetFilteredUsers(m)
+	if code != ldap.LDAPResultSuccess {
+		res.SetResultCode(code)
+		w.Write(res)
+		return
 	}

+	for _, user := range users {
+		dn := fmt.Sprintf("uid=%s,cn=%s,%s", user.Id, user.Name, string(r.BaseObject()))
+		e := ldap.NewSearchResultEntry(dn)
+		uidNumberStr := fmt.Sprintf("%v", hash(user.Name))
+		e.AddAttribute("uidNumber", message.AttributeValue(uidNumberStr))
+		e.AddAttribute("gidNumber", message.AttributeValue(uidNumberStr))
+		e.AddAttribute("homeDirectory", message.AttributeValue("/home/"+user.Name))
+		e.AddAttribute("cn", message.AttributeValue(user.Name))
+		e.AddAttribute("uid", message.AttributeValue(user.Id))
+		attrs := r.Attributes()
+		for _, attr := range attrs {
+			if string(attr) == "*" {
+				attrs = AdditionalLdapAttributes
+				break
+			}
+		}
+		for _, attr := range attrs {
+			e.AddAttribute(message.AttributeDescription(attr), getAttribute(string(attr), user))
+			if string(attr) == "cn" {
+				e.AddAttribute(message.AttributeDescription(attr), getAttribute("title", user))
+			}
+		}
+
+		w.Write(e)
+	}
 	w.Write(res)
 }

--- a/ldap/util.go
+++ b/ldap/util.go
@@ -18,7 +18,6 @@ import (
 	"fmt"
 	"log"
 	"strings"
-	"time"

 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
@@ -29,259 +28,65 @@ import (
 	"github.com/xorm-io/builder"
 )

-type V = message.AttributeValue
+type AttributeMapper func(user *object.User) message.AttributeValue

-type UserAttributeMapper func(user *object.User) []V
-
-type UserFieldRelation struct {
+type FieldRelation struct {
 	userField     string
-	ldapField     string
 	notSearchable bool
 	hideOnStarOp  bool
-	fieldMapper   UserAttributeMapper
-	constantValue []V
+	fieldMapper   AttributeMapper
 }

-func (rel UserFieldRelation) GetField() (string, error) {
+func (rel FieldRelation) GetField() (string, error) {
 	if rel.notSearchable {
 		return "", fmt.Errorf("attribute %s not supported", rel.userField)
 	}
 	return rel.userField, nil
 }

-func (rel UserFieldRelation) GetAttributeValues(user *object.User) []V {
-	if rel.constantValue != nil && rel.fieldMapper == nil {
-		return rel.constantValue
-	}
+func (rel FieldRelation) GetAttributeValue(user *object.User) message.AttributeValue {
 	return rel.fieldMapper(user)
 }

-type UserFieldRelationMap map[string]UserFieldRelation
-
-func (m UserFieldRelationMap) CaseInsensitiveGet(key string) (UserFieldRelation, bool) {
-	lowerKey := strings.ToLower(key)
-	ret, ok := m[lowerKey]
-	return ret, ok
-}
-
-type GroupAttributeMapper func(group *object.Group) []V
-
-type GroupFieldRelation struct {
-	groupField    string
-	ldapField     string
-	notSearchable bool
-	hideOnStarOp  bool
-	fieldMapper   GroupAttributeMapper
-	constantValue []V
-}
-
-func (rel GroupFieldRelation) GetField() (string, error) {
-	if rel.notSearchable {
-		return "", fmt.Errorf("attribute %s not supported", rel.groupField)
-	}
-	return rel.groupField, nil
-}
-
-func (rel GroupFieldRelation) GetAttributeValues(group *object.Group) []V {
-	if rel.constantValue != nil && rel.fieldMapper == nil {
-		return rel.constantValue
-	}
-	return rel.fieldMapper(group)
-}
-
-type GroupFieldRelationMap map[string]GroupFieldRelation
-
-func (m GroupFieldRelationMap) CaseInsensitiveGet(key string) (GroupFieldRelation, bool) {
-	lowerKey := strings.ToLower(key)
-	ret, ok := m[lowerKey]
-	return ret, ok
-}
-
-var ldapUserAttributesMapping = UserFieldRelationMap{
-	"cn": {ldapField: "cn", userField: "name", hideOnStarOp: true, fieldMapper: func(user *object.User) []V {
-		return []V{V(user.Name)}
+var ldapAttributesMapping = map[string]FieldRelation{
+	"cn": {userField: "name", hideOnStarOp: true, fieldMapper: func(user *object.User) message.AttributeValue {
+		return message.AttributeValue(user.Name)
 	}},
-	"uid": {ldapField: "uid", userField: "name", hideOnStarOp: true, fieldMapper: func(user *object.User) []V {
-		return []V{V(user.Name)}
+	"uid": {userField: "name", hideOnStarOp: true, fieldMapper: func(user *object.User) message.AttributeValue {
+		return message.AttributeValue(user.Name)
 	}},
-	"displayname": {ldapField: "displayName", userField: "displayName", fieldMapper: func(user *object.User) []V {
-		return []V{V(user.DisplayName)}
+	"displayname": {userField: "displayName", fieldMapper: func(user *object.User) message.AttributeValue {
+		return message.AttributeValue(user.DisplayName)
 	}},
-	"email": {ldapField: "email", userField: "email", fieldMapper: func(user *object.User) []V {
-		return []V{V(user.Email)}
+	"email": {userField: "email", fieldMapper: func(user *object.User) message.AttributeValue {
+		return message.AttributeValue(user.Email)
 	}},
-	"mail": {ldapField: "mail", userField: "email", fieldMapper: func(user *object.User) []V {
-		return []V{V(user.Email)}
+	"mail": {userField: "email", fieldMapper: func(user *object.User) message.AttributeValue {
+		return message.AttributeValue(user.Email)
 	}},
-	"mobile": {ldapField: "mobile", userField: "phone", fieldMapper: func(user *object.User) []V {
-		return []V{V(user.Phone)}
+	"mobile": {userField: "phone", fieldMapper: func(user *object.User) message.AttributeValue {
+		return message.AttributeValue(user.Phone)
 	}},
-	"telephonenumber": {ldapField: "telephoneNumber", userField: "phone", fieldMapper: func(user *object.User) []V {
-		return []V{V(user.Phone)}
+	"title": {userField: "tag", fieldMapper: func(user *object.User) message.AttributeValue {
+		return message.AttributeValue(user.Tag)
 	}},
-	"postaladdress": {ldapField: "postalAddress", userField: "address", fieldMapper: func(user *object.User) []V {
-		return []V{V(strings.Join(user.Address, " "))}
-	}},
-	"title": {ldapField: "title", userField: "title", fieldMapper: func(user *object.User) []V {
-		return []V{V(user.Title)}
-	}},
-	"gecos": {ldapField: "gecos", userField: "displayName", fieldMapper: func(user *object.User) []V {
-		return []V{V(user.DisplayName)}
-	}},
-	"description": {ldapField: "description", userField: "displayName", fieldMapper: func(user *object.User) []V {
-		return []V{V(user.DisplayName)}
-	}},
-	"logindisabled": {ldapField: "loginDisabled", userField: "isForbidden", fieldMapper: func(user *object.User) []V {
-		if user.IsForbidden {
-			return []V{V("1")}
-		} else {
-			return []V{V("0")}
-		}
-	}},
-	"userpassword": {
-		ldapField:     "userPassword",
+	"userPassword": {
 		userField:     "userPassword",
 		notSearchable: true,
-		fieldMapper: func(user *object.User) []V {
-			return []V{V(getUserPasswordWithType(user))}
+		fieldMapper: func(user *object.User) message.AttributeValue {
+			return message.AttributeValue(getUserPasswordWithType(user))
 		},
 	},
-	"uidnumber": {ldapField: "uidNumber", notSearchable: true, fieldMapper: func(user *object.User) []V {
-		return []V{V(fmt.Sprintf("%v", hash(user.Name)))}
-	}},
-	"gidnumber": {ldapField: "gidNumber", notSearchable: true, fieldMapper: func(user *object.User) []V {
-		if len(user.Groups) == 0 {
-			return []V{V("")}
-		}
-		group, err := object.GetGroup(user.Groups[0])
-		if err != nil {
-			log.Printf("gidnumber object.GetGroup error: %s", err)
-			return []V{V("")}
-		}
-		return []V{V(fmt.Sprintf("%v", hash(group.Name)))}
-	}},
-	"homedirectory": {ldapField: "homeDirectory", notSearchable: true, fieldMapper: func(user *object.User) []V {
-		return []V{V("/home/" + user.Name)}
-	}},
-	"loginshell": {ldapField: "loginShell", notSearchable: true, fieldMapper: func(user *object.User) []V {
-		if user.IsForbidden || user.IsDeleted {
-			return []V{V("/sbin/nologin")}
-		} else {
-			return []V{V("/bin/bash")}
-		}
-	}},
-	"shadowlastchange": {ldapField: "shadowLastChange", notSearchable: true, fieldMapper: func(user *object.User) []V {
-		// "this attribute specifies number of days between January 1, 1970, and the date that the password was last modified"
-		updatedTime, err := time.Parse(time.RFC3339, user.UpdatedTime)
-		if err != nil {
-			log.Printf("shadowlastchange time.Parse error: %s", err)
-			updatedTime = time.Now()
-		}
-		return []V{V(fmt.Sprint(updatedTime.Unix() / 86400))}
-	}},
-	"pwdchangedtime": {ldapField: "pwdChangedTime", notSearchable: true, fieldMapper: func(user *object.User) []V {
-		updatedTime, err := time.Parse(time.RFC3339, user.UpdatedTime)
-		if err != nil {
-			log.Printf("pwdchangedtime time.Parse error: %s", err)
-			updatedTime = time.Now()
-		}
-		return []V{V(updatedTime.UTC().Format("20060102030405Z"))}
-	}},
-	"shadowmin":     {ldapField: "shadowMin", notSearchable: true, constantValue: []V{V("0")}},
-	"shadowmax":     {ldapField: "shadowMax", notSearchable: true, constantValue: []V{V("99999")}},
-	"shadowwarning": {ldapField: "shadowWarning", notSearchable: true, constantValue: []V{V("7")}},
-	"shadowexpire": {ldapField: "shadowExpire", notSearchable: true, fieldMapper: func(user *object.User) []V {
-		if user.IsForbidden {
-			return []V{V("1")}
-		} else {
-			return []V{V("-1")}
-		}
-	}},
-	"shadowinactive": {ldapField: "shadowInactive", notSearchable: true, constantValue: []V{V("0")}},
-	"shadowflag":     {ldapField: "shadowFlag", notSearchable: true, constantValue: []V{V("0")}},
-	"memberof": {ldapField: "memberOf", notSearchable: true, fieldMapper: func(user *object.User) []V {
-		var groupdn []V
-		for _, groupId := range user.Groups {
-			group, err := object.GetGroup(groupId)
-			if err != nil {
-				log.Printf("memberOf object.GetGroup error: %s", err)
-				continue
-			}
-			groupdn = append(groupdn, V(fmt.Sprintf("cn=%s,cn=groups,ou=%s", group.Name, group.Owner)))
-		}
-		return groupdn
-	}},
-	"objectclass": {ldapField: "objectClass", notSearchable: true, constantValue: []V{
-		V("top"),
-		V("posixAccount"),
-		V("shadowAccount"),
-		V("person"),
-		V("organizationalPerson"),
-		V("inetOrgPerson"),
-		V("apple-user"),
-		V("sambaSamAccount"),
-		V("sambaIdmapEntry"),
-		V("extensibleObject"),
-	}},
 }

-var ldapGroupAttributesMapping = GroupFieldRelationMap{
-	"cn": {ldapField: "cn", hideOnStarOp: true, fieldMapper: func(group *object.Group) []V {
-		return []V{V(group.Name)}
-	}},
-	"gidnumber": {ldapField: "gidNumber", hideOnStarOp: true, fieldMapper: func(group *object.Group) []V {
-		return []V{V(fmt.Sprintf("%v", hash(group.Name)))}
-	}},
-	"member": {ldapField: "member", fieldMapper: func(group *object.Group) []V {
-		users, err := object.GetGroupUsers(group.GetId())
-		if err != nil {
-			log.Printf("member object.GetGroupUsers error: %s", err)
-			return []V{V("")}
-		}
-		var members []V
-		for _, user := range users {
-			members = append(members, V(fmt.Sprintf("uid=%s,cn=users,ou=%s", user.Name, user.Owner)))
-		}
-		return members
-	}},
-	"memberuid": {ldapField: "memberUid", fieldMapper: func(group *object.Group) []V {
-		users, err := object.GetGroupUsers(group.GetId())
-		if err != nil {
-			log.Printf("member object.GetGroupUsers error: %s", err)
-			return []V{V("")}
-		}
-		var members []message.AttributeValue
-		for _, user := range users {
-			members = append(members, message.AttributeValue(user.Name))
-		}
-		return members
-	}},
-	"description": {ldapField: "description", hideOnStarOp: true, fieldMapper: func(group *object.Group) []V {
-		return []V{V(group.DisplayName)}
-	}},
-	"objectclass": {ldapField: "objectClass", hideOnStarOp: true, constantValue: []V{
-		V("top"),
-		V("posixGroup"),
-	}},
-}
-
-var (
-	AdditionalLdapUserAttributes  []message.LDAPString
-	AdditionalLdapGroupAttributes []message.LDAPString
-)
+var AdditionalLdapAttributes []message.LDAPString

 func init() {
-	for _, v := range ldapUserAttributesMapping {
+	for k, v := range ldapAttributesMapping {
 		if v.hideOnStarOp {
 			continue
 		}
-		AdditionalLdapUserAttributes = append(AdditionalLdapUserAttributes, message.LDAPString(v.ldapField))
-	}
-	for _, v := range ldapGroupAttributesMapping {
-		if v.hideOnStarOp {
-			continue
-		}
-		AdditionalLdapGroupAttributes = append(AdditionalLdapGroupAttributes, message.LDAPString(v.ldapField))
+		AdditionalLdapAttributes = append(AdditionalLdapAttributes, message.LDAPString(k))
 	}
 }

@@ -502,52 +307,6 @@ func GetFilteredUsers(m *ldap.Message) (filteredUsers []*object.User, code int)
 	}
 }

-func GetFilteredOrganizations(m *ldap.Message) ([]*object.Organization, int) {
-	if m.Client.IsGlobalAdmin {
-		organizations, err := object.GetOrganizations("")
-		if err != nil {
-			panic(err)
-		}
-		return organizations, ldap.LDAPResultSuccess
-	} else if m.Client.IsOrgAdmin {
-		requestUserId := util.GetId(m.Client.OrgName, m.Client.UserName)
-		user, err := object.GetUser(requestUserId)
-		if err != nil {
-			panic(err)
-		}
-		organization, err := object.GetOrganizationByUser(user)
-		if err != nil {
-			panic(err)
-		}
-		return []*object.Organization{organization}, ldap.LDAPResultSuccess
-	} else {
-		return nil, ldap.LDAPResultInsufficientAccessRights
-	}
-}
-
-func GetFilteredGroups(m *ldap.Message) ([]*object.Group, int) {
-	if m.Client.IsGlobalAdmin {
-		groups, err := object.GetGroups("")
-		if err != nil {
-			panic(err)
-		}
-		return groups, ldap.LDAPResultSuccess
-	} else if m.Client.IsOrgAdmin {
-		requestUserId := util.GetId(m.Client.OrgName, m.Client.UserName)
-		user, err := object.GetUser(requestUserId)
-		if err != nil {
-			panic(err)
-		}
-		groups, err := object.GetGroups(user.Owner)
-		if err != nil {
-			panic(err)
-		}
-		return groups, ldap.LDAPResultSuccess
-	} else {
-		return nil, ldap.LDAPResultInsufficientAccessRights
-	}
-}
-
 // get user password with hash type prefix
 // TODO not handle salt yet
 // @return {md5}5f4dcc3b5aa765d61d8327deb882cf99
@@ -571,49 +330,18 @@ func getUserPasswordWithType(user *object.User) string {
 	return fmt.Sprintf("{%s}%s", prefix, user.Password)
 }

