feat: fix crash in roleChangeTrigger()

feat: getPidByPort() supports alpine now (#3483 )
Signed-off-by: WindSpiritSR <simon343riley@gmail.com>
2025-07-08 09:01:00 +08:00 · 2025-01-09 16:41:56 +08:00 · 2025-01-08 12:18:46 +08:00 · 2025-01-08 00:09:16 +08:00 · 2025-01-07 23:38:50 +08:00 · 2025-01-07 21:39:21 +08:00
117 changed files with 4453 additions and 1890 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -114,12 +114,12 @@ jobs:
          wait-on-timeout: 210
          working-directory: ./web

-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: cypress-screenshots
          path: ./web/cypress/screenshots
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: cypress-videos
@ -147,7 +147,7 @@ jobs:
      - name: Release
        run: yarn global add semantic-release@17.4.4 && semantic-release
        env:
-          GH_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Fetch Current version
        id: get-current-tag
--- a/authz/authz.go
+++ b/authz/authz.go
@ -98,6 +98,7 @@ p, *, *, GET, /api/get-organization-names, *, *
 p, *, *, GET, /api/get-all-objects, *, *
 p, *, *, GET, /api/get-all-actions, *, *
 p, *, *, GET, /api/get-all-roles, *, *
+p, *, *, GET, /api/run-casbin-command, *, *
 p, *, *, GET, /api/get-invitation-info, *, *
 p, *, *, GET, /api/faceid-signin-begin, *, *
 `
--- a/conf/app.conf
+++ b/conf/app.conf
@ -25,9 +25,13 @@ enableErrorMask = false
 enableGzip = true
 inactiveTimeoutMinutes =
 ldapServerPort = 389
+ldapsCertId = ""
+ldapsServerPort = 636
 radiusServerPort = 1812
+radiusDefaultOrganization = "built-in"
 radiusSecret = "secret"
 quota = {"organization": -1, "user": -1, "application": -1, "provider": -1}
 logConfig = {"filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}
+initDataNewOnly = false
 initDataFile = "./init_data.json"
-frontendBaseDir = "../casdoor"
+frontendBaseDir = "../cc_0"
--- a/controllers/account.go
+++ b/controllers/account.go
@ -116,6 +116,13 @@ func (c *ApiController) Signup() {
 		return
 	}

+	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
+	err = object.CheckEntryIp(clientIp, nil, application, organization, c.GetAcceptLanguage())
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	msg := object.CheckUserSignup(application, organization, &authForm, c.GetAcceptLanguage())
 	if msg != "" {
 		c.ResponseError(msg)
@ -238,6 +245,10 @@ func (c *ApiController) Signup() {
 		}
 	}

+	if invitation != nil && invitation.SignupGroup != "" {
+		user.Groups = []string{invitation.SignupGroup}
+	}
+
 	affected, err := object.AddUser(user)
 	if err != nil {
 		c.ResponseError(err.Error())
--- a/controllers/application.go
+++ b/controllers/application.go
@ -110,6 +110,9 @@ func (c *ApiController) GetApplication() {
 		}
 	}

+	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
+	object.CheckEntryIp(clientIp, nil, application, nil, c.GetAcceptLanguage())
+
 	c.ResponseOk(object.GetMaskedApplication(application, userId))
 }

@ -229,6 +232,11 @@ func (c *ApiController) UpdateApplication() {
 		return
 	}

+	if err = object.CheckIpWhitelist(application.IpWhitelist, c.GetAcceptLanguage()); err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	c.Data["json"] = wrapActionResponse(object.UpdateApplication(id, &application))
 	c.ServeJSON()
 }
@ -259,6 +267,11 @@ func (c *ApiController) AddApplication() {
 		return
 	}

+	if err = object.CheckIpWhitelist(application.IpWhitelist, c.GetAcceptLanguage()); err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	c.Data["json"] = wrapActionResponse(object.AddApplication(&application))
 	c.ServeJSON()
 }
--- a/controllers/auth.go
+++ b/controllers/auth.go
@ -22,6 +22,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"regexp"
 	"strconv"
 	"strings"

@ -55,6 +56,13 @@ func tokenToResponse(token *object.Token) *Response {
 func (c *ApiController) HandleLoggedIn(application *object.Application, user *object.User, form *form.AuthForm) (resp *Response) {
 	userId := user.GetId()

+	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
+	err := object.CheckEntryIp(clientIp, user, application, application.OrganizationObj, c.GetAcceptLanguage())
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	allowed, err := object.CheckLoginPermission(userId, application)
 	if err != nil {
 		c.ResponseError(err.Error(), nil)
@ -256,6 +264,9 @@ func (c *ApiController) GetApplicationLogin() {
 		}
 	}

+	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
+	object.CheckEntryIp(clientIp, nil, application, nil, c.GetAcceptLanguage())
+
 	application = object.GetMaskedApplication(application, "")
 	if msg != "" {
 		c.ResponseError(msg, application)
@ -463,6 +474,15 @@ func (c *ApiController) Login() {
 			}

 			password := authForm.Password
+
+			if application.OrganizationObj != nil {
+				password, err = util.GetUnobfuscatedPassword(application.OrganizationObj.PasswordObfuscatorType, application.OrganizationObj.PasswordObfuscatorKey, authForm.Password)
+				if err != nil {
+					c.ResponseError(err.Error())
+					return
+				}
+			}
+
 			isSigninViaLdap := authForm.SigninMethod == "LDAP"
 			var isPasswordWithLdapEnabled bool
 			if authForm.SigninMethod == "Password" {
@ -598,6 +618,17 @@ func (c *ApiController) Login() {
 				c.ResponseError(fmt.Sprintf(c.T("auth:Failed to login in: %s"), err.Error()))
 				return
 			}
+
+			if provider.EmailRegex != "" {
+				reg, err := regexp.Compile(provider.EmailRegex)
+				if err != nil {
+					c.ResponseError(fmt.Sprintf(c.T("auth:Failed to login in: %s"), err.Error()))
+					return
+				}
+				if !reg.MatchString(userInfo.Email) {
+					c.ResponseError(fmt.Sprintf(c.T("check:Email is invalid")))
+				}
+			}
 		}

 		if authForm.Method == "signup" {
@ -835,6 +866,7 @@ func (c *ApiController) Login() {
 		}

 		if authForm.Passcode != "" {
+			user.CountryCode = user.GetCountryCode(user.CountryCode)
 			mfaUtil := object.GetMfaUtil(authForm.MfaType, user.GetPreferredMfaProps(false))
 			if mfaUtil == nil {
 				c.ResponseError("Invalid multi-factor authentication type")
--- a/controllers/casbin_cli_api.go
+++ b/controllers/casbin_cli_api.go
@ -0,0 +1,114 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+func processArgsToTempFiles(args []string) ([]string, []string, error) {
+	tempFiles := []string{}
+	newArgs := []string{}
+	for i := 0; i < len(args); i++ {
+		if (args[i] == "-m" || args[i] == "-p") && i+1 < len(args) {
+			pattern := fmt.Sprintf("casbin_temp_%s_*.conf", args[i])
+			tempFile, err := os.CreateTemp("", pattern)
+			if err != nil {
+				return nil, nil, fmt.Errorf("failed to create temp file: %v", err)
+			}
+
+			_, err = tempFile.WriteString(args[i+1])
+			if err != nil {
+				tempFile.Close()
+				return nil, nil, fmt.Errorf("failed to write to temp file: %v", err)
+			}
+
+			tempFile.Close()
+			tempFiles = append(tempFiles, tempFile.Name())
+			newArgs = append(newArgs, args[i], tempFile.Name())
+			i++
+		} else {
+			newArgs = append(newArgs, args[i])
+		}
+	}
+	return tempFiles, newArgs, nil
+}
+
+// RunCasbinCommand
+// @Title RunCasbinCommand
+// @Tag Enforcer API
+// @Description Call Casbin CLI commands
+// @Success 200 {object} controllers.Response The Response object
+// @router /run-casbin-command [get]
+func (c *ApiController) RunCasbinCommand() {
+	language := c.Input().Get("language")
+	argString := c.Input().Get("args")
+
+	if language == "" {
+		language = "go"
+	}
+	// use "casbin-go-cli" by default, can be also "casbin-java-cli", "casbin-node-cli", etc.
+	// the pre-built binary of "casbin-go-cli" can be found at: https://github.com/casbin/casbin-go-cli/releases
+	binaryName := fmt.Sprintf("casbin-%s-cli", language)
+
+	_, err := exec.LookPath(binaryName)
+	if err != nil {
+		c.ResponseError(fmt.Sprintf("executable file: %s not found in PATH", binaryName))
+		return
+	}
+
+	// RBAC model & policy example:
+	// https://door.casdoor.com/api/run-casbin-command?language=go&args=["enforce", "-m", "[request_definition]\nr = sub, obj, act\n\n[policy_definition]\np = sub, obj, act\n\n[role_definition]\ng = _, _\n\n[policy_effect]\ne = some(where (p.eft == allow))\n\n[matchers]\nm = g(r.sub, p.sub) %26%26 r.obj == p.obj %26%26 r.act == p.act", "-p", "p, alice, data1, read\np, bob, data2, write\np, data2_admin, data2, read\np, data2_admin, data2, write\ng, alice, data2_admin", "alice", "data1", "read"]
+	// Casbin CLI usage:
+	// https://github.com/jcasbin/casbin-java-cli?tab=readme-ov-file#get-started
+	var args []string
+	err = json.Unmarshal([]byte(argString), &args)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	tempFiles, processedArgs, err := processArgsToTempFiles(args)
+	defer func() {
+		for _, file := range tempFiles {
+			os.Remove(file)
+		}
+	}()
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	command := exec.Command(binaryName, processedArgs...)
+	outputBytes, err := command.CombinedOutput()
+	if err != nil {
+		errorString := err.Error()
+		if outputBytes != nil {
+			output := string(outputBytes)
+			errorString = fmt.Sprintf("%s, error: %s", output, err.Error())
+		}
+
+		c.ResponseError(errorString)
+		return
+	}
+
+	output := string(outputBytes)
+	output = strings.TrimSuffix(output, "\n")
+	c.ResponseOk(output)
+}
--- a/controllers/mfa.go
+++ b/controllers/mfa.go
@ -22,13 +22,6 @@ import (
 	"github.com/google/uuid"
 )

-const (
-	MfaRecoveryCodesSession = "mfa_recovery_codes"
-	MfaCountryCodeSession   = "mfa_country_code"
-	MfaDestSession          = "mfa_dest"
-	MfaTotpSecretSession    = "mfa_totp_secret"
-)
-
 // MfaSetupInitiate
 // @Title MfaSetupInitiate
 // @Tag MFA API
@ -72,11 +65,6 @@ func (c *ApiController) MfaSetupInitiate() {
 	}

 	recoveryCode := uuid.NewString()
-	c.SetSession(MfaRecoveryCodesSession, recoveryCode)
-	if mfaType == object.TotpType {
-		c.SetSession(MfaTotpSecretSession, mfaProps.Secret)
-	}
-
 	mfaProps.RecoveryCodes = []string{recoveryCode}

 	resp := mfaProps
@ -94,6 +82,9 @@ func (c *ApiController) MfaSetupInitiate() {
 func (c *ApiController) MfaSetupVerify() {
 	mfaType := c.Ctx.Request.Form.Get("mfaType")
 	passcode := c.Ctx.Request.Form.Get("passcode")
+	secret := c.Ctx.Request.Form.Get("secret")
+	dest := c.Ctx.Request.Form.Get("dest")
+	countryCode := c.Ctx.Request.Form.Get("countryCode")

 	if mfaType == "" || passcode == "" {
 		c.ResponseError("missing auth type or passcode")
@ -104,32 +95,28 @@ func (c *ApiController) MfaSetupVerify() {
 		MfaType: mfaType,
 	}
 	if mfaType == object.TotpType {
-		secret := c.GetSession(MfaTotpSecretSession)
-		if secret == nil {
+		if secret == "" {
 			c.ResponseError("totp secret is missing")
 			return
 		}
-		config.Secret = secret.(string)
+		config.Secret = secret
 	} else if mfaType == object.SmsType {
-		dest := c.GetSession(MfaDestSession)
-		if dest == nil {
+		if dest == "" {
 			c.ResponseError("destination is missing")
 			return
 		}
-		config.Secret = dest.(string)
-		countryCode := c.GetSession(MfaCountryCodeSession)
-		if countryCode == nil {
+		config.Secret = dest
+		if countryCode == "" {
 			c.ResponseError("country code is missing")
 			return
 		}
-		config.CountryCode = countryCode.(string)
+		config.CountryCode = countryCode
 	} else if mfaType == object.EmailType {
-		dest := c.GetSession(MfaDestSession)
-		if dest == nil {
+		if dest == "" {
 			c.ResponseError("destination is missing")
 			return
 		}
-		config.Secret = dest.(string)
+		config.Secret = dest
 	}

 	mfaUtil := object.GetMfaUtil(mfaType, config)
@ -159,6 +146,10 @@ func (c *ApiController) MfaSetupEnable() {
 	owner := c.Ctx.Request.Form.Get("owner")
 	name := c.Ctx.Request.Form.Get("name")
 	mfaType := c.Ctx.Request.Form.Get("mfaType")
+	secret := c.Ctx.Request.Form.Get("secret")
+	dest := c.Ctx.Request.Form.Get("dest")
+	countryCode := c.Ctx.Request.Form.Get("secret")
+	recoveryCodes := c.Ctx.Request.Form.Get("recoveryCodes")

 	user, err := object.GetUser(util.GetId(owner, name))
 	if err != nil {
@ -176,43 +167,39 @@ func (c *ApiController) MfaSetupEnable() {
 	}

 	if mfaType == object.TotpType {
-		secret := c.GetSession(MfaTotpSecretSession)
-		if secret == nil {
+		if secret == "" {
 			c.ResponseError("totp secret is missing")
 			return
 		}
-		config.Secret = secret.(string)
+		config.Secret = secret
 	} else if mfaType == object.EmailType {
 		if user.Email == "" {
-			dest := c.GetSession(MfaDestSession)
-			if dest == nil {
+			if dest == "" {
 				c.ResponseError("destination is missing")
 				return
 			}
-			user.Email = dest.(string)
+			user.Email = dest
 		}
 	} else if mfaType == object.SmsType {
 		if user.Phone == "" {
-			dest := c.GetSession(MfaDestSession)
-			if dest == nil {
+			if dest == "" {
 				c.ResponseError("destination is missing")
 				return
 			}
-			user.Phone = dest.(string)
-			countryCode := c.GetSession(MfaCountryCodeSession)
-			if countryCode == nil {
+			user.Phone = dest
+			if countryCode == "" {
 				c.ResponseError("country code is missing")
 				return
 			}
-			user.CountryCode = countryCode.(string)
+			user.CountryCode = countryCode
 		}
 	}
-	recoveryCodes := c.GetSession(MfaRecoveryCodesSession)
-	if recoveryCodes == nil {
+
+	if recoveryCodes == "" {
 		c.ResponseError("recovery codes is missing")
 		return
 	}
-	config.RecoveryCodes = []string{recoveryCodes.(string)}
+	config.RecoveryCodes = []string{recoveryCodes}

 	mfaUtil := object.GetMfaUtil(mfaType, config)
 	if mfaUtil == nil {
@ -226,14 +213,6 @@ func (c *ApiController) MfaSetupEnable() {
 		return
 	}

-	c.DelSession(MfaRecoveryCodesSession)
-	if mfaType == object.TotpType {
-		c.DelSession(MfaTotpSecretSession)
-	} else {
-		c.DelSession(MfaCountryCodeSession)
-		c.DelSession(MfaDestSession)
-	}
-
 	c.ResponseOk(http.StatusText(http.StatusOK))
 }

--- a/controllers/organization.go
+++ b/controllers/organization.go
@ -119,6 +119,11 @@ func (c *ApiController) UpdateOrganization() {
 		return
 	}

+	if err = object.CheckIpWhitelist(organization.IpWhitelist, c.GetAcceptLanguage()); err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	c.Data["json"] = wrapActionResponse(object.UpdateOrganization(id, &organization))
 	c.ServeJSON()
 }
@ -149,6 +154,11 @@ func (c *ApiController) AddOrganization() {
 		return
 	}

+	if err = object.CheckIpWhitelist(organization.IpWhitelist, c.GetAcceptLanguage()); err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	c.Data["json"] = wrapActionResponse(object.AddOrganization(&organization))
 	c.ServeJSON()
 }
--- a/controllers/product.go
+++ b/controllers/product.go
@ -182,6 +182,10 @@ func (c *ApiController) BuyProduct() {
 	paidUserName := c.Input().Get("userName")
 	owner, _ := util.GetOwnerAndNameFromId(id)
 	userId := util.GetId(owner, paidUserName)
+	if paidUserName != "" && !c.IsAdmin() {
+		c.ResponseError(c.T("general:Only admin user can specify user"))
+		return
+	}
 	if paidUserName == "" {
 		userId = c.GetSessionUsername()
 	}
--- a/controllers/token.go
+++ b/controllers/token.go
@ -322,17 +322,22 @@ func (c *ApiController) IntrospectToken() {
 	}

 	tokenTypeHint := c.Input().Get("token_type_hint")
-	token, err := object.GetTokenByTokenValue(tokenValue, tokenTypeHint)
-	if err != nil {
-		c.ResponseTokenError(err.Error())
-		return
-	}
-	if token == nil {
-		c.Data["json"] = &object.IntrospectionResponse{Active: false}
-		c.ServeJSON()
-		return
+	var token *object.Token
+	if tokenTypeHint != "" {
+		token, err = object.GetTokenByTokenValue(tokenValue, tokenTypeHint)
+		if err != nil {
+			c.ResponseTokenError(err.Error())
+			return
+		}
+		if token == nil {
+			c.Data["json"] = &object.IntrospectionResponse{Active: false}
+			c.ServeJSON()
+			return
+		}
 	}

+	var introspectionResponse object.IntrospectionResponse
+
 	if application.TokenFormat == "JWT-Standard" {
 		jwtToken, err := object.ParseStandardJwtTokenByApplication(tokenValue, application)
 		if err != nil || jwtToken.Valid() != nil {
@ -344,12 +349,37 @@ func (c *ApiController) IntrospectToken() {
 			return
 		}

-		c.Data["json"] = &object.IntrospectionResponse{
+		introspectionResponse = object.IntrospectionResponse{
 			Active:    true,
 			Scope:     jwtToken.Scope,
 			ClientId:  clientId,
-			Username:  token.User,
-			TokenType: token.TokenType,
+			Username:  jwtToken.Name,
+			TokenType: jwtToken.TokenType,
+			Exp:       jwtToken.ExpiresAt.Unix(),
+			Iat:       jwtToken.IssuedAt.Unix(),
+			Nbf:       jwtToken.NotBefore.Unix(),
+			Sub:       jwtToken.Subject,
+			Aud:       jwtToken.Audience,
+			Iss:       jwtToken.Issuer,
+			Jti:       jwtToken.ID,
+		}
+	} else {
+		jwtToken, err := object.ParseJwtTokenByApplication(tokenValue, application)
+		if err != nil || jwtToken.Valid() != nil {
+			// and token revoked case. but we not implement
+			// TODO: 2022-03-03 add token revoked check, when we implemented the Token Revocation(rfc7009) Specs.
+			// refs: https://tools.ietf.org/html/rfc7009
+			c.Data["json"] = &object.IntrospectionResponse{Active: false}
+			c.ServeJSON()
+			return
+		}
+
+		introspectionResponse = object.IntrospectionResponse{
+			Active:    true,
+			Scope:     jwtToken.Scope,
+			ClientId:  clientId,
+			Username:  jwtToken.Name,
+			TokenType: jwtToken.TokenType,
 			Exp:       jwtToken.ExpiresAt.Unix(),
 			Iat:       jwtToken.IssuedAt.Unix(),
 			Nbf:       jwtToken.NotBefore.Unix(),
@ -358,33 +388,22 @@ func (c *ApiController) IntrospectToken() {
 			Iss:       jwtToken.Issuer,
 			Jti:       jwtToken.ID,
 		}
-		c.ServeJSON()
-		return
 	}

-	jwtToken, err := object.ParseJwtTokenByApplication(tokenValue, application)
-	if err != nil || jwtToken.Valid() != nil {
-		// and token revoked case. but we not implement
-		// TODO: 2022-03-03 add token revoked check, when we implemented the Token Revocation(rfc7009) Specs.
-		// refs: https://tools.ietf.org/html/rfc7009
-		c.Data["json"] = &object.IntrospectionResponse{Active: false}
-		c.ServeJSON()
-		return
+	if tokenTypeHint == "" {
+		token, err = object.GetTokenByTokenValue(tokenValue, introspectionResponse.TokenType)
+		if err != nil {
+			c.ResponseTokenError(err.Error())
+			return
+		}
+		if token == nil {
+			c.Data["json"] = &object.IntrospectionResponse{Active: false}
+			c.ServeJSON()
+			return
+		}
 	}
+	introspectionResponse.TokenType = token.TokenType

-	c.Data["json"] = &object.IntrospectionResponse{
-		Active:    true,
-		Scope:     jwtToken.Scope,
-		ClientId:  clientId,
-		Username:  token.User,
-		TokenType: token.TokenType,
-		Exp:       jwtToken.ExpiresAt.Unix(),
-		Iat:       jwtToken.IssuedAt.Unix(),
-		Nbf:       jwtToken.NotBefore.Unix(),
-		Sub:       jwtToken.Subject,
-		Aud:       jwtToken.Audience,
-		Iss:       jwtToken.Issuer,
-		Jti:       jwtToken.ID,
-	}
+	c.Data["json"] = introspectionResponse
 	c.ServeJSON()
 }
--- a/controllers/user.go
+++ b/controllers/user.go
@ -364,7 +364,8 @@ func (c *ApiController) AddUser() {
 		return
 	}

-	msg := object.CheckUsername(user.Name, c.GetAcceptLanguage())
+	emptyUser := object.User{}
+	msg := object.CheckUpdateUser(&emptyUser, &user, c.GetAcceptLanguage())
 	if msg != "" {
 		c.ResponseError(msg)
 		return
@ -474,6 +475,16 @@ func (c *ApiController) SetPassword() {

 	userId := util.GetId(userOwner, userName)

+	user, err := object.GetUser(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if user == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
+		return
+	}
+
 	requestUserId := c.GetSessionUsername()
 	if requestUserId == "" && code == "" {
 		c.ResponseError(c.T("general:Please login first"), "Please login first")
@ -489,7 +500,12 @@ func (c *ApiController) SetPassword() {
 			c.ResponseError(c.T("general:Missing parameter"))
 			return
 		}
+		if userId != c.GetSession("verifiedUserId") {
+			c.ResponseError(c.T("general:Wrong userId"))
+			return
+		}
 		c.SetSession("verifiedCode", "")
+		c.SetSession("verifiedUserId", "")
 	}

 	targetUser, err := object.GetUser(userId)
@ -512,7 +528,11 @@ func (c *ApiController) SetPassword() {
 			}
 		}
 	} else if code == "" {
-		err = object.CheckPassword(targetUser, oldPassword, c.GetAcceptLanguage())
+		if user.Ldap == "" {
+			err = object.CheckPassword(targetUser, oldPassword, c.GetAcceptLanguage())
+		} else {
+			err = object.CheckLdapUserPassword(targetUser, oldPassword, c.GetAcceptLanguage())
+		}
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@ -535,11 +555,34 @@ func (c *ApiController) SetPassword() {
 		return
 	}

+	application, err := object.GetApplicationByUser(targetUser)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if application == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:the application for user %s is not found"), userId))
+		return
+	}
+
+	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
+	err = object.CheckEntryIp(clientIp, targetUser, application, organization, c.GetAcceptLanguage())
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	targetUser.Password = newPassword
 	targetUser.UpdateUserPassword(organization)
 	targetUser.NeedUpdatePassword = false
+	targetUser.LastChangePasswordTime = util.GetCurrentTime()
+
+	if user.Ldap == "" {
+		_, err = object.UpdateUser(userId, targetUser, []string{"password", "need_update_password", "password_type", "last_change_password_time"}, false)
+	} else {
+		err = object.ResetLdapPassword(targetUser, newPassword, c.GetAcceptLanguage())
+	}

-	_, err = object.UpdateUser(userId, targetUser, []string{"password", "need_update_password", "password_type"}, false)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/controllers/verification.go
+++ b/controllers/verification.go
@ -132,7 +132,8 @@ func (c *ApiController) SendVerificationCode() {
 		c.ResponseError(err.Error())
 		return
 	}
-	remoteAddr := util.GetIPFromRequest(c.Ctx.Request)
+
+	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)

 	if msg := vform.CheckParameter(form.SendVerifyCode, c.GetAcceptLanguage()); msg != "" {
 		c.ResponseError(msg)
@ -245,8 +246,6 @@ func (c *ApiController) SendVerificationCode() {
 			if user != nil && util.GetMaskedEmail(mfaProps.Secret) == vform.Dest {
 				vform.Dest = mfaProps.Secret
 			}
-		} else if vform.Method == MfaSetupVerification {
-			c.SetSession(MfaDestSession, vform.Dest)
 		}

 		provider, err = application.GetEmailProvider(vform.Method)
@ -259,7 +258,7 @@ func (c *ApiController) SendVerificationCode() {
 			return
 		}

-		sendResp = object.SendVerificationCodeToEmail(organization, user, provider, remoteAddr, vform.Dest)
+		sendResp = object.SendVerificationCodeToEmail(organization, user, provider, clientIp, vform.Dest)
 	case object.VerifyTypePhone:
 		if vform.Method == LoginVerification || vform.Method == ForgetVerification {
 			if user != nil && util.GetMaskedPhone(user.Phone) == vform.Dest {
@ -281,11 +280,6 @@ func (c *ApiController) SendVerificationCode() {
 					vform.CountryCode = user.GetCountryCode(vform.CountryCode)
 				}
 			}
-
-			if vform.Method == MfaSetupVerification {
-				c.SetSession(MfaCountryCodeSession, vform.CountryCode)
-				c.SetSession(MfaDestSession, vform.Dest)
-			}
 		} else if vform.Method == MfaAuthVerification {
 			mfaProps := user.GetPreferredMfaProps(false)
 			if user != nil && util.GetMaskedPhone(mfaProps.Secret) == vform.Dest {
@ -293,6 +287,7 @@ func (c *ApiController) SendVerificationCode() {
 			}

 			vform.CountryCode = mfaProps.CountryCode
+			vform.CountryCode = user.GetCountryCode(vform.CountryCode)
 		}

 		provider, err = application.GetSmsProvider(vform.Method, vform.CountryCode)
@ -309,7 +304,7 @@ func (c *ApiController) SendVerificationCode() {
 			c.ResponseError(fmt.Sprintf(c.T("verification:Phone number is invalid in your region %s"), vform.CountryCode))
 			return
 		} else {
-			sendResp = object.SendVerificationCodeToPhone(organization, user, provider, remoteAddr, phone)
+			sendResp = object.SendVerificationCodeToPhone(organization, user, provider, clientIp, phone)
 		}
 	}