+func getAttribute(attributeName string, user *object.User) message.AttributeValue {
+	v, ok := ldapAttributesMapping[attributeName]
+	if !ok {
+		return ""
+	}
+	return v.GetAttributeValue(user)
+}
+
 func getUserFieldFromAttribute(attributeName string) (string, error) {
-	v, ok := ldapUserAttributesMapping.CaseInsensitiveGet(attributeName)
+	v, ok := ldapAttributesMapping[attributeName]
 	if !ok {
 		return "", fmt.Errorf("attribute %s not supported", attributeName)
 	}
 	return v.GetField()
 }
-
-func searchFilterForEquality(filter message.Filter, desc string, values ...string) string {
-	switch f := filter.(type) {
-	case message.FilterAnd:
-		for _, child := range f {
-			if val := searchFilterForEquality(child, desc, values...); val != "" {
-				return val
-			}
-		}
-	case message.FilterOr:
-		for _, child := range f {
-			if val := searchFilterForEquality(child, desc, values...); val != "" {
-				return val
-			}
-		}
-	case message.FilterNot:
-		return searchFilterForEquality(f.Filter, desc, values...)
-	case message.FilterSubstrings:
-		// Handle FilterSubstrings case if needed
-	case message.FilterEqualityMatch:
-		if strings.EqualFold(string(f.AttributeDesc()), desc) {
-			for _, value := range values {
-				if val := string(f.AssertionValue()); val == value {
-					return val
-				}
-			}
-		}
-	case message.FilterGreaterOrEqual:
-		// Handle FilterGreaterOrEqual case if needed
-	case message.FilterLessOrEqual:
-		// Handle FilterLessOrEqual case if needed
-	case message.FilterPresent:
-		// Handle FilterPresent case if needed
-	case message.FilterApproxMatch:
-		// Handle FilterApproxMatch case if needed
-	}
-
-	return ""
-}
--- a/object/adapter.go
+++ b/object/adapter.go
@@ -37,7 +37,7 @@ type Adapter struct {
 	Host         string `xorm:"varchar(100)" json:"host"`
 	Port         int    `json:"port"`
 	User         string `xorm:"varchar(100)" json:"user"`
-	Password     string `xorm:"varchar(100)" json:"password"`
+	Password     string `xorm:"varchar(150)" json:"password"`
 	Database     string `xorm:"varchar(100)" json:"database"`

 	*xormadapter.Adapter `xorm:"-" json:"-"`
--- a/object/application.go
+++ b/object/application.go
@@ -37,12 +37,13 @@ type SignupItem struct {
 	Prompted    bool   `json:"prompted"`
 	Label       string `json:"label"`
 	Placeholder string `json:"placeholder"`
+	Regex       string `json:"regex"`
 	Rule        string `json:"rule"`
 }

 type SamlItem struct {
 	Name       string `json:"name"`
-	NameFormat string `json:"nameformat"`
+	NameFormat string `json:"nameFormat"`
 	Value      string `json:"value"`
 }

@@ -51,37 +52,38 @@ type Application struct {
 	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`

-	DisplayName         string          `xorm:"varchar(100)" json:"displayName"`
-	Logo                string          `xorm:"varchar(200)" json:"logo"`
-	HomepageUrl         string          `xorm:"varchar(100)" json:"homepageUrl"`
-	Description         string          `xorm:"varchar(100)" json:"description"`
-	Organization        string          `xorm:"varchar(100)" json:"organization"`
-	Cert                string          `xorm:"varchar(100)" json:"cert"`
-	EnablePassword      bool            `json:"enablePassword"`
-	EnableSignUp        bool            `json:"enableSignUp"`
-	EnableSigninSession bool            `json:"enableSigninSession"`
-	EnableAutoSignin    bool            `json:"enableAutoSignin"`
-	EnableCodeSignin    bool            `json:"enableCodeSignin"`
-	EnableSamlCompress  bool            `json:"enableSamlCompress"`
-	EnableSamlC14n10    bool            `json:"enableSamlC14n10"`
-	EnableWebAuthn      bool            `json:"enableWebAuthn"`
-	EnableLinkWithEmail bool            `json:"enableLinkWithEmail"`
-	OrgChoiceMode       string          `json:"orgChoiceMode"`
-	SamlReplyUrl        string          `xorm:"varchar(100)" json:"samlReplyUrl"`
-	Providers           []*ProviderItem `xorm:"mediumtext" json:"providers"`
-	SigninMethods       []*SigninMethod `xorm:"varchar(2000)" json:"signinMethods"`
-	SignupItems         []*SignupItem   `xorm:"varchar(2000)" json:"signupItems"`
-	GrantTypes          []string        `xorm:"varchar(1000)" json:"grantTypes"`
-	OrganizationObj     *Organization   `xorm:"-" json:"organizationObj"`
-	CertPublicKey       string          `xorm:"-" json:"certPublicKey"`
-	Tags                []string        `xorm:"mediumtext" json:"tags"`
-	InvitationCodes     []string        `xorm:"varchar(200)" json:"invitationCodes"`
-	SamlAttributes      []*SamlItem     `xorm:"varchar(1000)" json:"samlAttributes"`
+	DisplayName           string          `xorm:"varchar(100)" json:"displayName"`
+	Logo                  string          `xorm:"varchar(200)" json:"logo"`
+	HomepageUrl           string          `xorm:"varchar(100)" json:"homepageUrl"`
+	Description           string          `xorm:"varchar(100)" json:"description"`
+	Organization          string          `xorm:"varchar(100)" json:"organization"`
+	Cert                  string          `xorm:"varchar(100)" json:"cert"`
+	EnablePassword        bool            `json:"enablePassword"`
+	EnableSignUp          bool            `json:"enableSignUp"`
+	EnableSigninSession   bool            `json:"enableSigninSession"`
+	EnableAutoSignin      bool            `json:"enableAutoSignin"`
+	EnableCodeSignin      bool            `json:"enableCodeSignin"`
+	EnableSamlCompress    bool            `json:"enableSamlCompress"`
+	EnableSamlC14n10      bool            `json:"enableSamlC14n10"`
+	EnableSamlPostBinding bool            `json:"enableSamlPostBinding"`
+	EnableWebAuthn        bool            `json:"enableWebAuthn"`
+	EnableLinkWithEmail   bool            `json:"enableLinkWithEmail"`
+	OrgChoiceMode         string          `json:"orgChoiceMode"`
+	SamlReplyUrl          string          `xorm:"varchar(100)" json:"samlReplyUrl"`
+	Providers             []*ProviderItem `xorm:"mediumtext" json:"providers"`
+	SigninMethods         []*SigninMethod `xorm:"varchar(2000)" json:"signinMethods"`
+	SignupItems           []*SignupItem   `xorm:"varchar(2000)" json:"signupItems"`
+	GrantTypes            []string        `xorm:"varchar(1000)" json:"grantTypes"`
+	OrganizationObj       *Organization   `xorm:"-" json:"organizationObj"`
+	CertPublicKey         string          `xorm:"-" json:"certPublicKey"`
+	Tags                  []string        `xorm:"mediumtext" json:"tags"`
+	SamlAttributes        []*SamlItem     `xorm:"varchar(1000)" json:"samlAttributes"`

 	ClientId             string     `xorm:"varchar(100)" json:"clientId"`
 	ClientSecret         string     `xorm:"varchar(100)" json:"clientSecret"`
 	RedirectUris         []string   `xorm:"varchar(1000)" json:"redirectUris"`
 	TokenFormat          string     `xorm:"varchar(100)" json:"tokenFormat"`
+	TokenFields          []string   `xorm:"varchar(1000)" json:"tokenFields"`
 	ExpireInHours        int        `json:"expireInHours"`
 	RefreshExpireInHours int        `json:"refreshExpireInHours"`
 	SignupUrl            string     `xorm:"varchar(200)" json:"signupUrl"`
@@ -99,7 +101,7 @@ type Application struct {
 	FormBackgroundUrl    string     `xorm:"varchar(200)" json:"formBackgroundUrl"`

 	FailedSigninLimit      int `json:"failedSigninLimit"`
-	FailedSigninfrozenTime int `json:"failedSigninfrozenTime"`
+	FailedSigninFrozenTime int `json:"failedSigninFrozenTime"`
 }

 func GetApplicationCount(owner, field, value string) (int64, error) {
@@ -212,8 +214,6 @@ func extendApplicationWithSigninMethods(application *Application) (err error) {
 			signinMethod := &SigninMethod{Name: "WebAuthn", DisplayName: "WebAuthn", Rule: "None"}
 			application.SigninMethods = append(application.SigninMethods, signinMethod)
 		}
-		signinMethod := &SigninMethod{Name: "LDAP", DisplayName: "LDAP", Rule: "None"}
-		application.SigninMethods = append(application.SigninMethods, signinMethod)
 	}

 	if len(application.SigninMethods) == 0 {
@@ -348,6 +348,17 @@ func GetMaskedApplication(application *Application, userId string) *Application
 		return nil
 	}

+	if application.TokenFields == nil {
+		application.TokenFields = []string{}
+	}
+
+	if application.FailedSigninLimit == 0 {
+		application.FailedSigninLimit = DefaultFailedSigninLimit
+	}
+	if application.FailedSigninFrozenTime == 0 {
+		application.FailedSigninFrozenTime = DefaultFailedSigninFrozenTime
+	}
+
 	if userId != "" {
 		if isUserIdGlobalAdmin(userId) {
 			return application
@@ -381,10 +392,6 @@ func GetMaskedApplication(application *Application, userId string) *Application
 		}
 	}

-	if application.InvitationCodes != nil {
-		application.InvitationCodes = []string{"***"}
-	}
-
 	return application
 }

--- a/object/cert.go~
+++ b/object/cert.go~
--- a/object/check.go
+++ b/object/check.go
@@ -16,6 +16,7 @@ package object

 import (
 	"fmt"
+	"regexp"
 	"strings"
 	"time"
 	"unicode"
@@ -28,94 +29,93 @@ import (
 )

 const (
-	DefaultFailedSigninLimit = 5
-	// DefaultFailedSigninfrozenTime The unit of frozen time is minutes
-	DefaultFailedSigninfrozenTime = 15
+	DefaultFailedSigninLimit      = 5
+	DefaultFailedSigninFrozenTime = 15
 )

-func CheckUserSignup(application *Application, organization *Organization, form *form.AuthForm, lang string) string {
+func CheckUserSignup(application *Application, organization *Organization, authForm *form.AuthForm, lang string) string {
 	if organization == nil {
 		return i18n.Translate(lang, "check:Organization does not exist")
 	}

 	if application.IsSignupItemVisible("Username") {
-		if len(form.Username) <= 1 {
+		if len(authForm.Username) <= 1 {
 			return i18n.Translate(lang, "check:Username must have at least 2 characters")
 		}
-		if unicode.IsDigit(rune(form.Username[0])) {
+		if unicode.IsDigit(rune(authForm.Username[0])) {
 			return i18n.Translate(lang, "check:Username cannot start with a digit")
 		}
-		if util.IsEmailValid(form.Username) {
+		if util.IsEmailValid(authForm.Username) {
 			return i18n.Translate(lang, "check:Username cannot be an email address")
 		}
-		if util.ReWhiteSpace.MatchString(form.Username) {
+		if util.ReWhiteSpace.MatchString(authForm.Username) {
 			return i18n.Translate(lang, "check:Username cannot contain white spaces")
 		}

-		if msg := CheckUsername(form.Username, lang); msg != "" {
+		if msg := CheckUsername(authForm.Username, lang); msg != "" {
 			return msg
 		}

-		if HasUserByField(organization.Name, "name", form.Username) {
+		if HasUserByField(organization.Name, "name", authForm.Username) {
 			return i18n.Translate(lang, "check:Username already exists")
 		}
-		if HasUserByField(organization.Name, "email", form.Email) {
+		if HasUserByField(organization.Name, "email", authForm.Email) {
 			return i18n.Translate(lang, "check:Email already exists")
 		}
-		if HasUserByField(organization.Name, "phone", form.Phone) {
+		if HasUserByField(organization.Name, "phone", authForm.Phone) {
 			return i18n.Translate(lang, "check:Phone already exists")
 		}
 	}

 	if application.IsSignupItemVisible("Password") {
-		msg := CheckPasswordComplexityByOrg(organization, form.Password)
+		msg := CheckPasswordComplexityByOrg(organization, authForm.Password)
 		if msg != "" {
 			return msg
 		}
 	}

 	if application.IsSignupItemVisible("Email") {
-		if form.Email == "" {
+		if authForm.Email == "" {
 			if application.IsSignupItemRequired("Email") {
 				return i18n.Translate(lang, "check:Email cannot be empty")
 			}
 		} else {
-			if HasUserByField(organization.Name, "email", form.Email) {
+			if HasUserByField(organization.Name, "email", authForm.Email) {
 				return i18n.Translate(lang, "check:Email already exists")
-			} else if !util.IsEmailValid(form.Email) {
+			} else if !util.IsEmailValid(authForm.Email) {
 				return i18n.Translate(lang, "check:Email is invalid")
 			}
 		}
 	}

 	if application.IsSignupItemVisible("Phone") {
-		if form.Phone == "" {
+		if authForm.Phone == "" {
 			if application.IsSignupItemRequired("Phone") {
 				return i18n.Translate(lang, "check:Phone cannot be empty")
 			}
 		} else {
-			if HasUserByField(organization.Name, "phone", form.Phone) {
+			if HasUserByField(organization.Name, "phone", authForm.Phone) {
 				return i18n.Translate(lang, "check:Phone already exists")
-			} else if !util.IsPhoneAllowInRegin(form.CountryCode, organization.CountryCodes) {
+			} else if !util.IsPhoneAllowInRegin(authForm.CountryCode, organization.CountryCodes) {
 				return i18n.Translate(lang, "check:Your region is not allow to signup by phone")
-			} else if !util.IsPhoneValid(form.Phone, form.CountryCode) {
+			} else if !util.IsPhoneValid(authForm.Phone, authForm.CountryCode) {
 				return i18n.Translate(lang, "check:Phone number is invalid")
 			}
 		}
 	}

 	if application.IsSignupItemVisible("Display name") {
-		if application.GetSignupItemRule("Display name") == "First, last" && (form.FirstName != "" || form.LastName != "") {
-			if form.FirstName == "" {
+		if application.GetSignupItemRule("Display name") == "First, last" && (authForm.FirstName != "" || authForm.LastName != "") {
+			if authForm.FirstName == "" {
 				return i18n.Translate(lang, "check:FirstName cannot be blank")
-			} else if form.LastName == "" {
+			} else if authForm.LastName == "" {
 				return i18n.Translate(lang, "check:LastName cannot be blank")
 			}
 		} else {
-			if form.Name == "" {
+			if authForm.Name == "" {
 				return i18n.Translate(lang, "check:DisplayName cannot be blank")
 			} else if application.GetSignupItemRule("Display name") == "Real name" {
-				if !isValidRealName(form.Name) {
+				if !isValidRealName(authForm.Name) {
 					return i18n.Translate(lang, "check:DisplayName is not valid real name")
 				}
 			}
@@ -123,28 +123,69 @@ func CheckUserSignup(application *Application, organization *Organization, form
 	}

 	if application.IsSignupItemVisible("Affiliation") {
-		if form.Affiliation == "" {
+		if authForm.Affiliation == "" {
 			return i18n.Translate(lang, "check:Affiliation cannot be blank")
 		}
 	}

-	if len(application.InvitationCodes) > 0 {
-		if form.InvitationCode == "" {
-			if application.IsSignupItemRequired("Invitation code") {
-				return i18n.Translate(lang, "check:Invitation code cannot be blank")
-			}
-		} else {
-			if !util.InSlice(application.InvitationCodes, form.InvitationCode) {
-				return i18n.Translate(lang, "check:Invitation code is invalid")
-			}
+	for _, signupItem := range application.SignupItems {
+		if signupItem.Regex == "" {
+			continue
+		}
+
+		isString, value := form.GetAuthFormFieldValue(authForm, signupItem.Name)
+		if !isString {
+			continue
+		}
+
+		regexSignupItem, err := regexp.Compile(signupItem.Regex)
+		if err != nil {
+			return err.Error()
+		}
+
+		matched := regexSignupItem.MatchString(value)
+		if !matched {
+			return fmt.Sprintf(i18n.Translate(lang, "check:The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\""), value, signupItem.Name, application.Name)
 		}
 	}

 	return ""
 }

+func CheckInvitationCode(application *Application, organization *Organization, authForm *form.AuthForm, lang string) (*Invitation, string) {
+	if authForm.InvitationCode == "" {
+		if application.IsSignupItemRequired("Invitation code") {
+			return nil, i18n.Translate(lang, "check:Invitation code cannot be blank")
+		} else {
+			return nil, ""
+		}
+	}
+
+	invitations, err := GetInvitations(organization.Name)
+	if err != nil {
+		return nil, err.Error()
+	}
+	errMsg := ""
+	for _, invitation := range invitations {
+		if invitation.Application != application.Name && invitation.Application != "All" {
+			continue
+		}
+		if isValid, msg := invitation.IsInvitationCodeValid(application, authForm.InvitationCode, authForm.Username, authForm.Email, authForm.Phone, lang); isValid {
+			return invitation, msg
+		} else if msg != "" && errMsg == "" {
+			errMsg = msg
+		}
+	}
+
+	if errMsg != "" {
+		return nil, errMsg
+	} else {
+		return nil, i18n.Translate(lang, "check:Invitation code is invalid")
+	}
+}
+
 func checkSigninErrorTimes(user *User, lang string) error {
-	failedSigninLimit, failedSigninfrozenTime, err := GetFailedSigninConfigByUser(user)
+	failedSigninLimit, failedSigninFrozenTime, err := GetFailedSigninConfigByUser(user)
 	if err != nil {
 		return err
 	}
@@ -152,7 +193,7 @@ func checkSigninErrorTimes(user *User, lang string) error {
 	if user.SigninWrongTimes >= failedSigninLimit {
 		lastSignWrongTime, _ := time.Parse(time.RFC3339, user.LastSigninWrongTime)
 		passedTime := time.Now().UTC().Sub(lastSignWrongTime)
-		minutes := failedSigninfrozenTime - int(passedTime.Minutes())
+		minutes := failedSigninFrozenTime - int(passedTime.Minutes())

 		// deny the login if the error times is greater than the limit and the last login time is less than the duration
 		if minutes > 0 {
@@ -273,7 +314,7 @@ func checkLdapUserPassword(user *User, password string, lang string) error {
 		}
 		return fmt.Errorf(i18n.Translate(lang, "check:LDAP user name or password incorrect"))
 	}
-	return nil
+	return resetUserSigninErrorTimes(user)
 }

 func CheckUserPassword(organization string, username string, password string, lang string, options ...bool) (*User, error) {
@@ -308,13 +349,23 @@ func CheckUserPassword(organization string, username string, password string, la
 		if !isSigninViaLdap && !isPasswordWithLdapEnabled {
 			return nil, fmt.Errorf(i18n.Translate(lang, "check:password or code is incorrect"))
 		}
+
+		// check the login error times
+		if !enableCaptcha {
+			err = checkSigninErrorTimes(user, lang)
+			if err != nil {
+				return nil, err
+			}
+		}
+
 		// only for LDAP users
 		err = checkLdapUserPassword(user, password, lang)
 		if err != nil {
 			if err.Error() == "user not exist" {
 				return nil, fmt.Errorf(i18n.Translate(lang, "check:The user: %s doesn't exist in LDAP server"), username)
 			}
-			return nil, err
+
+			return nil, recordSigninErrorInfo(user, lang, enableCaptcha)
 		}
 	} else {
 		err = CheckPassword(user, password, lang, enableCaptcha)
@@ -499,12 +550,11 @@ func CheckToEnableCaptcha(application *Application, organization, username strin
 					return false, err
 				}

-				var failedSigninLimit int
-				if application.FailedSigninLimit == 0 {
-					failedSigninLimit = 5
-				} else {
-					failedSigninLimit = application.FailedSigninLimit
+				failedSigninLimit := application.FailedSigninLimit
+				if failedSigninLimit == 0 {
+					failedSigninLimit = DefaultFailedSigninLimit
 				}
+
 				return user != nil && user.SigninWrongTimes >= failedSigninLimit, nil
 			}
 			return providerItem.Rule == "Always", nil
--- a/object/check_password_complexity.go
+++ b/object/check_password_complexity.go
@@ -24,7 +24,7 @@ var (
 	regexLowerCase = regexp.MustCompile(`[a-z]`)
 	regexUpperCase = regexp.MustCompile(`[A-Z]`)
 	regexDigit     = regexp.MustCompile(`\d`)
-	regexSpecial   = regexp.MustCompile(`[!@#$%^&*]`)
+	regexSpecial   = regexp.MustCompile("[!-/:-@[-`{-~]")
 )

 func isValidOption_AtLeast6(password string) string {
--- a/object/check_util.go
+++ b/object/check_util.go
@@ -52,18 +52,18 @@ func GetFailedSigninConfigByUser(user *User) (int, int, error) {
 	if err != nil {
 		return 0, 0, err
 	}
-	failedSigninLimit := application.FailedSigninLimit
-	failedSigninfrozenTime := application.FailedSigninfrozenTime

-	// 0 as an initialization value, corresponding to the default configuration parameters
+	failedSigninLimit := application.FailedSigninLimit
 	if failedSigninLimit == 0 {
 		failedSigninLimit = DefaultFailedSigninLimit
 	}
-	if failedSigninfrozenTime == 0 {
-		failedSigninfrozenTime = DefaultFailedSigninfrozenTime
+
+	failedSigninFrozenTime := application.FailedSigninFrozenTime
+	if failedSigninFrozenTime == 0 {
+		failedSigninFrozenTime = DefaultFailedSigninFrozenTime
 	}

-	return failedSigninLimit, failedSigninfrozenTime, nil
+	return failedSigninLimit, failedSigninFrozenTime, nil
 }

 func recordSigninErrorInfo(user *User, lang string, options ...bool) error {
@@ -72,7 +72,7 @@ func recordSigninErrorInfo(user *User, lang string, options ...bool) error {
 		enableCaptcha = options[0]
 	}

-	failedSigninLimit, failedSigninfrozenTime, errSignin := GetFailedSigninConfigByUser(user)
+	failedSigninLimit, failedSigninFrozenTime, errSignin := GetFailedSigninConfigByUser(user)
 	if errSignin != nil {
 		return errSignin
 	}
@@ -101,5 +101,5 @@ func recordSigninErrorInfo(user *User, lang string, options ...bool) error {
 	}

 	// don't show the chance error message if the user has no chance left
-	return fmt.Errorf(i18n.Translate(lang, "check:You have entered the wrong password or code too many times, please wait for %d minutes and try again"), failedSigninfrozenTime)
+	return fmt.Errorf(i18n.Translate(lang, "check:You have entered the wrong password or code too many times, please wait for %d minutes and try again"), failedSigninFrozenTime)
 }
--- a/object/init.go
+++ b/object/init.go
@@ -181,10 +181,9 @@ func initBuiltInApplication() {
 			{Name: "provider_captcha_default", CanSignUp: false, CanSignIn: false, CanUnlink: false, Prompted: false, SignupGroup: "", Rule: "None", Provider: nil},
 		},
 		SigninMethods: []*SigninMethod{
-			{Name: "Password", DisplayName: "Password", Rule: "None"},
+			{Name: "Password", DisplayName: "Password", Rule: "All"},
 			{Name: "Verification code", DisplayName: "Verification code", Rule: "All"},
 			{Name: "WebAuthn", DisplayName: "WebAuthn", Rule: "None"},
-			{Name: "LDAP", DisplayName: "LDAP", Rule: "None"},
 		},
 		SignupItems: []*SignupItem{
 			{Name: "ID", Visible: false, Required: true, Prompted: false, Rule: "Random"},
@@ -198,6 +197,7 @@ func initBuiltInApplication() {
 		},
 		Tags:          []string{},
 		RedirectUris:  []string{},
+		TokenFields:   []string{},
 		ExpireInHours: 168,
 		FormOffset:    2,
 	}
--- a/object/init_data.go
+++ b/object/init_data.go
@@ -145,11 +145,14 @@ func readInitDataFromFile(filePath string) (*InitData, error) {
 		if application.GrantTypes == nil {
 			application.GrantTypes = []string{}
 		}
+		if application.Tags == nil {
+			application.Tags = []string{}
+		}
 		if application.RedirectUris == nil {
 			application.RedirectUris = []string{}
 		}
-		if application.Tags == nil {
-			application.Tags = []string{}
+		if application.TokenFields == nil {
+			application.TokenFields = []string{}
 		}
 	}
 	for _, permission := range data.Permissions {
--- a/object/invitation.go
+++ b/object/invitation.go
@@ -17,6 +17,7 @@ package object
 import (
 	"fmt"

+	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/util"
 	"github.com/xorm-io/core"
 )
@@ -28,7 +29,8 @@ type Invitation struct {
 	UpdatedTime string `xorm:"varchar(100)" json:"updatedTime"`
 	DisplayName string `xorm:"varchar(100)" json:"displayName"`

-	Code      string `xorm:"varchar(100)" json:"code"`
+	Code      string `xorm:"varchar(100) index" json:"code"`
+	IsRegexp  bool   `json:"isRegexp"`
 	Quota     int    `json:"quota"`
 	UsedCount int    `json:"usedCount"`

@@ -99,6 +101,12 @@ func UpdateInvitation(id string, invitation *Invitation) (bool, error) {
 		return false, nil
 	}

+	if isRegexp, err := util.IsRegexp(invitation.Code); err != nil {
+		return false, err
+	} else {
+		invitation.IsRegexp = isRegexp
+	}
+
 	affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(invitation)
 	if err != nil {
 		return false, err
@@ -108,6 +116,12 @@ func UpdateInvitation(id string, invitation *Invitation) (bool, error) {
 }

 func AddInvitation(invitation *Invitation) (bool, error) {
+	if isRegexp, err := util.IsRegexp(invitation.Code); err != nil {
+		return false, err
+	} else {
+		invitation.IsRegexp = isRegexp
+	}
+
 	affected, err := ormer.Engine.Insert(invitation)
 	if err != nil {
 		return false, err
@@ -132,3 +146,36 @@ func (invitation *Invitation) GetId() string {
 func VerifyInvitation(id string) (payment *Payment, attachInfo map[string]interface{}, err error) {
 	return nil, nil, fmt.Errorf("the invitation: %s does not exist", id)
 }
+
+func (invitation *Invitation) IsInvitationCodeValid(application *Application, invitationCode string, username string, email string, phone string, lang string) (bool, string) {
+	if matched, err := util.IsInvitationCodeMatch(invitation.Code, invitationCode); err != nil {
+		return false, err.Error()
+	} else if !matched {
+		return false, ""
+	}
+
+	if invitation.State != "Active" {
+		return false, i18n.Translate(lang, "check:Invitation code suspended")
+	}
+	if invitation.UsedCount >= invitation.Quota {
+		return false, i18n.Translate(lang, "check:Invitation code exhausted")
+	}
+	if application.IsSignupItemRequired("Username") && invitation.Username != "" && invitation.Username != username {
+		return false, i18n.Translate(lang, "check:Please register using the username corresponding to the invitation code")
+	}
+	if application.IsSignupItemRequired("Email") && invitation.Email != "" && invitation.Email != email {
+		return false, i18n.Translate(lang, "check:Please register using the email corresponding to the invitation code")
+	}
+	if application.IsSignupItemRequired("Phone") && invitation.Phone != "" && invitation.Phone != phone {
+		return false, i18n.Translate(lang, "check:Please register using the phone  corresponding to the invitation code")
+	}
+
+	// Determine whether the invitation code is in the form of a regular expression other than pure numbers and letters
+	if invitation.IsRegexp {
+		user, _ := GetUserByInvitationCode(invitation.Owner, invitationCode)
+		if user != nil {
+			return false, i18n.Translate(lang, "check:The invitation code has already been used")
+		}
+	}
+	return true, ""
+}
--- a/object/permission_enforcer.go
+++ b/object/permission_enforcer.go
@@ -308,7 +308,7 @@ func BatchEnforce(permission *Permission, requests [][]string, permissionIds ...
 	return enforcer.BatchEnforce(interfaceRequests)
 }

-func getAllValues(userId string, fn func(enforcer *casbin.Enforcer) []string) ([]string, error) {
+func getEnforcers(userId string) ([]*casbin.Enforcer, error) {
 	permissions, _, err := getPermissionsAndRolesByUser(userId)
 	if err != nil {
 		return nil, err
@@ -320,7 +320,8 @@ func getAllValues(userId string, fn func(enforcer *casbin.Enforcer) []string) ([
 	}

 	for _, role := range allRoles {
-		permissionsByRole, err := GetPermissionsByRole(role)
+		var permissionsByRole []*Permission
+		permissionsByRole, err = GetPermissionsByRole(role)
 		if err != nil {
 			return nil, err
 		}
@@ -328,29 +329,45 @@ func getAllValues(userId string, fn func(enforcer *casbin.Enforcer) []string) ([
 		permissions = append(permissions, permissionsByRole...)
 	}

-	var values []string
+	var enforcers []*casbin.Enforcer
 	for _, permission := range permissions {
-		enforcer, err := getPermissionEnforcer(permission)
+		var enforcer *casbin.Enforcer
+		enforcer, err = getPermissionEnforcer(permission)
 		if err != nil {
 			return nil, err
 		}

-		values = append(values, fn(enforcer)...)
+		enforcers = append(enforcers, enforcer)
 	}
-
-	return values, nil
+	return enforcers, nil
 }

 func GetAllObjects(userId string) ([]string, error) {
-	return getAllValues(userId, func(enforcer *casbin.Enforcer) []string {
-		return enforcer.GetAllObjects()
-	})
+	enforcers, err := getEnforcers(userId)
+	if err != nil {
+		return nil, err
+	}
+
+	res := []string{}
+	for _, enforcer := range enforcers {
+		items := enforcer.GetAllObjects()
+		res = append(res, items...)
+	}
+	return res, nil
 }

 func GetAllActions(userId string) ([]string, error) {
-	return getAllValues(userId, func(enforcer *casbin.Enforcer) []string {
-		return enforcer.GetAllActions()
-	})
+	enforcers, err := getEnforcers(userId)
+	if err != nil {
+		return nil, err
+	}
+
+	res := []string{}
+	for _, enforcer := range enforcers {
+		items := enforcer.GetAllObjects()
+		res = append(res, items...)
+	}
+	return res, nil
 }

 func GetAllRoles(userId string) ([]string, error) {
--- a/object/role.go
+++ b/object/role.go
@@ -266,10 +266,9 @@ func (role *Role) GetId() string {
 }

 func getRolesByUserInternal(userId string) ([]*Role, error) {
-	roles := []*Role{}
 	user, err := GetUser(userId)
 	if err != nil {
-		return roles, err
+		return nil, err
 	}
 	if user == nil {
 		return nil, fmt.Errorf("The user: %s doesn't exist", userId)
@@ -280,9 +279,10 @@ func getRolesByUserInternal(userId string) ([]*Role, error) {
 		query = query.Or("r.groups like ?", fmt.Sprintf("%%%s%%", group))
 	}

+	roles := []*Role{}
 	err = query.Find(&roles)
 	if err != nil {
-		return roles, err
+		return nil, err
 	}

 	res := []*Role{}
@@ -291,14 +291,13 @@ func getRolesByUserInternal(userId string) ([]*Role, error) {
 			res = append(res, role)
 		}
 	}
-
 	return res, nil
 }

 func getRolesByUser(userId string) ([]*Role, error) {
 	roles, err := getRolesByUserInternal(userId)
 	if err != nil {
-		return roles, err
+		return nil, err
 	}

 	allRolesIds := []string{}
@@ -379,15 +378,11 @@ func GetMaskedRoles(roles []*Role) []*Role {