@ -532,5 +527,6 @@ func (c *ApiController) VerifyCode() {
 	}

 	c.SetSession("verifiedCode", authForm.Code)
+	c.SetSession("verifiedUserId", user.GetId())
 	c.ResponseOk()
 }
--- a/go.mod
+++ b/go.mod
@ -9,8 +9,9 @@ require (
 	github.com/beego/beego v1.12.12
 	github.com/beevik/etree v1.1.0
 	github.com/casbin/casbin/v2 v2.77.2
-	github.com/casdoor/go-sms-sender v0.24.0
+	github.com/casdoor/go-sms-sender v0.25.0
 	github.com/casdoor/gomail/v2 v2.0.1
+	github.com/casdoor/ldapserver v1.2.0
 	github.com/casdoor/notify v0.45.0
 	github.com/casdoor/oss v1.8.0
 	github.com/casdoor/xorm-adapter/v3 v3.1.0
@ -20,7 +21,6 @@ require (
 	github.com/elazarl/go-bindata-assetfs v1.0.1 // indirect
 	github.com/elimity-com/scim v0.0.0-20230426070224-941a5eac92f3
 	github.com/fogleman/gg v1.3.0
-	github.com/forestmgy/ldapserver v1.1.0
 	github.com/go-asn1-ber/asn1-ber v1.5.5
 	github.com/go-git/go-git/v5 v5.11.0
 	github.com/go-ldap/ldap/v3 v3.4.6
@ -63,6 +63,7 @@ require (
 	golang.org/x/crypto v0.21.0
 	golang.org/x/net v0.21.0
 	golang.org/x/oauth2 v0.17.0
+	golang.org/x/text v0.14.0
 	google.golang.org/api v0.150.0
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0
--- a/go.sum
+++ b/go.sum
@ -1087,10 +1087,12 @@ github.com/casdoor/casdoor-go-sdk v0.50.0 h1:bUYbz/MzJuWfLKJbJM0+U0YpYewAur+THp5
 github.com/casdoor/casdoor-go-sdk v0.50.0/go.mod h1:cMnkCQJgMYpgAlgEx8reSt1AVaDIQLcJ1zk5pzBaz+4=
 github.com/casdoor/go-reddit/v2 v2.1.0 h1:kIbfdJ7AA7H0uTQ8s0q4GGZqSS5V9wVE74RrXyD9XPs=
 github.com/casdoor/go-reddit/v2 v2.1.0/go.mod h1:eagkvwlZ4Hcsuc/uQsLHYEulz5jN65SVSwV/AIE7zsc=
-github.com/casdoor/go-sms-sender v0.24.0 h1:LNLsce3EG/87I3JS6UiajF3LlQmdIiCgebEu0IE4wSM=
-github.com/casdoor/go-sms-sender v0.24.0/go.mod h1:bOm4H8/YfJmEHjBatEVQFOnAf0OOn1B0Wi5B7zDhws0=
+github.com/casdoor/go-sms-sender v0.25.0 h1:eF4cOCSbjVg7+0uLlJQnna/FQ0BWW+Fp/x4cXhzQu1Y=
+github.com/casdoor/go-sms-sender v0.25.0/go.mod h1:bOm4H8/YfJmEHjBatEVQFOnAf0OOn1B0Wi5B7zDhws0=
 github.com/casdoor/gomail/v2 v2.0.1 h1:J+FG6x80s9e5lBHUn8Sv0Y56mud34KiWih5YdmudR/w=
 github.com/casdoor/gomail/v2 v2.0.1/go.mod h1:VnGPslEAtpix5FjHisR/WKB1qvZDBaujbikxDe9d+2Q=
+github.com/casdoor/ldapserver v1.2.0 h1:HdSYe+ULU6z9K+2BqgTrJKQRR4//ERAXB64ttOun6Ow=
+github.com/casdoor/ldapserver v1.2.0/go.mod h1:VwYU2vqQ2pA8sa00PRekH71R2XmgfzMKhmp1XrrDu2s=
 github.com/casdoor/notify v0.45.0 h1:OlaFvcQFjGOgA4mRx07M8AH1gvb5xNo21mcqrVGlLgk=
 github.com/casdoor/notify v0.45.0/go.mod h1:wNHQu0tiDROMBIvz0j3Om3Lhd5yZ+AIfnFb8MYb8OLQ=
 github.com/casdoor/oss v1.8.0 h1:uuyKhDIp7ydOtV4lpqhAY23Ban2Ln8La8+QT36CwylM=
@ -1237,8 +1239,6 @@ github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga
 github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/fogleman/gg v1.3.0 h1:/7zJX8F6AaYQc57WQCyN9cAIz+4bCJGO9B+dyW29am8=
 github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
-github.com/forestmgy/ldapserver v1.1.0 h1:gvil4nuLhqPEL8SugCkFhRyA0/lIvRdwZSqlrw63ll4=
-github.com/forestmgy/ldapserver v1.1.0/go.mod h1:1RZ8lox1QSY7rmbjdmy+sYQXY4Lp7SpGzpdE3+j3IyM=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
--- a/i18n/locales/fa/data.json
+++ b/i18n/locales/fa/data.json
@ -1,167 +1,167 @@
 {
  "account": {
-    "Failed to add user": "Failed to add user",
-    "Get init score failed, error: %w": "Get init score failed, error: %w",
-    "Please sign out first": "Please sign out first",
-    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+    "Failed to add user": "عدم موفقیت در افزودن کاربر",
+    "Get init score failed, error: %w": "عدم موفقیت در دریافت امتیاز اولیه، خطا: %w",
+    "Please sign out first": "لطفاً ابتدا خارج شوید",
+    "The application does not allow to sign up new account": "برنامه اجازه ثبت‌نام حساب جدید را نمی‌دهد"
  },
  "auth": {
-    "Challenge method should be S256": "Challenge method should be S256",
-    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
-    "Failed to login in: %s": "Failed to login in: %s",
-    "Invalid token": "Invalid token",
-    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
-    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
-    "The application: %s does not exist": "The application: %s does not exist",
-    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
-    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
-    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
-    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
-    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
-    "The organization: %s does not exist": "The organization: %s does not exist",
-    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
-    "Unauthorized operation": "Unauthorized operation",
-    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
-    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags",
-    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing"
+    "Challenge method should be S256": "روش چالش باید S256 باشد",
+    "Failed to create user, user information is invalid: %s": "عدم موفقیت در ایجاد کاربر، اطلاعات کاربر نامعتبر است: %s",
+    "Failed to login in: %s": "عدم موفقیت در ورود: %s",
+    "Invalid token": "توکن نامعتبر",
+    "State expected: %s, but got: %s": "وضعیت مورد انتظار: %s، اما دریافت شد: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "حساب برای ارائه‌دهنده: %s و نام کاربری: %s (%s) وجود ندارد و مجاز به ثبت‌نام به‌عنوان حساب جدید از طریق %%s نیست، لطفاً از روش دیگری برای ثبت‌نام استفاده کنید",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "حساب برای ارائه‌دهنده: %s و نام کاربری: %s (%s) وجود ندارد و مجاز به ثبت‌نام به‌عنوان حساب جدید نیست، لطفاً با پشتیبانی IT خود تماس بگیرید",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "حساب برای ارائه‌دهنده: %s و نام کاربری: %s (%s) در حال حاضر به حساب دیگری مرتبط است: %s (%s)",
+    "The application: %s does not exist": "برنامه: %s وجود ندارد",
+    "The login method: login with LDAP is not enabled for the application": "روش ورود: ورود با LDAP برای برنامه فعال نیست",
+    "The login method: login with SMS is not enabled for the application": "روش ورود: ورود با پیامک برای برنامه فعال نیست",
+    "The login method: login with email is not enabled for the application": "روش ورود: ورود با ایمیل برای برنامه فعال نیست",
+    "The login method: login with face is not enabled for the application": "روش ورود: ورود با چهره برای برنامه فعال نیست",
+    "The login method: login with password is not enabled for the application": "روش ورود: ورود با رمز عبور برای برنامه فعال نیست",
+    "The organization: %s does not exist": "سازمان: %s وجود ندارد",
+    "The provider: %s is not enabled for the application": "ارائه‌دهنده: %s برای برنامه فعال نیست",
+    "Unauthorized operation": "عملیات غیرمجاز",
+    "Unknown authentication type (not password or provider), form = %s": "نوع احراز هویت ناشناخته (نه رمز عبور و نه ارائه‌دهنده)، فرم = %s",
+    "User's tag: %s is not listed in the application's tags": "برچسب کاربر: %s در برچسب‌های برنامه فهرست نشده است",
+    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "کاربر پرداختی %s اشتراک فعال یا در انتظار ندارد و برنامه: %s قیمت‌گذاری پیش‌فرض ندارد"
  },
  "cas": {
-    "Service %s and %s do not match": "Service %s and %s do not match"
+    "Service %s and %s do not match": "سرویس %s و %s مطابقت ندارند"
  },
  "check": {
-    "Affiliation cannot be blank": "Affiliation cannot be blank",
-    "Default code does not match the code's matching rules": "Default code does not match the code's matching rules",
-    "DisplayName cannot be blank": "DisplayName cannot be blank",
-    "DisplayName is not valid real name": "DisplayName is not valid real name",
-    "Email already exists": "Email already exists",
-    "Email cannot be empty": "Email cannot be empty",
-    "Email is invalid": "Email is invalid",
-    "Empty username.": "Empty username.",
-    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
-    "Face data mismatch": "Face data mismatch",
-    "FirstName cannot be blank": "FirstName cannot be blank",
-    "Invitation code cannot be blank": "Invitation code cannot be blank",
-    "Invitation code exhausted": "Invitation code exhausted",
-    "Invitation code is invalid": "Invitation code is invalid",
-    "Invitation code suspended": "Invitation code suspended",
-    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
-    "LastName cannot be blank": "LastName cannot be blank",
-    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
-    "Organization does not exist": "Organization does not exist",
-    "Phone already exists": "Phone already exists",
-    "Phone cannot be empty": "Phone cannot be empty",
-    "Phone number is invalid": "Phone number is invalid",
-    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
-    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
-    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
-    "Session outdated, please login again": "Session outdated, please login again",
-    "The invitation code has already been used": "The invitation code has already been used",
-    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
-    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
-    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
-    "Username already exists": "Username already exists",
-    "Username cannot be an email address": "Username cannot be an email address",
-    "Username cannot contain white spaces": "Username cannot contain white spaces",
-    "Username cannot start with a digit": "Username cannot start with a digit",
-    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
-    "Username must have at least 2 characters": "Username must have at least 2 characters",
-    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
-    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
-    "password or code is incorrect": "password or code is incorrect",
-    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
-    "unsupported password type: %s": "unsupported password type: %s"
+    "Affiliation cannot be blank": "وابستگی نمی‌تواند خالی باشد",
+    "Default code does not match the code's matching rules": "کد پیش‌فرض با قوانین تطبیق کد مطابقت ندارد",
+    "DisplayName cannot be blank": "نام نمایشی نمی‌تواند خالی باشد",
+    "DisplayName is not valid real name": "نام نمایشی یک نام واقعی معتبر نیست",
+    "Email already exists": "ایمیل قبلاً وجود دارد",
+    "Email cannot be empty": "ایمیل نمی‌تواند خالی باشد",
+    "Email is invalid": "ایمیل نامعتبر است",
+    "Empty username.": "نام کاربری خالی است.",
+    "Face data does not exist, cannot log in": "داده‌های چهره وجود ندارد، نمی‌توان وارد شد",
+    "Face data mismatch": "عدم تطابق داده‌های چهره",
+    "FirstName cannot be blank": "نام نمی‌تواند خالی باشد",
+    "Invitation code cannot be blank": "کد دعوت نمی‌تواند خالی باشد",
+    "Invitation code exhausted": "کد دعوت استفاده شده است",
+    "Invitation code is invalid": "کد دعوت نامعتبر است",
+    "Invitation code suspended": "کد دعوت معلق است",
+    "LDAP user name or password incorrect": "نام کاربری یا رمز عبور LDAP نادرست است",
+    "LastName cannot be blank": "نام خانوادگی نمی‌تواند خالی باشد",
+    "Multiple accounts with same uid, please check your ldap server": "چندین حساب با uid یکسان، لطفاً سرور LDAP خود را بررسی کنید",
+    "Organization does not exist": "سازمان وجود ندارد",
+    "Phone already exists": "تلفن قبلاً وجود دارد",
+    "Phone cannot be empty": "تلفن نمی‌تواند خالی باشد",
+    "Phone number is invalid": "شماره تلفن نامعتبر است",
+    "Please register using the email corresponding to the invitation code": "لطفاً با استفاده از ایمیل مربوط به کد دعوت ثبت‌نام کنید",
+    "Please register using the phone  corresponding to the invitation code": "لطفاً با استفاده از تلفن مربوط به کد دعوت ثبت‌نام کنید",
+    "Please register using the username corresponding to the invitation code": "لطفاً با استفاده از نام کاربری مربوط به کد دعوت ثبت‌نام کنید",
+    "Session outdated, please login again": "جلسه منقضی شده است، لطفاً دوباره وارد شوید",
+    "The invitation code has already been used": "کد دعوت قبلاً استفاده شده است",
+    "The user is forbidden to sign in, please contact the administrator": "ورود کاربر ممنوع است، لطفاً با مدیر تماس بگیرید",
+    "The user: %s doesn't exist in LDAP server": "کاربر: %s در سرور LDAP وجود ندارد",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "نام کاربری فقط می‌تواند حاوی کاراکترهای الفبایی عددی، زیرخط یا خط تیره باشد، نمی‌تواند خط تیره یا زیرخط متوالی داشته باشد، و نمی‌تواند با خط تیره یا زیرخط شروع یا پایان یابد.",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "مقدار \"%s\" برای فیلد حساب \"%s\" با عبارت منظم مورد حساب مطابقت ندارد",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "مقدار \"%s\" برای فیلد ثبت‌نام \"%s\" با عبارت منظم مورد ثبت‌نام برنامه \"%s\" مطابقت ندارد",
+    "Username already exists": "نام کاربری قبلاً وجود دارد",
+    "Username cannot be an email address": "نام کاربری نمی‌تواند یک آدرس ایمیل باشد",
+    "Username cannot contain white spaces": "نام کاربری نمی‌تواند حاوی فاصله باشد",
+    "Username cannot start with a digit": "نام کاربری نمی‌تواند با یک رقم شروع شود",
+    "Username is too long (maximum is 39 characters).": "نام کاربری بیش از حد طولانی است (حداکثر ۳۹ کاراکتر).",
+    "Username must have at least 2 characters": "نام کاربری باید حداقل ۲ کاراکتر داشته باشد",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "شما رمز عبور یا کد اشتباه را بیش از حد وارد کرده‌اید، لطفاً %d دقیقه صبر کنید و دوباره تلاش کنید",
+    "Your region is not allow to signup by phone": "منطقه شما اجازه ثبت‌نام با تلفن را ندارد",
+    "password or code is incorrect": "رمز عبور یا کد نادرست است",
+    "password or code is incorrect, you have %d remaining chances": "رمز عبور یا کد نادرست است، شما %d فرصت باقی‌مانده دارید",
+    "unsupported password type: %s": "نوع رمز عبور پشتیبانی نشده: %s"
  },
  "general": {
-    "Missing parameter": "Missing parameter",
-    "Please login first": "Please login first",
-    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
-    "The user: %s doesn't exist": "The user: %s doesn't exist",
-    "don't support captchaProvider: ": "don't support captchaProvider: ",
-    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode",
-    "this operation requires administrator to perform": "this operation requires administrator to perform"
+    "Missing parameter": "پارامتر گمشده",
+    "Please login first": "لطفاً ابتدا وارد شوید",
+    "The organization: %s should have one application at least": "سازمان: %s باید حداقل یک برنامه داشته باشد",
+    "The user: %s doesn't exist": "کاربر: %s وجود ندارد",
+    "don't support captchaProvider: ": "از captchaProvider پشتیبانی نمی‌شود: ",
+    "this operation is not allowed in demo mode": "این عملیات در حالت دمو مجاز نیست",
+    "this operation requires administrator to perform": "این عملیات نیاز به مدیر برای انجام دارد"
  },
  "ldap": {
-    "Ldap server exist": "Ldap server exist"
+    "Ldap server exist": "سرور LDAP وجود دارد"
  },
  "link": {
-    "Please link first": "Please link first",
-    "This application has no providers": "This application has no providers",
-    "This application has no providers of type": "This application has no providers of type",
-    "This provider can't be unlinked": "This provider can't be unlinked",
-    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
-    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+    "Please link first": "لطفاً ابتدا پیوند دهید",
+    "This application has no providers": "این برنامه ارائه‌دهنده‌ای ندارد",
+    "This application has no providers of type": "این برنامه ارائه‌دهنده‌ای از نوع ندارد",
+    "This provider can't be unlinked": "این ارائه‌دهنده نمی‌تواند لغو پیوند شود",
+    "You are not the global admin, you can't unlink other users": "شما مدیر جهانی نیستید، نمی‌توانید کاربران دیگر را لغو پیوند کنید",
+    "You can't unlink yourself, you are not a member of any application": "شما نمی‌توانید خودتان را لغو پیوند کنید، شما عضو هیچ برنامه‌ای نیستید"
  },
  "organization": {
-    "Only admin can modify the %s.": "Only admin can modify the %s.",
-    "The %s is immutable.": "The %s is immutable.",
-    "Unknown modify rule %s.": "Unknown modify rule %s."
+    "Only admin can modify the %s.": "فقط مدیر می‌تواند %s را تغییر دهد.",
+    "The %s is immutable.": "%s غیرقابل تغییر است.",
+    "Unknown modify rule %s.": "قانون تغییر ناشناخته %s."
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+    "The permission: \"%s\" doesn't exist": "مجوز: \"%s\" وجود ندارد"
  },
  "provider": {
-    "Invalid application id": "Invalid application id",
-    "the provider: %s does not exist": "the provider: %s does not exist"
+    "Invalid application id": "شناسه برنامه نامعتبر",
+    "the provider: %s does not exist": "ارائه‌دهنده: %s وجود ندارد"
  },
  "resource": {
-    "User is nil for tag: avatar": "User is nil for tag: avatar",
-    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+    "User is nil for tag: avatar": "کاربر برای برچسب: آواتار تهی است",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "نام کاربری یا مسیر کامل فایل خالی است: نام کاربری = %s، مسیر کامل فایل = %s"
  },
  "saml": {
-    "Application %s not found": "Application %s not found"
+    "Application %s not found": "برنامه %s یافت نشد"
  },
  "saml_sp": {
-    "provider %s's category is not SAML": "provider %s's category is not SAML"
+    "provider %s's category is not SAML": "دسته‌بندی ارائه‌دهنده %s SAML نیست"
  },
  "service": {
-    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
-    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
-    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+    "Empty parameters for emailForm: %v": "پارامترهای خالی برای emailForm: %v",
+    "Invalid Email receivers: %s": "گیرندگان ایمیل نامعتبر: %s",
+    "Invalid phone receivers: %s": "گیرندگان تلفن نامعتبر: %s"
  },
  "storage": {
-    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
-    "The provider type: %s is not supported": "The provider type: %s is not supported"
+    "The objectKey: %s is not allowed": "objectKey: %s مجاز نیست",
+    "The provider type: %s is not supported": "نوع ارائه‌دهنده: %s پشتیبانی نمی‌شود"
  },
  "token": {
-    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
-    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
-    "Invalid client_id": "Invalid client_id",
-    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
-    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+    "Grant_type: %s is not supported in this application": "grant_type: %s در این برنامه پشتیبانی نمی‌شود",
+    "Invalid application or wrong clientSecret": "برنامه نامعتبر یا clientSecret نادرست",
+    "Invalid client_id": "client_id نامعتبر",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "آدرس بازگشت: %s در لیست آدرس‌های بازگشت مجاز وجود ندارد",
+    "Token not found, invalid accessToken": "توکن یافت نشد، accessToken نامعتبر"
  },
  "user": {
-    "Display name cannot be empty": "Display name cannot be empty",
-    "New password cannot contain blank space.": "New password cannot contain blank space."
+    "Display name cannot be empty": "نام نمایشی نمی‌تواند خالی باشد",
+    "New password cannot contain blank space.": "رمز عبور جدید نمی‌تواند حاوی فاصله خالی باشد."
  },
  "user_upload": {
-    "Failed to import users": "Failed to import users"
+    "Failed to import users": "عدم موفقیت در وارد کردن کاربران"
  },
  "util": {
-    "No application is found for userId: %s": "No application is found for userId: %s",
-    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
-    "The provider: %s is not found": "The provider: %s is not found"
+    "No application is found for userId: %s": "هیچ برنامه‌ای برای userId: %s یافت نشد",
+    "No provider for category: %s is found for application: %s": "هیچ ارائه‌دهنده‌ای برای دسته‌بندی: %s برای برنامه: %s یافت نشد",
+    "The provider: %s is not found": "ارائه‌دهنده: %s یافت نشد"
  },
  "verification": {
-    "Invalid captcha provider.": "Invalid captcha provider.",
-    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
-    "The verification code has not been sent yet!": "The verification code has not been sent yet!",
-    "The verification code has not been sent yet, or has already been used!": "The verification code has not been sent yet, or has already been used!",
-    "Turing test failed.": "Turing test failed.",
-    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
-    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
-    "Unknown type": "Unknown type",
-    "Wrong verification code!": "Wrong verification code!",
-    "You should verify your code in %d min!": "You should verify your code in %d min!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
-    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+    "Invalid captcha provider.": "ارائه‌دهنده کپچا نامعتبر.",
+    "Phone number is invalid in your region %s": "شماره تلفن در منطقه شما نامعتبر است %s",
+    "The verification code has not been sent yet!": "کد تأیید هنوز ارسال نشده است!",
+    "The verification code has not been sent yet, or has already been used!": "کد تأیید هنوز ارسال نشده است، یا قبلاً استفاده شده است!",
+    "Turing test failed.": "تست تورینگ ناموفق بود.",
+    "Unable to get the email modify rule.": "عدم توانایی در دریافت قانون تغییر ایمیل.",
+    "Unable to get the phone modify rule.": "عدم توانایی در دریافت قانون تغییر تلفن.",
+    "Unknown type": "نوع ناشناخته",
+    "Wrong verification code!": "کد تأیید اشتباه!",
+    "You should verify your code in %d min!": "شما باید کد خود را در %d دقیقه تأیید کنید!",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "لطفاً یک ارائه‌دهنده پیامک به لیست \"ارائه‌دهندگان\" برای برنامه: %s اضافه کنید",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "لطفاً یک ارائه‌دهنده ایمیل به لیست \"ارائه‌دهندگان\" برای برنامه: %s اضافه کنید",
+    "the user does not exist, please sign up first": "کاربر وجود ندارد، لطفاً ابتدا ثبت‌نام کنید"
  },
  "webauthn": {
-    "Found no credentials for this user": "Found no credentials for this user",
-    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+    "Found no credentials for this user": "هیچ اعتباری برای این کاربر یافت نشد",
+    "Please call WebAuthnSigninBegin first": "لطفاً ابتدا WebAuthnSigninBegin را فراخوانی کنید"
  }
 }
--- a/i18n/locales/ru/data.json
+++ b/i18n/locales/ru/data.json
@ -15,10 +15,10 @@
    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "Аккаунт для провайдера: %s и имя пользователя: %s (%s) не существует и не может быть зарегистрирован как новый аккаунт. Пожалуйста, обратитесь в службу поддержки IT",
    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "Аккаунт поставщика: %s и имя пользователя: %s (%s) уже связаны с другим аккаунтом: %s (%s)",
    "The application: %s does not exist": "Приложение: %s не существует",
-    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
-    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
-    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
-    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
+    "The login method: login with LDAP is not enabled for the application": "Метод входа в систему: вход с помощью LDAP не включен для приложения",
+    "The login method: login with SMS is not enabled for the application": "Метод входа: вход с помощью SMS не включен для приложения",
+    "The login method: login with email is not enabled for the application": "Метод входа: вход с помощью электронной почты не включен для приложения",
+    "The login method: login with face is not enabled for the application": "Метод входа: вход с помощью лица не включен для приложения",
    "The login method: login with password is not enabled for the application": "Метод входа: вход с паролем не включен для приложения",
    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "Провайдер: %s не включен для приложения",
@ -53,16 +53,16 @@
    "Phone already exists": "Телефон уже существует",
    "Phone cannot be empty": "Телефон не может быть пустым",
    "Phone number is invalid": "Номер телефона является недействительным",
-    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
-    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
-    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
+    "Please register using the email corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь, используя электронную почту, соответствующую коду приглашения",
+    "Please register using the phone  corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь по телефону, соответствующему коду приглашения",
+    "Please register using the username corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь, используя имя пользователя, соответствующее коду приглашения",
    "Session outdated, please login again": "Сессия устарела, пожалуйста, войдите снова",
    "The invitation code has already been used": "The invitation code has already been used",
    "The user is forbidden to sign in, please contact the administrator": "Пользователю запрещен вход, пожалуйста, обратитесь к администратору",
    "The user: %s doesn't exist in LDAP server": "Пользователь %s не существует на LDAP сервере",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Имя пользователя может состоять только из буквенно-цифровых символов, нижних подчеркиваний или дефисов, не может содержать последовательные дефисы или подчеркивания, а также не может начинаться или заканчиваться на дефис или подчеркивание.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "Значение \\\"%s\\\" для поля аккаунта \\\"%s\\\" не соответствует регулярному значению",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "Значение \\\"%s\\\" поля регистрации \\\"%s\\\" не соответствует регулярному выражению приложения \\\"%s\\\"",
    "Username already exists": "Имя пользователя уже существует",
    "Username cannot be an email address": "Имя пользователя не может быть адресом электронной почты",
    "Username cannot contain white spaces": "Имя пользователя не может содержать пробелы",
@ -78,11 +78,11 @@
  "general": {
    "Missing parameter": "Отсутствующий параметр",
    "Please login first": "Пожалуйста, сначала войдите в систему",
-    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
+    "The organization: %s should have one application at least": "Организация: %s должна иметь хотя бы одно приложение",
    "The user: %s doesn't exist": "Пользователь %s не существует",
    "don't support captchaProvider: ": "неподдерживаемый captchaProvider: ",
    "this operation is not allowed in demo mode": "эта операция не разрешена в демо-режиме",
-    "this operation requires administrator to perform": "this operation requires administrator to perform"
+    "this operation requires administrator to perform": "для выполнения этой операции требуется администратор"
  },
  "ldap": {
    "Ldap server exist": "LDAP-сервер существует"
@ -101,11 +101,11 @@
    "Unknown modify rule %s.": "Неизвестное изменение правила %s."
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+    "The permission: \\\"%s\\\" doesn't exist": "Разрешение: \\\"%s\\\" не существует"
  },
  "provider": {
    "Invalid application id": "Неверный идентификатор приложения",
-    "the provider: %s does not exist": "провайдер: %s не существует"
+    "the provider: %s does not exist": "Провайдер: %s не существует"
  },
  "resource": {
    "User is nil for tag: avatar": "Пользователь равен нулю для тега: аватар",
@ -115,7 +115,7 @@
    "Application %s not found": "Приложение %s не найдено"
  },
  "saml_sp": {
-    "provider %s's category is not SAML": "категория провайдера %s не является SAML"
+    "provider %s's category is not SAML": "Категория провайдера %s не является SAML"
  },
  "service": {
    "Empty parameters for emailForm: %v": "Пустые параметры для emailForm: %v",
@ -148,7 +148,7 @@
  "verification": {
    "Invalid captcha provider.": "Недействительный поставщик CAPTCHA.",
    "Phone number is invalid in your region %s": "Номер телефона недействителен в вашем регионе %s",
-    "The verification code has not been sent yet!": "The verification code has not been sent yet!",
+    "The verification code has not been sent yet!": "Код проверки еще не отправлен!",
    "The verification code has not been sent yet, or has already been used!": "The verification code has not been sent yet, or has already been used!",
    "Turing test failed.": "Тест Тьюринга не удался.",
    "Unable to get the email modify rule.": "Невозможно получить правило изменения электронной почты.",
@ -156,8 +156,8 @@
    "Unknown type": "Неизвестный тип",
    "Wrong verification code!": "Неправильный код подтверждения!",
    "You should verify your code in %d min!": "Вы должны проверить свой код через %d минут!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "Пожалуйста, добавьте поставщика SMS в список \\\"Провайдеры\\\" для приложения: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "Пожалуйста, добавьте поставщика электронной почты в список \\\"Провайдеры\\\" для приложения: %s",
    "the user does not exist, please sign up first": "Пользователь не существует, пожалуйста, сначала зарегистрируйтесь"
  },
  "webauthn": {
--- a/idp/github.go
+++ b/idp/github.go
@ -188,10 +188,23 @@ type GitHubUserInfo struct {
 	} `json:"plan"`
 }

+type GitHubUserEmailInfo struct {
+	Email      string `json:"email"`
+	Primary    bool   `json:"primary"`
+	Verified   bool   `json:"verified"`
+	Visibility string `json:"visibility"`
+}
+
+type GitHubErrorInfo struct {
+	Message          string `json:"message"`
+	DocumentationUrl string `json:"documentation_url"`
+	Status           string `json:"status"`
+}
+
 func (idp *GithubIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	req, err := http.NewRequest("GET", "https://api.github.com/user", nil)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}
 	req.Header.Add("Authorization", "token "+token.AccessToken)
 	resp, err := idp.Client.Do(req)
@ -212,6 +225,42 @@ func (idp *GithubIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 		return nil, err
 	}