 // GetAncestorRoles returns a list of roles that contain the given roleIds
 func GetAncestorRoles(roleIds ...string) ([]*Role, error) {
-	var (
-		result  = []*Role{}
-		roleMap = make(map[string]*Role)
-		visited = make(map[string]bool)
-	)
 	if len(roleIds) == 0 {
-		return result, nil
+		return []*Role{}, nil
 	}

+	visited := map[string]bool{}
 	for _, roleId := range roleIds {
 		visited[roleId] = true
 	}
@@ -399,25 +394,26 @@ func GetAncestorRoles(roleIds ...string) ([]*Role, error) {
 		return nil, err
 	}

+	roleMap := map[string]*Role{}
 	for _, r := range allRoles {
 		roleMap[r.GetId()] = r
 	}

-	// Second, find all the roles that contain father roles
+	// find all the roles that contain father roles
+	res := []*Role{}
 	for _, r := range allRoles {
 		isContain, ok := visited[r.GetId()]
 		if isContain {
-			result = append(result, r)
+			res = append(res, r)
 		} else if !ok {
 			rId := r.GetId()
 			visited[rId] = containsRole(r, roleMap, visited, roleIds...)
 			if visited[rId] {
-				result = append(result, r)
+				res = append(res, r)
 			}
 		}
 	}
-
-	return result, nil
+	return res, nil
 }

 // containsRole is a helper function to check if a roles is related to any role in the given list roles
--- a/object/saml_idp.go
+++ b/object/saml_idp.go
@@ -198,7 +198,7 @@ type Attribute struct {
 	Values       []string `xml:"AttributeValue"`
 }

-func GetSamlMeta(application *Application, host string) (*IdpEntityDescriptor, error) {
+func GetSamlMeta(application *Application, host string, enablePostBinding bool) (*IdpEntityDescriptor, error) {
 	cert, err := getCertByApplication(application)
 	if err != nil {
 		return nil, err
@@ -217,6 +217,13 @@ func GetSamlMeta(application *Application, host string) (*IdpEntityDescriptor, e

 	originFrontend, originBackend := getOriginFromHost(host)

+	idpLocation := ""
+	if enablePostBinding {
+		idpLocation = fmt.Sprintf("%s/api/saml/redirect/%s/%s", originBackend, application.Owner, application.Name)
+	} else {
+		idpLocation = fmt.Sprintf("%s/login/saml/authorize/%s/%s", originFrontend, application.Owner, application.Name)
+	}
+
 	d := IdpEntityDescriptor{
 		XMLName: xml.Name{
 			Local: "md:EntityDescriptor",
@@ -248,7 +255,7 @@ func GetSamlMeta(application *Application, host string) (*IdpEntityDescriptor, e
 			},
 			SingleSignOnService: SingleSignOnService{
 				Binding:  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-				Location: fmt.Sprintf("%s/login/saml/authorize/%s/%s", originFrontend, application.Owner, application.Name),
+				Location: idpLocation,
 			},
 			ProtocolSupportEnumeration: "urn:oasis:names:tc:SAML:2.0:protocol",
 		},
@@ -442,3 +449,8 @@ func NewSamlResponse11(user *User, requestID string, host string) *etree.Element

 	return samlResponse
 }
+
+func GetSamlRedirectAddress(owner string, application string, relayState string, samlRequest string, host string) string {
+	originF, _ := getOriginFromHost(host)
+	return fmt.Sprintf("%s/login/saml/authorize/%s/%s?relayState=%s&samlRequest=%s", originF, owner, application, relayState, samlRequest)
+}
--- a/object/sms.go
+++ b/object/sms.go
@@ -27,7 +27,7 @@ func getSmsClient(provider *Provider) (sender.SmsClient, error) {
 	if provider.Type == sender.HuaweiCloud || provider.Type == sender.AzureACS {
 		client, err = sender.NewSmsClient(provider.Type, provider.ClientId, provider.ClientSecret, provider.SignName, provider.TemplateCode, provider.ProviderUrl, provider.AppId)
 	} else if provider.Type == "Custom HTTP SMS" {
-		client, err = newHttpSmsClient(provider.Endpoint, provider.Method, provider.Title)
+		client, err = newHttpSmsClient(provider.Endpoint, provider.Method, provider.Title, provider.TemplateCode)
 	} else {
 		client, err = sender.NewSmsClient(provider.Type, provider.ClientId, provider.ClientSecret, provider.SignName, provider.TemplateCode, provider.AppId)
 	}
--- a/object/sms_custom_http.go
+++ b/object/sms_custom_http.go
@@ -27,20 +27,26 @@ type HttpSmsClient struct {
 	endpoint  string
 	method    string
 	paramName string
+	template  string
 }

-func newHttpSmsClient(endpoint string, method string, paramName string) (*HttpSmsClient, error) {
+func newHttpSmsClient(endpoint, method, paramName, template string) (*HttpSmsClient, error) {
+	if template == "" {
+		template = "%s"
+	}
 	client := &HttpSmsClient{
 		endpoint:  endpoint,
 		method:    method,
 		paramName: paramName,
+		template:  template,
 	}
 	return client, nil
 }

 func (c *HttpSmsClient) SendMessage(param map[string]string, targetPhoneNumber ...string) error {
 	phoneNumber := targetPhoneNumber[0]
-	content := param["code"]
+	code := param["code"]
+	content := fmt.Sprintf(c.template, code)

 	var req *http.Request
 	var err error
--- a/object/syncer.go
+++ b/object/syncer.go
@@ -43,7 +43,7 @@ type Syncer struct {
 	Host             string         `xorm:"varchar(100)" json:"host"`
 	Port             int            `json:"port"`
 	User             string         `xorm:"varchar(100)" json:"user"`
-	Password         string         `xorm:"varchar(100)" json:"password"`
+	Password         string         `xorm:"varchar(150)" json:"password"`
 	Database         string         `xorm:"varchar(100)" json:"database"`
 	Table            string         `xorm:"varchar(100)" json:"table"`
 	TableColumns     []*TableColumn `xorm:"mediumtext" json:"tableColumns"`
@@ -116,22 +116,35 @@ func GetSyncer(id string) (*Syncer, error) {
 	return getSyncer(owner, name)
 }

-func GetMaskedSyncer(syncer *Syncer) *Syncer {
+func GetMaskedSyncer(syncer *Syncer, errs ...error) (*Syncer, error) {
+	if len(errs) > 0 && errs[0] != nil {
+		return nil, errs[0]
+	}
+
 	if syncer == nil {
-		return nil
+		return nil, nil
 	}

 	if syncer.Password != "" {
 		syncer.Password = "***"
 	}
-	return syncer
+	return syncer, nil
 }

-func GetMaskedSyncers(syncers []*Syncer) []*Syncer {
-	for _, syncer := range syncers {
-		syncer = GetMaskedSyncer(syncer)
+func GetMaskedSyncers(syncers []*Syncer, errs ...error) ([]*Syncer, error) {
+	if len(errs) > 0 && errs[0] != nil {
+		return nil, errs[0]
 	}
-	return syncers
+
+	var err error
+	for _, syncer := range syncers {
+		syncer, err = GetMaskedSyncer(syncer)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return syncers, nil
 }

 func UpdateSyncer(id string, syncer *Syncer) (bool, error) {
--- a/object/syncer_util.go
+++ b/object/syncer_util.go
@@ -93,6 +93,8 @@ func (syncer *Syncer) setUserByKeyValue(user *User, key string, value string) {
 		user.CreatedTime = value
 	case "UpdatedTime":
 		user.UpdatedTime = value
+	case "DeletedTime":
+		user.DeletedTime = value
 	case "Id":
 		user.Id = value
 	case "Type":
@@ -266,6 +268,7 @@ func (syncer *Syncer) getMapFromOriginalUser(user *OriginalUser) map[string]stri
 	m["Name"] = user.Name
 	m["CreatedTime"] = user.CreatedTime
 	m["UpdatedTime"] = user.UpdatedTime
+	m["DeletedTime"] = user.DeletedTime
 	m["Id"] = user.Id
 	m["Type"] = user.Type
 	m["Password"] = user.Password
--- a/object/token.go
+++ b/object/token.go
@@ -186,6 +186,26 @@ func GetTokenByRefreshToken(refreshToken string) (*Token, error) {
 	return &token, nil
 }

+func GetTokenByTokenValue(tokenValue string) (*Token, error) {
+	token, err := GetTokenByAccessToken(tokenValue)
+	if err != nil {
+		return nil, err
+	}
+	if token != nil {
+		return token, nil
+	}
+
+	token, err = GetTokenByRefreshToken(tokenValue)
+	if err != nil {
+		return nil, err
+	}
+	if token != nil {
+		return token, nil
+	}
+
+	return nil, nil
+}
+
 func updateUsedByCode(token *Token) bool {
 	affected, err := ormer.Engine.Where("code=?", token.Code).Cols("code_is_used").Update(token)
 	if err != nil {
@@ -283,20 +303,6 @@ func ExpireTokenByAccessToken(accessToken string) (bool, *Application, *Token, e
 	return affected != 0, application, token, nil
 }

-func GetTokenByTokenAndApplication(token string, application string) (*Token, error) {
-	tokenResult := Token{}
-	existed, err := ormer.Engine.Where("(refresh_token = ? or access_token = ? ) and application = ?", token, token, application).Get(&tokenResult)
-	if err != nil {
-		return nil, err
-	}
-
-	if !existed {
-		return nil, nil
-	}
-
-	return &tokenResult, nil
-}
-
 func CheckOAuthLogin(clientId string, responseType string, redirectUri string, scope string, state string, lang string) (string, *Application, error) {
 	if responseType != "code" && responseType != "token" && responseType != "id_token" {
 		return fmt.Sprintf(i18n.Translate(lang, "token:Grant_type: %s is not supported in this application"), responseType), nil, nil
--- a/object/token_jwt.go
+++ b/object/token_jwt.go
@@ -16,6 +16,7 @@ package object

 import (
 	"fmt"
+	"reflect"
 	"time"

 	"github.com/casdoor/casdoor/util"
@@ -39,7 +40,7 @@ type UserShort struct {
 	DisplayName string `xorm:"varchar(100)" json:"displayName"`
 	Avatar      string `xorm:"varchar(500)" json:"avatar"`
 	Email       string `xorm:"varchar(100) index" json:"email"`
-	Phone       string `xorm:"varchar(20) index" json:"phone"`
+	Phone       string `xorm:"varchar(100) index" json:"phone"`
 }

 type UserWithoutThirdIdp struct {
@@ -47,10 +48,11 @@ type UserWithoutThirdIdp struct {
 	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
 	CreatedTime string `xorm:"varchar(100) index" json:"createdTime"`
 	UpdatedTime string `xorm:"varchar(100)" json:"updatedTime"`
+	DeletedTime string `xorm:"varchar(100)" json:"deletedTime"`

 	Id                string   `xorm:"varchar(100) index" json:"id"`
 	Type              string   `xorm:"varchar(100)" json:"type"`
-	Password          string   `xorm:"varchar(100)" json:"password"`
+	Password          string   `xorm:"varchar(150)" json:"password"`
 	PasswordSalt      string   `xorm:"varchar(100)" json:"passwordSalt"`
 	PasswordType      string   `xorm:"varchar(100)" json:"passwordType"`
 	DisplayName       string   `xorm:"varchar(100)" json:"displayName"`
@@ -61,7 +63,7 @@ type UserWithoutThirdIdp struct {
 	PermanentAvatar   string   `xorm:"varchar(500)" json:"permanentAvatar"`
 	Email             string   `xorm:"varchar(100) index" json:"email"`
 	EmailVerified     bool     `json:"emailVerified"`
-	Phone             string   `xorm:"varchar(20) index" json:"phone"`
+	Phone             string   `xorm:"varchar(100) index" json:"phone"`
 	CountryCode       string   `xorm:"varchar(6)" json:"countryCode"`
 	Region            string   `xorm:"varchar(100)" json:"region"`
 	Location          string   `xorm:"varchar(100)" json:"location"`
@@ -166,6 +168,7 @@ func getUserWithoutThirdIdp(user *User) *UserWithoutThirdIdp {
 		Name:        user.Name,
 		CreatedTime: user.CreatedTime,
 		UpdatedTime: user.UpdatedTime,
+		DeletedTime: user.DeletedTime,

 		Id:                user.Id,
 		Type:              user.Type,
@@ -270,6 +273,34 @@ func getClaimsWithoutThirdIdp(claims Claims) ClaimsWithoutThirdIdp {
 	return res
 }

+func getClaimsCustom(claims Claims, tokenField []string) jwt.MapClaims {
+	res := make(jwt.MapClaims)
+
+	userValue := reflect.ValueOf(claims.User).Elem()
+
+	res["iss"] = claims.RegisteredClaims.Issuer
+	res["sub"] = claims.RegisteredClaims.Subject
+	res["aud"] = claims.RegisteredClaims.Audience
+	res["exp"] = claims.RegisteredClaims.ExpiresAt
+	res["nbf"] = claims.RegisteredClaims.NotBefore
+	res["iat"] = claims.RegisteredClaims.IssuedAt
+	res["jti"] = claims.RegisteredClaims.ID
+	res["tokenType"] = claims.TokenType
+	res["nonce"] = claims.Nonce
+	res["tag"] = claims.Tag
+	res["scope"] = claims.Scope
+
+	for _, field := range tokenField {
+		userField := userValue.FieldByName(field)
+		if userField.IsValid() {
+			newfield := util.SnakeToCamel(util.CamelToSnakeCase(field))
+			res[newfield] = userField.Interface()
+		}
+	}
+
+	return res
+}
+
 func refineUser(user *User) *User {
 	user.Password = ""

@@ -329,20 +360,30 @@ func generateJwtToken(application *Application, user *User, nonce string, scope
 	var refreshToken *jwt.Token

 	// the JWT token length in "JWT-Empty" mode will be very short, as User object only has two properties: owner and name
-	if application.TokenFormat == "JWT-Empty" {
-		claimsShort := getShortClaims(claims)
-
-		token = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsShort)
-		claimsShort.ExpiresAt = jwt.NewNumericDate(refreshExpireTime)
-		claimsShort.TokenType = "refresh-token"
-		refreshToken = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsShort)
-	} else {
+	if application.TokenFormat == "JWT" {
 		claimsWithoutThirdIdp := getClaimsWithoutThirdIdp(claims)

 		token = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsWithoutThirdIdp)
 		claimsWithoutThirdIdp.ExpiresAt = jwt.NewNumericDate(refreshExpireTime)
 		claimsWithoutThirdIdp.TokenType = "refresh-token"
 		refreshToken = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsWithoutThirdIdp)
+	} else if application.TokenFormat == "JWT-Empty" {
+		claimsShort := getShortClaims(claims)
+
+		token = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsShort)
+		claimsShort.ExpiresAt = jwt.NewNumericDate(refreshExpireTime)
+		claimsShort.TokenType = "refresh-token"
+		refreshToken = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsShort)
+	} else if application.TokenFormat == "JWT-Custom" {
+		claimsCustom := getClaimsCustom(claims, application.TokenFields)
+
+		token = jwt.NewWithClaims(jwt.SigningMethodRS256, claimsCustom)
+		refreshClaims := getClaimsCustom(claims, application.TokenFields)
+		refreshClaims["exp"] = jwt.NewNumericDate(refreshExpireTime)
+		refreshClaims["TokenType"] = "refresh-token"
+		refreshToken = jwt.NewWithClaims(jwt.SigningMethodRS256, refreshClaims)
+	} else {
+		return "", "", "", fmt.Errorf("unknown application TokenFormat: %s", application.TokenFormat)
 	}

 	cert, err := getCertByApplication(application)
--- a/object/user.go
+++ b/object/user.go
@@ -49,11 +49,12 @@ type User struct {
 	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
 	CreatedTime string `xorm:"varchar(100) index" json:"createdTime"`
 	UpdatedTime string `xorm:"varchar(100)" json:"updatedTime"`
+	DeletedTime string `xorm:"varchar(100)" json:"deletedTime"`