+	if githubUserInfo.Email == "" {
+		reqEmail, err := http.NewRequest("GET", "https://api.github.com/user/emails", nil)
+		if err != nil {
+			return nil, err
+		}
+		reqEmail.Header.Add("Authorization", "token "+token.AccessToken)
+		respEmail, err := idp.Client.Do(reqEmail)
+		if err != nil {
+			return nil, err
+		}
+
+		defer respEmail.Body.Close()
+		emailBody, err := io.ReadAll(respEmail.Body)
+		if err != nil {
+			return nil, err
+		}
+
+		if respEmail.StatusCode != 200 {
+			var errMessage GitHubErrorInfo
+			err = json.Unmarshal(emailBody, &errMessage)
+			if err != nil {
+				return nil, err
+			}
+
+			fmt.Printf("GithubIdProvider:GetUserInfo() error, status code = %d, error message = %v\n", respEmail.StatusCode, errMessage)
+		} else {
+			var userEmails []GitHubUserEmailInfo
+			err = json.Unmarshal(emailBody, &userEmails)
+			if err != nil {
+				return nil, err
+			}
+
+			githubUserInfo.Email = idp.getEmailFromEmailsResult(userEmails)
+		}
+	}
+
 	userInfo := UserInfo{
 		Id:          strconv.Itoa(githubUserInfo.Id),
 		Username:    githubUserInfo.Login,
@ -248,3 +297,27 @@ func (idp *GithubIdProvider) postWithBody(body interface{}, url string) ([]byte,

 	return data, nil
 }
+
+func (idp *GithubIdProvider) getEmailFromEmailsResult(emailInfo []GitHubUserEmailInfo) string {
+	primaryEmail := ""
+	verifiedEmail := ""
+
+	for _, addr := range emailInfo {
+		if !addr.Verified || strings.Contains(addr.Email, "users.noreply.github.com") {
+			continue
+		}
+
+		if addr.Primary {
+			primaryEmail = addr.Email
+			break
+		} else if verifiedEmail == "" {
+			verifiedEmail = addr.Email
+		}
+	}
+
+	if primaryEmail != "" {
+		return primaryEmail
+	}
+
+	return verifiedEmail
+}
--- a/idp/kwai.go
+++ b/idp/kwai.go
@ -0,0 +1,161 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+type KwaiIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+}
+
+func NewKwaiIdProvider(clientId string, clientSecret string, redirectUrl string) *KwaiIdProvider {
+	idp := &KwaiIdProvider{}
+	idp.Config = idp.getConfig(clientId, clientSecret, redirectUrl)
+	return idp
+}
+
+func (idp *KwaiIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+func (idp *KwaiIdProvider) getConfig(clientId string, clientSecret string, redirectUrl string) *oauth2.Config {
+	endpoint := oauth2.Endpoint{
+		TokenURL: "https://open.kuaishou.com/oauth2/access_token",
+		AuthURL:  "https://open.kuaishou.com/oauth2/authorize", // qr code: /oauth2/connect
+	}
+
+	config := &oauth2.Config{
+		Scopes:       []string{"user_info"},
+		Endpoint:     endpoint,
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectUrl,
+	}
+
+	return config
+}
+
+type KwaiTokenResp struct {
+	Result                int      `json:"result"`
+	ErrorMsg              string   `json:"error_msg"`
+	AccessToken           string   `json:"access_token"`
+	ExpiresIn             int      `json:"expires_in"`
+	RefreshToken          string   `json:"refresh_token"`
+	RefreshTokenExpiresIn int      `json:"refresh_token_expires_in"`
+	OpenId                string   `json:"open_id"`
+	Scopes                []string `json:"scopes"`
+}
+
+// GetToken use code to get access_token
+func (idp *KwaiIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	params := map[string]string{
+		"app_id":     idp.Config.ClientID,
+		"app_secret": idp.Config.ClientSecret,
+		"code":       code,
+		"grant_type": "authorization_code",
+	}
+	tokenUrl := fmt.Sprintf("%s?app_id=%s&app_secret=%s&code=%s&grant_type=authorization_code",
+		idp.Config.Endpoint.TokenURL, params["app_id"], params["app_secret"], params["code"])
+	resp, err := idp.Client.Get(tokenUrl)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	var tokenResp KwaiTokenResp
+	err = json.Unmarshal(body, &tokenResp)
+	if err != nil {
+		return nil, err
+	}
+	if tokenResp.Result != 1 {
+		return nil, fmt.Errorf("get token error: %s", tokenResp.ErrorMsg)
+	}
+
+	token := &oauth2.Token{
+		AccessToken:  tokenResp.AccessToken,
+		RefreshToken: tokenResp.RefreshToken,
+		Expiry:       time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second),
+	}
+
+	raw := make(map[string]interface{})
+	raw["open_id"] = tokenResp.OpenId
+	token = token.WithExtra(raw)
+
+	return token, nil
+}
+
+// More details: https://open.kuaishou.com/openapi/user_info
+type KwaiUserInfo struct {
+	Result   int    `json:"result"`
+	ErrorMsg string `json:"error_msg"`
+	UserInfo struct {
+		Head string `json:"head"`
+		Name string `json:"name"`
+		Sex  string `json:"sex"`
+		City string `json:"city"`
+	} `json:"user_info"`
+}
+
+// GetUserInfo use token to get user profile
+func (idp *KwaiIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	userInfoUrl := fmt.Sprintf("https://open.kuaishou.com/openapi/user_info?app_id=%s&access_token=%s",
+		idp.Config.ClientID, token.AccessToken)
+
+	resp, err := idp.Client.Get(userInfoUrl)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	var kwaiUserInfo KwaiUserInfo
+	err = json.Unmarshal(body, &kwaiUserInfo)
+	if err != nil {
+		return nil, err
+	}
+
+	if kwaiUserInfo.Result != 1 {
+		return nil, fmt.Errorf("get user info error: %s", kwaiUserInfo.ErrorMsg)
+	}
+
+	userInfo := &UserInfo{
+		Id:          token.Extra("open_id").(string),
+		Username:    kwaiUserInfo.UserInfo.Name,
+		DisplayName: kwaiUserInfo.UserInfo.Name,
+		AvatarUrl:   kwaiUserInfo.UserInfo.Head,
+		Extra: map[string]string{
+			"gender": kwaiUserInfo.UserInfo.Sex,
+			"city":   kwaiUserInfo.UserInfo.City,
+		},
+	}
+
+	return userInfo, nil
+}
--- a/idp/provider.go
+++ b/idp/provider.go
@ -113,6 +113,8 @@ func GetIdProvider(idpInfo *ProviderInfo, redirectUrl string) (IdProvider, error
 		return NewOktaIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.HostUrl), nil
 	case "Douyin":
 		return NewDouyinIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
+	case "Kwai":
+		return NewKwaiIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "Bilibili":
 		return NewBilibiliIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "MetaMask":
--- a/ldap/server.go
+++ b/ldap/server.go
@ -15,33 +15,81 @@
 package ldap

 import (
+	"crypto/tls"
 	"fmt"
 	"hash/fnv"
 	"log"

 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/object"
-	ldap "github.com/forestmgy/ldapserver"
+	ldap "github.com/casdoor/ldapserver"
 	"github.com/lor00x/goldap/message"
 )

 func StartLdapServer() {
 	ldapServerPort := conf.GetConfigString("ldapServerPort")
-	if ldapServerPort == "" || ldapServerPort == "0" {
-		return
-	}
+	ldapsServerPort := conf.GetConfigString("ldapsServerPort")

 	server := ldap.NewServer()
+	serverSsl := ldap.NewServer()
 	routes := ldap.NewRouteMux()

 	routes.Bind(handleBind)
 	routes.Search(handleSearch).Label(" SEARCH****")

 	server.Handle(routes)
-	err := server.ListenAndServe("0.0.0.0:" + ldapServerPort)
+	serverSsl.Handle(routes)
+	go func() {
+		if ldapServerPort == "" || ldapServerPort == "0" {
+			return
+		}
+		err := server.ListenAndServe("0.0.0.0:" + ldapServerPort)
+		if err != nil {
+			log.Printf("StartLdapServer() failed, err = %s", err.Error())
+		}
+	}()
+
+	go func() {
+		if ldapsServerPort == "" || ldapsServerPort == "0" {
+			return
+		}
+		ldapsCertId := conf.GetConfigString("ldapsCertId")
+		if ldapsCertId == "" {
+			return
+		}
+		config, err := getTLSconfig(ldapsCertId)
+		if err != nil {
+			log.Printf("StartLdapsServer() failed, err = %s", err.Error())
+			return
+		}
+		secureConn := func(s *ldap.Server) {
+			s.Listener = tls.NewListener(s.Listener, config)
+		}
+		err = serverSsl.ListenAndServe("0.0.0.0:"+ldapsServerPort, secureConn)
+		if err != nil {
+			log.Printf("StartLdapsServer() failed, err = %s", err.Error())
+		}
+	}()
+}
+
+func getTLSconfig(ldapsCertId string) (*tls.Config, error) {
+	rawCert, err := object.GetCert(ldapsCertId)
 	if err != nil {
-		log.Printf("StartLdapServer() failed, err = %s", err.Error())
+		return nil, err
 	}
+	if rawCert == nil {
+		return nil, fmt.Errorf("cert is empty")
+	}
+	cert, err := tls.X509KeyPair([]byte(rawCert.Certificate), []byte(rawCert.PrivateKey))
+	if err != nil {
+		return &tls.Config{}, err
+	}
+
+	return &tls.Config{
+		MinVersion:   tls.VersionTLS10,
+		MaxVersion:   tls.VersionTLS13,
+		Certificates: []tls.Certificate{cert},
+	}, nil
 }

 func handleBind(w ldap.ResponseWriter, m *ldap.Message) {
@ -142,7 +190,7 @@ func handleSearch(w ldap.ResponseWriter, m *ldap.Message) {
 		}
 		for _, attr := range attrs {
 			e.AddAttribute(message.AttributeDescription(attr), getAttribute(string(attr), user))
-			if string(attr) == "cn" {
+			if string(attr) == "title" {
 				e.AddAttribute(message.AttributeDescription(attr), getAttribute("title", user))
 			}
 		}
--- a/ldap/util.go
+++ b/ldap/util.go
@ -23,7 +23,7 @@ import (
 	"github.com/casdoor/casdoor/util"
 	"github.com/lor00x/goldap/message"

-	ldap "github.com/forestmgy/ldapserver"
+	ldap "github.com/casdoor/ldapserver"

 	"github.com/xorm-io/builder"
 )
--- a/main.go
+++ b/main.go
@ -83,6 +83,11 @@ func main() {
 	// logs.SetLevel(logs.LevelInformational)
 	logs.SetLogFuncCall(false)

+	err = util.StopOldInstance(port)
+	if err != nil {
+		panic(err)
+	}
+
 	go ldap.StartLdapServer()
 	go radius.StartRadiusServer()
 	go object.ClearThroughputPerSecond()
--- a/object/application.go
+++ b/object/application.go
@ -95,6 +95,7 @@ type Application struct {
 	Tags                  []string        `xorm:"mediumtext" json:"tags"`
 	SamlAttributes        []*SamlItem     `xorm:"varchar(1000)" json:"samlAttributes"`
 	IsShared              bool            `json:"isShared"`
+	IpRestriction         string          `json:"ipRestriction"`

 	ClientId             string     `xorm:"varchar(100)" json:"clientId"`
 	ClientSecret         string     `xorm:"varchar(100)" json:"clientSecret"`
@ -108,6 +109,7 @@ type Application struct {
 	SigninUrl            string     `xorm:"varchar(200)" json:"signinUrl"`
 	ForgetUrl            string     `xorm:"varchar(200)" json:"forgetUrl"`
 	AffiliationUrl       string     `xorm:"varchar(100)" json:"affiliationUrl"`
+	IpWhitelist          string     `xorm:"varchar(200)" json:"ipWhitelist"`
 	TermsOfUse           string     `xorm:"varchar(100)" json:"termsOfUse"`
 	SignupHtml           string     `xorm:"mediumtext" json:"signupHtml"`
 	SigninHtml           string     `xorm:"mediumtext" json:"signinHtml"`
@ -721,8 +723,15 @@ func (application *Application) GetId() string {
 }

 func (application *Application) IsRedirectUriValid(redirectUri string) bool {
-	redirectUris := append([]string{"http://localhost:", "https://localhost:", "http://127.0.0.1:", "http://casdoor-app", ".chromiumapp.org"}, application.RedirectUris...)
-	for _, targetUri := range redirectUris {
+	isValid, err := util.IsValidOrigin(redirectUri)
+	if err != nil {
+		panic(err)
+	}
+	if isValid {
+		return true
+	}
+
+	for _, targetUri := range application.RedirectUris {
 		targetUriRegex := regexp.MustCompile(targetUri)
 		if targetUriRegex.MatchString(redirectUri) || strings.Contains(redirectUri, targetUri) {
 			return true
--- a/object/check.go
+++ b/object/check.go
@ -273,7 +273,7 @@ func CheckPasswordComplexity(user *User, password string) string {
 	return CheckPasswordComplexityByOrg(organization, password)
 }

-func checkLdapUserPassword(user *User, password string, lang string) error {
+func CheckLdapUserPassword(user *User, password string, lang string) error {
 	ldaps, err := GetLdaps(user.Owner)
 	if err != nil {
 		return err
@ -368,7 +368,7 @@ func CheckUserPassword(organization string, username string, password string, la
 		}

 		// only for LDAP users
-		err = checkLdapUserPassword(user, password, lang)
+		err = CheckLdapUserPassword(user, password, lang)
 		if err != nil {
 			if err.Error() == "user not exist" {
 				return nil, fmt.Errorf(i18n.Translate(lang, "check:The user: %s doesn't exist in LDAP server"), username)
@ -381,7 +381,13 @@ func CheckUserPassword(organization string, username string, password string, la
 		if err != nil {
 			return nil, err
 		}
+
+		err = checkPasswordExpired(user, lang)
+		if err != nil {
+			return nil, err
+		}
 	}
+
 	return user, nil
 }

@ -520,11 +526,46 @@ func CheckUsername(username string, lang string) string {
 	return ""
 }

+func CheckUsernameWithEmail(username string, lang string) string {
+	if username == "" {
+		return i18n.Translate(lang, "check:Empty username.")
+	} else if len(username) > 39 {
+		return i18n.Translate(lang, "check:Username is too long (maximum is 39 characters).")
+	}
+
+	// https://stackoverflow.com/questions/58726546/github-username-convention-using-regex
+
+	if !util.ReUserNameWithEmail.MatchString(username) {
+		return i18n.Translate(lang, "check:Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.")
+	}
+	return ""
+}
+
 func CheckUpdateUser(oldUser, user *User, lang string) string {
 	if oldUser.Name != user.Name {
-		if msg := CheckUsername(user.Name, lang); msg != "" {
-			return msg
+		organizationName := oldUser.Owner
+		if organizationName == "" {
+			organizationName = user.Owner
 		}
+
+		organization, err := getOrganization("admin", organizationName)
+		if err != nil {
+			return err.Error()
+		}
+		if organization == nil {
+			return fmt.Sprintf(i18n.Translate(lang, "auth:The organization: %s does not exist"), organizationName)
+		}
+
+		if organization.UseEmailAsUsername {
+			if msg := CheckUsernameWithEmail(user.Name, lang); msg != "" {
+				return msg
+			}
+		} else {
+			if msg := CheckUsername(user.Name, lang); msg != "" {
+				return msg
+			}
+		}
+
 		if HasUserByField(user.Owner, "name", user.Name) {
 			return i18n.Translate(lang, "check:Username already exists")
 		}
@ -539,6 +580,11 @@ func CheckUpdateUser(oldUser, user *User, lang string) string {
 			return i18n.Translate(lang, "check:Phone already exists")
 		}
 	}
+	if oldUser.IpWhitelist != user.IpWhitelist {
+		if err := CheckIpWhitelist(user.IpWhitelist, lang); err != nil {
+			return err.Error()
+		}
+	}

 	return ""
 }
--- a/object/check_ip.go
+++ b/object/check_ip.go
@ -0,0 +1,104 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+	"net"
+	"strings"
+
+	"github.com/casdoor/casdoor/i18n"
+)
+
+func CheckEntryIp(clientIp string, user *User, application *Application, organization *Organization, lang string) error {
+	entryIp := net.ParseIP(clientIp)
+	if entryIp == nil {
+		return fmt.Errorf(i18n.Translate(lang, "check:Failed to parse client IP: %s"), clientIp)
+	} else if entryIp.IsLoopback() {
+		return nil
+	}
+
+	var err error
+	if user != nil {
+		err = isEntryIpAllowd(user.IpWhitelist, entryIp, lang)
+		if err != nil {
+			return fmt.Errorf(err.Error() + user.Name)
+		}
+	}
+
+	if application != nil {
+		err = isEntryIpAllowd(application.IpWhitelist, entryIp, lang)
+		if err != nil {
+			application.IpRestriction = err.Error() + application.Name
+			return fmt.Errorf(err.Error() + application.Name)
+		} else {
+			application.IpRestriction = ""
+		}
+
+		if organization == nil && application.OrganizationObj != nil {
+			organization = application.OrganizationObj
+		}
+	}
+
+	if organization != nil {
+		err = isEntryIpAllowd(organization.IpWhitelist, entryIp, lang)
+		if err != nil {
+			organization.IpRestriction = err.Error() + organization.Name
+			return fmt.Errorf(err.Error() + organization.Name)
+		} else {
+			organization.IpRestriction = ""
+		}
+	}
+
+	return nil
+}
+
+func isEntryIpAllowd(ipWhitelistStr string, entryIp net.IP, lang string) error {
+	if ipWhitelistStr == "" {
+		return nil
+	}
+
+	ipWhitelist := strings.Split(ipWhitelistStr, ",")
+	for _, ip := range ipWhitelist {
+		_, ipNet, err := net.ParseCIDR(ip)
+		if err != nil {
+			return err
+		}
+		if ipNet == nil {
+			return fmt.Errorf(i18n.Translate(lang, "check:CIDR for IP: %s should not be empty"), entryIp.String())
+		}
+
+		if ipNet.Contains(entryIp) {
+			return nil
+		}
+	}
+
+	return fmt.Errorf(i18n.Translate(lang, "check:Your IP address: %s has been banned according to the configuration of: "), entryIp.String())
+}
+
+func CheckIpWhitelist(ipWhitelistStr string, lang string) error {
+	if ipWhitelistStr == "" {
+		return nil
+	}
+
+	ipWhiteList := strings.Split(ipWhitelistStr, ",")
+	for _, ip := range ipWhiteList {
+		if _, _, err := net.ParseCIDR(ip); err != nil {
+			return fmt.Errorf(i18n.Translate(lang, "check:%s does not meet the CIDR format requirements: %s"), ip, err.Error())
+		}
+	}
+
+	return nil
+}
--- a/object/check_password_expired.go
+++ b/object/check_password_expired.go
@ -0,0 +1,53 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/casdoor/casdoor/i18n"
+	"github.com/casdoor/casdoor/util"
+)
+
+func checkPasswordExpired(user *User, lang string) error {
+	organization, err := GetOrganizationByUser(user)
+	if err != nil {
+		return err
+	}
+	if organization == nil {
+		return fmt.Errorf(i18n.Translate(lang, "check:Organization does not exist"))
+	}
+
+	passwordExpireDays := organization.PasswordExpireDays
+	if passwordExpireDays <= 0 {
+		return nil
+	}
+
+	lastChangePasswordTime := user.LastChangePasswordTime
+	if lastChangePasswordTime == "" {
+		if user.CreatedTime == "" {
+			return fmt.Errorf(i18n.Translate(lang, "check:Your password has expired. Please reset your password by clicking \"Forgot password\""))
+		}
+		lastChangePasswordTime = user.CreatedTime
+	}
+
+	lastTime := util.String2Time(lastChangePasswordTime)
+	expireTime := lastTime.AddDate(0, 0, passwordExpireDays)
+	if time.Now().After(expireTime) {
+		return fmt.Errorf(i18n.Translate(lang, "check:Your password has expired. Please reset your password by clicking \"Forgot password\""))
+	}
+	return nil
+}
--- a/object/get-dashboard.go
+++ b/object/get-dashboard.go
@ -19,124 +19,90 @@ import (
 	"time"
 )

-type Dashboard struct {
-	OrganizationCounts []int `json:"organizationCounts"`
-	UserCounts         []int `json:"userCounts"`
-	ProviderCounts     []int `json:"providerCounts"`
-	ApplicationCounts  []int `json:"applicationCounts"`
-	SubscriptionCounts []int `json:"subscriptionCounts"`
+type DashboardDateItem struct {
+	CreatedTime string `json:"createTime"`
 }

-func GetDashboard(owner string) (*Dashboard, error) {
+type DashboardMapItem struct {
+	dashboardDateItems []DashboardDateItem
+	itemCount          int64
+}
+
+func GetDashboard(owner string) (*map[string][]int64, error) {
 	if owner == "All" {
 		owner = ""
 	}

-	dashboard := &Dashboard{
-		OrganizationCounts: make([]int, 31),
-		UserCounts:         make([]int, 31),
-		ProviderCounts:     make([]int, 31),
-		ApplicationCounts:  make([]int, 31),
-		SubscriptionCounts: make([]int, 31),
+	dashboard := make(map[string][]int64)
+	dashboardMap := sync.Map{}
+	tableNames := []string{"organization", "user", "provider", "application", "subscription", "role", "group", "resource", "cert", "permission", "transaction", "model", "adapter", "enforcer"}
+
+	time30day := time.Now().AddDate(0, 0, -30)
+	var wg sync.WaitGroup
+	var err error
+	wg.Add(len(tableNames))
+	ch := make(chan error, len(tableNames))
+	for _, tableName := range tableNames {
+		dashboard[tableName+"Counts"] = make([]int64, 31)
+		tableName := tableName
+		go func(ch chan error) {
+			defer wg.Done()
+			dashboardDateItems := []DashboardDateItem{}
+			var countResult int64
+
+			dbQueryBefore := ormer.Engine.Cols("created_time")
+			dbQueryAfter := ormer.Engine.Cols("created_time")
+
+			if owner != "" {
+				dbQueryAfter = dbQueryAfter.And("owner = ?", owner)
+				dbQueryBefore = dbQueryBefore.And("owner = ?", owner)
+			}
+
+			if countResult, err = dbQueryBefore.And("created_time < ?", time30day).Table(tableName).Count(); err != nil {
+				ch <- err
+				return
+			}
+			if err = dbQueryAfter.And("created_time >= ?", time30day).Table(tableName).Find(&dashboardDateItems); err != nil {
+				ch <- err
+				return
+			}
+
+			dashboardMap.Store(tableName, DashboardMapItem{
+				dashboardDateItems: dashboardDateItems,
+				itemCount:          countResult,
+			})
+		}(ch)
 	}

-	organizations := []Organization{}
-	users := []User{}
-	providers := []Provider{}
-	applications := []Application{}
-	subscriptions := []Subscription{}
-
-	var wg sync.WaitGroup
-	wg.Add(5)
-	go func() {
-		defer wg.Done()
-		if err := ormer.Engine.Find(&organizations, &Organization{Owner: owner}); err != nil {
-			panic(err)
-		}
-	}()
-
-	go func() {
-		defer wg.Done()
-
-		if err := ormer.Engine.Find(&users, &User{Owner: owner}); err != nil {
-			panic(err)
-		}
-	}()
-
-	go func() {
-		defer wg.Done()
-
-		if err := ormer.Engine.Find(&providers, &Provider{Owner: owner}); err != nil {
-			panic(err)
-		}
-	}()
-
-	go func() {
-		defer wg.Done()
-
-		if err := ormer.Engine.Find(&applications, &Application{Owner: owner}); err != nil {
-			panic(err)
-		}
-	}()
-
-	go func() {
-		defer wg.Done()
-
-		if err := ormer.Engine.Find(&subscriptions, &Subscription{Owner: owner}); err != nil {
-			panic(err)
-		}
-	}()
 	wg.Wait()
+	close(ch)
+
+	for err = range ch {
+		if err != nil {
+			return nil, err
+		}
+	}

 	nowTime := time.Now()
 	for i := 30; i >= 0; i-- {
 		cutTime := nowTime.AddDate(0, 0, -i)
-		dashboard.OrganizationCounts[30-i] = countCreatedBefore(organizations, cutTime)
-		dashboard.UserCounts[30-i] = countCreatedBefore(users, cutTime)
-		dashboard.ProviderCounts[30-i] = countCreatedBefore(providers, cutTime)
-		dashboard.ApplicationCounts[30-i] = countCreatedBefore(applications, cutTime)
-		dashboard.SubscriptionCounts[30-i] = countCreatedBefore(subscriptions, cutTime)
+		for _, tableName := range tableNames {
+			item, exist := dashboardMap.Load(tableName)
+			if !exist {
+				continue
+			}
+			dashboard[tableName+"Counts"][30-i] = countCreatedBefore(item.(DashboardMapItem), cutTime)
+		}
 	}
-	return dashboard, nil
+	return &dashboard, nil
 }

-func countCreatedBefore(objects interface{}, before time.Time) int {
-	count := 0
-	switch obj := objects.(type) {
-	case []Organization:
-		for _, o := range obj {
-			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", o.CreatedTime)
-			if createdTime.Before(before) {
-				count++
-			}
-		}
-	case []User:
-		for _, u := range obj {
-			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", u.CreatedTime)
-			if createdTime.Before(before) {
-				count++
-			}
-		}
-	case []Provider:
-		for _, p := range obj {
-			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", p.CreatedTime)
-			if createdTime.Before(before) {
-				count++
-			}
-		}
-	case []Application:
-		for _, a := range obj {
-			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", a.CreatedTime)
-			if createdTime.Before(before) {
-				count++
-			}
-		}
-	case []Subscription:
-		for _, s := range obj {
-			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", s.CreatedTime)
-			if createdTime.Before(before) {
-				count++
-			}
+func countCreatedBefore(dashboardMapItem DashboardMapItem, before time.Time) int64 {
+	count := dashboardMapItem.itemCount
+	for _, e := range dashboardMapItem.dashboardDateItems {
+		createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", e.CreatedTime)
+		if createdTime.Before(before) {
+			count++
 		}
 	}
 	return count
--- a/object/init_data.go
+++ b/object/init_data.go
@ -48,12 +48,16 @@ type InitData struct {
 	Transactions  []*Transaction        `json:"transactions"`
 }

+var initDataNewOnly bool
+
 func InitFromFile() {
 	initDataFile := conf.GetConfigString("initDataFile")
 	if initDataFile == "" {
 		return
 	}

+	initDataNewOnly = conf.GetConfigBool("initDataNewOnly")
+
 	initData, err := readInitDataFromFile(initDataFile)
 	if err != nil {
 		panic(err)
@ -182,6 +186,9 @@ func readInitDataFromFile(filePath string) (*InitData, error) {
 		if organization.Tags == nil {
 			organization.Tags = []string{}
 		}
+		if organization.AccountItems == nil {
+			organization.AccountItems = []*AccountItem{}
+		}
 	}
 	for _, application := range data.Applications {
 		if application.Providers == nil {
@ -266,6 +273,9 @@ func initDefinedOrganization(organization *Organization) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := deleteOrganization(organization)
 		if err != nil {
 			panic(err)
@ -275,7 +285,9 @@ func initDefinedOrganization(organization *Organization) {
 		}
 	}
 	organization.CreatedTime = util.GetCurrentTime()
-	organization.AccountItems = getBuiltInAccountItems()
+	if len(organization.AccountItems) == 0 {
+		organization.AccountItems = getBuiltInAccountItems()
+	}

 	_, err = AddOrganization(organization)
 	if err != nil {
@ -290,6 +302,9 @@ func initDefinedApplication(application *Application) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := deleteApplication(application)
 		if err != nil {
 			panic(err)
@ -311,6 +326,9 @@ func initDefinedUser(user *User) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := deleteUser(user)
 		if err != nil {
 			panic(err)
@ -337,6 +355,9 @@ func initDefinedCert(cert *Cert) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteCert(cert)
 		if err != nil {
 			panic(err)
@ -359,6 +380,9 @@ func initDefinedLdap(ldap *Ldap) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteLdap(ldap)
 		if err != nil {
 			panic(err)
@ -380,6 +404,9 @@ func initDefinedProvider(provider *Provider) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteProvider(provider)
 		if err != nil {
 			panic(err)
@ -401,6 +428,9 @@ func initDefinedModel(model *Model) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteModel(model)
 		if err != nil {
 			panic(err)
@ -423,6 +453,9 @@ func initDefinedPermission(permission *Permission) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := deletePermission(permission)
 		if err != nil {
 			panic(err)
@ -445,6 +478,9 @@ func initDefinedPayment(payment *Payment) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeletePayment(payment)
 		if err != nil {
 			panic(err)
@ -467,6 +503,9 @@ func initDefinedProduct(product *Product) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteProduct(product)
 		if err != nil {
 			panic(err)
@ -489,6 +528,9 @@ func initDefinedResource(resource *Resource) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteResource(resource)
 		if err != nil {
 			panic(err)
@ -511,6 +553,9 @@ func initDefinedRole(role *Role) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := deleteRole(role)
 		if err != nil {
 			panic(err)
@ -533,6 +578,9 @@ func initDefinedSyncer(syncer *Syncer) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteSyncer(syncer)
 		if err != nil {
 			panic(err)
@ -555,6 +603,9 @@ func initDefinedToken(token *Token) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteToken(token)
 		if err != nil {
 			panic(err)
@ -577,6 +628,9 @@ func initDefinedWebhook(webhook *Webhook) {
 	}

 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteWebhook(webhook)
 		if err != nil {
 			panic(err)
@ -598,6 +652,9 @@ func initDefinedGroup(group *Group) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := deleteGroup(group)
 		if err != nil {
 			panic(err)
@ -619,6 +676,9 @@ func initDefinedAdapter(adapter *Adapter) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteAdapter(adapter)
 		if err != nil {
 			panic(err)
@ -640,6 +700,9 @@ func initDefinedEnforcer(enforcer *Enforcer) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteEnforcer(enforcer)
 		if err != nil {
 			panic(err)
@ -661,6 +724,9 @@ func initDefinedPlan(plan *Plan) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeletePlan(plan)
 		if err != nil {
 			panic(err)
@ -682,6 +748,9 @@ func initDefinedPricing(pricing *Pricing) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeletePricing(pricing)
 		if err != nil {
 			panic(err)
@ -703,6 +772,9 @@ func initDefinedInvitation(invitation *Invitation) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteInvitation(invitation)
 		if err != nil {
 			panic(err)
@ -738,6 +810,9 @@ func initDefinedSubscription(subscription *Subscription) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteSubscription(subscription)
 		if err != nil {
 			panic(err)
@ -759,6 +834,9 @@ func initDefinedTransaction(transaction *Transaction) {
 		panic(err)
 	}
 	if existed != nil {
+		if initDataNewOnly {
+			return
+		}
 		affected, err := DeleteTransaction(transaction)
 		if err != nil {
 			panic(err)
--- a/object/ldap_conn.go
+++ b/object/ldap_conn.go
@ -20,9 +20,11 @@ import (
 	"strings"

 	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/util"
 	goldap "github.com/go-ldap/ldap/v3"
 	"github.com/thanhpk/randstr"
+	"golang.org/x/text/encoding/unicode"
 )

 type LdapConn struct {
@ -371,6 +373,64 @@ func GetExistUuids(owner string, uuids []string) ([]string, error) {
 	return existUuids, nil
 }

+func ResetLdapPassword(user *User, newPassword string, lang string) error {
+	ldaps, err := GetLdaps(user.Owner)
+	if err != nil {
+		return err
+	}
+
+	for _, ldapServer := range ldaps {
+		conn, err := ldapServer.GetLdapConn()
+		if err != nil {
+			continue
+		}
+
+		searchReq := goldap.NewSearchRequest(ldapServer.BaseDn, goldap.ScopeWholeSubtree, goldap.NeverDerefAliases,
+			0, 0, false, ldapServer.buildAuthFilterString(user), []string{}, nil)
+
+		searchResult, err := conn.Conn.Search(searchReq)
+		if err != nil {
+			conn.Close()
+			return err
+		}
+
+		if len(searchResult.Entries) == 0 {
+			conn.Close()
+			continue
+		}
+		if len(searchResult.Entries) > 1 {
+			conn.Close()
+			return fmt.Errorf(i18n.Translate(lang, "check:Multiple accounts with same uid, please check your ldap server"))
+		}
+
+		userDn := searchResult.Entries[0].DN
+
+		var pwdEncoded string
+		modifyPasswordRequest := goldap.NewModifyRequest(userDn, nil)
+		if conn.IsAD {
+			utf16 := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM)
+			pwdEncoded, err := utf16.NewEncoder().String("\"" + newPassword + "\"")
+			if err != nil {
+				conn.Close()
+				return err
+			}
+			modifyPasswordRequest.Replace("unicodePwd", []string{pwdEncoded})
+			modifyPasswordRequest.Replace("userAccountControl", []string{"512"})
+		} else {
+			pwdEncoded = newPassword
+			modifyPasswordRequest.Replace("userPassword", []string{pwdEncoded})
+		}
+
+		err = conn.Conn.Modify(modifyPasswordRequest)
+		if err != nil {
+			conn.Close()
+			return err
+		}
+		conn.Close()
+	}
+	return nil
+}
+
 func (ldapUser *LdapUser) buildLdapUserName(owner string) (string, error) {
 	user := User{}
 	uidWithNumber := fmt.Sprintf("%s_%s", ldapUser.Uid, ldapUser.UidNumber)
--- a/object/organization.go
+++ b/object/organization.go
@ -60,6 +60,9 @@ type Organization struct {
 	PasswordType           string     `xorm:"varchar(100)" json:"passwordType"`
 	PasswordSalt           string     `xorm:"varchar(100)" json:"passwordSalt"`
 	PasswordOptions        []string   `xorm:"varchar(100)" json:"passwordOptions"`
+	PasswordObfuscatorType string     `xorm:"varchar(100)" json:"passwordObfuscatorType"`
+	PasswordObfuscatorKey  string     `xorm:"varchar(100)" json:"passwordObfuscatorKey"`
+	PasswordExpireDays     int        `json:"passwordExpireDays"`
 	CountryCodes           []string   `xorm:"varchar(200)"  json:"countryCodes"`
 	DefaultAvatar          string     `xorm:"varchar(200)" json:"defaultAvatar"`
 	DefaultApplication     string     `xorm:"varchar(100)" json:"defaultApplication"`
@ -69,11 +72,13 @@ type Organization struct {
 	MasterPassword         string     `xorm:"varchar(100)" json:"masterPassword"`
 	DefaultPassword        string     `xorm:"varchar(100)" json:"defaultPassword"`
 	MasterVerificationCode string     `xorm:"varchar(100)" json:"masterVerificationCode"`
+	IpWhitelist            string     `xorm:"varchar(200)" json:"ipWhitelist"`
 	InitScore              int        `json:"initScore"`
 	EnableSoftDeletion     bool       `json:"enableSoftDeletion"`
 	IsProfilePublic        bool       `json:"isProfilePublic"`
 	UseEmailAsUsername     bool       `json:"useEmailAsUsername"`
 	EnableTour             bool       `json:"enableTour"`
+	IpRestriction          string     `json:"ipRestriction"`

 	MfaItems     []*MfaItem     `xorm:"varchar(300)" json:"mfaItems"`
 	AccountItems []*AccountItem `xorm:"varchar(5000)" json:"accountItems"`
--- a/object/permission_enforcer.go
+++ b/object/permission_enforcer.go
@ -364,7 +364,7 @@ func GetAllActions(userId string) ([]string, error) {

 	res := []string{}
 	for _, enforcer := range enforcers {
-		items := enforcer.GetAllObjects()
+		items := enforcer.GetAllActions()
 		res = append(res, items...)
 	}
 	return res, nil
--- a/object/provider.go
+++ b/object/provider.go
@ -16,6 +16,7 @@ package object

 import (
 	"fmt"
+	"regexp"
 	"strings"

 	"github.com/beego/beego/context"
@ -70,6 +71,7 @@ type Provider struct {
 	IdP                    string `xorm:"mediumtext" json:"idP"`
 	IssuerUrl              string `xorm:"varchar(100)" json:"issuerUrl"`
 	EnableSignAuthnRequest bool   `json:"enableSignAuthnRequest"`
+	EmailRegex             string `xorm:"varchar(200)" json:"emailRegex"`

 	ProviderUrl string `xorm:"varchar(200)" json:"providerUrl"`
 }
@ -200,6 +202,13 @@ func UpdateProvider(id string, provider *Provider) (bool, error) {
 		return false, nil
 	}

+	if provider.EmailRegex != "" {
+		_, err := regexp.Compile(provider.EmailRegex)
+		if err != nil {
+			return false, err
+		}
+	}
+
 	if name != provider.Name {
 		err := providerChangeTrigger(name, provider.Name)
 		if err != nil {
@ -234,6 +243,13 @@ func AddProvider(provider *Provider) (bool, error) {
 		provider.IntranetEndpoint = util.GetEndPoint(provider.IntranetEndpoint)
 	}

+	if provider.EmailRegex != "" {
+		_, err := regexp.Compile(provider.EmailRegex)
+		if err != nil {
+			return false, err
+		}
+	}
+
 	affected, err := ormer.Engine.Insert(provider)
 	if err != nil {
 		return false, err
@ -421,7 +437,7 @@ func FromProviderToIdpInfo(ctx *context.Context, provider *Provider) *idp.Provid
 			providerInfo.ClientId = provider.ClientId2
 			providerInfo.ClientSecret = provider.ClientSecret2
 		}
-	} else if provider.Type == "AzureAD" || provider.Type == "AzureADB2C" || provider.Type == "ADFS" || provider.Type == "Okta" {
+	} else if provider.Type == "ADFS" || provider.Type == "AzureAD" || provider.Type == "AzureADB2C" || provider.Type == "Casdoor" || provider.Type == "Okta" {
 		providerInfo.HostUrl = provider.Domain
 	}

--- a/object/record.go
+++ b/object/record.go
@ -33,7 +33,7 @@ var (

 func init() {
 	logPostOnly = conf.GetConfigBool("logPostOnly")
-	passwordRegex = regexp.MustCompile("\"password\":\".+\"")
+	passwordRegex = regexp.MustCompile("\"password\":\"([^\"]*?)\"")
 }

 type Record struct {
@ -50,7 +50,7 @@ func maskPassword(recordString string) string {
 }

 func NewRecord(ctx *context.Context) (*casvisorsdk.Record, error) {
-	ip := strings.Replace(util.GetIPFromRequest(ctx.Request), ": ", "", -1)
+	clientIp := strings.Replace(util.GetClientIpFromRequest(ctx.Request), ": ", "", -1)
 	action := strings.Replace(ctx.Request.URL.Path, "/api/", "", -1)
 	requestUri := util.FilterQuery(ctx.Request.RequestURI, []string{"accessToken"})
 	if len(requestUri) > 1000 {
@ -83,7 +83,7 @@ func NewRecord(ctx *context.Context) (*casvisorsdk.Record, error) {
 	record := casvisorsdk.Record{
 		Name:        util.GenerateId(),
 		CreatedTime: util.GetCurrentTime(),
-		ClientIp:    ip,
+		ClientIp:    clientIp,
 		User:        "",
 		Method:      ctx.Request.Method,
 		RequestUri:  requestUri,
--- a/object/role.go
+++ b/object/role.go
@ -338,6 +338,10 @@ func roleChangeTrigger(oldName string, newName string) error {

 	for _, role := range roles {
 		for j, u := range role.Roles {
+			if u == "*" {
+				continue
+			}
+
 			owner, name := util.GetOwnerAndNameFromId(u)
 			if name == oldName {
 				role.Roles[j] = util.GetId(owner, newName)
@ -358,6 +362,10 @@ func roleChangeTrigger(oldName string, newName string) error {
 	for _, permission := range permissions {
 		for j, u := range permission.Roles {
 			// u = organization/username
+			if u == "*" {
+				continue
+			}
+
 			owner, name := util.GetOwnerAndNameFromId(u)
 			if name == oldName {
 				permission.Roles[j] = util.GetId(owner, newName)
--- a/object/saml_idp.go
+++ b/object/saml_idp.go
@ -26,6 +26,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"strings"
 	"time"

 	"github.com/beevik/etree"
@ -222,10 +223,13 @@ func GetSamlMeta(application *Application, host string, enablePostBinding bool)
 	originFrontend, originBackend := getOriginFromHost(host)

 	idpLocation := ""
+	idpBinding := ""
 	if enablePostBinding {
 		idpLocation = fmt.Sprintf("%s/api/saml/redirect/%s/%s", originBackend, application.Owner, application.Name)
+		idpBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 	} else {
 		idpLocation = fmt.Sprintf("%s/login/saml/authorize/%s/%s", originFrontend, application.Owner, application.Name)
+		idpBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 	}

 	d := IdpEntityDescriptor{
@ -258,7 +262,7 @@ func GetSamlMeta(application *Application, host string, enablePostBinding bool)
 				{Xmlns: "urn:oasis:names:tc:SAML:2.0:assertion", Name: "Name", NameFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", FriendlyName: "Name"},
 			},
 			SingleSignOnService: SingleSignOnService{
-				Binding:  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+				Binding:  idpBinding,
 				Location: idpLocation,
 			},
 			ProtocolSupportEnumeration: "urn:oasis:names:tc:SAML:2.0:protocol",
@ -273,29 +277,38 @@ func GetSamlMeta(application *Application, host string, enablePostBinding bool)
 func GetSamlResponse(application *Application, user *User, samlRequest string, host string) (string, string, string, error) {
 	// request type
 	method := "GET"
-
+	samlRequest = strings.ReplaceAll(samlRequest, " ", "+")
 	// base64 decode
 	defated, err := base64.StdEncoding.DecodeString(samlRequest)
 	if err != nil {
 		return "", "", "", fmt.Errorf("err: Failed to decode SAML request, %s", err.Error())
 	}

-	// decompress
-	var buffer bytes.Buffer
-	rdr := flate.NewReader(bytes.NewReader(defated))
+	var requestByte []byte

-	for {
-		_, err = io.CopyN(&buffer, rdr, 1024)
-		if err != nil {
-			if err == io.EOF {
-				break
+	if strings.Contains(string(defated), "xmlns:") {
+		requestByte = defated
+	} else {
+		// decompress
+		var buffer bytes.Buffer
+		rdr := flate.NewReader(bytes.NewReader(defated))
+
+		for {
+
+			_, err = io.CopyN(&buffer, rdr, 1024)
+			if err != nil {
+				if err == io.EOF {
+					break
+				}
+				return "", "", "", err
 			}
-			return "", "", "", err
 		}
+
+		requestByte = buffer.Bytes()
 	}

 	var authnRequest saml.AuthNRequest
-	err = xml.Unmarshal(buffer.Bytes(), &authnRequest)
+	err = xml.Unmarshal(requestByte, &authnRequest)
 	if err != nil {
 		return "", "", "", fmt.Errorf("err: Failed to unmarshal AuthnRequest, please check the SAML request, %s", err.Error())
 	}
--- a/object/token.go
+++ b/object/token.go
@ -102,14 +102,6 @@ func GetTokenByAccessToken(accessToken string) (*Token, error) {
 		return nil, err
 	}

-	if !existed {
-		token = Token{AccessToken: accessToken}
-		existed, err = ormer.Engine.Get(&token)
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	if !existed {
 		return nil, nil
 	}
@ -123,14 +115,6 @@ func GetTokenByRefreshToken(refreshToken string) (*Token, error) {
 		return nil, err
 	}

-	if !existed {
-		token = Token{RefreshToken: refreshToken}
-		existed, err = ormer.Engine.Get(&token)
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	if !existed {
 		return nil, nil
 	}
@ -140,6 +124,7 @@ func GetTokenByRefreshToken(refreshToken string) (*Token, error) {
 func GetTokenByTokenValue(tokenValue, tokenTypeHint string) (*Token, error) {
 	switch tokenTypeHint {
 	case "access_token":
+	case "access-token":
 		token, err := GetTokenByAccessToken(tokenValue)
 		if err != nil {
 			return nil, err
@ -148,6 +133,7 @@ func GetTokenByTokenValue(tokenValue, tokenTypeHint string) (*Token, error) {
 			return token, nil
 		}
 	case "refresh_token":
+	case "refresh-token":
 		token, err := GetTokenByRefreshToken(tokenValue)
 		if err != nil {
 			return nil, err
--- a/object/token_cas.go
+++ b/object/token_cas.go
@ -22,6 +22,7 @@ import (
 	"encoding/xml"
 	"fmt"
 	"math/rand"
+	"strings"
 	"sync"
 	"time"

@ -184,6 +185,15 @@ func StoreCasTokenForProxyTicket(token *CasAuthenticationSuccess, targetService,
 	return proxyTicket
 }

+func escapeXMLText(input string) (string, error) {
+	var sb strings.Builder
+	err := xml.EscapeText(&sb, []byte(input))
+	if err != nil {
+		return "", err
+	}
+	return sb.String(), nil
+}
+
 func GenerateCasToken(userId string, service string) (string, error) {
 	user, err := GetUser(userId)
 	if err != nil {
@ -225,6 +235,11 @@ func GenerateCasToken(userId string, service string) (string, error) {
 		}

 		if value != "" {
+			if escapedValue, err := escapeXMLText(value); err != nil {
+				return "", err
+			} else {
+				value = escapedValue
+			}
 			authenticationSuccess.Attributes.UserAttributes.Attributes = append(authenticationSuccess.Attributes.UserAttributes.Attributes, &CasNamedAttribute{
 				Name:  k,
 				Value: value,
--- a/object/token_oauth.go
+++ b/object/token_oauth.go
@ -309,22 +309,29 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId
 		}, nil
 	}

+	var oldTokenScope string
 	if application.TokenFormat == "JWT-Standard" {
-		_, err = ParseStandardJwtToken(refreshToken, cert)
+		oldToken, err := ParseStandardJwtToken(refreshToken, cert)
 		if err != nil {
 			return &TokenError{
 				Error:            InvalidGrant,
 				ErrorDescription: fmt.Sprintf("parse refresh token error: %s", err.Error()),
 			}, nil
 		}
+		oldTokenScope = oldToken.Scope
 	} else {
-		_, err = ParseJwtToken(refreshToken, cert)
+		oldToken, err := ParseJwtToken(refreshToken, cert)
 		if err != nil {
 			return &TokenError{
 				Error:            InvalidGrant,
 				ErrorDescription: fmt.Sprintf("parse refresh token error: %s", err.Error()),
 			}, nil
 		}
+		oldTokenScope = oldToken.Scope
+	}
+
+	if scope == "" {
+		scope = oldTokenScope
 	}

 	// generate a new token
@ -332,6 +339,9 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId
 	if err != nil {
 		return nil, err
 	}
+	if user == nil {
+		return "", fmt.Errorf("The user: %s doesn't exist", util.GetId(application.Organization, token.User))
+	}

 	if user.IsForbidden {
 		return &TokenError{
@ -501,7 +511,7 @@ func GetPasswordToken(application *Application, username string, password string
 	}

 	if user.Ldap != "" {
-		err = checkLdapUserPassword(user, password, "en")
+		err = CheckLdapUserPassword(user, password, "en")
 	} else {
 		err = CheckPassword(user, password, "en")
 	}
--- a/object/user.go
+++ b/object/user.go
@ -129,6 +129,7 @@ type User struct {
 	Bilibili        string `xorm:"bilibili varchar(100)" json:"bilibili"`
 	Okta            string `xorm:"okta varchar(100)" json:"okta"`
 	Douyin          string `xorm:"douyin varchar(100)" json:"douyin"`
+	Kwai            string `xorm:"kwai varchar(100)" json:"kwai"`
 	Line            string `xorm:"line varchar(100)" json:"line"`
 	Amazon          string `xorm:"amazon varchar(100)" json:"amazon"`
 	Auth0           string `xorm:"auth0 varchar(100)" json:"auth0"`
@ -200,12 +201,14 @@ type User struct {
 	Permissions []*Permission `json:"permissions"`
 	Groups      []string      `xorm:"groups varchar(1000)" json:"groups"`

-	LastSigninWrongTime string `xorm:"varchar(100)" json:"lastSigninWrongTime"`
-	SigninWrongTimes    int    `json:"signinWrongTimes"`
+	LastChangePasswordTime string `xorm:"varchar(100)" json:"lastChangePasswordTime"`
+	LastSigninWrongTime    string `xorm:"varchar(100)" json:"lastSigninWrongTime"`
+	SigninWrongTimes       int    `json:"signinWrongTimes"`

 	ManagedAccounts    []ManagedAccount `xorm:"managedAccounts blob" json:"managedAccounts"`
 	MfaAccounts        []MfaAccount     `xorm:"mfaAccounts blob" json:"mfaAccounts"`
 	NeedUpdatePassword bool             `json:"needUpdatePassword"`
+	IpWhitelist        string           `xorm:"varchar(200)" json:"ipWhitelist"`
 }

 type Userinfo struct {
@ -235,6 +238,7 @@ type MfaAccount struct {
 	AccountName string `xorm:"varchar(100)" json:"accountName"`
 	Issuer      string `xorm:"varchar(100)" json:"issuer"`
 	SecretKey   string `xorm:"varchar(100)" json:"secretKey"`
+	Origin      string `xorm:"varchar(100)" json:"origin"`
 }

 type FaceId struct {
@ -677,6 +681,10 @@ func UpdateUser(id string, user *User, columns []string, isAdmin bool) (bool, er
 		user.Password = oldUser.Password
 	}

+	if user.Id != oldUser.Id && user.Id == "" {
+		user.Id = oldUser.Id
+	}
+
 	if user.Avatar != oldUser.Avatar && user.Avatar != "" && user.PermanentAvatar != "*" {
 		user.PermanentAvatar, err = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, false)
 		if err != nil {
@ -689,14 +697,14 @@ func UpdateUser(id string, user *User, columns []string, isAdmin bool) (bool, er
 			"owner", "display_name", "avatar", "first_name", "last_name",
 			"location", "address", "country_code", "region", "language", "affiliation", "title", "id_card_type", "id_card", "homepage", "bio", "tag", "language", "gender", "birthday", "education", "score", "karma", "ranking", "signup_application",
 			"is_admin", "is_forbidden", "is_deleted", "hash", "is_default_avatar", "properties", "webauthnCredentials", "managedAccounts", "face_ids", "mfaAccounts",
-			"signin_wrong_times", "last_signin_wrong_time", "groups", "access_key", "access_secret", "mfa_phone_enabled", "mfa_email_enabled",
+			"signin_wrong_times", "last_change_password_time", "last_signin_wrong_time", "groups", "access_key", "access_secret", "mfa_phone_enabled", "mfa_email_enabled",
 			"github", "google", "qq", "wechat", "facebook", "dingtalk", "weibo", "gitee", "linkedin", "wecom", "lark", "gitlab", "adfs",
-			"baidu", "alipay", "casdoor", "infoflow", "apple", "azuread", "azureadb2c", "slack", "steam", "bilibili", "okta", "douyin", "line", "amazon",
+			"baidu", "alipay", "casdoor", "infoflow", "apple", "azuread", "azureadb2c", "slack", "steam", "bilibili", "okta", "douyin", "kwai", "line", "amazon",
 			"auth0", "battlenet", "bitbucket", "box", "cloudfoundry", "dailymotion", "deezer", "digitalocean", "discord", "dropbox",
 			"eveonline", "fitbit", "gitea", "heroku", "influxcloud", "instagram", "intercom", "kakao", "lastfm", "mailru", "meetup",
 			"microsoftonline", "naver", "nextcloud", "onedrive", "oura", "patreon", "paypal", "salesforce", "shopify", "soundcloud",
 			"spotify", "strava", "stripe", "type", "tiktok", "tumblr", "twitch", "twitter", "typetalk", "uber", "vk", "wepay", "xero", "yahoo",
-			"yammer", "yandex", "zoom", "custom", "need_update_password",
+			"yammer", "yandex", "zoom", "custom", "need_update_password", "ip_whitelist",
 		}
 	}
 	if isAdmin {
@ -815,6 +823,10 @@ func AddUser(user *User) (bool, error) {
 		user.UpdateUserPassword(organization)
 	}

+	if user.CreatedTime == "" {
+		user.CreatedTime = util.GetCurrentTime()
+	}
+
 	err = user.UpdateUserHash()
 	if err != nil {
 		return false, err
--- a/object/user_util.go
+++ b/object/user_util.go
@ -557,6 +557,14 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, lang str
 			itemsChanged = append(itemsChanged, item)
 		}
 	}
+	if oldUser.IpWhitelist != newUser.IpWhitelist {
+		item := GetAccountItemByName("IP whitelist", organization)
+		if item == nil {
+			newUser.IpWhitelist = oldUser.IpWhitelist
+		} else {
+			itemsChanged = append(itemsChanged, item)
+		}
+	}

 	if oldUser.Balance != newUser.Balance {
 		item := GetAccountItemByName("Balance", organization)
--- a/object/verification.go
+++ b/object/verification.go
@ -57,7 +57,7 @@ type VerificationRecord struct {
 	Receiver   string `xorm:"varchar(100) index notnull" json:"receiver"`
 	Code       string `xorm:"varchar(10) notnull" json:"code"`
 	Time       int64  `xorm:"notnull" json:"time"`
-	IsUsed     bool
+	IsUsed     bool   `xorm:"notnull" json:"isUsed"`
 }

 func IsAllowSend(user *User, remoteAddr, recordType string) error {
--- a/radius/server.go
+++ b/radius/server.go
@ -68,8 +68,10 @@ func handleAccessRequest(w radius.ResponseWriter, r *radius.Request) {
 	log.Printf("handleAccessRequest() username=%v, org=%v, password=%v", username, organization, password)

 	if organization == "" {
-		w.Write(r.Response(radius.CodeAccessReject))
-		return
+		organization = conf.GetConfigString("radiusDefaultOrganization")
+		if organization == "" {
+			organization = "built-in"
+		}
 	}

 	var user *object.User
--- a/routers/cors_filter.go
+++ b/routers/cors_filter.go
@ -16,11 +16,11 @@ package routers

 import (
 	"net/http"
-	"strings"

 	"github.com/beego/beego/context"
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 const (
@ -52,7 +52,13 @@ func CorsFilter(ctx *context.Context) {
 		origin = ""
 	}

-	if strings.HasPrefix(origin, "http://localhost") || strings.HasPrefix(origin, "https://localhost") || strings.HasPrefix(origin, "http://127.0.0.1") || strings.HasPrefix(origin, "http://casdoor-app") || strings.Contains(origin, ".chromiumapp.org") {
+	isValid, err := util.IsValidOrigin(origin)
+	if err != nil {
+		ctx.ResponseWriter.WriteHeader(http.StatusForbidden)
+		responseError(ctx, err.Error())
+		return
+	}
+	if isValid {
 		setCorsHeaders(ctx, origin)
 		return
 	}
--- a/routers/router.go
+++ b/routers/router.go
@ -174,6 +174,8 @@ func initAPI() {
 	beego.Router("/api/get-all-actions", &controllers.ApiController{}, "GET:GetAllActions")
 	beego.Router("/api/get-all-roles", &controllers.ApiController{}, "GET:GetAllRoles")