 	Id                string   `xorm:"varchar(100) index" json:"id"`
 	ExternalId        string   `xorm:"varchar(100) index" json:"externalId"`
 	Type              string   `xorm:"varchar(100)" json:"type"`
-	Password          string   `xorm:"varchar(100)" json:"password"`
+	Password          string   `xorm:"varchar(150)" json:"password"`
 	PasswordSalt      string   `xorm:"varchar(100)" json:"passwordSalt"`
 	PasswordType      string   `xorm:"varchar(100)" json:"passwordType"`
 	DisplayName       string   `xorm:"varchar(100)" json:"displayName"`
@@ -64,7 +65,7 @@ type User struct {
 	PermanentAvatar   string   `xorm:"varchar(500)" json:"permanentAvatar"`
 	Email             string   `xorm:"varchar(100) index" json:"email"`
 	EmailVerified     bool     `json:"emailVerified"`
-	Phone             string   `xorm:"varchar(20) index" json:"phone"`
+	Phone             string   `xorm:"varchar(100) index" json:"phone"`
 	CountryCode       string   `xorm:"varchar(6)" json:"countryCode"`
 	Region            string   `xorm:"varchar(100)" json:"region"`
 	Location          string   `xorm:"varchar(100)" json:"location"`
@@ -183,6 +184,8 @@ type User struct {
 	MfaPhoneEnabled     bool                  `json:"mfaPhoneEnabled"`
 	MfaEmailEnabled     bool                  `json:"mfaEmailEnabled"`
 	MultiFactorAuths    []*MfaProps           `xorm:"-" json:"multiFactorAuths,omitempty"`
+	Invitation          string                `xorm:"varchar(100) index" json:"invitation"`
+	InvitationCode      string                `xorm:"varchar(100) index" json:"invitationCode"`

 	Ldap       string            `xorm:"ldap varchar(100)" json:"ldap"`
 	Properties map[string]string `json:"properties"`
@@ -496,6 +499,24 @@ func GetUserByUserIdOnly(userId string) (*User, error) {
 	}
 }

+func GetUserByInvitationCode(owner string, invitationCode string) (*User, error) {
+	if owner == "" || invitationCode == "" {
+		return nil, nil
+	}
+
+	user := User{Owner: owner, InvitationCode: invitationCode}
+	existed, err := ormer.Engine.Get(&user)
+	if err != nil {
+		return nil, err
+	}
+
+	if existed {
+		return &user, nil
+	} else {
+		return nil, nil
+	}
+}
+
 func GetUserByAccessKey(accessKey string) (*User, error) {
 	if accessKey == "" {
 		return nil, nil
@@ -619,7 +640,7 @@ func UpdateUser(id string, user *User, columns []string, isAdmin bool) (bool, er
 	if len(columns) == 0 {
 		columns = []string{
 			"owner", "display_name", "avatar", "first_name", "last_name",
-			"location", "address", "country_code", "region", "language", "affiliation", "title", "homepage", "bio", "tag", "language", "gender", "birthday", "education", "score", "karma", "ranking", "signup_application",
+			"location", "address", "country_code", "region", "language", "affiliation", "title", "id_card_type", "id_card", "homepage", "bio", "tag", "language", "gender", "birthday", "education", "score", "karma", "ranking", "signup_application",
 			"is_admin", "is_forbidden", "is_deleted", "hash", "is_default_avatar", "properties", "webauthnCredentials", "managedAccounts",
 			"signin_wrong_times", "last_signin_wrong_time", "groups", "access_key", "access_secret",
 			"github", "google", "qq", "wechat", "facebook", "dingtalk", "weibo", "gitee", "linkedin", "wecom", "lark", "gitlab", "adfs",
@@ -638,6 +659,10 @@ func UpdateUser(id string, user *User, columns []string, isAdmin bool) (bool, er
 	columns = append(columns, "updated_time")
 	user.UpdatedTime = util.GetCurrentTime()

+	if len(user.DeletedTime) > 0 {
+		columns = append(columns, "deleted_time")
+	}
+
 	if util.ContainsString(columns, "groups") {
 		_, err := userEnforcer.UpdateGroupsForUser(user.GetId(), user.Groups)
 		if err != nil {
--- a/object/user_upload.go
+++ b/object/user_upload.go
@@ -134,6 +134,7 @@ func UploadUsers(owner string, path string) (bool, error) {
 			LastSigninIp:      parseLineItem(&line, 38),
 			Ldap:              "",
 			Properties:        map[string]string{},
+			DeletedTime:       parseLineItem(&line, 39),
 		}

 		if _, ok := oldUserMap[user.GetId()]; !ok {
--- a/routers/authz_filter.go
+++ b/routers/authz_filter.go
@@ -164,6 +164,10 @@ func getUrlPath(urlPath string) string {
 		return "/api/webauthn"
 	}

+	if strings.HasPrefix(urlPath, "/api/saml/redirect") {
+		return "/api/saml/redirect"
+	}
+
 	return urlPath
 }

--- a/routers/cors_filter.go
+++ b/routers/cors_filter.go
@@ -24,16 +24,18 @@ import (
 )

 const (
-	headerOrigin       = "Origin"
-	headerAllowOrigin  = "Access-Control-Allow-Origin"
-	headerAllowMethods = "Access-Control-Allow-Methods"
-	headerAllowHeaders = "Access-Control-Allow-Headers"
+	headerOrigin           = "Origin"
+	headerAllowOrigin      = "Access-Control-Allow-Origin"
+	headerAllowMethods     = "Access-Control-Allow-Methods"
+	headerAllowHeaders     = "Access-Control-Allow-Headers"
+	headerAllowCredentials = "Access-Control-Allow-Credentials"
 )

 func setCorsHeaders(ctx *context.Context, origin string) {
 	ctx.Output.Header(headerAllowOrigin, origin)
 	ctx.Output.Header(headerAllowMethods, "POST, GET, OPTIONS, DELETE")
 	ctx.Output.Header(headerAllowHeaders, "Content-Type, Authorization")
+	ctx.Output.Header(headerAllowCredentials, "true")

 	if ctx.Input.Method() == "OPTIONS" {
 		ctx.ResponseWriter.WriteHeader(http.StatusOK)
--- a/routers/router.go
+++ b/routers/router.go
@@ -13,7 +13,7 @@
 // limitations under the License.

 // Package routers
-// @APIVersion 1.376.1
+// @APIVersion 1.503.0
 // @Title Casdoor RESTful API
 // @Description Swagger Docs of Casdoor Backend API
 // @Contact casbin@googlegroups.com
@@ -60,6 +60,7 @@ func initAPI() {
 	beego.Router("/api/get-saml-login", &controllers.ApiController{}, "GET:GetSamlLogin")
 	beego.Router("/api/acs", &controllers.ApiController{}, "POST:HandleSamlLogin")
 	beego.Router("/api/saml/metadata", &controllers.ApiController{}, "GET:GetSamlMeta")
+	beego.Router("/api/saml/redirect/:owner/:application", &controllers.ApiController{}, "*:HandleSamlRedirect")
 	beego.Router("/api/webhook", &controllers.ApiController{}, "POST:HandleOfficialAccountEvent")
 	beego.Router("/api/get-webhook-event", &controllers.ApiController{}, "GET:GetWebhookEventType")
 	beego.Router("/api/get-captcha-status", &controllers.ApiController{}, "GET:GetCaptchaStatus")
--- a/storage/storage.go
+++ b/storage/storage.go
@@ -34,6 +34,8 @@ func GetStorageProvider(providerType string, clientId string, clientSecret strin
 		return NewQiniuCloudKodoStorageProvider(clientId, clientSecret, region, bucket, endpoint)
 	case "Google Cloud Storage":
 		return NewGoogleCloudStorageProvider(clientSecret, bucket, endpoint)
+	case "Synology":
+		return NewSynologyNasStorageProvider(clientId, clientSecret, endpoint)
 	}