+	beego.Router("/api/run-casbin-command", &controllers.ApiController{}, "GET:RunCasbinCommand")
+
 	beego.Router("/api/get-sessions", &controllers.ApiController{}, "GET:GetSessions")
 	beego.Router("/api/get-session", &controllers.ApiController{}, "GET:GetSingleSession")
 	beego.Router("/api/update-session", &controllers.ApiController{}, "POST:UpdateSession")
--- a/storage/cucloud_oss.go
+++ b/storage/cucloud_oss.go
@ -0,0 +1,21 @@
+package storage
+
+import (
+	awss3 "github.com/aws/aws-sdk-go/service/s3"
+	"github.com/casdoor/oss"
+	"github.com/casdoor/oss/s3"
+)
+
+func NewCUCloudOssStorageProvider(clientId string, clientSecret string, region string, bucket string, endpoint string) oss.StorageInterface {
+	sp := s3.New(&s3.Config{
+		AccessID:   clientId,
+		AccessKey:  clientSecret,
+		Region:     region,
+		Bucket:     bucket,
+		Endpoint:   endpoint,
+		S3Endpoint: endpoint,
+		ACL:        awss3.BucketCannedACLPublicRead,
+	})
+
+	return sp
+}
--- a/storage/storage.go
+++ b/storage/storage.go
@ -23,7 +23,10 @@ func GetStorageProvider(providerType string, clientId string, clientSecret strin
 	case "AWS S3":
 		return NewAwsS3StorageProvider(clientId, clientSecret, region, bucket, endpoint), nil
 	case "MinIO":
-		return NewMinIOS3StorageProvider(clientId, clientSecret, "_", bucket, endpoint), nil
+		if region == "" {
+			region = "_"
+		}
+		return NewMinIOS3StorageProvider(clientId, clientSecret, region, bucket, endpoint), nil
 	case "Aliyun OSS":
 		return NewAliyunOssStorageProvider(clientId, clientSecret, region, bucket, endpoint), nil
 	case "Tencent Cloud COS":
@ -38,6 +41,8 @@ func GetStorageProvider(providerType string, clientId string, clientSecret strin
 		return NewSynologyNasStorageProvider(clientId, clientSecret, endpoint), nil
 	case "Casdoor":
 		return NewCasdoorStorageProvider(providerType, clientId, clientSecret, region, bucket, endpoint, cert, content), nil
+	case "CUCloud OSS":
+		return NewCUCloudOssStorageProvider(clientId, clientSecret, region, bucket, endpoint), nil
 	}

 	return nil, nil
--- a/swagger/swagger.json
+++ b/swagger/swagger.json
@ -7558,6 +7558,9 @@
                    "type": "integer",
                    "format": "int64"
                },
+                "kwai": {
+                    "type": "string"
+                },
                "language": {
                    "type": "string"
                },
--- a/swagger/swagger.yml
+++ b/swagger/swagger.yml
@ -4981,6 +4981,8 @@ definitions:
      karma:
        type: integer
        format: int64
+      kwai:
+        type: string
      language:
        type: string
      lark:
--- a/util/log.go
+++ b/util/log.go
@ -23,50 +23,50 @@ import (
 	"github.com/beego/beego/logs"
 )

-func GetIPInfo(clientIP string) string {
-	if clientIP == "" {
+func getIpInfo(clientIp string) string {
+	if clientIp == "" {
 		return ""
 	}

-	ips := strings.Split(clientIP, ",")
-	res := ""
-	for i := range ips {
-		ip := strings.TrimSpace(ips[i])
-		// desc := GetDescFromIP(ip)
-		ipstr := fmt.Sprintf("%s: %s", ip, "")
-		if i != len(ips)-1 {
-			res += ipstr + " -> "
-		} else {
-			res += ipstr
-		}
-	}
+	ips := strings.Split(clientIp, ",")
+	res := strings.TrimSpace(ips[0])
+	//res := ""
+	//for i := range ips {
+	//	ip := strings.TrimSpace(ips[i])
+	//	ipstr := fmt.Sprintf("%s: %s", ip, "")
+	//	if i != len(ips)-1 {
+	//		res += ipstr + " -> "
+	//	} else {
+	//		res += ipstr
+	//	}
+	//}

 	return res
 }

-func GetIPFromRequest(req *http.Request) string {
-	clientIP := req.Header.Get("x-forwarded-for")
-	if clientIP == "" {
+func GetClientIpFromRequest(req *http.Request) string {
+	clientIp := req.Header.Get("x-forwarded-for")
+	if clientIp == "" {
 		ipPort := strings.Split(req.RemoteAddr, ":")
 		if len(ipPort) >= 1 && len(ipPort) <= 2 {
-			clientIP = ipPort[0]
+			clientIp = ipPort[0]
 		} else if len(ipPort) > 2 {
 			idx := strings.LastIndex(req.RemoteAddr, ":")
-			clientIP = req.RemoteAddr[0:idx]
-			clientIP = strings.TrimLeft(clientIP, "[")
-			clientIP = strings.TrimRight(clientIP, "]")
+			clientIp = req.RemoteAddr[0:idx]
+			clientIp = strings.TrimLeft(clientIp, "[")
+			clientIp = strings.TrimRight(clientIp, "]")
 		}
 	}

-	return GetIPInfo(clientIP)
+	return getIpInfo(clientIp)
 }

 func LogInfo(ctx *context.Context, f string, v ...interface{}) {
-	ipString := fmt.Sprintf("(%s) ", GetIPFromRequest(ctx.Request))
+	ipString := fmt.Sprintf("(%s) ", GetClientIpFromRequest(ctx.Request))
 	logs.Info(ipString+f, v...)
 }

 func LogWarning(ctx *context.Context, f string, v ...interface{}) {
-	ipString := fmt.Sprintf("(%s) ", GetIPFromRequest(ctx.Request))
+	ipString := fmt.Sprintf("(%s) ", GetClientIpFromRequest(ctx.Request))
 	logs.Warning(ipString+f, v...)
 }
--- a/util/obfuscator.go
+++ b/util/obfuscator.go
@ -0,0 +1,76 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package util
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/des"
+	"encoding/hex"
+	"fmt"
+)
+
+func unPaddingPkcs7(s []byte) []byte {
+	length := len(s)
+	if length == 0 {
+		return s
+	}
+	unPadding := int(s[length-1])
+	return s[:(length - unPadding)]
+}
+
+func decryptDesOrAes(passwordCipher string, block cipher.Block) (string, error) {
+	passwordCipherBytes, err := hex.DecodeString(passwordCipher)
+	if err != nil {
+		return "", err
+	}
+
+	if len(passwordCipherBytes) < block.BlockSize() {
+		return "", fmt.Errorf("the password ciphertext should contain a random hexadecimal string of length %d at the beginning", block.BlockSize()*2)
+	}
+
+	iv := passwordCipherBytes[:block.BlockSize()]
+	password := make([]byte, len(passwordCipherBytes)-block.BlockSize())
+
+	mode := cipher.NewCBCDecrypter(block, iv)
+	mode.CryptBlocks(password, passwordCipherBytes[block.BlockSize():])
+
+	return string(unPaddingPkcs7(password)), nil
+}
+
+func GetUnobfuscatedPassword(passwordObfuscatorType string, passwordObfuscatorKey string, passwordCipher string) (string, error) {
+	if passwordObfuscatorType == "Plain" || passwordObfuscatorType == "" {
+		return passwordCipher, nil
+	} else if passwordObfuscatorType == "DES" || passwordObfuscatorType == "AES" {
+		key, err := hex.DecodeString(passwordObfuscatorKey)
+		if err != nil {
+			return "", err
+		}
+
+		var block cipher.Block
+		if passwordObfuscatorType == "DES" {
+			block, err = des.NewCipher(key)
+		} else {
+			block, err = aes.NewCipher(key)
+		}
+		if err != nil {
+			return "", err
+		}
+
+		return decryptDesOrAes(passwordCipher, block)
+	} else {
+		return "", fmt.Errorf("unsupported password obfuscator type: %s", passwordObfuscatorType)
+	}
+}
--- a/util/process.go
+++ b/util/process.go
@ -0,0 +1,97 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package util
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"strconv"
+	"strings"
+)
+
+func getPidByPort(port int) (int, error) {
+	var cmd *exec.Cmd
+	switch runtime.GOOS {
+	case "windows":
+		cmd = exec.Command("cmd", "/c", "netstat -ano | findstr :"+strconv.Itoa(port))
+	case "darwin", "linux":
+		cmd = exec.Command("lsof", "-t", "-i", ":"+strconv.Itoa(port))
+	default:
+		return 0, fmt.Errorf("unsupported OS: %s", runtime.GOOS)
+	}
+
+	output, err := cmd.Output()
+	if err != nil {
+		if exitErr, ok := err.(*exec.ExitError); ok {
+			if exitErr.ExitCode() == 1 {
+				return 0, nil
+			}
+		} else {
+			return 0, err
+		}
+	}
+
+	lines := strings.Split(string(output), "\n")
+	for _, line := range lines {
+		fields := strings.Fields(line)
+		if len(fields) > 0 {
+			if runtime.GOOS == "windows" {
+				if fields[1] == "0.0.0.0:"+strconv.Itoa(port) {
+					pid, err := strconv.Atoi(fields[len(fields)-1])
+					if err != nil {
+						return 0, err
+					}
+
+					return pid, nil
+				}
+			} else {
+				pid, err := strconv.Atoi(fields[0])
+				if err != nil {
+					return 0, err
+				}
+
+				return pid, nil
+			}
+		}
+	}
+
+	return 0, nil
+}
+
+func StopOldInstance(port int) error {
+	pid, err := getPidByPort(port)
+	if err != nil {
+		return err
+	}
+	if pid == 0 {
+		return nil
+	}
+
+	process, err := os.FindProcess(pid)
+	if err != nil {
+		return err
+	}
+
+	err = process.Kill()
+	if err != nil {
+		return err
+	} else {
+		fmt.Printf("The old instance with pid: %d has been stopped\n", pid)
+	}
+
+	return nil
+}
--- a/util/validation.go
+++ b/util/validation.go
@ -17,6 +17,7 @@ package util
 import (
 	"fmt"
 	"net/mail"
+	"net/url"
 	"regexp"
 	"strings"

@ -24,10 +25,11 @@ import (
 )

 var (
-	rePhone          *regexp.Regexp
-	ReWhiteSpace     *regexp.Regexp
-	ReFieldWhiteList *regexp.Regexp
-	ReUserName       *regexp.Regexp
+	rePhone             *regexp.Regexp
+	ReWhiteSpace        *regexp.Regexp
+	ReFieldWhiteList    *regexp.Regexp
+	ReUserName          *regexp.Regexp
+	ReUserNameWithEmail *regexp.Regexp
 )

 func init() {
@ -35,6 +37,7 @@ func init() {
 	ReWhiteSpace, _ = regexp.Compile(`\s`)
 	ReFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
 	ReUserName, _ = regexp.Compile("^[a-zA-Z0-9]+([-._][a-zA-Z0-9]+)*$")
+	ReUserNameWithEmail, _ = regexp.Compile(`^([a-zA-Z0-9]+([-._][a-zA-Z0-9]+)*)|([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})$`) // Add support for email formats
 }

 func IsEmailValid(email string) bool {
@ -51,6 +54,9 @@ func IsPhoneValid(phone string, countryCode string) bool {
 }

 func IsPhoneAllowInRegin(countryCode string, allowRegions []string) bool {
+	if ContainsString(allowRegions, "All") {
+		return true
+	}
 	return ContainsString(allowRegions, countryCode)
 }

@ -97,3 +103,21 @@ func GetCountryCode(prefix string, phone string) (string, error) {
 func FilterField(field string) bool {
 	return ReFieldWhiteList.MatchString(field)
 }
+
+func IsValidOrigin(origin string) (bool, error) {
+	urlObj, err := url.Parse(origin)
+	if err != nil {
+		return false, err
+	}
+	if urlObj == nil {
+		return false, nil
+	}
+
+	originHostOnly := ""
+	if urlObj.Host != "" {
+		originHostOnly = fmt.Sprintf("%s://%s", urlObj.Scheme, urlObj.Hostname())
+	}
+
+	res := originHostOnly == "http://localhost" || originHostOnly == "https://localhost" || originHostOnly == "http://127.0.0.1" || originHostOnly == "http://casdoor-app" || strings.HasSuffix(originHostOnly, ".chromiumapp.org")
+	return res, nil
+}
--- a/web/craco.config.js
+++ b/web/craco.config.js
@ -1,4 +1,5 @@
 const CracoLessPlugin = require("craco-less");
+const path = require("path");

 module.exports = {
  devServer: {
@ -55,47 +56,42 @@ module.exports = {
    },
  ],
  webpack: {
-    configure: {
-      // ignore webpack warnings by source-map-loader 
+    configure: (webpackConfig, { env, paths }) => {
+      paths.appBuild = path.resolve(__dirname, "build-temp");
+      webpackConfig.output.path = path.resolve(__dirname, "build-temp");
+
+      // ignore webpack warnings by source-map-loader
      // https://github.com/facebook/create-react-app/pull/11752#issuecomment-1345231546
-      ignoreWarnings: [
+      webpackConfig.ignoreWarnings = [
        function ignoreSourcemapsloaderWarnings(warning) {
          return (
            warning.module &&
-            warning.module.resource.includes('node_modules') &&
+            warning.module.resource.includes("node_modules") &&
            warning.details &&
-            warning.details.includes('source-map-loader')
-          )
+            warning.details.includes("source-map-loader")
+          );
        },
-      ],
+      ];
+
      // use polyfill Buffer with Webpack 5
      // https://viglucci.io/articles/how-to-polyfill-buffer-with-webpack-5
      // https://craco.js.org/docs/configuration/webpack/
-      resolve: {
-        fallback: {
-          // "process": require.resolve('process/browser'),
-          // "util": require.resolve("util/"),
-          // "url": require.resolve("url/"),
-          // "zlib": require.resolve("browserify-zlib"),
-          // "stream": require.resolve("stream-browserify"),
-          // "http": require.resolve("stream-http"),
-          // "https": require.resolve("https-browserify"),
-          // "assert": require.resolve("assert/"),
-          "buffer": require.resolve('buffer/'),    
-          "process": false,
-          "util": false,
-          "url": false,
-          "zlib": false,
-          "stream": false,
-          "http": false,
-          "https": false,
-          "assert": false,
-          "buffer": false,
-          "crypto": false,
-          "os": false,
-          "fs": false,
-        },
-      }
+      webpackConfig.resolve.fallback = {
+        buffer: require.resolve("buffer/"),
+        process: false,
+        util: false,
+        url: false,
+        zlib: false,
+        stream: false,
+        http: false,
+        https: false,
+        assert: false,
+        crypto: false,
+        os: false,
+        fs: false,
+      };
+
+      return webpackConfig;
    },
-  }
+  },
 };
--- a/web/mv.js
+++ b/web/mv.js
@ -0,0 +1,21 @@
+const fs = require("fs");
+const path = require("path");
+
+const sourceDir = path.join(__dirname, "build-temp");
+const targetDir = path.join(__dirname, "build");
+
+if (!fs.existsSync(sourceDir)) {
+  // eslint-disable-next-line no-console
+  console.error(`Source directory "${sourceDir}" does not exist.`);
+  process.exit(1);
+}
+
+if (fs.existsSync(targetDir)) {
+  fs.rmSync(targetDir, {recursive: true, force: true});
+  // eslint-disable-next-line no-console
+  console.log(`Target directory "${targetDir}" has been deleted successfully.`);
+}
+
+fs.renameSync(sourceDir, targetDir);
+// eslint-disable-next-line no-console
+console.log(`Renamed "${sourceDir}" to "${targetDir}" successfully.`);
--- a/web/package.json
+++ b/web/package.json
@ -27,6 +27,7 @@
    "copy-to-clipboard": "^3.3.1",
    "core-js": "^3.25.0",
    "craco-less": "^2.0.0",
+    "crypto-js": "^4.2.0",
    "echarts": "^5.4.3",
    "ethers": "5.6.9",
    "face-api.js": "^0.22.2",
@ -56,6 +57,7 @@
  "scripts": {
    "start": "cross-env PORT=7001 craco start",
    "build": "craco build",
+    "postbuild": "node mv.js",
    "test": "craco test",
    "eject": "craco eject",
    "crowdin:sync": "crowdin upload && crowdin download",
--- a/web/src/App.js
+++ b/web/src/App.js
@ -308,7 +308,7 @@ class App extends Component {
                AI Assistant
              </a>
            </Tooltip>
-            <a className="custom-link" style={{float: "right", marginTop: "2px"}} target="_blank" rel="noreferrer" href={"https://ai.casbin.com"}>
+            <a className="custom-link" style={{float: "right", marginTop: "2px"}} target="_blank" rel="noreferrer" href={`${Conf.AiAssistantUrl}`}>
              <ShareAltOutlined className="custom-link" style={{fontSize: "20px", color: "rgb(140,140,140)"}} />
            </a>
            <a className="custom-link" style={{float: "right", marginRight: "30px", marginTop: "2px"}} target="_blank" rel="noreferrer" href={"https://github.com/casibase/casibase"}>
@ -326,7 +326,7 @@ class App extends Component {
        }}
        visible={this.state.isAiAssistantOpen}
      >
-        <iframe id="iframeHelper" title={"iframeHelper"} src={"https://ai.casbin.com/?isRaw=1"} width="100%" height="100%" scrolling="no" frameBorder="no" />
+        <iframe id="iframeHelper" title={"iframeHelper"} src={`${Conf.AiAssistantUrl}/?isRaw=1`} width="100%" height="100%" scrolling="no" frameBorder="no" />
      </Drawer>
    );
  }
@ -362,7 +362,11 @@ class App extends Component {
    if (this.isDoorPages()) {
      return (
        <ConfigProvider theme={{
-          algorithm: Setting.getAlgorithm(["default"]),
+          token: {
+            colorPrimary: this.state.themeData.colorPrimary,
+            borderRadius: this.state.themeData.borderRadius,
+          },
+          algorithm: Setting.getAlgorithm(this.state.themeAlgorithm),
        }}>
          <StyleProvider hashPriority="high" transformers={[legacyLogicalPropertiesTransformer]}>
            <Layout id="parent-area">
@ -372,6 +376,7 @@ class App extends Component {
                    <EntryPage
                      account={this.state.account}
                      theme={this.state.themeData}
+                      themeAlgorithm={this.state.themeAlgorithm}
                      updateApplication={(application) => {
                        this.setState({
                          application: application,
@ -446,7 +451,6 @@ class App extends Component {
                setLogoutState={() => {
                  this.setState({
                    account: null,
-                    themeAlgorithm: ["default"],
                  });
                }}
              />
--- a/web/src/App.less
+++ b/web/src/App.less
@ -129,6 +129,15 @@ img {
  background-attachment: fixed;
 }

+.loginBackgroundDark {
+  flex: auto;
+  display: flex;
+  align-items: center;
+  background: #000 no-repeat;
+  background-size: 100% 100%;
+  background-attachment: fixed;
+}
+
 .ant-menu-horizontal {
  border-bottom: none !important;
 }
--- a/web/src/ApplicationEditPage.js
+++ b/web/src/ApplicationEditPage.js
@ -46,12 +46,18 @@ require("codemirror/mode/css/css");
 const {Option} = Select;

 const template = `<style>
-  .login-panel{
+  .login-panel {
    padding: 40px 70px 0 70px;
    border-radius: 10px;
    background-color: #ffffff;
    box-shadow: 0 0 30px 20px rgba(0, 0, 0, 0.20);
-}
+  }
+  .login-panel-dark {
+    padding: 40px 70px 0 70px;
+    border-radius: 10px;
+    background-color: #333333;
+    box-shadow: 0 0 30px 20px rgba(255, 255, 255, 0.20);
+  }
 </style>`;

 const previewGrid = Setting.isMobile() ? 22 : 11;
@ -592,6 +598,16 @@ class ApplicationEditPage extends React.Component {
            }} />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("general:IP whitelist"), i18next.t("general:IP whitelist - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Input placeholder = {this.state.application.organizationObj?.ipWhitelist} value={this.state.application.ipWhitelist} onChange={e => {
+              this.updateApplicationField("ipWhitelist", e.target.value);
+            }} />
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("signup:Terms of Use"), i18next.t("signup:Terms of Use - Tooltip"))} :
@ -749,7 +765,7 @@ class ApplicationEditPage extends React.Component {
            />
            <br />
            <Button style={{marginBottom: "10px"}} type="primary" shape="round" icon={<CopyOutlined />} onClick={() => {
-              copy(`${window.location.origin}/api/saml/metadata?application=admin/${encodeURIComponent(this.state.applicationName)}&post=${this.state.application.enableSamlPostBinding}`);
+              copy(`${window.location.origin}/api/saml/metadata?application=admin/${encodeURIComponent(this.state.applicationName)}&enablePostBinding=${this.state.application.enableSamlPostBinding}`);
              Setting.showMessage("success", i18next.t("general:Copied to clipboard successfully"));
            }}
            >
@ -977,6 +993,7 @@ class ApplicationEditPage extends React.Component {
                <SigninTable
                  title={i18next.t("application:Signin items")}
                  table={this.state.application.signinItems}
+                  themeAlgorithm={this.state.themeAlgorithm}
                  onUpdateTable={(value) => {
                    this.updateApplicationField("signinItems", value);
                  }}
--- a/web/src/CasbinEditor.js
+++ b/web/src/CasbinEditor.js
@ -19,6 +19,7 @@ import "codemirror/mode/properties/properties";
 import * as Setting from "./Setting";
 import IframeEditor from "./IframeEditor";
 import {Tabs} from "antd";
+import i18next from "i18next";

 const {TabPane} = Tabs;

@ -68,8 +69,8 @@ const CasbinEditor = ({model, onModelTextChange}) => {
  return (
    <div style={{height: "100%", width: "100%", display: "flex", flexDirection: "column"}}>
      <Tabs activeKey={activeKey} onChange={handleTabChange} style={{flex: "0 0 auto", marginTop: "-10px"}}>
-        <TabPane tab="Basic Editor" key="basic" />
-        <TabPane tab="Advanced Editor" key="advanced" />
+        <TabPane tab={i18next.t("model:Basic Editor")} key="basic" />
+        <TabPane tab={i18next.t("model:Advanced Editor")} key="advanced" />
      </Tabs>
      <div style={{flex: "1 1 auto", overflow: "hidden"}}>
        {activeKey === "advanced" ? (
--- a/web/src/Conf.js
+++ b/web/src/Conf.js
@ -31,3 +31,6 @@ export const ThemeDefault = {
 };

 export const CustomFooter = null;
+
+// Blank or null to hide Ai Assistant button
+export const AiAssistantUrl = "https://ai.casbin.com";
--- a/web/src/EntryPage.js
+++ b/web/src/EntryPage.js
@ -34,6 +34,7 @@ import PaymentResultPage from "./PaymentResultPage";
 import QrCodePage from "./QrCodePage";
 import CaptchaPage from "./CaptchaPage";
 import CustomHead from "./basic/CustomHead";
+import * as Util from "./auth/Util";

 class EntryPage extends React.Component {
  constructor(props) {
@ -94,10 +95,20 @@ class EntryPage extends React.Component {
        });
    };

+    if (this.state.application?.ipRestriction) {
+      return Util.renderMessageLarge(this, this.state.application.ipRestriction);
+    }
+
+    if (this.state.application?.organizationObj?.ipRestriction) {
+      return Util.renderMessageLarge(this, this.state.application.organizationObj.ipRestriction);
+    }
+
+    const isDarkMode = this.props.themeAlgorithm.includes("dark");
+
    return (
      <React.Fragment>
        <CustomHead headerHtml={this.state.application?.headerHtml} />
-        <div className="loginBackground"
+        <div className={`${isDarkMode ? "loginBackgroundDark" : "loginBackground"}`}
          style={{backgroundImage: Setting.inIframe() || Setting.isMobile() ? null : `url(${this.state.application?.formBackgroundUrl})`}}>
          <Spin size="large" spinning={this.state.application === undefined && this.state.pricing === undefined} tip={i18next.t("login:Loading")}
            style={{margin: "0 auto"}} />
@ -124,6 +135,7 @@ class EntryPage extends React.Component {
            <Route exact path="/captcha" render={(props) => <CaptchaPage {...props} />} />
          </Switch>
        </div>
+
      </React.Fragment>
    );
  }
--- a/web/src/IframeEditor.js
+++ b/web/src/IframeEditor.js
@ -17,6 +17,7 @@ import React, {forwardRef, useEffect, useImperativeHandle, useRef, useState} fro
 const IframeEditor = forwardRef(({initialModelText, onModelTextChange}, ref) => {
  const iframeRef = useRef(null);
  const [iframeReady, setIframeReady] = useState(false);
+  const currentLang = localStorage.getItem("language") || "en";

  useEffect(() => {
    const handleMessage = (event) => {
@ -26,24 +27,31 @@ const IframeEditor = forwardRef(({initialModelText, onModelTextChange}, ref) =>
        onModelTextChange(event.data.modelText);
      } else if (event.data.type === "iframeReady") {
        setIframeReady(true);
-        iframeRef.current?.contentWindow.postMessage({
-          type: "initializeModel",
-          modelText: initialModelText,
-        }, "*");
+        if (initialModelText && iframeRef.current?.contentWindow) {
+          iframeRef.current.contentWindow.postMessage({
+            type: "initializeModel",
+            modelText: initialModelText,
+            lang: currentLang,
+          }, "*");
+        }
      }
    };

    window.addEventListener("message", handleMessage);
    return () => window.removeEventListener("message", handleMessage);
-  }, [onModelTextChange, initialModelText]);
+  }, [onModelTextChange, initialModelText, currentLang]);

  useImperativeHandle(ref, () => ({
    getModelText: () => {
-      iframeRef.current?.contentWindow.postMessage({type: "getModelText"}, "*");
+      if (iframeRef.current?.contentWindow) {
+        iframeRef.current.contentWindow.postMessage({
+          type: "getModelText",
+        }, "*");
+      }
    },
    updateModelText: (newModelText) => {
-      if (iframeReady) {
-        iframeRef.current?.contentWindow.postMessage({
+      if (iframeReady && iframeRef.current?.contentWindow) {
+        iframeRef.current.contentWindow.postMessage({
          type: "updateModelText",
          modelText: newModelText,
        }, "*");
@ -54,7 +62,7 @@ const IframeEditor = forwardRef(({initialModelText, onModelTextChange}, ref) =>
  return (
    <iframe
      ref={iframeRef}
-      src="https://editor.casbin.org/model-editor"
+      src={`https://editor.casbin.org/model-editor?lang=${currentLang}`}
      frameBorder="0"
      width="100%"
      height="500px"
--- a/web/src/InvitationEditPage.js
+++ b/web/src/InvitationEditPage.js
@ -20,6 +20,7 @@ import * as ApplicationBackend from "./backend/ApplicationBackend";
 import * as Setting from "./Setting";
 import i18next from "i18next";
 import copy from "copy-to-clipboard";
+import * as GroupBackend from "./backend/GroupBackend";

 const {Option} = Select;

@ -33,6 +34,7 @@ class InvitationEditPage extends React.Component {
      invitation: null,
      organizations: [],
      applications: [],
+      groups: [],
      mode: props.location.mode !== undefined ? props.location.mode : "edit",
    };
  }
@ -41,6 +43,7 @@ class InvitationEditPage extends React.Component {
    this.getInvitation();
    this.getOrganizations();
    this.getApplicationsByOrganization(this.state.organizationName);
+    this.getGroupsByOrganization(this.state.organizationName);
  }

  getInvitation() {
@ -75,6 +78,17 @@ class InvitationEditPage extends React.Component {
      });
  }

+  getGroupsByOrganization(organizationName) {
+    GroupBackend.getGroups(organizationName)
+      .then((res) => {
+        if (res.status === "ok") {
+          this.setState({
+            groups: res.data,
+          });
+        }
+      });
+  }
+
  parseInvitationField(key, value) {
    if ([""].includes(key)) {
      value = Setting.myParseInt(value);
@ -120,7 +134,7 @@ class InvitationEditPage extends React.Component {
            {Setting.getLabel(i18next.t("general:Organization"), i18next.t("general:Organization - Tooltip"))} :
          </Col>
          <Col span={22} >
-            <Select virtual={false} style={{width: "100%"}} disabled={!Setting.isAdminUser(this.props.account) || isCreatedByPlan} value={this.state.invitation.owner} onChange={(value => {this.updateInvitationField("owner", value); this.getApplicationsByOrganization(value);})}>
+            <Select virtual={false} style={{width: "100%"}} disabled={!Setting.isAdminUser(this.props.account) || isCreatedByPlan} value={this.state.invitation.owner} onChange={(value => {this.updateInvitationField("owner", value); this.getApplicationsByOrganization(value);this.getGroupsByOrganization(value);})}>
              {
                this.state.organizations.map((organization, index) => <Option key={index} value={organization.name}>{organization.name}</Option>)
              }
@ -204,6 +218,21 @@ class InvitationEditPage extends React.Component {
              ]} />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("provider:Signup group"), i18next.t("provider:Signup group - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Select virtual={false} style={{width: "100%"}} value={this.state.invitation.signupGroup} onChange={(value => {this.updateInvitationField("signupGroup", value);})}>
+              <Option key={""} value={""}>
+                {i18next.t("general:Default")}
+              </Option>
+              {
+                this.state.groups.map((group, index) => <Option key={index} value={`${group.owner}/${group.name}`}>{group.name}</Option>)
+              }
+            </Select>
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("signup:Username"), i18next.t("signup:Username - Tooltip"))} :
--- a/web/src/ManagementPage.js
+++ b/web/src/ManagementPage.js
@ -192,17 +192,21 @@ function ManagementPage(props) {
            themeAlgorithm={props.themeAlgorithm}
            onChange={props.setLogoAndThemeAlgorithm} />
          <LanguageSelect languages={props.account.organization.languages} />
-          <Tooltip title="Click to open AI assitant">
-            <div className="select-box" onClick={props.openAiAssistant}>
-              <DeploymentUnitOutlined style={{fontSize: "24px"}} />
-            </div>
-          </Tooltip>
+          {
+            Conf.AiAssistantUrl?.trim() && (
+              <Tooltip title="Click to open AI assistant">
+                <div className="select-box" onClick={props.openAiAssistant}>
+                  <DeploymentUnitOutlined style={{fontSize: "24px"}} />
+                </div>
+              </Tooltip>
+            )
+          }
          <OpenTour />
-          {Setting.isAdminUser(props.account) && !Setting.isMobile() && (props.uri.indexOf("/trees") === -1) &&
+          {Setting.isAdminUser(props.account) && (props.uri.indexOf("/trees") === -1) &&
                        <OrganizationSelect
                          initValue={Setting.getOrganization()}
                          withAll={true}
-                          style={{marginRight: "20px", width: "180px", display: "flex"}}
+                          style={{marginRight: "20px", width: "180px", display: !Setting.isMobile() ? "flex" : "none"}}
                          onChange={(value) => {
                            Setting.setOrganization(value);
                          }}
--- a/web/src/OrganizationEditPage.js
+++ b/web/src/OrganizationEditPage.js
@ -19,6 +19,7 @@ import * as ApplicationBackend from "./backend/ApplicationBackend";
 import * as LdapBackend from "./backend/LdapBackend";
 import * as Setting from "./Setting";
 import * as Conf from "./Conf";
+import * as Obfuscator from "./auth/Obfuscator";
 import i18next from "i18next";
 import {LinkOutlined} from "@ant-design/icons";
 import LdapTable from "./table/LdapTable";
@ -112,6 +113,22 @@ class OrganizationEditPage extends React.Component {
    });
  }

+  updatePasswordObfuscator(key, value) {
+    const organization = this.state.organization;
+    if (organization.passwordObfuscatorType === "") {
+      organization.passwordObfuscatorType = "Plain";
+    }
+    if (key === "type") {
+      organization.passwordObfuscatorType = value;
+      organization.passwordObfuscatorKey = Obfuscator.getRandomKeyForObfuscator(value);
+    } else if (key === "key") {
+      organization.passwordObfuscatorKey = value;
+    }
+    this.setState({
+      organization: organization,
+    });
+  }
+
  renderOrganization() {
    return (
      <Card size="small" title={
@ -294,6 +311,44 @@ class OrganizationEditPage extends React.Component {
            />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("general:Password obfuscator"), i18next.t("general:Password obfuscator - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Select virtual={false} style={{width: "100%"}}
+              value={this.state.organization.passwordObfuscatorType}
+              onChange={(value => {this.updatePasswordObfuscator("type", value);})}>
+              {
+                [
+                  {id: "Plain", name: "Plain"},
+                  {id: "AES", name: "AES"},
+                  {id: "DES", name: "DES"},
+                ].map((obfuscatorType, index) => <Option key={index} value={obfuscatorType.id}>{obfuscatorType.name}</Option>)
+              }
+            </Select>
+          </Col>
+        </Row>
+        {
+          (this.state.organization.passwordObfuscatorType === "Plain" || this.state.organization.passwordObfuscatorType === "") ? null : (<Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+              {Setting.getLabel(i18next.t("general:Password obf key"), i18next.t("general:Password obf key - Tooltip"))} :
+            </Col>
+            <Col span={22} >
+              <Input value={this.state.organization.passwordObfuscatorKey} onChange={(e) => {this.updatePasswordObfuscator("key", e.target.value);}} />
+            </Col>
+          </Row>)
+        }
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
+            {Setting.getLabel(i18next.t("organization:Password expire days"), i18next.t("organization:Password expire days - Tooltip"))} :
+          </Col>
+          <Col span={4} >
+            <InputNumber value={this.state.organization.passwordExpireDays} onChange={value => {
+              this.updateOrganizationField("passwordExpireDays", value);
+            }} />
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("general:Supported country codes"), i18next.t("general:Supported country codes - Tooltip"))} :
@ -305,6 +360,7 @@ class OrganizationEditPage extends React.Component {
              }}
              filterOption={(input, option) => (option?.text ?? "").toLowerCase().includes(input.toLowerCase())}
            >
+              {Setting.getCountryCodeOption({name: i18next.t("organization:All"), code: "All", phone: 0})}
              {
                Setting.getCountryCodeData().map((country) => Setting.getCountryCodeOption(country))
              }
@ -406,6 +462,16 @@ class OrganizationEditPage extends React.Component {
            }} />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("general:IP whitelist"), i18next.t("general:IP whitelist - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Input value={this.state.organization.ipWhitelist} onChange={e => {
+              this.updateOrganizationField("ipWhitelist", e.target.value);
+            }} />
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
            {Setting.getLabel(i18next.t("organization:Init score"), i18next.t("organization:Init score - Tooltip"))} :
@ -528,6 +594,12 @@ class OrganizationEditPage extends React.Component {
    const organization = Setting.deepCopy(this.state.organization);
    organization.accountItems = organization.accountItems?.filter(accountItem => accountItem.name !== "Please select an account item");

+    const passwordObfuscatorErrorMessage = Obfuscator.checkPasswordObfuscator(organization.passwordObfuscatorType, organization.passwordObfuscatorKey);
+    if (passwordObfuscatorErrorMessage.length > 0) {
+      Setting.showMessage("error", passwordObfuscatorErrorMessage);
+      return;
+    }
+
    OrganizationBackend.updateOrganization(this.state.organization.owner, this.state.organizationName, organization)
      .then((res) => {
        if (res.status === "ok") {
--- a/web/src/OrganizationListPage.js
+++ b/web/src/OrganizationListPage.js
@ -35,6 +35,9 @@ class OrganizationListPage extends BaseListPage {
      passwordType: "plain",
      PasswordSalt: "",
      passwordOptions: [],
+      passwordObfuscatorType: "Plain",
+      passwordObfuscatorKey: "",
+      passwordExpireDays: 0,
      countryCodes: ["US"],
      defaultAvatar: `${Setting.StaticBaseUrl}/img/casbin.svg`,
      defaultApplication: "",
--- a/web/src/ProductBuyPage.js
+++ b/web/src/ProductBuyPage.js
@ -123,6 +123,22 @@ class ProductBuyPage extends React.Component {
      return "$";
    } else if (product?.currency === "CNY") {
      return "￥";
+    } else if (product?.currency === "EUR") {
+      return "€";
+    } else if (product?.currency === "JPY") {
+      return "¥";
+    } else if (product?.currency === "GBP") {
+      return "£";
+    } else if (product?.currency === "AUD") {
+      return "A$";
+    } else if (product?.currency === "CAD") {
+      return "C$";
+    } else if (product?.currency === "CHF") {
+      return "CHF";
+    } else if (product?.currency === "HKD") {
+      return "HK$";
+    } else if (product?.currency === "SGD") {
+      return "S$";
    } else {
      return "(Unknown currency)";
    }
--- a/web/src/ProductEditPage.js
+++ b/web/src/ProductEditPage.js
@ -209,6 +209,14 @@ class ProductEditPage extends React.Component {
                [
                  {id: "USD", name: "USD"},
                  {id: "CNY", name: "CNY"},
+                  {id: "EUR", name: "EUR"},
+                  {id: "JPY", name: "JPY"},
+                  {id: "GBP", name: "GBP"},
+                  {id: "AUD", name: "AUD"},
+                  {id: "CAD", name: "CAD"},
+                  {id: "CHF", name: "CHF"},
+                  {id: "HKD", name: "HKD"},
+                  {id: "SGD", name: "SGD"},
                ].map((item, index) => <Option key={index} value={item.id}>{item.name}</Option>)
              }
            </Select>
--- a/web/src/ProviderEditPage.js
+++ b/web/src/ProviderEditPage.js
@ -633,6 +633,20 @@ class ProviderEditPage extends React.Component {
            </React.Fragment>
          )
        }
+        {
+          this.state.provider.category === "OAuth" ? (
+            <Row style={{marginTop: "20px"}} >
+              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                {Setting.getLabel(i18next.t("provider:Email regex"), i18next.t("provider:Email regex - Tooltip"))} :
+              </Col>
+              <Col span={22}>
+                <TextArea rows={4} value={this.state.provider.emailRegex} onChange={e => {
+                  this.updateProviderField("emailRegex", e.target.value);
+                }} />
+              </Col>
+            </Row>
+          ) : null
+        }
        {
          this.state.provider.type === "Custom" ? (
            <React.Fragment>
@ -908,7 +922,7 @@ class ProviderEditPage extends React.Component {
                </Col>
              </Row>
            )}
-            {["Custom HTTP SMS", "Qiniu Cloud Kodo", "Synology", "Casdoor"].includes(this.state.provider.type) ? null : (
+            {["Custom HTTP SMS", "Synology", "Casdoor"].includes(this.state.provider.type) ? null : (
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={2}>
                  {Setting.getLabel(i18next.t("provider:Domain"), i18next.t("provider:Domain - Tooltip"))} :
@ -932,7 +946,7 @@ class ProviderEditPage extends React.Component {
                </Col>
              </Row>
            ) : null}
-            {["AWS S3", "Tencent Cloud COS", "Qiniu Cloud Kodo", "Casdoor"].includes(this.state.provider.type) ? (
+            {["AWS S3", "Tencent Cloud COS", "Qiniu Cloud Kodo", "Casdoor", "CUCloud OSS", "MinIO"].includes(this.state.provider.type) ? (
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={2}>
                  {["Casdoor"].includes(this.state.provider.type) ?
--- a/web/src/RoleEditPage.js
+++ b/web/src/RoleEditPage.js
@ -187,7 +187,7 @@ class RoleEditPage extends React.Component {
            {Setting.getLabel(i18next.t("role:Sub users"), i18next.t("role:Sub users - Tooltip"))} :
          </Col>
          <Col span={22} >
-            <Select virtual={false} mode="multiple" style={{width: "100%"}} value={this.state.role.users}
+            <Select virtual={true} mode="multiple" style={{width: "100%"}} value={this.state.role.users}
              onChange={(value => {this.updateRoleField("users", value);})}
              options={this.state.users.map((user) => Setting.getOption(`${user.owner}/${user.name}`, `${user.owner}/${user.name}`))}
            />
--- a/web/src/Setting.js
+++ b/web/src/Setting.js
@ -233,6 +233,10 @@ export const OtherProviderInfo = {
      logo: `${StaticBaseUrl}/img/casdoor.png`,
      url: "https://casdoor.org/docs/provider/storage/overview",
    },
+    "CUCloud OSS": {
+      logo: `${StaticBaseUrl}/img/social_cucloud.png`,
+      url: "https://www.cucloud.cn/product/oss.html",
+    },
  },
  SAML: {
    "Aliyun IDaaS": {
@ -418,6 +422,9 @@ export function getCountryCode(country) {
 }

 export function getCountryCodeData(countryCodes = phoneNumber.getCountries()) {
+  if (countryCodes?.includes("All")) {
+    countryCodes = phoneNumber.getCountries();
+  }
  return countryCodes?.map((countryCode) => {
    if (phoneNumber.isSupportedCountry(countryCode)) {
      const name = initCountries().getName(countryCode, getLanguage());
@ -436,10 +443,10 @@ export function getCountryCodeOption(country) {
    <Option key={country.code} value={country.code} label={`+${country.phone}`} text={`${country.name}, ${country.code}, ${country.phone}`} >
      <div style={{display: "flex", justifyContent: "space-between", marginRight: "10px"}}>
        <div>
-          {getCountryImage(country)}
+          {country.code === "All" ? null : getCountryImage(country)}
          {`${country.name}`}
        </div>
-        {`+${country.phone}`}
+        {country.code === "All" ? null : `+${country.phone}`}
      </div>
    </Option>
  );
@ -917,7 +924,7 @@ export function getClickable(text) {
  return (
    <a onClick={() => {
      copy(text);
-      showMessage("success", "Copied to clipboard");
+      showMessage("success", i18next.t("general:Copied to clipboard successfully"));
    }}>
      {text}
    </a>
@ -978,6 +985,7 @@ export function getProviderTypeOptions(category) {
        {id: "Bilibili", name: "Bilibili"},
        {id: "Okta", name: "Okta"},
        {id: "Douyin", name: "Douyin"},
+        {id: "Kwai", name: "Kwai"},
        {id: "Line", name: "Line"},
        {id: "Amazon", name: "Amazon"},
        {id: "Auth0", name: "Auth0"},
@ -1075,6 +1083,7 @@ export function getProviderTypeOptions(category) {
        {id: "Google Cloud Storage", name: "Google Cloud Storage"},
        {id: "Synology", name: "Synology"},
        {id: "Casdoor", name: "Casdoor"},
+        {id: "CUCloud OSS", name: "CUCloud OSS"},
      ]
    );
  } else if (category === "SAML") {
@ -1168,7 +1177,7 @@ export function renderLogo(application) {

 function isSigninMethodEnabled(application, signinMethod) {
  if (application && application.signinMethods) {
-    return application.signinMethods.filter(item => item.name === signinMethod).length > 0;
+    return application.signinMethods.filter(item => item.name === signinMethod && item.rule !== "Hide password").length > 0;
  } else {
    return false;
  }
@ -1547,10 +1556,30 @@ export function getDefaultHtmlEmailContent() {

 export function getCurrencyText(product) {
  if (product?.currency === "USD") {
-    return i18next.t("product:USD");
+    return i18next.t("currency:USD");
  } else if (product?.currency === "CNY") {
-    return i18next.t("product:CNY");
+    return i18next.t("currency:CNY");
+  } else if (product?.currency === "EUR") {
+    return i18next.t("currency:EUR");
+  } else if (product?.currency === "JPY") {
+    return i18next.t("currency:JPY");
+  } else if (product?.currency === "GBP") {
+    return i18next.t("currency:GBP");
+  } else if (product?.currency === "AUD") {
+    return i18next.t("currency:AUD");
+  } else if (product?.currency === "CAD") {
+    return i18next.t("currency:CAD");
+  } else if (product?.currency === "CHF") {
+    return i18next.t("currency:CHF");
+  } else if (product?.currency === "HKD") {
+    return i18next.t("currency:HKD");
+  } else if (product?.currency === "SGD") {
+    return i18next.t("currency:SGD");
  } else {
    return "(Unknown currency)";
  }
 }
+
+export function isDarkTheme(themeAlgorithm) {
+  return themeAlgorithm && themeAlgorithm.includes("dark");
+}
--- a/web/src/UserEditPage.js
+++ b/web/src/UserEditPage.js
@ -1009,6 +1009,19 @@ class UserEditPage extends React.Component {
          </Col>
        </Row>
      );
+    } else if (accountItem.name === "Last change password time") {
+      return (
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("user:Last change password time"), i18next.t("user:Last change password time"))} :
+          </Col>
+          <Col span={22}>
+            <Input value={this.state.user.lastChangePasswordTime} onChange={e => {
+              this.updateUserField("lastChangePasswordTime", e.target.value);
+            }} />
+          </Col>
+        </Row>
+      );
    } else if (accountItem.name === "Managed accounts") {
      return (
        <Row style={{marginTop: "20px"}} >
@ -1070,6 +1083,19 @@ class UserEditPage extends React.Component {
          </Col>
        </Row>
      );
+    } else if (accountItem.name === "IP whitelist") {
+      return (
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("general:IP whitelist"), i18next.t("general:IP whitelist - Tooltip"))} :
+          </Col>
+          <Col span={22}>
+            <Input value={this.state.user.ipWhitelist} onChange={e => {
+              this.updateUserField("ipWhitelist", e.target.value);
+            }} />
+          </Col>
+        </Row>
+      );
    }
  }

--- a/web/src/auth/KwaiLoginButton.js
+++ b/web/src/auth/KwaiLoginButton.js
@ -0,0 +1,31 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import {createButton} from "react-social-login-buttons";
+import {StaticBaseUrl} from "../Setting";
+
+function Icon({width = 24, height = 24}) {
+  return <img src={`${StaticBaseUrl}/buttons/kwai.svg`} alt="Sign in with Kwai" style={{width: width, height: height}} />;
+}
+
+const config = {
+  text: "Sign in with Kwai",
+  icon: Icon,
+  style: {background: "#ffffff", color: "#000000"},
+  activeStyle: {background: "#ededee"},
+};
+
+const KwaiLoginButton = createButton(config);
+
+export default KwaiLoginButton;
--- a/web/src/auth/LoginPage.js
+++ b/web/src/auth/LoginPage.js
@ -19,6 +19,7 @@ import {withRouter} from "react-router-dom";
 import * as UserWebauthnBackend from "../backend/UserWebauthnBackend";
 import OrganizationSelect from "../common/select/OrganizationSelect";
 import * as Conf from "../Conf";
+import * as Obfuscator from "./Obfuscator";
 import * as AuthBackend from "./AuthBackend";
 import * as OrganizationBackend from "../backend/OrganizationBackend";
 import * as ApplicationBackend from "../backend/ApplicationBackend";
@ -51,7 +52,6 @@ class LoginPage extends React.Component {
      username: null,
      validEmailOrPhone: false,
      validEmail: false,
-      enableCaptchaModal: CaptchaRule.Never,
      openCaptchaModal: false,
      openFaceRecognitionModal: false,
      verifyCaptcha: undefined,
@ -92,17 +92,6 @@ class LoginPage extends React.Component {
    }
    if (prevProps.application !== this.props.application) {
      this.setState({loginMethod: this.getDefaultLoginMethod(this.props.application)});
-
-      const captchaProviderItems = this.getCaptchaProviderItems(this.props.application);
-      if (captchaProviderItems) {
-        if (captchaProviderItems.some(providerItem => providerItem.rule === "Always")) {
-          this.setState({enableCaptchaModal: CaptchaRule.Always});
-        } else if (captchaProviderItems.some(providerItem => providerItem.rule === "Dynamic")) {
-          this.setState({enableCaptchaModal: CaptchaRule.Dynamic});
-        } else {
-          this.setState({enableCaptchaModal: CaptchaRule.Never});
-        }
-      }
    }

    if (prevProps.account !== this.props.account && this.props.account !== undefined) {
@ -132,6 +121,19 @@ class LoginPage extends React.Component {
    }
  }

+  getCaptchaRule(application) {
+    const captchaProviderItems = this.getCaptchaProviderItems(application);
+    if (captchaProviderItems) {
+      if (captchaProviderItems.some(providerItem => providerItem.rule === "Always")) {
+        return CaptchaRule.Always;
+      } else if (captchaProviderItems.some(providerItem => providerItem.rule === "Dynamic")) {
+        return CaptchaRule.Dynamic;
+      } else {
+        return CaptchaRule.Never;
+      }
+    }
+  }
+
  checkCaptchaStatus(values) {
    AuthBackend.getCaptchaStatus(values)
      .then((res) => {
@ -225,7 +227,26 @@ class LoginPage extends React.Component {
    return "password";
  }

-  getPlaceholder() {
+  getCurrentLoginMethod() {
+    if (this.state.loginMethod === "password") {
+      return "Password";
+    } else if (this.state.loginMethod?.includes("verificationCode")) {
+      return "Verification code";
+    } else if (this.state.loginMethod === "webAuthn") {
+      return "WebAuthn";
+    } else if (this.state.loginMethod === "ldap") {
+      return "LDAP";
+    } else if (this.state.loginMethod === "faceId") {
+      return "Face ID";
+    } else {
+      return "Password";
+    }
+  }
+
+  getPlaceholder(defaultPlaceholder = null) {
+    if (defaultPlaceholder) {
+      return defaultPlaceholder;
+    }
    switch (this.state.loginMethod) {
    case "verificationCode": return i18next.t("login:Email or phone");
    case "verificationCodeEmail": return i18next.t("login:Email");
@ -260,17 +281,7 @@ class LoginPage extends React.Component {
      values["organization"] = this.getApplicationObj().organization;
    }

-    if (this.state.loginMethod === "password") {
-      values["signinMethod"] = "Password";
-    } else if (this.state.loginMethod?.includes("verificationCode")) {
-      values["signinMethod"] = "Verification code";
-    } else if (this.state.loginMethod === "webAuthn") {
-      values["signinMethod"] = "WebAuthn";
-    } else if (this.state.loginMethod === "ldap") {
-      values["signinMethod"] = "LDAP";
-    } else if (this.state.loginMethod === "faceId") {
-      values["signinMethod"] = "Face ID";
-    }
+    values["signinMethod"] = this.getCurrentLoginMethod();
    const oAuthParams = Util.getOAuthGetParameters();

    values["type"] = oAuthParams?.responseType ?? this.state.type;
@ -379,13 +390,22 @@ class LoginPage extends React.Component {
      return;
    }
    if (this.state.loginMethod === "password" || this.state.loginMethod === "ldap") {
-      if (this.state.enableCaptchaModal === CaptchaRule.Always) {
+      const organization = this.getApplicationObj()?.organizationObj;
+      const [passwordCipher, errorMessage] = Obfuscator.encryptByPasswordObfuscator(organization?.passwordObfuscatorType, organization?.passwordObfuscatorKey, values["password"]);
+      if (errorMessage.length > 0) {
+        Setting.showMessage("error", errorMessage);
+        return;
+      } else {
+        values["password"] = passwordCipher;
+      }
+      const captchaRule = this.getCaptchaRule(this.getApplicationObj());
+      if (captchaRule === CaptchaRule.Always) {
        this.setState({
          openCaptchaModal: true,
          values: values,
        });
        return;
-      } else if (this.state.enableCaptchaModal === CaptchaRule.Dynamic) {
+      } else if (captchaRule === CaptchaRule.Dynamic) {
        this.checkCaptchaStatus(values);
        return;
      }
@ -398,6 +418,7 @@ class LoginPage extends React.Component {
    if (this.state.type === "cas") {
      // CAS
      const casParams = Util.getCasParameters();
+      values["signinMethod"] = this.getCurrentLoginMethod();
      values["type"] = this.state.type;
      AuthBackend.loginCas(values, casParams).then((res) => {
        const loginHandler = (res) => {
@ -426,8 +447,8 @@ class LoginPage extends React.Component {
                    formValues={values}
                    authParams={casParams}
                    application={this.getApplicationObj()}
-                    onFail={() => {
-                      Setting.showMessage("error", i18next.t("mfa:Verification failed"));
+                    onFail={(errorMessage) => {
+                      Setting.showMessage("error", errorMessage);
                    }}
                    onSuccess={(res) => loginHandler(res)}
                  />);
@ -467,6 +488,10 @@ class LoginPage extends React.Component {
              const accessToken = res.data;
              Setting.goToLink(`${oAuthParams.redirectUri}#${amendatoryResponseType}=${accessToken}&state=${oAuthParams.state}&token_type=bearer`);
            } else if (responseType === "saml") {
+              if (res.data === RequiredMfa) {
+                this.props.onLoginSuccess(window.location.href);
+                return;
+              }
              if (res.data2.needUpdatePassword) {
                sessionStorage.setItem("signinUrl", window.location.href);
                Setting.goToLink(this, `/forget/${this.state.applicationName}`);
@ -495,8 +520,8 @@ class LoginPage extends React.Component {
                      formValues={values}
                      authParams={oAuthParams}
                      application={this.getApplicationObj()}
-                      onFail={() => {
-                        Setting.showMessage("error", i18next.t("mfa:Verification failed"));
+                      onFail={(errorMessage) => {
+                        Setting.showMessage("error", errorMessage);
                      }}
                      onSuccess={(res) => loginHandler(res)}
                    />);
@ -661,7 +686,7 @@ class LoginPage extends React.Component {
              id="input"
              className="login-username-input"
              prefix={<UserOutlined className="site-form-item-icon" />}
-              placeholder={this.getPlaceholder()}
+              placeholder={this.getPlaceholder(signinItem.placeholder)}
              onChange={e => {
                this.setState({
                  username: e.target.value,
@ -902,7 +927,7 @@ class LoginPage extends React.Component {
  }

  renderCaptchaModal(application) {
-    if (this.state.enableCaptchaModal === CaptchaRule.Never) {
+    if (this.getCaptchaRule(this.getApplicationObj()) === CaptchaRule.Never) {
      return null;
    }
    const captchaProviderItems = this.getCaptchaProviderItems(application);
@ -1075,7 +1100,7 @@ class LoginPage extends React.Component {
                className="login-password-input"
                prefix={<LockOutlined className="site-form-item-icon" />}
                type="password"
-                placeholder={i18next.t("general:Password")}
+                placeholder={signinItem.placeholder ? signinItem.placeholder : i18next.t("general:Password")}
                disabled={this.state.loginMethod === "password" ? !Setting.isPasswordEnabled(application) : !Setting.isLdapEnabled(application)}
              />
            </Form.Item>
@ -1125,6 +1150,9 @@ class LoginPage extends React.Component {
    ]);