 	return nil
--- a/storage/synology_nas.go
+++ b/storage/synology_nas.go
@@ -0,0 +1,31 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package storage
+
+import (
+	"github.com/casdoor/oss"
+	"github.com/casdoor/oss/synology"
+)
+
+func NewSynologyNasStorageProvider(clientId string, clientSecret string, endpoint string) oss.StorageInterface {
+	sp := synology.New(&synology.Config{
+		AccessID:     clientId,
+		AccessKey:    clientSecret,
+		Endpoint:     endpoint,
+		SharedFolder: "/home",
+	})
+
+	return sp
+}
--- a/swagger/swagger.json
+++ b/swagger/swagger.json
--- a/swagger/swagger.yml
+++ b/swagger/swagger.yml
@@ -2,7 +2,7 @@ swagger: "2.0"
 info:
  title: Casdoor RESTful API
  description: Swagger Docs of Casdoor Backend API
-  version: 1.376.1
+  version: 1.503.0
  contact:
    email: casbin@googlegroups.com
 basePath: /
@@ -31,6 +31,17 @@ paths:
          description: ""
          schema:
            $ref: '#/definitions/object.OidcDiscovery'
+  /api/Callback:
+    post:
+      tags:
+      - Callback API
+      description: Get Login Error Counts
+      operationId: ApiController.Callback
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/object.Userinfo'
  /api/add-adapter:
    post:
      tags:
@@ -121,6 +132,24 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/add-invitation:
+    post:
+      tags:
+      - Invitation API
+      description: add invitation
+      operationId: ApiController.AddInvitation
+      parameters:
+      - in: body
+        name: body
+        description: The details of the invitation
+        required: true
+        schema:
+          $ref: '#/definitions/object.Invitation'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/add-ldap:
    post:
      tags:
@@ -442,162 +471,10 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
-  /api/api/Callback:
-    post:
-      tags:
-      - Callback API
-      description: Get Login Error Counts
-      operationId: ApiController.Callback
-      responses:
-        "200":
-          description: The Response object
-          schema:
-            $ref: '#/definitions/object.Userinfo'
-  /api/api/get-captcha:
-    get:
-      tags:
-      - Login API
-      operationId: ApiController.GetCaptcha
-      responses:
-        "200":
-          description: The Response object
-          schema:
-            $ref: '#/definitions/object.Userinfo'
-  /api/api/get-captcha-status:
-    get:
-      tags:
-      - Token API
-      description: Get Login Error Counts
-      operationId: ApiController.GetCaptchaStatus
-      parameters:
-      - in: query
-        name: id
-        description: The id ( owner/name ) of user
-        required: true
-        type: string
-      responses:
-        "200":
-          description: The Response object
-          schema:
-            $ref: '#/definitions/controllers.Response'
-  /api/api/get-webhook-event:
-    get:
-      tags:
-      - GetWebhookEventType API
-      operationId: ApiController.GetWebhookEventType
-      responses:
-        "200":
-          description: The Response object
-          schema:
-            $ref: '#/definitions/object.Userinfo'
-  /api/api/reset-email-or-phone:
-    post:
-      tags:
-      - Account API
-      operationId: ApiController.ResetEmailOrPhone
-      responses:
-        "200":
-          description: The Response object
-          schema:
-            $ref: '#/definitions/object.Userinfo'
-  /api/api/send-email:
-    post:
-      tags:
-      - Service API
-      description: This API is not for Casdoor frontend to call, it is for Casdoor SDKs.
-      operationId: ApiController.SendEmail
-      parameters:
-      - in: query
-        name: clientId
-        description: The clientId of the application
-        required: true
-        type: string
-      - in: query
-        name: clientSecret
-        description: The clientSecret of the application
-        required: true
-        type: string
-      - in: body
-        name: from
-        description: Details of the email request
-        required: true
-        schema:
-          $ref: '#/definitions/controllers.EmailForm'
-      responses:
-        "200":
-          description: The Response object
-          schema:
-            $ref: '#/definitions/controllers.Response'
-  /api/api/send-notification:
-    post:
-      tags:
-      - Service API
-      description: This API is not for Casdoor frontend to call, it is for Casdoor SDKs.
-      operationId: ApiController.SendNotification
-      parameters:
-      - in: body
-        name: from
-        description: Details of the notification request
-        required: true
-        schema:
-          $ref: '#/definitions/controllers.NotificationForm'
-      responses:
-        "200":
-          description: The Response object
-          schema:
-            $ref: '#/definitions/controllers.Response'
-  /api/api/send-sms:
-    post:
-      tags:
-      - Service API
-      description: This API is not for Casdoor frontend to call, it is for Casdoor SDKs.
-      operationId: ApiController.SendSms
-      parameters:
-      - in: query
-        name: clientId
-        description: The clientId of the application
-        required: true
-        type: string
-      - in: query
-        name: clientSecret
-        description: The clientSecret of the application
-        required: true
-        type: string
-      - in: body
-        name: from
-        description: Details of the sms request
-        required: true
-        schema:
-          $ref: '#/definitions/controllers.SmsForm'
-      responses:
-        "200":
-          description: The Response object
-          schema:
-            $ref: '#/definitions/controllers.Response'
-  /api/api/verify-code:
-    post:
-      tags:
-      - Verification API
-      operationId: ApiController.VerifyCode
-      responses:
-        "200":
-          description: The Response object
-          schema:
-            $ref: '#/definitions/object.Userinfo'
-  /api/api/webhook:
-    post:
-      tags:
-      - HandleOfficialAccountEvent API
-      operationId: ApiController.HandleOfficialAccountEvent
-      responses:
-        "200":
-          description: The Response object
-          schema:
-            $ref: '#/definitions/object.Userinfo'
  /api/batch-enforce:
    post:
      tags:
-      - Enforce API
+      - Enforcer API
      description: Call Casbin BatchEnforce API
      operationId: ApiController.BatchEnforce
      parameters:
@@ -617,6 +494,10 @@ paths:
        name: modelId
        description: model id
        type: string
+      - in: query
+        name: owner
+        description: owner
+        type: string
      responses:
        "200":
          description: The Response object
@@ -744,6 +625,24 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/delete-invitation:
+    post:
+      tags:
+      - Invitation API
+      description: delete invitation
+      operationId: ApiController.DeleteInvitation
+      parameters:
+      - in: body
+        name: body
+        description: The details of the invitation
+        required: true
+        schema:
+          $ref: '#/definitions/object.Invitation'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/delete-ldap:
    post:
      tags:
@@ -1064,7 +963,7 @@ paths:
  /api/enforce:
    post:
      tags:
-      - Enforce API
+      - Enforcer API
      description: Call Casbin Enforce API
      operationId: ApiController.Enforce
      parameters:
@@ -1088,6 +987,10 @@ paths:
        name: resourceId
        description: resource id
        type: string
+      - in: query
+        name: owner
+        description: owner
+        type: string
      responses:
        "200":
          description: The Response object
@@ -1213,6 +1116,33 @@ paths:
            type: array
            items:
              $ref: '#/definitions/object.Application'
+  /api/get-captcha:
+    get:
+      tags:
+      - Login API
+      operationId: ApiController.GetCaptcha
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/object.Userinfo'
+  /api/get-captcha-status:
+    get:
+      tags:
+      - Token API
+      description: Get Login Error Counts
+      operationId: ApiController.GetCaptchaStatus
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of user
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/get-cert:
    get:
      tags:
@@ -1252,7 +1182,7 @@ paths:
  /api/get-dashboard:
    get:
      tags:
-      - GetDashboard API
+      - System API
      description: get information of dashboard
      operationId: ApiController.GetDashboard
      responses:
@@ -1410,6 +1340,42 @@ paths:
            type: array
            items:
              $ref: '#/definitions/object.Group'
+  /api/get-invitation:
+    get:
+      tags:
+      - Invitation API
+      description: get invitation
+      operationId: ApiController.GetInvitation
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of the invitation
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/object.Invitation'
+  /api/get-invitations:
+    get:
+      tags:
+      - Invitation API
+      description: get invitations
+      operationId: ApiController.GetInvitations
+      parameters:
+      - in: query
+        name: owner
+        description: The owner of invitations
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            type: array
+            items:
+              $ref: '#/definitions/object.Invitation'
  /api/get-ldap:
    get:
      tags:
@@ -1785,7 +1751,7 @@ paths:
  /api/get-prometheus-info:
    get:
      tags:
-      - Prometheus API
+      - System API
      description: get Prometheus Info
      operationId: ApiController.GetPrometheusInfo
      responses:
@@ -2269,6 +2235,16 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/object.Webhook'
+  /api/get-webhook-event:
+    get:
+      tags:
+      - System API
+      operationId: ApiController.GetWebhookEventType
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/object.Userinfo'
  /api/get-webhooks:
    get:
      tags:
@@ -2396,8 +2372,50 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/login/oauth/access_token:
+    post:
+      tags:
+      - Token API
+      description: get OAuth access token
+      operationId: ApiController.GetOAuthToken
+      parameters:
+      - in: query
+        name: grant_type
+        description: OAuth grant type
+        required: true
+        type: string
+      - in: query
+        name: client_id
+        description: OAuth client id
+        required: true
+        type: string
+      - in: query
+        name: client_secret
+        description: OAuth client secret
+        required: true
+        type: string
+      - in: query
+        name: code
+        description: OAuth code
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/object.TokenWrapper'
+        "400":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/object.TokenError'
+        "401":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/object.TokenError'
  /api/login/oauth/introspect:
    post:
+      tags:
+      - Login API
      description: The introspection endpoint is an OAuth 2.0 endpoint that takes a
      operationId: ApiController.IntrospectToken
      parameters:
@@ -2543,6 +2561,16 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/reset-email-or-phone:
+    post:
+      tags:
+      - Account API
+      operationId: ApiController.ResetEmailOrPhone
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/object.Userinfo'
  /api/run-syncer:
    get:
      tags:
@@ -2561,6 +2589,80 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/send-email:
+    post:
+      tags:
+      - Service API
+      description: This API is not for Casdoor frontend to call, it is for Casdoor SDKs.
+      operationId: ApiController.SendEmail
+      parameters:
+      - in: query
+        name: clientId
+        description: The clientId of the application
+        required: true
+        type: string
+      - in: query
+        name: clientSecret
+        description: The clientSecret of the application
+        required: true
+        type: string
+      - in: body
+        name: from
+        description: Details of the email request
+        required: true
+        schema:
+          $ref: '#/definitions/controllers.EmailForm'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
+  /api/send-notification:
+    post:
+      tags:
+      - Service API
+      description: This API is not for Casdoor frontend to call, it is for Casdoor SDKs.
+      operationId: ApiController.SendNotification
+      parameters:
+      - in: body
+        name: from
+        description: Details of the notification request
+        required: true
+        schema:
+          $ref: '#/definitions/controllers.NotificationForm'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
+  /api/send-sms:
+    post:
+      tags:
+      - Service API
+      description: This API is not for Casdoor frontend to call, it is for Casdoor SDKs.
+      operationId: ApiController.SendSms
+      parameters:
+      - in: query
+        name: clientId
+        description: The clientId of the application
+        required: true
+        type: string
+      - in: query
+        name: clientSecret
+        description: The clientSecret of the application
+        required: true
+        type: string
+      - in: body
+        name: from
+        description: Details of the sms request
+        required: true
+        schema:
+          $ref: '#/definitions/controllers.SmsForm'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/send-verification-code:
    post:
      tags:
@@ -2778,6 +2880,29 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/update-invitation:
+    post:
+      tags:
+      - Invitation API
+      description: update invitation
+      operationId: ApiController.UpdateInvitation
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of the invitation
+        required: true
+        type: string
+      - in: body
+        name: body
+        description: The details of the invitation
+        required: true
+        schema:
+          $ref: '#/definitions/object.Invitation'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/update-ldap:
    post:
      tags:
@@ -3245,6 +3370,33 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/object.Userinfo'
+  /api/verify-code:
+    post:
+      tags:
+      - Verification API
+      operationId: ApiController.VerifyCode
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/object.Userinfo'
+  /api/verify-invitation:
+    get:
+      tags:
+      - Invitation API
+      description: verify invitation
+      operationId: ApiController.VerifyInvitation
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of the invitation
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/webauthn/signin/begin:
    get:
      tags:
@@ -3314,46 +3466,16 @@ paths:
          description: '"The Response object"'
          schema:
            $ref: '#/definitions/controllers.Response'
-  /apiapi/login/oauth/access_token:
+  /api/webhook:
    post:
      tags:
-      - Token API
-      description: get OAuth access token
-      operationId: ApiController.GetOAuthToken
-      parameters:
-      - in: query
-        name: grant_type
-        description: OAuth grant type
-        required: true
-        type: string
-      - in: query
-        name: client_id
-        description: OAuth client id
-        required: true
-        type: string
-      - in: query
-        name: client_secret
-        description: OAuth client secret
-        required: true
-        type: string
-      - in: query
-        name: code
-        description: OAuth code
-        required: true
-        type: string
+      - System API
+      operationId: ApiController.HandleOfficialAccountEvent
      responses:
        "200":
          description: The Response object
          schema:
-            $ref: '#/definitions/object.TokenWrapper'
-        "400":
-          description: The Response object
-          schema:
-            $ref: '#/definitions/object.TokenError'
-        "401":
-          description: The Response object
-          schema:
-            $ref: '#/definitions/object.TokenError'
+            $ref: '#/definitions/object.Userinfo'
 definitions:
  casbin.Enforcer:
    title: Enforcer
@@ -3546,10 +3668,10 @@ definitions:
      expireInHours:
        type: integer
        format: int64
-      failedSigninLimit:
+      failedSigninFrozenTime:
        type: integer
        format: int64
-      failedSigninfrozenTime:
+      failedSigninLimit:
        type: integer
        format: int64
      forgetUrl:
@@ -3606,6 +3728,10 @@ definitions:
        type: string
      signinHtml:
        type: string
+      signinMethods:
+        type: array
+        items:
+          $ref: '#/definitions/object.SigninMethod'
      signinUrl:
        type: string
      signupHtml:
@@ -3624,6 +3750,10 @@ definitions:
        type: string
      themeData:
        $ref: '#/definitions/object.ThemeData'
+      tokenFields:
+        type: array
+        items:
+          type: string
      tokenFormat:
        type: string
  object.Cert:
@@ -3780,6 +3910,40 @@ definitions:
        type: string
      username:
        type: string
+  object.Invitation:
+    title: Invitation
+    type: object
+    properties:
+      application:
+        type: string
+      code:
+        type: string
+      createdTime:
+        type: string
+      displayName:
+        type: string
+      email:
+        type: string
+      name:
+        type: string
+      owner:
+        type: string
+      phone:
+        type: string
+      quota:
+        type: integer
+        format: int64
+      signupGroup:
+        type: string
+      state:
+        type: string
+      updatedTime:
+        type: string
+      usedCount:
+        type: integer
+        format: int64
+      username:
+        type: string
  object.Ldap:
    title: Ldap
    type: object
@@ -4451,10 +4615,20 @@ definitions:
    properties:
      name:
        type: string
-      nameformat:
+      nameFormat:
        type: string
      value:
        type: string
+  object.SigninMethod:
+    title: SigninMethod
+    type: object
+    properties:
+      displayName:
+        type: string
+      name:
+        type: string
+      rule:
+        type: string
  object.SignupItem:
    title: SignupItem
    type: object
@@ -4467,6 +4641,8 @@ definitions:
        type: string
      prompted:
        type: boolean
+      regex:
+        type: string
      required:
        type: boolean
      rule:
@@ -4724,6 +4900,8 @@ definitions:
        type: string
      deezer:
        type: string
+      deletedTime:
+        type: string
      digitalocean:
        type: string
      dingtalk:
--- a/util/json.go
+++ b/util/json.go
@@ -14,7 +14,10 @@

 package util

-import "encoding/json"
+import (
+	"encoding/json"
+	"reflect"
+)

 func StructToJson(v interface{}) string {
 	data, err := json.Marshal(v)
@@ -37,3 +40,30 @@ func StructToJsonFormatted(v interface{}) string {
 func JsonToStruct(data string, v interface{}) error {
 	return json.Unmarshal([]byte(data), v)
 }
+
+func TryJsonToAnonymousStruct(j string) (interface{}, error) {
+	var data map[string]interface{}
+	if err := json.Unmarshal([]byte(j), &data); err != nil {
+		return nil, err
+	}
+
+	// Create a slice of StructFields
+	fields := make([]reflect.StructField, 0, len(data))
+	for k, v := range data {
+		fields = append(fields, reflect.StructField{
+			Name: k,
+			Type: reflect.TypeOf(v),
+		})
+	}
+
+	// Create the struct type
+	t := reflect.StructOf(fields)
+
+	// Unmarshal again, this time to the new struct type
+	val := reflect.New(t)
+	i := val.Interface()
+	if err := json.Unmarshal([]byte(j), &i); err != nil {
+		return nil, err
+	}
+	return i, nil
+}
--- a/util/path.go
+++ b/util/path.go
@@ -16,7 +16,6 @@ package util

 import (
 	"fmt"
-	"io/ioutil"
 	"net/url"
 	"os"
 	"path/filepath"
@@ -40,7 +39,7 @@ func GetPath(path string) string {
 func ListFiles(path string) []string {
 	res := []string{}

-	files, err := ioutil.ReadDir(path)
+	files, err := os.ReadDir(path)
 	if err != nil {
 		panic(err)
 	}
--- a/util/setting.go
+++ b/util/setting.go
@@ -14,10 +14,10 @@

 package util

-import "io/ioutil"
+import "os"

 func GetUploadXlsxPath(fileId string) string {
-	file, err := ioutil.TempFile("", fileId)
+	file, err := os.CreateTemp("", fileId)
 	if err != nil {
 		panic(err)
 	}
--- a/util/string.go
+++ b/util/string.go
@@ -324,9 +324,16 @@ func GetUsernameFromEmail(email string) string {
 }

 func StringToInterfaceArray(array []string) []interface{} {
-	var interfaceArray []interface{}
-	for _, v := range array {
-		interfaceArray = append(interfaceArray, v)
+	var (
+		interfaceArray []interface{}
+		elem           interface{}
+	)
+	for _, elem = range array {
+		jStruct, err := TryJsonToAnonymousStruct(elem.(string))
+		if err == nil {
+			elem = jStruct
+		}
+		interfaceArray = append(interfaceArray, elem)
 	}
 	return interfaceArray
 }
--- a/util/system.go
+++ b/util/system.go
@@ -119,6 +119,9 @@ func GetVersionInfo() (*VersionInfo, error) {
 	}

 	cIter, err := r.Log(&git.LogOptions{From: ref.Hash()})
+	if err != nil {
+		return res, err
+	}

 	commitOffset := 0
 	version := ""
--- a/util/system_test.go
+++ b/util/system_test.go
@@ -70,6 +70,9 @@ func TestGetVersion(t *testing.T) {

 	testHash := plumbing.NewHash("f8bc87eb4e5ba3256424cf14aafe0549f812f1cf")
 	cIter, err := r.Log(&git.LogOptions{From: testHash})
+	if err != nil {
+		t.Log(err)
+	}

 	aheadCnt := 0
 	releaseVersion := ""
--- a/util/validation.go
+++ b/util/validation.go
@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"net/mail"
 	"regexp"
+	"strings"

 	"github.com/nyaruka/phonenumbers"
 )
@@ -53,6 +54,23 @@ func IsPhoneAllowInRegin(countryCode string, allowRegions []string) bool {
 	return ContainsString(allowRegions, countryCode)
 }

+func IsRegexp(s string) (bool, error) {
+	if _, err := regexp.Compile(s); err != nil {
+		return false, err
+	}
+	return regexp.QuoteMeta(s) != s, nil
+}
+
+func IsInvitationCodeMatch(pattern string, invitationCode string) (bool, error) {
+	if !strings.HasPrefix(pattern, "^") {
+		pattern = "^" + pattern
+	}
+	if !strings.HasSuffix(pattern, "$") {
+		pattern = pattern + "$"
+	}
+	return regexp.MatchString(pattern, invitationCode)
+}
+
 func GetE164Number(phone string, countryCode string) (string, bool) {
 	phoneNumber, _ := phonenumbers.Parse(phone, countryCode)
 	return phonenumbers.Format(phoneNumber, phonenumbers.E164), phonenumbers.IsValidNumber(phoneNumber)
--- a/web/src/App.js
+++ b/web/src/App.js
@@ -368,7 +368,11 @@ class App extends Component {
    if (this.state.account === undefined) {
      return null;
    } else if (this.state.account === null) {
-      return null;
+      return (
+        <React.Fragment>
+          <LanguageSelect />
+        </React.Fragment>
+      );
    } else {
      return (
        <React.Fragment>
--- a/web/src/ApplicationEditPage.js
+++ b/web/src/ApplicationEditPage.js
@@ -13,7 +13,7 @@
 // limitations under the License.

 import React from "react";
-import {Button, Card, Col, ConfigProvider, Input, InputNumber, List, Popover, Radio, Result, Row, Select, Space, Switch, Upload} from "antd";
+import {Button, Card, Col, ConfigProvider, Input, InputNumber, Popover, Radio, Result, Row, Select, Switch, Upload} from "antd";
 import {CopyOutlined, LinkOutlined, UploadOutlined} from "@ant-design/icons";
 import * as ApplicationBackend from "./backend/ApplicationBackend";
 import * as CertBackend from "./backend/CertBackend";
@@ -27,7 +27,7 @@ import LoginPage from "./auth/LoginPage";
 import i18next from "i18next";
 import UrlTable from "./table/UrlTable";
 import ProviderTable from "./table/ProviderTable";
-import SigninTable from "./table/SigninTable";
+import SigninMethodTable from "./table/SigninMethodTable";
 import SignupTable from "./table/SignupTable";
 import SamlAttributeTable from "./table/SamlAttributeTable";
 import PromptPage from "./auth/PromptPage";
@@ -116,7 +116,6 @@ class ApplicationEditPage extends React.Component {
    this.getApplication();
    this.getOrganizations();
    this.getProviders();
-    this.getSamlMetadata();
  }

  getApplication() {
@@ -141,15 +140,13 @@ class ApplicationEditPage extends React.Component {
          application.tags = [];
        }

-        if (application.invitationCodes === null) {
-          application.invitationCodes = [];
-        }
-
        this.setState({
          application: application,
        });

        this.getCerts(application.organization);
+
+        this.getSamlMetadata(application.enableSamlPostBinding);
      });
  }

@@ -190,8 +187,8 @@ class ApplicationEditPage extends React.Component {
      });
  }