    application?.signinMethods?.forEach((signinMethod) => {
+      if (signinMethod.rule === "Hide password") {
+        return;
+      }
      const item = itemsMap.get(generateItemKey(signinMethod.name, signinMethod.rule));
      if (item) {
        let label = signinMethod.name === signinMethod.displayName ? item.label : signinMethod.displayName;
@ -1279,7 +1307,7 @@ class LoginPage extends React.Component {
        <div className="login-content" style={{margin: this.props.preview ?? this.parseOffset(application.formOffset)}}>
          {Setting.inIframe() || Setting.isMobile() ? null : <div dangerouslySetInnerHTML={{__html: application.formCss}} />}
          {Setting.inIframe() || !Setting.isMobile() ? null : <div dangerouslySetInnerHTML={{__html: application.formCssMobile}} />}
-          <div className="login-panel">
+          <div className={Setting.isDarkTheme(this.props.themeAlgorithm) ? "login-panel-dark" : "login-panel"}>
            <div className="side-image" style={{display: application.formOffset !== 4 ? "none" : null}}>
              <div dangerouslySetInnerHTML={{__html: application.formSideHtml}} />
            </div>
--- a/web/src/auth/MfaSetupPage.js
+++ b/web/src/auth/MfaSetupPage.js
@ -37,7 +37,7 @@ class MfaSetupPage extends React.Component {
    this.state = {
      account: props.account,
      application: null,
-      applicationName: props.account.signupApplication ?? "",
+      applicationName: props.account.signupApplication ?? localStorage.getItem("applicationName") ?? "",
      current: location.state?.from !== undefined ? 1 : 0,
      mfaProps: null,
      mfaType: params.get("mfaType") ?? SmsMfaType,
@ -179,8 +179,10 @@ class MfaSetupPage extends React.Component {
            mfaProps={this.state.mfaProps}
            application={this.state.application}
            user={this.props.account}
-            onSuccess={() => {
+            onSuccess={(res) => {
              this.setState({
+                dest: res.dest,
+                countryCode: res.countryCode,
                current: this.state.current + 1,
              });
            }}
@ -195,7 +197,7 @@ class MfaSetupPage extends React.Component {
      );
    case 2:
      return (
-        <MfaEnableForm user={this.getUser()} mfaType={this.state.mfaType} recoveryCodes={this.state.mfaProps.recoveryCodes}
+        <MfaEnableForm user={this.getUser()} mfaType={this.state.mfaType} secret={this.state.mfaProps.secret} recoveryCodes={this.state.mfaProps.recoveryCodes} dest={this.state.dest} countryCode={this.state.countryCode}
          onSuccess={() => {
            Setting.showMessage("success", i18next.t("general:Enabled successfully"));
            this.props.onfinish();
--- a/web/src/auth/Obfuscator.js
+++ b/web/src/auth/Obfuscator.js
@ -0,0 +1,95 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import CryptoJS from "crypto-js";
+import {Buffer} from "buffer";
+
+export function getRandomKeyForObfuscator(obfuscatorType) {
+  if (obfuscatorType === "DES") {
+    return getRandomHexKey(16);
+  } else if (obfuscatorType === "AES") {
+    return getRandomHexKey(32);
+  } else {
+    return "";
+  }
+}
+
+export const passwordObfuscatorKeyRegexes = {
+  "DES": /^[1-9a-f]{16}$/,
+  "AES": /^[1-9a-f]{32}$/,
+};
+
+function encrypt(cipher, key, iv, password) {
+  const encrypted = cipher.encrypt(
+    CryptoJS.enc.Hex.parse(Buffer.from(password, "utf-8").toString("hex")),
+    CryptoJS.enc.Hex.parse(key),
+    {
+      iv: iv,
+      mode: CryptoJS.mode.CBC,
+      pad: CryptoJS.pad.Pkcs7,
+    }
+  );
+  return iv.concat(encrypted.ciphertext).toString(CryptoJS.enc.Hex);
+}
+
+export function checkPasswordObfuscator(passwordObfuscatorType, passwordObfuscatorKey) {
+  if (passwordObfuscatorType === undefined) {
+    return "passwordObfuscatorType should not be undefined";
+  } else if (passwordObfuscatorType === "Plain" || passwordObfuscatorType === "") {
+    return "";
+  } else if (passwordObfuscatorType === "AES" || passwordObfuscatorType === "DES") {
+    if (passwordObfuscatorKeyRegexes[passwordObfuscatorType].test(passwordObfuscatorKey)) {
+      return "";
+    } else {
+      return `The password obfuscator key doesn't match the regex: ${passwordObfuscatorKeyRegexes[passwordObfuscatorType].source}`;
+    }
+  } else {
+    return `unsupported password obfuscator type: ${passwordObfuscatorType}`;
+  }
+}
+
+export function encryptByPasswordObfuscator(passwordObfuscatorType, passwordObfuscatorKey, password) {
+  const passwordObfuscatorErrorMessage = checkPasswordObfuscator(passwordObfuscatorType, passwordObfuscatorKey);
+  if (passwordObfuscatorErrorMessage.length > 0) {
+    return ["", passwordObfuscatorErrorMessage];
+  } else {
+    if (passwordObfuscatorType === "Plain" || passwordObfuscatorType === "") {
+      return [password, ""];
+    } else if (passwordObfuscatorType === "AES") {
+      return [encryptByAes(passwordObfuscatorKey, password), ""];
+    } else if (passwordObfuscatorType === "DES") {
+      return [encryptByDes(passwordObfuscatorKey, password), ""];
+    }
+  }
+}
+
+function encryptByDes(key, password) {
+  const iv = CryptoJS.lib.WordArray.random(8);
+  return encrypt(CryptoJS.DES, key, iv, password);
+}
+
+function encryptByAes(key, password) {
+  const iv = CryptoJS.lib.WordArray.random(16);
+  return encrypt(CryptoJS.AES, key, iv, password);
+}
+
+function getRandomHexKey(length) {
+  const characters = "123456789abcdef";
+  let key = "";
+  for (let i = 0; i < length; i++) {
+    const randomIndex = Math.floor(Math.random() * characters.length);
+    key += characters[randomIndex];
+  }
+  return key;
+}
--- a/web/src/auth/Provider.js
+++ b/web/src/auth/Provider.js
@ -119,6 +119,10 @@ const authInfo = {
    scope: "user_info",
    endpoint: "https://open.douyin.com/platform/oauth/connect",
  },
+  Kwai: {
+    scope: "user_info",
+    endpoint: "https://open.kuaishou.com/oauth2/connect",
+  },
  Custom: {
    endpoint: "https://example.com/",
  },
@ -470,6 +474,8 @@ export function getAuthUrl(application, provider, method, code) {
    return `${provider.domain}/v1/authorize?client_id=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}&response_type=code&scope=${scope}`;
  } else if (provider.type === "Douyin" || provider.type === "TikTok") {
    return `${endpoint}?client_key=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}&response_type=code&scope=${scope}`;
+  } else if (provider.type === "Kwai") {
+    return `${endpoint}?app_id=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}&response_type=code&scope=${scope}`;
  } else if (provider.type === "Custom") {
    return `${provider.customAuthUrl}?client_id=${provider.clientId}&redirect_uri=${redirectUri}&scope=${provider.scopes}&response_type=code&state=${state}`;
  } else if (provider.type === "Bilibili") {
--- a/web/src/auth/ProviderButton.js
+++ b/web/src/auth/ProviderButton.js
@ -40,6 +40,7 @@ import SteamLoginButton from "./SteamLoginButton";
 import BilibiliLoginButton from "./BilibiliLoginButton";
 import OktaLoginButton from "./OktaLoginButton";
 import DouyinLoginButton from "./DouyinLoginButton";
+import KwaiLoginButton from "./KwaiLoginButton";
 import LoginButton from "./LoginButton";
 import * as AuthBackend from "./AuthBackend";
 import {WechatOfficialAccountModal} from "./Util";
@ -96,6 +97,8 @@ function getSigninButton(provider) {
    return <OktaLoginButton text={text} align={"center"} />;
  } else if (provider.type === "Douyin") {
    return <DouyinLoginButton text={text} align={"center"} />;
+  } else if (provider.type === "Kwai") {
+    return <KwaiLoginButton text={text} align={"center"} />;
  } else {
    return <LoginButton key={provider.type} type={provider.type} logoUrl={getProviderLogoURL(provider)} />;
  }
--- a/web/src/auth/SignupPage.js
+++ b/web/src/auth/SignupPage.js
@ -842,7 +842,7 @@ class SignupPage extends React.Component {
        <div className="login-content" style={{margin: this.props.preview ?? this.parseOffset(application.formOffset)}}>
          {Setting.inIframe() || Setting.isMobile() ? null : <div dangerouslySetInnerHTML={{__html: application.formCss}} />}
          {Setting.inIframe() || !Setting.isMobile() ? null : <div dangerouslySetInnerHTML={{__html: application.formCssMobile}} />}
-          <div className="login-panel" >
+          <div className={Setting.isDarkTheme(this.props.themeAlgorithm) ? "login-panel-dark" : "login-panel"}>
            <div className="side-image" style={{display: application.formOffset !== 4 ? "none" : null}}>
              <div dangerouslySetInnerHTML={{__html: application.formSideHtml}} />
            </div>
--- a/web/src/auth/Util.js
+++ b/web/src/auth/Util.js
@ -113,6 +113,9 @@ export function getCasLoginParameters(owner, name) {

 export function getOAuthGetParameters(params) {
  const queries = (params !== undefined) ? params : new URLSearchParams(window.location.search);
+  const lowercaseQueries = {};
+  queries.forEach((val, key) => {lowercaseQueries[key.toLowerCase()] = val;});
+
  const clientId = getRefinedValue(queries.get("client_id"));
  const responseType = getRefinedValue(queries.get("response_type"));

@ -138,9 +141,9 @@ export function getOAuthGetParameters(params) {
  const nonce = getRefinedValue(queries.get("nonce"));
  const challengeMethod = getRefinedValue(queries.get("code_challenge_method"));
  const codeChallenge = getRefinedValue(queries.get("code_challenge"));
-  const samlRequest = getRefinedValue(queries.get("SAMLRequest"));
-  const relayState = getRefinedValue(queries.get("RelayState"));
-  const noRedirect = getRefinedValue(queries.get("noRedirect"));
+  const samlRequest = getRefinedValue(lowercaseQueries["samlRequest".toLowerCase()]);
+  const relayState = getRefinedValue(lowercaseQueries["RelayState".toLowerCase()]);
+  const noRedirect = getRefinedValue(lowercaseQueries["noRedirect".toLowerCase()]);

  if (clientId === "" && samlRequest === "") {
    // login
--- a/web/src/auth/mfa/MfaAuthVerifyForm.js
+++ b/web/src/auth/mfa/MfaAuthVerifyForm.js
@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-import React, {useState} from "react";
+import React, {Fragment, useState} from "react";
 import i18next from "i18next";
 import {Button, Input} from "antd";
 import * as AuthBackend from "../AuthBackend";
@ -67,24 +67,32 @@ export function MfaAuthVerifyForm({formValues, authParams, mfaProps, application

  if (mfaType !== RecoveryMfaType) {
    return (
-      <div style={{width: 300, height: 350}}>
+      <div style={{width: 320, height: 350}}>
        <div style={{marginBottom: 24, textAlign: "center", fontSize: "24px"}}>
          {i18next.t("mfa:Multi-factor authentication")}
        </div>
-        <div style={{marginBottom: 24}}>
-          {i18next.t("mfa:Multi-factor authentication description")}
-        </div>
        {mfaType === SmsMfaType || mfaType === EmailMfaType ? (
-          <MfaVerifySmsForm
-            mfaProps={mfaProps}
-            method={mfaAuth}
-            onFinish={verify}
-            application={application}
-          />) : (
-          <MfaVerifyTotpForm
-            mfaProps={mfaProps}
-            onFinish={verify}
-          />
+          <Fragment>
+            <div style={{marginBottom: 24}}>
+              {i18next.t("mfa:You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue")}
+            </div>
+            <MfaVerifySmsForm
+              mfaProps={mfaProps}
+              method={mfaAuth}
+              onFinish={verify}
+              application={application}
+            />
+          </Fragment>
+        ) : (
+          <Fragment>
+            <div style={{marginBottom: 24}}>
+              {i18next.t("mfa:You have enabled Multi-Factor Authentication, please enter the TOTP code")}
+            </div>
+            <MfaVerifyTotpForm
+              mfaProps={mfaProps}
+              onFinish={verify}
+            />
+          </Fragment>
        )}
        <span style={{float: "right"}}>
          {i18next.t("mfa:Have problems?")}
--- a/web/src/auth/mfa/MfaEnableForm.js
+++ b/web/src/auth/mfa/MfaEnableForm.js
@ -3,11 +3,15 @@ import i18next from "i18next";
 import React, {useState} from "react";
 import * as MfaBackend from "../../backend/MfaBackend";

-export function MfaEnableForm({user, mfaType, recoveryCodes, onSuccess, onFail}) {
+export function MfaEnableForm({user, mfaType, secret, recoveryCodes, dest, countryCode, onSuccess, onFail}) {
  const [loading, setLoading] = useState(false);
  const requestEnableMfa = () => {
    const data = {
      mfaType,
+      secret,
+      recoveryCodes,
+      dest,
+      countryCode,
      ...user,
    };
    setLoading(true);
--- a/web/src/auth/mfa/MfaVerifyForm.js
+++ b/web/src/auth/mfa/MfaVerifyForm.js
@ -26,11 +26,13 @@ export const mfaSetup = "mfaSetup";

 export function MfaVerifyForm({mfaProps, application, user, onSuccess, onFail}) {
  const [form] = Form.useForm();
-  const onFinish = ({passcode}) => {
-    const data = {passcode, mfaType: mfaProps.mfaType, ...user};
+  const onFinish = ({passcode, countryCode, dest}) => {
+    const data = {passcode, mfaType: mfaProps.mfaType, secret: mfaProps.secret, dest: dest, countryCode: countryCode, ...user};
    MfaBackend.MfaSetupVerify(data)
      .then((res) => {
        if (res.status === "ok") {
+          res.dest = dest;
+          res.countryCode = countryCode;
          onSuccess(res);
        } else {
          onFail(res);
--- a/web/src/auth/mfa/MfaVerifySmsForm.js
+++ b/web/src/auth/mfa/MfaVerifySmsForm.js
@ -1,5 +1,5 @@
 import {UserOutlined} from "@ant-design/icons";
-import {Button, Form, Input} from "antd";
+import {Button, Form, Input, Space} from "antd";
 import i18next from "i18next";
 import React, {useEffect} from "react";
 import {CountryCodeSelect} from "../../common/select/CountryCodeSelect";
@ -15,15 +15,18 @@ export const MfaVerifySmsForm = ({mfaProps, application, onFinish, method, user}
  useEffect(() => {
    if (method === mfaAuth) {
      setDest(mfaProps.secret);
+      form.setFieldValue("dest", mfaProps.secret);
      return;
    }
    if (mfaProps.mfaType === SmsMfaType) {
      setDest(user.phone);
+      form.setFieldValue("dest", user.phone);
      return;
    }

    if (mfaProps.mfaType === EmailMfaType) {
      setDest(user.email);
+      form.setFieldValue("dest", user.email);
    }
  }, [mfaProps.mfaType]);