-  getSamlMetadata() {
-    ApplicationBackend.getSamlMetadata("admin", this.state.applicationName)
+  getSamlMetadata(checked) {
+    ApplicationBackend.getSamlMetadata("admin", this.state.applicationName, checked)
      .then((data) => {
        this.setState({
          samlMetadata: data,
@@ -386,10 +383,22 @@ class ApplicationEditPage extends React.Component {
          </Col>
          <Col span={22} >
            <Select virtual={false} style={{width: "100%"}} value={this.state.application.tokenFormat} onChange={(value => {this.updateApplicationField("tokenFormat", value);})}
-              options={["JWT", "JWT-Empty"].map((item) => Setting.getOption(item, item))}
+              options={["JWT", "JWT-Empty", "JWT-Custom"].map((item) => Setting.getOption(item, item))}
            />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("application:Token fields"), i18next.t("application:Token fields - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Select virtual={false} disabled={this.state.application.tokenFormat !== "JWT-Custom"} mode="tags" showSearch style={{width: "100%"}} value={this.state.application.tokenFields} onChange={(value => {this.updateApplicationField("tokenFields", value);})}>
+              {
+                Setting.getUserCommonFields().map((item, index) => <Option key={index} value={item}>{item}</Option>)
+              }
+            </Select>
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("application:Token expire"), i18next.t("application:Token expire - Tooltip"))} :
@@ -425,8 +434,8 @@ class ApplicationEditPage extends React.Component {
            {Setting.getLabel(i18next.t("application:Failed signin frozen time"), i18next.t("application:Failed signin frozen time - Tooltip"))} :
          </Col>
          <Col span={22} >
-            <InputNumber style={{width: "150px"}} value={this.state.application.failedSigninfrozenTime} min={1} step={1} precision={0} addonAfter="Minutes" onChange={value => {
-              this.updateApplicationField("failedSigninfrozenTime", value);
+            <InputNumber style={{width: "150px"}} value={this.state.application.failedSigninFrozenTime} min={1} step={1} precision={0} addonAfter="Minutes" onChange={value => {
+              this.updateApplicationField("failedSigninFrozenTime", value);
            }} />
          </Col>
        </Row>
@@ -475,7 +484,7 @@ class ApplicationEditPage extends React.Component {
            {Setting.getLabel(i18next.t("application:Signin methods"), i18next.t("application:Signin methods - Tooltip"))} :
          </Col>
          <Col span={22} >
-            <SigninTable
+            <SigninMethodTable
              title={i18next.t("application:Signin methods")}
              table={this.state.application.signinMethods}
              onUpdateTable={(value) => {
@@ -655,6 +664,17 @@ class ApplicationEditPage extends React.Component {
            }} />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
+            {Setting.getLabel(i18next.t("application:Enable SAML POST binding"), i18next.t("application:Enable SAML POST binding - Tooltip"))} :
+          </Col>
+          <Col span={1} >
+            <Switch checked={this.state.application.enableSamlPostBinding} onChange={checked => {
+              this.updateApplicationField("enableSamlPostBinding", checked);
+              this.getSamlMetadata(checked);
+            }} />
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("general:SAML attributes"), i18next.t("general:SAML attributes - Tooltip"))} :
@@ -680,7 +700,7 @@ class ApplicationEditPage extends React.Component {
            />
            <br />
            <Button style={{marginBottom: "10px"}} type="primary" shape="round" icon={<CopyOutlined />} onClick={() => {
-              copy(`${window.location.origin}/api/saml/metadata?application=admin/${encodeURIComponent(this.state.applicationName)}`);
+              copy(`${window.location.origin}/api/saml/metadata?application=admin/${encodeURIComponent(this.state.applicationName)}&post=${this.state.application.enableSamlPostBinding}`);
              Setting.showMessage("success", i18next.t("general:Copied to clipboard successfully"));
            }}
            >
@@ -785,7 +805,7 @@ class ApplicationEditPage extends React.Component {
          </Col>
          <Col span={22} >
            <Row style={{marginTop: "20px"}} >
-              <Radio.Group onChange={e => {this.updateApplicationField("formOffset", e.target.value);}} value={this.state.application.formOffset}>
+              <Radio.Group buttonStyle="solid" onChange={e => {this.updateApplicationField("formOffset", e.target.value);}} value={this.state.application.formOffset}>
                <Radio.Button value={1}>{i18next.t("application:Left")}</Radio.Button>
                <Radio.Button value={2}>{i18next.t("application:Center")}</Radio.Button>
                <Radio.Button value={3}>{i18next.t("application:Right")}</Radio.Button>
@@ -825,7 +845,7 @@ class ApplicationEditPage extends React.Component {
          </Col>
          <Col span={22} style={{marginTop: "5px"}}>
            <Row>
-              <Radio.Group value={this.state.application.themeData?.isEnabled ?? false} onChange={e => {
+              <Radio.Group buttonStyle="solid" value={this.state.application.themeData?.isEnabled ?? false} onChange={e => {
                const {_, ...theme} = this.state.application.themeData ?? {...Conf.ThemeDefault, isEnabled: false};
                this.updateApplicationField("themeData", {...theme, isEnabled: e.target.value});
              }} >
@@ -861,52 +881,6 @@ class ApplicationEditPage extends React.Component {
                  />
                </Col>
              </Row>
-              <Row style={{marginTop: "20px"}} >
-                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-                  {Setting.getLabel(i18next.t("application:Invitation code"), i18next.t("application:Invitation code - Tooltip"))} :
-                </Col>
-                <Col span={22} >
-                  <List
-                    header={
-                      <Button type="primary" onClick={() => {
-                        this.updateApplicationField("invitationCodes", Setting.addRow(this.state.application.invitationCodes, Setting.getRandomName()));
-                      }
-                      }>
-                        {i18next.t("general:Add")}
-                      </Button>
-                    }
-                    dataSource={this.state.application.invitationCodes.map(code => {
-                      return {code: code};
-                    })}
-                    renderItem={(item, index) => (
-                      <List.Item key={index}>
-                        <Space>
-                          <Input value={item.code} onChange={e => {
-                            const invitationCodes = [...this.state.application.invitationCodes];
-                            invitationCodes[index] = e.target.value;
-                            this.updateApplicationField("invitationCodes", invitationCodes);
-                          }} />
-                        </Space>
-                        <Space>
-                          <Button icon={<CopyOutlined />} onClick={() => {
-                            copy(item.code);
-                            Setting.showMessage("success", i18next.t("general:Copied to clipboard successfully"));
-                          }
-                          }>
-                            {i18next.t("general:Copy")}
-                          </Button>
-                          <Button type="primary" danger onClick={() => {
-                            this.updateApplicationField("invitationCodes", this.state.application.invitationCodes.filter(code => code !== item.code));
-                          }
-                          }>
-                            {i18next.t("general:Delete")}
-                          </Button>
-                        </Space>
-                      </List.Item>
-                    )}
-                  />
-                </Col>
-              </Row>
            </React.Fragment>
          )
        }
--- a/web/src/ApplicationListPage.js
+++ b/web/src/ApplicationListPage.js
@@ -50,7 +50,6 @@ class ApplicationListPage extends BaseListPage {
        {name: "Password", displayName: "Password", rule: "All"},
        {name: "Verification code", displayName: "Verification code", rule: "All"},
        {name: "WebAuthn", displayName: "WebAuthn", rule: "None"},
-        {name: "LDAP", displayName: "LDAP", rule: "None"},
      ],
      signupItems: [
        {name: "ID", visible: false, required: true, rule: "Random"},
@@ -65,6 +64,7 @@ class ApplicationListPage extends BaseListPage {
      cert: "cert-built-in",
      redirectUris: ["http://localhost:9000/callback"],
      tokenFormat: "JWT",
+      tokenFields: [],
      expireInHours: 24 * 7,
      refreshExpireInHours: 24 * 7,
      formOffset: 2,
--- a/web/src/InvitationEditPage.js
+++ b/web/src/InvitationEditPage.js
@@ -107,7 +107,7 @@ class InvitationEditPage extends React.Component {
            {Setting.getLabel(i18next.t("general:Organization"), i18next.t("general:Organization - Tooltip"))} :
          </Col>
          <Col span={22} >
-            <Select virtual={false} style={{width: "100%"}} disabled={!Setting.isAdminUser(this.props.account) || isCreatedByPlan} value={this.state.invitation.owner} onChange={(value => {this.updateInvitationField("owner", value);})}>
+            <Select virtual={false} style={{width: "100%"}} disabled={!Setting.isAdminUser(this.props.account) || isCreatedByPlan} value={this.state.invitation.owner} onChange={(value => {this.updateInvitationField("owner", value); this.getApplicationsByOrganization(value);})}>
              {
                this.state.organizations.map((organization, index) => <Option key={index} value={organization.name}>{organization.name}</Option>)
              }
@@ -171,8 +171,10 @@ class InvitationEditPage extends React.Component {
          <Col span={22} >
            <Select virtual={false} style={{width: "100%"}} value={this.state.invitation.application}
              onChange={(value => {this.updateInvitationField("application", value);})}
-              options={this.state.applications.map((application) => Setting.getOption(application.name, application.name))
-              } />
+              options={[
+                {label: "All", value: i18next.t("general:All")},
+                ...this.state.applications.map((application) => Setting.getOption(application.name, application.name)),
+              ]} />
          </Col>
        </Row>
        <Row style={{marginTop: "20px"}} >
--- a/web/src/InvitationListPage.js
+++ b/web/src/InvitationListPage.js
@@ -37,7 +37,7 @@ class InvitationListPage extends BaseListPage {
      code: Math.random().toString(36).slice(-10),
      quota: 1,
      usedCount: 0,
-      application: "",
+      application: "All",
      username: "",
      email: "",
      phone: "",
--- a/web/src/OrganizationEditPage.js
+++ b/web/src/OrganizationEditPage.js
@@ -184,7 +184,7 @@ class OrganizationEditPage extends React.Component {
          </Col>
          <Col span={22} >
            <Select virtual={false} style={{width: "100%"}} value={this.state.organization.passwordType} onChange={(value => {this.updateOrganizationField("passwordType", value);})}
-              options={["plain", "salt", "md5-salt", "bcrypt", "pbkdf2-salt", "argon2id"].map(item => Setting.getOption(item, item))}
+              options={["plain", "salt", "sha512-salt", "md5-salt", "bcrypt", "pbkdf2-salt", "argon2id"].map(item => Setting.getOption(item, item))}
            />
          </Col>
        </Row>
@@ -393,7 +393,7 @@ class OrganizationEditPage extends React.Component {
          </Col>
          <Col span={22} style={{marginTop: "5px"}}>
            <Row>
-              <Radio.Group value={this.state.organization.themeData?.isEnabled ?? false} onChange={e => {
+              <Radio.Group buttonStyle="solid" value={this.state.organization.themeData?.isEnabled ?? false} onChange={e => {
                const {_, ...theme} = this.state.organization.themeData ?? {...Conf.ThemeDefault, isEnabled: false};
                this.updateOrganizationField("themeData", {...theme, isEnabled: e.target.value});
              }} >
--- a/web/src/ProviderEditPage.js
+++ b/web/src/ProviderEditPage.js
@@ -796,7 +796,7 @@ class ProviderEditPage extends React.Component {
                </Col>
              </Row>
            )}
-            {["Custom HTTP SMS", "Local File System", "MinIO", "Tencent Cloud COS", "Google Cloud Storage", "Qiniu Cloud Kodo"].includes(this.state.provider.type) ? null : (
+            {["Custom HTTP SMS", "Local File System", "MinIO", "Tencent Cloud COS", "Google Cloud Storage", "Qiniu Cloud Kodo", "Synology"].includes(this.state.provider.type) ? null : (
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={2}>
                  {Setting.getLabel(i18next.t("provider:Endpoint (Intranet)"), i18next.t("provider:Region endpoint for Intranet"))} :
@@ -832,7 +832,7 @@ class ProviderEditPage extends React.Component {
                </Col>
              </Row>
            )}
-            {["Custom HTTP SMS", "MinIO", "Google Cloud Storage", "Qiniu Cloud Kodo"].includes(this.state.provider.type) ? null : (
+            {["Custom HTTP SMS", "MinIO", "Google Cloud Storage", "Qiniu Cloud Kodo", "Synology"].includes(this.state.provider.type) ? null : (
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={2}>
                  {Setting.getLabel(i18next.t("provider:Domain"), i18next.t("provider:Domain - Tooltip"))} :
@@ -1041,7 +1041,7 @@ class ProviderEditPage extends React.Component {
                </Row>
                )
              }
-              {["Custom HTTP SMS", "Infobip SMS"].includes(this.state.provider.type) ?
+              {["Infobip SMS"].includes(this.state.provider.type) ?
                null :
                (<Row style={{marginTop: "20px"}} >
                  <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
--- a/web/src/Setting.js
+++ b/web/src/Setting.js
@@ -207,6 +207,10 @@ export const OtherProviderInfo = {
      logo: `${StaticBaseUrl}/img/social_google_cloud.png`,
      url: "https://cloud.google.com/storage",
    },
+    "Synology": {
+      logo: `${StaticBaseUrl}/img/social_synology.png`,
+      url: "https://www.synology.com/en-global/dsm/feature/file_sharing",
+    },
  },
  SAML: {
    "Aliyun IDaaS": {
@@ -1024,6 +1028,7 @@ export function getProviderTypeOptions(category) {
        {id: "Azure Blob", name: "Azure Blob"},
        {id: "Qiniu Cloud Kodo", name: "Qiniu Cloud Kodo"},
        {id: "Google Cloud Storage", name: "Google Cloud Storage"},
+        {id: "Synology", name: "Synology"},
      ]
    );
  } else if (category === "SAML") {
@@ -1131,36 +1136,28 @@ export function renderLogo(application) {
  }
 }

-export function isPasswordEnabled(application) {
-  if (application) {
-    return application.signinMethods.filter(item => item.name === "Password").length > 0;
+function isSigninMethodEnabled(application, signinMethod) {
+  if (application && application.signinMethods) {
+    return application.signinMethods.filter(item => item.name === signinMethod).length > 0;
  } else {
    return false;
  }
 }

+export function isPasswordEnabled(application) {
+  return isSigninMethodEnabled(application, "Password");
+}
+
 export function isCodeSigninEnabled(application) {
-  if (application) {
-    return application.signinMethods.filter(item => item.name === "Verification code").length > 0;
-  } else {
-    return false;
-  }
+  return isSigninMethodEnabled(application, "Verification code");
 }

 export function isWebAuthnEnabled(application) {
-  if (application) {
-    return application.signinMethods.filter(item => item.name === "WebAuthn").length > 0;
-  } else {
-    return false;
-  }
+  return isSigninMethodEnabled(application, "WebAuthn");
 }

 export function isLdapEnabled(application) {
-  if (application) {
-    return application.signinMethods.filter(item => item.name === "LDAP").length > 0;
-  } else {
-    return false;
-  }
+  return isSigninMethodEnabled(application, "LDAP");
 }

 export function getLoginLink(application) {
@@ -1450,6 +1447,13 @@ export function getFriendlyUserName(account) {
  }
 }

+export function getUserCommonFields() {
+  return ["Owner", "Name", "CreatedTime", "UpdatedTime", "DeletedTime", "Id", "Type", "Password", "PasswordSalt", "DisplayName", "FirstName", "LastName", "Avatar", "PermanentAvatar",
+    "Email", "EmailVerified", "Phone", "Location", "Address", "Affiliation", "Title", "IdCardType", "IdCard", "Homepage", "Bio", "Tag", "Region",
+    "Language", "Gender", "Birthday", "Education", "Score", "Ranking", "IsDefaultAvatar", "IsOnline", "IsAdmin", "IsForbidden", "IsDeleted", "CreatedIp",
+    "PreferredMfaType", "TotpSecret", "SignupApplication"];
+}
+
 export function getDefaultHtmlEmailContent() {
  return `<!DOCTYPE html>
 <html lang="en">
--- a/web/src/UserEditPage.js
+++ b/web/src/UserEditPage.js
@@ -27,6 +27,7 @@ import * as ApplicationBackend from "./backend/ApplicationBackend";
 import PasswordModal from "./common/modal/PasswordModal";
 import ResetModal from "./common/modal/ResetModal";
 import AffiliationSelect from "./common/select/AffiliationSelect";
+import moment from "moment";
 import OAuthWidget from "./common/OAuthWidget";
 import SamlWidget from "./common/SamlWidget";
 import RegionSelect from "./common/select/RegionSelect";
@@ -122,6 +123,17 @@ class UserEditPage extends React.Component {
        this.setState({
          applications: res.data || [],
        });
+
+        const applications = res.data;
+        if (this.state.user) {
+          if (this.state.user.signupApplication === "" || applications.filter(application => application.name === this.state.user.signupApplication).length === 0) {
+            if (applications.length > 0) {
+              this.updateUserField("signupApplication", applications[0].name);
+            } else {
+              this.updateUserField("signupApplication", "");
+            }
+          }
+        }
      });
  }

@@ -858,6 +870,7 @@ class UserEditPage extends React.Component {
          <Col span={(Setting.isMobile()) ? 22 : 2} >
            <Switch checked={this.state.user.isDeleted} onChange={checked => {
              this.updateUserField("isDeleted", checked);
+              this.updateUserField("deletedTime", checked ? moment().format() : "");
            }} />
          </Col>
        </Row>
@@ -890,11 +903,9 @@ class UserEditPage extends React.Component {
                      </Space>
                      {item.enabled ? (
                        <Space>
-                          {item.enabled ?
-                            <Tag icon={<CheckCircleOutlined />} color="success">
-                              {i18next.t("general:Enabled")}
-                            </Tag> : null
-                          }
+                          <Tag icon={<CheckCircleOutlined />} color="success">
+                            {i18next.t("general:Enabled")}
+                          </Tag>
                          {item.isPreferred ?
                            <Tag icon={<CheckCircleOutlined />} color="blue" style={{marginRight: 20}} >
                              {i18next.t("mfa:preferred")}
@@ -916,18 +927,23 @@ class UserEditPage extends React.Component {
                              {i18next.t("mfa:Set preferred")}
                            </Button>
                          }
+                          {this.isSelf() ? <Button type={"default"} onClick={() => {
+                            this.props.history.push(`/mfa/setup?mfaType=${item.mfaType}`);
+                          }}>
+                            {i18next.t("general:Edit")}
+                          </Button> : null}
                        </Space>
                      ) :
                        <Space>
-                          {item.mfaType !== TotpMfaType && Setting.isAdminUser(this.props.account) && window.location.href.indexOf("/users") !== -1 ?
+                          {item.mfaType !== TotpMfaType && Setting.isLocalAdminUser(this.props.account) && !this.isSelf() ?
                            <EnableMfaModal user={this.state.user} mfaType={item.mfaType} onSuccess={() => {
                              this.getUser();
                            }} /> : null}
-                          <Button type={"default"} onClick={() => {
+                          {this.isSelf() ? <Button type={"default"} onClick={() => {
                            this.props.history.push(`/mfa/setup?mfaType=${item.mfaType}`);
                          }}>
                            {i18next.t("mfa:Setup")}
-                          </Button>
+                          </Button> : null}
                        </Space>}
                    </List.Item>
                  )}
@@ -991,12 +1007,14 @@ class UserEditPage extends React.Component {
  renderUser() {
    return (
      <Card size="small" title={
-        <div>
-          {this.state.mode === "add" ? i18next.t("user:New User") : i18next.t("user:Edit User")}&nbsp;&nbsp;&nbsp;&nbsp;
-          <Button onClick={() => this.submitUserEdit(false)}>{i18next.t("general:Save")}</Button>
-          <Button style={{marginLeft: "20px"}} type="primary" onClick={() => this.submitUserEdit(true)}>{i18next.t("general:Save & Exit")}</Button>
-          {this.state.mode === "add" ? <Button style={{marginLeft: "20px"}} onClick={() => this.deleteUser()}>{i18next.t("general:Cancel")}</Button> : null}
-        </div>
+        (this.props.account === null) ? i18next.t("user:User Profile") : (
+          <div>
+            {this.state.mode === "add" ? i18next.t("user:New User") : i18next.t("user:Edit User")}&nbsp;&nbsp;&nbsp;&nbsp;
+            <Button onClick={() => this.submitUserEdit(false)}>{i18next.t("general:Save")}</Button>
+            <Button style={{marginLeft: "20px"}} type="primary" onClick={() => this.submitUserEdit(true)}>{i18next.t("general:Save & Exit")}</Button>
+            {this.state.mode === "add" ? <Button style={{marginLeft: "20px"}} onClick={() => this.deleteUser()}>{i18next.t("general:Cancel")}</Button> : null}
+          </div>
+        )
      } style={(Setting.isMobile()) ? {margin: "5px"} : {}} type="inner">
        {
          this.getUserOrganization()?.accountItems?.map(accountItem => {
@@ -1054,7 +1072,11 @@ class UserEditPage extends React.Component {
              if (userListUrl !== null) {
                this.props.history.push(userListUrl);
              } else {
-                this.props.history.push("/users");
+                if (Setting.isLocalAdminUser(this.props.account)) {
+                  this.props.history.push("/users");
+                } else {
+                  this.props.history.push("/");
+                }
              }
            } else {
              this.props.history.push(`/users/${this.state.user.owner}/${this.state.user.name}`);
@@ -1111,7 +1133,7 @@ class UserEditPage extends React.Component {
          )
        }
        {
-          this.state.user === null ? null :
+          (this.state.user === null || this.props.account === null) ? null :
            <div style={{marginTop: "20px", marginLeft: "40px"}}>
              <Button size="large" onClick={() => this.submitUserEdit(false)}>{i18next.t("general:Save")}</Button>
              <Button style={{marginLeft: "20px"}} type="primary" size="large" onClick={() => this.submitUserEdit(true)}>{i18next.t("general:Save & Exit")}</Button>
--- a/web/src/UserListPage.js
+++ b/web/src/UserListPage.js
@@ -70,7 +70,7 @@ class UserListPage extends BaseListPage {
      password: "123",
      passwordSalt: "",
      displayName: `New User - ${randomName}`,
-      avatar: `${Setting.StaticBaseUrl}/img/casbin.svg`,
+      avatar: this.state.organization.defaultAvatar ?? `${Setting.StaticBaseUrl}/img/casbin.svg`,
      email: `${randomName}@example.com`,
      phone: Setting.getRandomNumber(),
      countryCode: this.state.organization.countryCodes?.length > 0 ? this.state.organization.countryCodes[0] : "",
--- a/web/src/WebhookEditPage.js
+++ b/web/src/WebhookEditPage.js
@@ -62,6 +62,7 @@ const userTemplate = {
  "name": "admin",
  "createdTime": "2020-07-16T21:46:52+08:00",
  "updatedTime": "",
+  "deletedTime": "",
  "id": "9eb20f79-3bb5-4e74-99ac-39e3b9a171e8",
  "type": "normal-user",
  "password": "***",
--- a/web/src/auth/AuthBackend.js
+++ b/web/src/auth/AuthBackend.js
@@ -146,7 +146,7 @@ export function getWechatMessageEvent() {
 }

 export function getCaptchaStatus(values) {
-  return fetch(`${Setting.ServerUrl}/api/get-captcha-status?organization=${values["organization"]}&user_id=${values["username"]}`, {
+  return fetch(`${Setting.ServerUrl}/api/get-captcha-status?organization=${values["organization"]}&userId=${values["username"]}`, {
    method: "GET",
    credentials: "include",
    headers: {
--- a/web/src/auth/LoginPage.js
+++ b/web/src/auth/LoginPage.js
@@ -201,7 +201,7 @@ class LoginPage extends React.Component {
  }

  getDefaultLoginMethod(application) {
-    if (application?.signinMethods.length > 0) {
+    if (application?.signinMethods?.length > 0) {
      switch (application?.signinMethods[0].name) {
      case "Password": return "password";
      case "Verification code": {
@@ -588,6 +588,10 @@ class LoginPage extends React.Component {
                  },
                  {
                    validator: (_, value) => {
+                      if (value === "") {
+                        return Promise.resolve();
+                      }
+
                      if (this.state.loginMethod === "verificationCode") {
                        if (!Setting.isValidEmail(value) && !Setting.isValidPhone(value)) {
                          this.setState({validEmailOrPhone: false});
@@ -937,7 +941,7 @@ class LoginPage extends React.Component {
      [generateItemKey("LDAP", "None"), {label: i18next.t("login:LDAP"), key: "ldap"}],
    ]);

-    application?.signinMethods.forEach((signinMethod) => {
+    application?.signinMethods?.forEach((signinMethod) => {
      const item = itemsMap.get(generateItemKey(signinMethod.name, signinMethod.rule));
      if (item) {
        const label = signinMethod.name === signinMethod.displayName ? item.label : signinMethod.displayName;
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
dacongda	e593f5be5b	fix: improve code format (#2665 ) * feat: replace io/ioutils pacakage with io/os package * fix: add missing error handling	2024-02-01 23:06:12 +08:00
Dmitri Aleksandrov	0918757e85	feat: add template support for Custom HTTP SMS provider (#2662 )	2024-02-01 17:50:22 +08:00
dacongda	ce0d45a70b	feat: support SAML POST binding (#2661 ) * fix: support saml http post binding * fix: support saml http post binding * fix: support saml post binding sp	2024-02-01 17:28:56 +08:00
Konstantin	c4096788b2	feat: ABAC support for /api/enforce endpoint (#2660 )	2024-01-31 23:14:55 +08:00
dacongda	523186f895	feat: Support sha512 password encryption algorithm (#2657 ) * add sha512 encryption support for password * fead: add sha512 encryption support for password	2024-01-31 00:06:06 +08:00
Satinder Singh	ef373ca736	feat: add deletedTime to user (#2652 )	2024-01-30 23:18:32 +08:00
Yang Luo	721a681ff1	fix: improve error handling in GetUserApplication()	2024-01-30 21:40:39 +08:00
Yang Luo	8b1c4b0c75	feat: make phone field longer to 100	2024-01-30 19:06:18 +08:00
Yang Luo	540f22f8bd	feat: refactor GetTokenByTokenValue()	2024-01-29 10:03:33 +08:00
Yang Luo	79f81f1356	Improve error handling in IntrospectToken()	2024-01-29 09:58:40 +08:00
Yaodong Yu	4e145f71b5	feat: improve MFA UI and jump URL (#2647 ) * fix: mfa UI * fix: mfa UI	2024-01-28 16:46:35 +08:00
Yang Luo	104f975a2f	fix: fix wrong org issue for user's "signupApplication"	2024-01-28 01:51:03 +08:00
Yang Luo	71bb400559	feat: support using org's defaultAvatar when adding user in web UI	2024-01-28 01:07:20 +08:00
Yang Luo	93c3c78d42	feat: support "id_card" in UpdateUser()	2024-01-26 08:23:55 +08:00
Zhang Zhe	dd51bbbabf	feat: fix autoComplete for MFA passcode and SMS code (#2642 ) * update: mfa autoComplete="off" * Update SendCodeInput.js --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2024-01-23 19:52:16 +08:00
HGZ-20	5318519bf8	fix: fix bug in LDAP user login error count (#2636 ) Fix the issue where the login error count is not reset to 0 after a successful LDAP user login.	2024-01-22 13:42:11 +08:00
HGZ-20	d7c40459c0	feat: implement the enforcement for new invitation page (#2628 ) Added new invitation code implementation	2024-01-22 02:25:13 +08:00
LiusCraft	de2932b5fb	feat: use standalone Twitter OAuth provider instead of goth (#2632 )	2024-01-20 21:49:02 +08:00
Yang Luo	f4c873ffe6	Fix user profile page UI	2024-01-20 19:28:43 +08:00
Yang Luo	97c7f2631a	feat: fix organization.IsProfilePublic issue	2024-01-20 16:00:04 +08:00
Yang Luo	93f0425759	Remove old application's InvitationCodes	2024-01-20 10:58:08 +08:00
Yang Luo	6a00657e42	feat: fix forbidden and soft-delete check in forget password page	2024-01-19 22:13:02 +08:00
Yang Luo	88130bf020	feat: add forbidden check in SetPassword()	2024-01-19 16:30:22 +08:00
Yang Luo	5e99007fc9	Update goth to v1.78.0	2024-01-19 16:09:32 +08:00
Yang Luo	66aca3124c	fix: improve error handling in LarkIdProvider	2024-01-19 15:37:15 +08:00
github-actions[bot]	61deb75c84	refactor: New Crowdin translations (#2512 ) * refactor: New Crowdin translations by Github Action * refactor: New Crowdin Backend translations by Github Action --------- Co-authored-by: Crowdin Bot <support+bot@crowdin.com>	2024-01-18 22:18:51 +08:00
Yang Luo	b8db07db4d	feat: enable GetMaskedSyncers()	2024-01-18 20:59:27 +08:00
Yang Luo	a681c267b3	Refactor code format	2024-01-18 20:53:04 +08:00
Yang Luo	5fb6ea0ab4	Fix "password" tab in SigninMethods	2024-01-18 20:17:05 +08:00
Yang Luo	0f6b7984d4	feat: improve isAllowedInDemoMode()	2024-01-17 13:07:44 +08:00
Yang Luo	ba9d6e5d78	Fix Swagger API version	2024-01-16 00:09:28 +08:00
Yang Luo	a4524e9996	fix: fix Swagger @Tag	2024-01-15 23:35:40 +08:00
Yang Luo	b469928780	Fix Swagger @router	2024-01-15 23:27:42 +08:00
Yang Luo	dc6fe13f75	feat: use signupItem.Regex to check signup page	2024-01-15 18:12:38 +08:00
Yang Luo	8227762988	Support more special chars in password validating	2024-01-15 18:12:38 +08:00
hsluoyz	d92b072ed0	feat: revert PR: "feat: more RFC like LDAP server behaviour" (#2611 )	2024-01-15 13:58:33 +08:00
hsluoyz	1161310f81	feat: improve README.md	2024-01-15 10:14:01 +08:00
xiao-kong-long	48ba5f91ed	feat: add Synology NAS storage provider (#2605 )	2024-01-14 22:38:31 +08:00
Satinder Singh	53df2c2704	fix: add semantic versioning for helm charts (#2603 )	2024-01-14 09:44:16 +08:00
Yang Luo	78066da208	Improve setCorsHeaders() for "include" mode	2024-01-13 23:46:05 +08:00
Yang Luo	60096468fe	fix: fix CI email	2024-01-13 18:12:52 +08:00
Yang Luo	39d6bc10f7	Fix GetCaptchaStatus() crash if not logged in	2024-01-13 18:04:38 +08:00
Yang Luo	177f2f2f11	Add userId param to GetAllObjects() API	2024-01-13 18:03:40 +08:00
Yang Luo	79b393afee	feat: add regex to SignupTable	2024-01-13 16:08:49 +08:00
Yang Luo	5bb12a30d4	Don't show two errors in verificationCode login page	2024-01-13 16:01:22 +08:00
Yang Luo	fdb68bf9c8	Rename to SigninMethodTable	2024-01-13 15:53:01 +08:00
Yang Luo	37748850c8	Fix nameFormat in SamlItem	2024-01-13 15:32:49 +08:00
Yang Luo	8968396ae5	Fix bug in getDefaultLoginMethod()	2024-01-13 12:13:09 +08:00
Yang Luo	f5395f15f9	feat: fix isSigninMethodEnabled() bug in frontend	2024-01-13 11:35:06 +08:00
Yang Luo	73e44df867	Improve GetAllRoles() error handling	2024-01-13 10:06:08 +08:00
Yang Luo	0b575ccf84	Refactor getAllValues()	2024-01-13 09:58:55 +08:00
Yang Luo	9b7f465a47	Fix failedSigninFrozenTime typo	2024-01-13 02:12:29 +08:00
Yang Luo	b1fe28fb83	Refactor application.FailedSigninLimit code	2024-01-13 02:09:18 +08:00
Satinder Singh	530d054adb	feat: ci should commit index.yaml and push to docker hub (#2600 )	2024-01-11 16:10:08 +08:00
SamYSF	a2b9f9baaf	feat: support "JWT-Custom" to customize user properties inside access token (#2594 ) * feat: add custom attribute to access token * Update token_jwt.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2024-01-10 00:59:02 +08:00
Yang Luo	a2d20fcb63	Update i18n	2024-01-09 22:16:17 +08:00
Yang Luo	b118a3bb76	Add TokenFields to application	2024-01-09 22:09:21 +08:00
Yang Luo	280867d0cb	Add checkSigninErrorTimes() for LDAP signin	2024-01-09 21:53:44 +08:00
Yang Luo	30fa2f7d81	Disable LDAP login method by default	2024-01-09 21:36:09 +08:00
Michael	518288691d	fix(ci): fix the helm publish step (#2593 ) fixes https://github.com/casdoor/casdoor-helm/issues/3	2024-01-09 17:48:01 +08:00