@ -57,45 +60,44 @@ export const MfaVerifySmsForm = ({mfaProps, application, onFinish, method, user}
        <div style={{marginBottom: 20, textAlign: "left", gap: 8}}>
          {isEmail() ? i18next.t("mfa:Your email is") : i18next.t("mfa:Your phone is")} {dest}
        </div> :
-        (<React.Fragment>
+        (
          <p>{isEmail() ? i18next.t("mfa:Please bind your email first, the system will automatically uses the mail for multi-factor authentication") :
            i18next.t("mfa:Please bind your phone first, the system automatically uses the phone for multi-factor authentication")}
          </p>
-          <Input.Group compact style={{width: "300Px", marginBottom: "30px"}}>
-            {isEmail() ? null :
-              <Form.Item
-                name="countryCode"
-                noStyle
-                rules={[
-                  {
-                    required: false,
-                    message: i18next.t("signup:Please select your country code!"),
-                  },
-                ]}
-              >
-                <CountryCodeSelect
-                  initValue={mfaProps.countryCode}
-                  style={{width: "30%"}}
-                  countryCodes={application.organizationObj.countryCodes}
-                />
-              </Form.Item>
-            }
-            <Form.Item
-              name="dest"
-              noStyle
-              rules={[{required: true, message: i18next.t("login:Please input your Email or Phone!")}]}
-            >
-              <Input
-                style={{width: isEmail() ? "100% " : "70%"}}
-                onChange={(e) => {setDest(e.target.value);}}
-                prefix={<UserOutlined />}
-                placeholder={isEmail() ? i18next.t("general:Email") : i18next.t("general:Phone")}
-              />
-            </Form.Item>
-          </Input.Group>
-        </React.Fragment>
        )
      }
+      <Space.Compact style={{width: "300Px", marginBottom: "30px", display: isShowText() ? "none" : ""}}>
+        {isEmail() || isShowText() ? null :
+          <Form.Item
+            name="countryCode"
+            noStyle
+            rules={[
+              {
+                required: false,
+                message: i18next.t("signup:Please select your country code!"),
+              },
+            ]}
+          >
+            <CountryCodeSelect
+              initValue={mfaProps.countryCode}
+              style={{width: "30%"}}
+              countryCodes={application.organizationObj.countryCodes}
+            />
+          </Form.Item>
+        }
+        <Form.Item
+          name="dest"
+          noStyle
+          rules={[{required: true, message: i18next.t("login:Please input your Email or Phone!")}]}
+        >
+          <Input
+            style={{width: isEmail() ? "100% " : "70%"}}
+            onChange={(e) => {setDest(e.target.value);}}
+            prefix={<UserOutlined />}
+            placeholder={isEmail() ? i18next.t("general:Email") : i18next.t("general:Phone")}
+          />
+        </Form.Item>
+      </Space.Compact>
      <Form.Item
        name="passcode"
        rules={[{required: true, message: i18next.t("login:Please input your code!")}]}
--- a/web/src/backend/MfaBackend.js
+++ b/web/src/backend/MfaBackend.js
@ -32,6 +32,9 @@ export function MfaSetupVerify(values) {
  formData.append("name", values.name);
  formData.append("mfaType", values.mfaType);
  formData.append("passcode", values.passcode);
+  formData.append("secret", values.secret);
+  formData.append("dest", values.dest);
+  formData.append("countryCode", values.countryCode);
  return fetch(`${Setting.ServerUrl}/api/mfa/setup/verify`, {
    method: "POST",
    credentials: "include",
@ -44,6 +47,10 @@ export function MfaSetupEnable(values) {
  formData.append("mfaType", values.mfaType);
  formData.append("owner", values.owner);
  formData.append("name", values.name);
+  formData.append("secret", values.secret);
+  formData.append("recoveryCodes", values.recoveryCodes);
+  formData.append("dest", values.dest);
+  formData.append("countryCode", values.countryCode);
  return fetch(`${Setting.ServerUrl}/api/mfa/setup/enable`, {
    method: "POST",
    credentials: "include",
--- a/web/src/basic/Dashboard.js
+++ b/web/src/basic/Dashboard.js
@ -135,6 +135,15 @@ const Dashboard = (props) => {
        i18next.t("general:Applications"),
        i18next.t("general:Organizations"),
        i18next.t("general:Subscriptions"),
+        i18next.t("general:Roles"),
+        i18next.t("general:Groups"),
+        i18next.t("general:Resources"),
+        i18next.t("general:Certs"),
+        i18next.t("general:Permissions"),
+        i18next.t("general:Transactions"),
+        i18next.t("general:Models"),
+        i18next.t("general:Adapters"),
+        i18next.t("general:Enforcers"),
      ], top: "10%"},
      grid: {left: "3%", right: "4%", bottom: "0", top: "25%", containLabel: true},
      xAxis: {type: "category", boundaryGap: false, data: dateArray},
@ -145,6 +154,15 @@ const Dashboard = (props) => {
        {name: i18next.t("general:Providers"), type: "line", data: dashboardData.providerCounts},
        {name: i18next.t("general:Applications"), type: "line", data: dashboardData.applicationCounts},
        {name: i18next.t("general:Subscriptions"), type: "line", data: dashboardData.subscriptionCounts},
+        {name: i18next.t("general:Roles"), type: "line", data: dashboardData.roleCounts},
+        {name: i18next.t("general:Groups"), type: "line", data: dashboardData.groupCounts},
+        {name: i18next.t("general:Resources"), type: "line", data: dashboardData.resourceCounts},
+        {name: i18next.t("general:Certs"), type: "line", data: dashboardData.certCounts},
+        {name: i18next.t("general:Permissions"), type: "line", data: dashboardData.permissionCounts},
+        {name: i18next.t("general:Transactions"), type: "line", data: dashboardData.transactionCounts},
+        {name: i18next.t("general:Models"), type: "line", data: dashboardData.modelCounts},
+        {name: i18next.t("general:Adapters"), type: "line", data: dashboardData.adapterCounts},
+        {name: i18next.t("general:Enforcers"), type: "line", data: dashboardData.enforcerCounts},
      ],
    };
    myChart.setOption(option);
--- a/web/src/common/CasdoorAppConnector.js
+++ b/web/src/common/CasdoorAppConnector.js
@ -0,0 +1,113 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import React from "react";
+import {Alert, Button, QRCode} from "antd";
+import copy from "copy-to-clipboard";
+import * as Setting from "../Setting";
+import i18next from "i18next";
+
+export const generateCasdoorAppUrl = (accessToken, forQrCode = true) => {
+  let qrUrl = "";
+  let error = null;
+
+  if (!accessToken) {
+    error = i18next.t("general:Access token is empty");
+    return {qrUrl, error};
+  }
+
+  qrUrl = `casdoor-app://login?serverUrl=${window.location.origin}&accessToken=${accessToken}`;
+
+  if (forQrCode && qrUrl.length >= 2000) {
+    qrUrl = "";
+    error = i18next.t("general:QR code is too large");
+  }
+
+  return {qrUrl, error};
+};
+
+export const CasdoorAppQrCode = ({accessToken, icon}) => {
+  const {qrUrl, error} = generateCasdoorAppUrl(accessToken, true);
+
+  if (error) {
+    return <Alert message={error} type="error" showIcon />;
+  }
+
+  return (
+    <QRCode
+      value={qrUrl}
+      icon={icon}
+      errorLevel="M"
+      size={230}
+      bordered={false}
+    />
+  );
+};
+
+export const CasdoorAppUrl = ({accessToken}) => {
+  const {qrUrl, error} = generateCasdoorAppUrl(accessToken, false);
+
+  const handleCopyUrl = async() => {
+    if (!window.isSecureContext) {
+      return;
+    }
+
+    copy(qrUrl);
+    Setting.showMessage("success", i18next.t("general:Copied to clipboard successfully"));
+  };
+
+  if (error) {
+    return <Alert message={error} type="error" showIcon />;
+  }
+
+  return (
+    <div>
+      <div style={{
+        display: "flex",
+        justifyContent: "space-between",
+        alignItems: "center",
+        marginBottom: "10px",
+      }}>
+        {window.isSecureContext && (
+          <Button size="small" type="primary" onClick={handleCopyUrl} style={{marginLeft: "10px"}}>
+            {i18next.t("resource:Copy Link")}
+          </Button>
+        )}
+      </div>
+      <div
+        style={{
+          padding: "10px",
+          maxWidth: "400px",
+          maxHeight: "100px",
+          overflow: "auto",
+          wordBreak: "break-all",
+          whiteSpace: "pre-wrap",
+          cursor: "pointer",
+          userSelect: "all",
+          backgroundColor: "#f5f5f5",
+          borderRadius: "4px",
+        }}
+        onClick={(e) => {
+          const selection = window.getSelection();
+          const range = document.createRange();
+          range.selectNodeContents(e.target);
+          selection.removeAllRanges();
+          selection.addRange(range);
+        }}
+      >
+        {qrUrl}
+      </div>
+    </div>
+  );
+};
--- a/web/src/locales/ar/data.json
+++ b/web/src/locales/ar/data.json
@ -74,6 +74,7 @@
    "Left": "Left",
    "Logged in successfully": "Logged in successfully",
    "Logged out successfully": "Logged out successfully",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "New Application",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Signin session",
    "Signup items": "Signup items",
    "Signup items - Tooltip": "Items for users to fill in when registering new accounts",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "The application does not allow to sign up new account",
@ -123,6 +125,8 @@
    "Token format - Tooltip": "The format of access token",
    "Token signing method": "Token signing method",
    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "You are unexpected to see this prompt page"
  },
  "cert": {
@ -157,6 +161,18 @@
    "Sending": "Sending",
    "Submit and complete": "Submit and complete"
  },
+  "currency": {
+    "AUD": "AUD",
+    "CAD": "CAD",
+    "CHF": "CHF",
+    "CNY": "CNY",
+    "EUR": "EUR",
+    "GBP": "GBP",
+    "HKD": "HKD",
+    "JPY": "JPY",
+    "SGD": "SGD",
+    "USD": "USD"
+  },
  "enforcer": {
    "Edit Enforcer": "Edit Enforcer",
    "New Enforcer": "New Enforcer"
@ -179,6 +195,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Action",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Table name of the policy store",
@ -261,10 +278,13 @@
    "Go to writable demo site?": "Go to writable demo site?",
    "Groups": "Groups",
    "Groups - Tooltip": "Groups - Tooltip",
+    "Hide password": "Hide password",
    "Home": "Home",
    "Home - Tooltip": "Home page of the application",
    "ID": "ID",
    "ID - Tooltip": "Unique random string",
+    "IP whitelist": "IP whitelist",
+    "IP whitelist - Tooltip": "IP whitelist - Tooltip",
    "Identity": "Identity",
    "Invitations": "Invitations",
    "Is enabled": "Is enabled",
@ -307,6 +327,10 @@
    "Password - Tooltip": "Make sure the password is correct",
    "Password complexity options": "Password complexity options",
    "Password complexity options - Tooltip": "Different combinations of password complexity options",
+    "Password obf key": "Password obf key",
+    "Password obf key - Tooltip": "Password obf key - Tooltip",
+    "Password obfuscator": "Password obfuscator",
+    "Password obfuscator - Tooltip": "Password obfuscator - Tooltip",
    "Password salt": "Password salt",
    "Password salt - Tooltip": "Random parameter used for password encryption",
    "Password type": "Password type",
@ -334,6 +358,8 @@
    "Provider - Tooltip": "Payment providers to be configured, including PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Providers",
    "Providers - Tooltip": "Providers to be configured, including 3rd-party login, object storage, verification code, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Real name",
    "Records": "Records",
    "Request URI": "Request URI",
@ -478,6 +504,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Forgot password?",
@ -530,7 +557,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -552,9 +578,10 @@
    "Use SMS": "Use SMS",
    "Use SMS verification code": "Use SMS verification code",
    "Use a recovery code": "Use a recovery code",
-    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
@ -565,6 +592,8 @@
    "Secret Key": "Secret Key"
  },
  "model": {
+    "Advanced Editor": "Advanced Editor",
+    "Basic Editor": "Basic Editor",
    "Edit Model": "Edit Model",
    "Model text": "Model text",
    "Model text - Tooltip": "Casbin access control model, including built-in models like ACL, RBAC, ABAC, RESTful, etc. You can also create custom models. For more information, please visit the Casbin website",
@ -583,6 +612,8 @@
    "Modify rule": "Modify rule",
    "New Organization": "New Organization",
    "Optional": "Optional",
+    "Password expire days": "Password expire days",
+    "Password expire days - Tooltip": "Password expire days - Tooltip",
    "Prompt": "Prompt",
    "Required": "Required",
    "Soft deletion": "Soft deletion",
@ -700,7 +731,6 @@
    "Alipay": "Alipay",
    "Buy": "Buy",
    "Buy Product": "Buy Product",
-    "CNY": "CNY",
    "Detail": "Detail",
    "Detail - Tooltip": "Detail of product",
    "Dummy": "Dummy",
@ -731,7 +761,6 @@
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
    "This product is currently not in sale.": "This product is currently not in sale.",
-    "USD": "USD",
    "WeChat Pay": "WeChat Pay"
  },
  "provider": {
@ -831,6 +860,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Prompted",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "Provider URL",
    "Provider URL - Tooltip": "URL for configuring the service provider, this field is only used for reference and is not used in Casdoor",
    "Public key": "Public key",
@ -883,6 +913,7 @@
    "Signup HTML - Edit": "Signup HTML - Edit",
    "Signup HTML - Tooltip": "Custom HTML for replacing the default signup page style",
    "Signup group": "Signup group",
+    "Signup group - Tooltip": "Signup group - Tooltip",
    "Silent": "Silent",
    "Site key": "Site key",
    "Site key - Tooltip": "Site key",
@ -950,6 +981,7 @@
    "Have account?": "Have account?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Please accept the agreement!",
    "Please click the below button to sign in": "Please click the below button to sign in",
@ -1146,6 +1178,7 @@
    "Keys": "Keys",
    "Language": "Language",
    "Language - Tooltip": "Language - Tooltip",
+    "Last change password time": "Last change password time",
    "Link": "Link",
    "Location": "Location",
    "Location - Tooltip": "City of residence",
--- a/web/src/locales/cs/data.json
+++ b/web/src/locales/cs/data.json
@ -74,6 +74,7 @@
    "Left": "Vlevo",
    "Logged in successfully": "Úspěšně přihlášen",
    "Logged out successfully": "Úspěšně odhlášen",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "Nová aplikace",
    "No verification": "Bez ověření",
    "Normal": "Normální",
@ -112,6 +113,7 @@
    "Signin session": "Přihlašovací relace",
    "Signup items": "Položky registrace",
    "Signup items - Tooltip": "Položky, které uživatelé vyplňují při registraci nových účtů",
+    "Single Choice": "Single Choice",
    "Small icon": "Malá ikona",
    "Tags - Tooltip": "Pouze uživatelé s tagem uvedeným v tazích aplikace se mohou přihlásit",
    "The application does not allow to sign up new account": "Aplikace neumožňuje registraci nového účtu",
@ -123,6 +125,8 @@
    "Token format - Tooltip": "Formát přístupového tokenu",
    "Token signing method": "Token signing method",
    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "Nečekali jste, že uvidíte tuto výzvu"
  },
  "cert": {
@ -157,6 +161,18 @@
    "Sending": "Odesílání",
    "Submit and complete": "Odeslat a dokončit"
  },
+  "currency": {
+    "AUD": "AUD",
+    "CAD": "CAD",
+    "CHF": "CHF",
+    "CNY": "CNY",
+    "EUR": "EUR",
+    "GBP": "GBP",
+    "HKD": "HKD",
+    "JPY": "JPY",
+    "SGD": "SGD",
+    "USD": "USD"
+  },
  "enforcer": {
    "Edit Enforcer": "Upravit Enforcer",
    "New Enforcer": "Nový Enforcer"
@ -179,6 +195,7 @@
    "Access key - Tooltip": "Přístupový klíč - Tooltip",
    "Access secret": "Přístupové tajemství",
    "Access secret - Tooltip": "Přístupové tajemství - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Akce",
    "Adapter": "Adaptér",
    "Adapter - Tooltip": "Název tabulky úložiště politiky",
@ -261,10 +278,13 @@
    "Go to writable demo site?": "Přejít na zapisovatelnou demo stránku?",
    "Groups": "Skupiny",
    "Groups - Tooltip": "Skupiny - Tooltip",
+    "Hide password": "Hide password",
    "Home": "Domů",
    "Home - Tooltip": "Domovská stránka aplikace",
    "ID": "ID",
    "ID - Tooltip": "Unikátní náhodný řetězec",
+    "IP whitelist": "IP whitelist",
+    "IP whitelist - Tooltip": "IP whitelist - Tooltip",
    "Identity": "Identita",
    "Invitations": "Pozvánky",
    "Is enabled": "Je povoleno",
@ -307,6 +327,10 @@
    "Password - Tooltip": "Ujistěte se, že heslo je správné",
    "Password complexity options": "Možnosti složitosti hesla",
    "Password complexity options - Tooltip": "Různé kombinace možností složitosti hesla",
+    "Password obf key": "Password obf key",
+    "Password obf key - Tooltip": "Password obf key - Tooltip",
+    "Password obfuscator": "Password obfuscator",
+    "Password obfuscator - Tooltip": "Password obfuscator - Tooltip",
    "Password salt": "Heslová sůl",
    "Password salt - Tooltip": "Náhodný parametr použitý pro šifrování hesla",
    "Password type": "Typ hesla",
@ -334,6 +358,8 @@
    "Provider - Tooltip": "Poskytovatelé plateb, které mají být nakonfigurovány, včetně PayPal, Alipay, WeChat Pay, atd.",
    "Providers": "Poskytovatelé",
    "Providers - Tooltip": "Poskytovatelé, kteří mají být nakonfigurováni, včetně přihlášení třetích stran, objektového úložiště, ověřovacího kódu, atd.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Skutečné jméno",
    "Records": "Záznamy",
    "Request URI": "Požadavek URI",
@ -478,6 +504,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Rozpoznávání obličeje",
    "Face recognition failed": "Rozpoznávání obličeje selhalo",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Nepodařilo se získat autorizaci MetaMask",
    "Failed to obtain Web3-Onboard authorization": "Nepodařilo se získat autorizaci Web3-Onboard",
    "Forgot password?": "Zapomněli jste heslo?",
@ -530,7 +557,6 @@
    "Have problems?": "Máte problémy?",
    "Multi-factor authentication": "Vícefaktorové ověřování",
    "Multi-factor authentication - Tooltip ": "Dvoufaktorové ověřování - Tooltip",
-    "Multi-factor authentication description": "Popis dvoufaktorového ověřování",
    "Multi-factor methods": "Metody dvoufaktorového ověřování",
    "Multi-factor recover": "Obnovení dvoufaktorového ověřování",
    "Multi-factor recover description": "Popis obnovení dvoufaktorového ověřování",
@ -552,9 +578,10 @@
    "Use SMS": "Použít SMS",
    "Use SMS verification code": "Použít ověřovací kód SMS",
    "Use a recovery code": "Použít obnovovací kód",
-    "Verification failed": "Ověření selhalo",
    "Verify Code": "Ověřit kód",
    "Verify Password": "Ověřit heslo",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Váš email je",
    "Your phone is": "Váš telefon je",
    "preferred": "preferované"
@ -565,6 +592,8 @@
    "Secret Key": "Secret Key"
  },
  "model": {
+    "Advanced Editor": "Pokročilý editor",
+    "Basic Editor": "Základní editor",
    "Edit Model": "Upravit model",
    "Model text": "Text modelu",
    "Model text - Tooltip": "Casbin model řízení přístupu, včetně vestavěných modelů jako ACL, RBAC, ABAC, RESTful, atd. Můžete také vytvářet vlastní modely. Pro více informací navštivte webové stránky Casbin",
@ -583,6 +612,8 @@
    "Modify rule": "Upravit pravidlo",
    "New Organization": "Nová organizace",
    "Optional": "Volitelný",
+    "Password expire days": "Password expire days",
+    "Password expire days - Tooltip": "Password expire days - Tooltip",
    "Prompt": "Výzva",
    "Required": "Povinné",
    "Soft deletion": "Měkké smazání",
@ -700,7 +731,6 @@
    "Alipay": "Alipay",
    "Buy": "Koupit",
    "Buy Product": "Koupit produkt",
-    "CNY": "CNY",
    "Detail": "Detail",
    "Detail - Tooltip": "Detail produktu",
    "Dummy": "Dummy",
@ -731,7 +761,6 @@
    "Test buy page..": "Testovací stránka nákupu..",
    "There is no payment channel for this product.": "Pro tento produkt neexistuje žádný platební kanál.",
    "This product is currently not in sale.": "Tento produkt není momentálně v prodeji.",
-    "USD": "USD",
    "WeChat Pay": "WeChat Pay"
  },
  "provider": {
@ -831,6 +860,7 @@
    "Project Id": "ID projektu",
    "Project Id - Tooltip": "Nápověda k ID projektu",
    "Prompted": "Vyzván",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "URL poskytovatele",
    "Provider URL - Tooltip": "URL pro konfiguraci poskytovatele služby, toto pole je pouze pro referenci a není použito v Casdoor",
    "Public key": "Veřejný klíč",
@ -883,6 +913,7 @@
    "Signup HTML - Edit": "Upravit HTML pro registraci",
    "Signup HTML - Tooltip": "Vlastní HTML pro nahrazení výchozího stylu registrační stránky",
    "Signup group": "Skupina pro registraci",
+    "Signup group - Tooltip": "Signup group - Tooltip",
    "Silent": "Tiché",
    "Site key": "Klíč stránky",
    "Site key - Tooltip": "Nápověda ke klíči stránky",
@ -950,6 +981,7 @@
    "Have account?": "Máte účet?",
    "Label": "Štítek",
    "Label HTML": "HTML štítek",
+    "Options": "Options",
    "Placeholder": "Zástupný text",
    "Please accept the agreement!": "Prosím přijměte smlouvu!",
    "Please click the below button to sign in": "Prosím klikněte na tlačítko níže pro přihlášení",
@ -1146,6 +1178,7 @@
    "Keys": "Klíče",
    "Language": "Jazyk",
    "Language - Tooltip": "Jazyk - Nápověda",
+    "Last change password time": "Last change password time",
    "Link": "Odkaz",
    "Location": "Místo",
    "Location - Tooltip": "Město bydliště",
--- a/web/src/locales/de/data.json
+++ b/web/src/locales/de/data.json
@ -74,6 +74,7 @@
    "Left": "Links",
    "Logged in successfully": "Erfolgreich eingeloggt",
    "Logged out successfully": "Erfolgreich ausgeloggt",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "Neue Anwendung",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Anmeldesession",
    "Signup items": "Registrierungs Items",
    "Signup items - Tooltip": "Items, die Benutzer ausfüllen müssen, wenn sie neue Konten registrieren",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "Die Anwendung erlaubt es nicht, ein neues Konto zu registrieren",
@ -123,6 +125,8 @@
    "Token format - Tooltip": "Das Format des Access-Tokens",
    "Token signing method": "Token signing method",
    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "Sie sind unerwartet auf diese Aufforderungsseite gelangt"
  },
  "cert": {
@ -157,6 +161,18 @@
    "Sending": "Sendet",
    "Submit and complete": "Einreichen und abschließen"
  },
+  "currency": {
+    "AUD": "AUD",
+    "CAD": "CAD",
+    "CHF": "CHF",
+    "CNY": "CNY",
+    "EUR": "EUR",
+    "GBP": "GBP",
+    "HKD": "HKD",
+    "JPY": "JPY",
+    "SGD": "SGD",
+    "USD": "USD"
+  },
  "enforcer": {
    "Edit Enforcer": "Edit Enforcer",
    "New Enforcer": "New Enforcer"
@ -179,6 +195,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Aktion",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Tabellenname des Policy Stores",
@ -261,10 +278,13 @@
    "Go to writable demo site?": "Gehe zur beschreibbaren Demo-Website?",
    "Groups": "Groups",
    "Groups - Tooltip": "Groups - Tooltip",
+    "Hide password": "Hide password",
    "Home": "Zuhause",
    "Home - Tooltip": "Homepage der Anwendung",
    "ID": "ID",
    "ID - Tooltip": "Einzigartiger Zufallsstring",
+    "IP whitelist": "IP whitelist",
+    "IP whitelist - Tooltip": "IP whitelist - Tooltip",
    "Identity": "Identity",
    "Invitations": "Invitations",
    "Is enabled": "Ist aktiviert",
@ -307,6 +327,10 @@
    "Password - Tooltip": "Stellen Sie sicher, dass das Passwort korrekt ist",
    "Password complexity options": "Password complexity options",
    "Password complexity options - Tooltip": "Password complexity options - Tooltip",
+    "Password obf key": "Password obf key",
+    "Password obf key - Tooltip": "Password obf key - Tooltip",
+    "Password obfuscator": "Password obfuscator",
+    "Password obfuscator - Tooltip": "Password obfuscator - Tooltip",
    "Password salt": "Passwort-Salt",
    "Password salt - Tooltip": "Zufälliger Parameter, der für die Verschlüsselung von Passwörtern verwendet wird",
    "Password type": "Passworttyp",
@ -334,6 +358,8 @@
    "Provider - Tooltip": "Zahlungsprovider, die konfiguriert werden müssen, inkl. PayPal, Alipay, WeChat Pay usw.",
    "Providers": "Provider",
    "Providers - Tooltip": "Provider, die konfiguriert werden müssen, einschließlich Drittanbieter-Logins, Objektspeicherung, Verifizierungscode usw.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Echter Name",
    "Records": "Datensätze",
    "Request URI": "Request URI",
@ -478,6 +504,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Passwort vergessen?",
@ -530,7 +557,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -552,9 +578,10 @@
    "Use SMS": "Use SMS",
    "Use SMS verification code": "Use SMS verification code",
    "Use a recovery code": "Use a recovery code",
-    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
@ -565,6 +592,8 @@
    "Secret Key": "Secret Key"
  },
  "model": {
+    "Advanced Editor": "Erweiterter Editor",
+    "Basic Editor": "Basis-Editor",
    "Edit Model": "Modell bearbeiten",
    "Model text": "Modelltext",
    "Model text - Tooltip": "Casbin Zugriffskontrollmodell inklusive integrierter Modelle wie ACL, RBAC, ABAC, RESTful, usw. Sie können auch benutzerdefinierte Modelle erstellen. Weitere Informationen finden Sie auf der Casbin-Website",
@ -583,6 +612,8 @@
    "Modify rule": "Regel ändern",
    "New Organization": "Neue Organisation",
    "Optional": "Optional",
+    "Password expire days": "Password expire days",
+    "Password expire days - Tooltip": "Password expire days - Tooltip",
    "Prompt": "Prompt",
    "Required": "Required",
    "Soft deletion": "Softe Löschung",
@ -700,7 +731,6 @@
    "Alipay": "Alipay",
    "Buy": "Kaufen",
    "Buy Product": "Produkt kaufen",
-    "CNY": "CNY",
    "Detail": "Detail",
    "Detail - Tooltip": "Detail des Produkts",
    "Dummy": "Dummy",
@ -731,7 +761,6 @@
    "Test buy page..": "Testkaufseite.",
    "There is no payment channel for this product.": "Es gibt keinen Zahlungskanal für dieses Produkt.",
    "This product is currently not in sale.": "Dieses Produkt steht derzeit nicht zum Verkauf.",
-    "USD": "USD",
    "WeChat Pay": "WeChat Pay"
  },
  "provider": {
@ -831,6 +860,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "ausgelöst",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "Anbieter-URL",
    "Provider URL - Tooltip": "URL zur Konfiguration des Dienstanbieters, dieses Feld dient nur als Referenz und wird in Casdoor nicht verwendet",
    "Public key": "Public key",
@ -883,6 +913,7 @@
    "Signup HTML - Edit": "Registrierung HTML - Bearbeiten",
    "Signup HTML - Tooltip": "Benutzerdefiniertes HTML zur Ersetzung des Standard-Registrierungs-Seitenstils",
    "Signup group": "Signup group",
+    "Signup group - Tooltip": "Signup group - Tooltip",
    "Silent": "Silent",
    "Site key": "Site-Key",
    "Site key - Tooltip": "Seitenschlüssel",
@ -950,6 +981,7 @@
    "Have account?": "Haben Sie ein Konto?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Bitte akzeptieren Sie die Vereinbarung!",
    "Please click the below button to sign in": "Bitte klicken Sie auf den untenstehenden Button, um sich anzumelden",
@ -1146,6 +1178,7 @@
    "Keys": "Schlüssel",
    "Language": "Language",
    "Language - Tooltip": "Language - Tooltip",
+    "Last change password time": "Last change password time",
    "Link": "Link",
    "Location": "Ort",
    "Location - Tooltip": "Stadt des Wohnsitzes",
--- a/web/src/locales/en/data.json
+++ b/web/src/locales/en/data.json
@ -74,6 +74,7 @@
    "Left": "Left",
    "Logged in successfully": "Logged in successfully",
    "Logged out successfully": "Logged out successfully",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "New Application",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Signin session",
    "Signup items": "Signup items",
    "Signup items - Tooltip": "Items for users to fill in when registering new accounts",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "The application does not allow to sign up new account",
@ -123,6 +125,8 @@
    "Token format - Tooltip": "The format of access token",
    "Token signing method": "Token signing method",
    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "You are unexpected to see this prompt page"
  },
  "cert": {
@ -157,6 +161,18 @@
    "Sending": "Sending",
    "Submit and complete": "Submit and complete"
  },
+  "currency": {
+    "AUD": "AUD",
+    "CAD": "CAD",
+    "CHF": "CHF",
+    "CNY": "CNY",
+    "EUR": "EUR",
+    "GBP": "GBP",
+    "HKD": "HKD",
+    "JPY": "JPY",
+    "SGD": "SGD",
+    "USD": "USD"
+  },
  "enforcer": {
    "Edit Enforcer": "Edit Enforcer",
    "New Enforcer": "New Enforcer"
@ -179,6 +195,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Action",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Table name of the policy store",
@ -261,10 +278,13 @@
    "Go to writable demo site?": "Go to writable demo site?",
    "Groups": "Groups",
    "Groups - Tooltip": "Groups - Tooltip",
+    "Hide password": "Hide password",
    "Home": "Home",
    "Home - Tooltip": "Home page of the application",
    "ID": "ID",
    "ID - Tooltip": "Unique random string",
+    "IP whitelist": "IP whitelist",
+    "IP whitelist - Tooltip": "IP whitelist - Tooltip",
    "Identity": "Identity",
    "Invitations": "Invitations",
    "Is enabled": "Is enabled",
@ -307,6 +327,10 @@
    "Password - Tooltip": "Make sure the password is correct",
    "Password complexity options": "Password complexity options",
    "Password complexity options - Tooltip": "Different combinations of password complexity options",
+    "Password obf key": "Password obf key",
+    "Password obf key - Tooltip": "Password obf key - Tooltip",
+    "Password obfuscator": "Password obfuscator",
+    "Password obfuscator - Tooltip": "Password obfuscator - Tooltip",
    "Password salt": "Password salt",
    "Password salt - Tooltip": "Random parameter used for password encryption",
    "Password type": "Password type",
@ -334,6 +358,8 @@
    "Provider - Tooltip": "Payment providers to be configured, including PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Providers",
    "Providers - Tooltip": "Providers to be configured, including 3rd-party login, object storage, verification code, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Real name",
    "Records": "Records",
    "Request URI": "Request URI",
@ -478,6 +504,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Forgot password?",
@ -530,7 +557,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -552,9 +578,10 @@
    "Use SMS": "Use SMS",
    "Use SMS verification code": "Use SMS verification code",
    "Use a recovery code": "Use a recovery code",
-    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
@ -565,6 +592,8 @@
    "Secret Key": "Secret Key"
  },
  "model": {
+    "Advanced Editor": "Advanced Editor",
+    "Basic Editor": "Basic Editor",
    "Edit Model": "Edit Model",
    "Model text": "Model text",
    "Model text - Tooltip": "Casbin access control model, including built-in models like ACL, RBAC, ABAC, RESTful, etc. You can also create custom models. For more information, please visit the Casbin website",
@ -583,6 +612,8 @@
    "Modify rule": "Modify rule",
    "New Organization": "New Organization",
    "Optional": "Optional",
+    "Password expire days": "Password expire days",
+    "Password expire days - Tooltip": "Password expire days - Tooltip",
    "Prompt": "Prompt",
    "Required": "Required",
    "Soft deletion": "Soft deletion",
@ -700,7 +731,6 @@
    "Alipay": "Alipay",
    "Buy": "Buy",
    "Buy Product": "Buy Product",
-    "CNY": "CNY",
    "Detail": "Detail",
    "Detail - Tooltip": "Detail of product",
    "Dummy": "Dummy",
@ -731,7 +761,6 @@
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
    "This product is currently not in sale.": "This product is currently not in sale.",
-    "USD": "USD",
    "WeChat Pay": "WeChat Pay"
  },
  "provider": {
@ -831,6 +860,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Prompted",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "Provider URL",
    "Provider URL - Tooltip": "URL for configuring the service provider, this field is only used for reference and is not used in Casdoor",
    "Public key": "Public key",
@ -883,6 +913,7 @@
    "Signup HTML - Edit": "Signup HTML - Edit",
    "Signup HTML - Tooltip": "Custom HTML for replacing the default signup page style",
    "Signup group": "Signup group",
+    "Signup group - Tooltip": "Signup group - Tooltip",
    "Silent": "Silent",
    "Site key": "Site key",
    "Site key - Tooltip": "Site key",
@ -950,6 +981,7 @@
    "Have account?": "Have account?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Please accept the agreement!",
    "Please click the below button to sign in": "Please click the below button to sign in",
@ -1146,6 +1178,7 @@
    "Keys": "Keys",
    "Language": "Language",
    "Language - Tooltip": "Language - Tooltip",
+    "Last change password time": "Last change password time",
    "Link": "Link",
    "Location": "Location",
    "Location - Tooltip": "City of residence",
--- a/web/src/locales/es/data.json
+++ b/web/src/locales/es/data.json
@ -74,6 +74,7 @@
    "Left": "Izquierda",
    "Logged in successfully": "Acceso satisfactorio",
    "Logged out successfully": "Cerró sesión exitosamente",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "Nueva aplicación",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Sesión de inicio de sesión",
    "Signup items": "Artículos de registro",
    "Signup items - Tooltip": "Elementos para que los usuarios los completen al registrar nuevas cuentas",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "La aplicación no permite registrarse una cuenta nueva",
@ -123,6 +125,8 @@
    "Token format - Tooltip": "El formato del token de acceso",
    "Token signing method": "Token signing method",
    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "Es inesperado ver esta página de inicio"
  },
  "cert": {
@ -157,6 +161,18 @@
    "Sending": "Envío",
    "Submit and complete": "Enviar y completar"
  },
+  "currency": {
+    "AUD": "AUD",
+    "CAD": "CAD",
+    "CHF": "CHF",
+    "CNY": "CNY",
+    "EUR": "EUR",
+    "GBP": "GBP",
+    "HKD": "HKD",
+    "JPY": "JPY",
+    "SGD": "SGD",
+    "USD": "USD"
+  },
  "enforcer": {
    "Edit Enforcer": "Edit Enforcer",
    "New Enforcer": "New Enforcer"
@ -179,6 +195,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Acción",
    "Adapter": "Adaptador",
    "Adapter - Tooltip": "Nombre de la tabla de la tienda de políticas",
@ -261,10 +278,13 @@
    "Go to writable demo site?": "¿Ir al sitio demo editable?",
    "Groups": "Groups",
    "Groups - Tooltip": "Groups - Tooltip",
+    "Hide password": "Hide password",
    "Home": "Hogar",
    "Home - Tooltip": "Página de inicio de la aplicación",
    "ID": "identificación",
    "ID - Tooltip": "Cadena aleatoria única",
+    "IP whitelist": "IP whitelist",
+    "IP whitelist - Tooltip": "IP whitelist - Tooltip",
    "Identity": "Identity",
    "Invitations": "Invitations",
    "Is enabled": "Está habilitado",
@ -307,6 +327,10 @@
    "Password - Tooltip": "Asegúrate de que la contraseña sea correcta",
    "Password complexity options": "Password complexity options",
    "Password complexity options - Tooltip": "Password complexity options - Tooltip",
+    "Password obf key": "Password obf key",
+    "Password obf key - Tooltip": "Password obf key - Tooltip",
+    "Password obfuscator": "Password obfuscator",
+    "Password obfuscator - Tooltip": "Password obfuscator - Tooltip",
    "Password salt": "Sal de contraseña",
    "Password salt - Tooltip": "Parámetro aleatorio utilizado para la encriptación de contraseñas",
    "Password type": "Tipo de contraseña",
@ -334,6 +358,8 @@
    "Provider - Tooltip": "Proveedores de pago a configurar, incluyendo PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Proveedores",
    "Providers - Tooltip": "Proveedores a configurar, incluyendo inicio de sesión de terceros, almacenamiento de objetos, código de verificación, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Nombre real",
    "Records": "Registros",
    "Request URI": "Request URI",
@ -478,6 +504,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "¿Olvidaste tu contraseña?",
@ -530,7 +557,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -552,9 +578,10 @@
    "Use SMS": "Use SMS",
    "Use SMS verification code": "Use SMS verification code",
    "Use a recovery code": "Use a recovery code",
-    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
@ -565,6 +592,8 @@
    "Secret Key": "Secret Key"
  },
  "model": {
+    "Advanced Editor": "Editor avanzado",
+    "Basic Editor": "Editor básico",
    "Edit Model": "Editar modelo",
    "Model text": "Texto modelo",
    "Model text - Tooltip": "Modelo de control de acceso Casbin, incluyendo modelos integrados como ACL, RBAC, ABAC, RESTful, etc. También puede crear modelos personalizados. Para obtener más información, visite el sitio web de Casbin",
@ -583,6 +612,8 @@
    "Modify rule": "Modificar regla",
    "New Organization": "Nueva organización",
    "Optional": "Optional",
+    "Password expire days": "Password expire days",
+    "Password expire days - Tooltip": "Password expire days - Tooltip",
    "Prompt": "Prompt",
    "Required": "Required",
    "Soft deletion": "Eliminación suave",
@ -700,7 +731,6 @@
    "Alipay": "Alipay",
    "Buy": "Comprar",
    "Buy Product": "Comprar producto",
-    "CNY": "Año Nuevo Chino (ANC)",
    "Detail": "Detalle",
    "Detail - Tooltip": "Detalle del producto",
    "Dummy": "Dummy",
@ -731,7 +761,6 @@
    "Test buy page..": "Página de compra de prueba.",
    "There is no payment channel for this product.": "No hay canal de pago para este producto.",
    "This product is currently not in sale.": "Este producto actualmente no está a la venta.",
-    "USD": "USD",
    "WeChat Pay": "WeChat Pay"
  },
  "provider": {
@ -831,6 +860,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Estimulado",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "URL del proveedor",
    "Provider URL - Tooltip": "Dirección URL para configurar el proveedor de servicios, este campo sólo se utiliza como referencia y no se utiliza en Casdoor",
    "Public key": "Public key",
@ -883,6 +913,7 @@
    "Signup HTML - Edit": "Registro HTML - Editar",
    "Signup HTML - Tooltip": "HTML personalizado para reemplazar el estilo predeterminado de la página de registro",
    "Signup group": "Signup group",
+    "Signup group - Tooltip": "Signup group - Tooltip",
    "Silent": "Silent",
    "Site key": "Clave del sitio",
    "Site key - Tooltip": "Clave del sitio",
@ -950,6 +981,7 @@
    "Have account?": "¿Tiene una cuenta?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "¡Por favor, acepta el acuerdo!",
    "Please click the below button to sign in": "Por favor, haga clic en el botón de abajo para iniciar sesión",
@ -1146,6 +1178,7 @@
    "Keys": "Claves",
    "Language": "Language",
    "Language - Tooltip": "Language - Tooltip",
+    "Last change password time": "Last change password time",
    "Link": "Enlace",
    "Location": "Ubicación",
    "Location - Tooltip": "Ciudad de residencia",
--- a/web/src/locales/fa/data.json
+++ b/web/src/locales/fa/data.json
--- a/web/src/locales/fi/data.json
+++ b/web/src/locales/fi/data.json
@ -74,6 +74,7 @@
    "Left": "Left",
    "Logged in successfully": "Logged in successfully",
    "Logged out successfully": "Logged out successfully",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "New Application",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Signin session",
    "Signup items": "Signup items",
    "Signup items - Tooltip": "Items for users to fill in when registering new accounts",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "The application does not allow to sign up new account",
@ -123,6 +125,8 @@
    "Token format - Tooltip": "The format of access token",
    "Token signing method": "Token signing method",
    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "You are unexpected to see this prompt page"
  },
  "cert": {
@ -157,6 +161,18 @@
    "Sending": "Sending",
    "Submit and complete": "Submit and complete"
  },
+  "currency": {
+    "AUD": "AUD",
+    "CAD": "CAD",
+    "CHF": "CHF",
+    "CNY": "CNY",
+    "EUR": "EUR",
+    "GBP": "GBP",
+    "HKD": "HKD",
+    "JPY": "JPY",
+    "SGD": "SGD",
+    "USD": "USD"
+  },
  "enforcer": {
    "Edit Enforcer": "Edit Enforcer",
    "New Enforcer": "New Enforcer"
@ -179,6 +195,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Action",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Table name of the policy store",
@ -261,10 +278,13 @@
    "Go to writable demo site?": "Go to writable demo site?",
    "Groups": "Groups",
    "Groups - Tooltip": "Groups - Tooltip",
+    "Hide password": "Hide password",
    "Home": "Home",
    "Home - Tooltip": "Home page of the application",
    "ID": "ID",
    "ID - Tooltip": "Unique random string",
+    "IP whitelist": "IP whitelist",
+    "IP whitelist - Tooltip": "IP whitelist - Tooltip",
    "Identity": "Identity",
    "Invitations": "Invitations",
    "Is enabled": "Is enabled",
@ -307,6 +327,10 @@
    "Password - Tooltip": "Make sure the password is correct",
    "Password complexity options": "Password complexity options",
    "Password complexity options - Tooltip": "Different combinations of password complexity options",
+    "Password obf key": "Password obf key",
+    "Password obf key - Tooltip": "Password obf key - Tooltip",
+    "Password obfuscator": "Password obfuscator",
+    "Password obfuscator - Tooltip": "Password obfuscator - Tooltip",
    "Password salt": "Password salt",
    "Password salt - Tooltip": "Random parameter used for password encryption",
    "Password type": "Password type",
@ -334,6 +358,8 @@
    "Provider - Tooltip": "Payment providers to be configured, including PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Providers",
    "Providers - Tooltip": "Providers to be configured, including 3rd-party login, object storage, verification code, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Real name",
    "Records": "Records",
    "Request URI": "Request URI",
@ -478,6 +504,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Forgot password?",
@ -530,7 +557,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -552,9 +578,10 @@
    "Use SMS": "Use SMS",
    "Use SMS verification code": "Use SMS verification code",
    "Use a recovery code": "Use a recovery code",
-    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
@ -565,6 +592,8 @@
    "Secret Key": "Secret Key"
  },
  "model": {
+    "Advanced Editor": "Advanced Editor",
+    "Basic Editor": "Basic Editor",
    "Edit Model": "Edit Model",
    "Model text": "Model text",
    "Model text - Tooltip": "Casbin access control model, including built-in models like ACL, RBAC, ABAC, RESTful, etc. You can also create custom models. For more information, please visit the Casbin website",
@ -583,6 +612,8 @@
    "Modify rule": "Modify rule",
    "New Organization": "New Organization",
    "Optional": "Optional",
+    "Password expire days": "Password expire days",
+    "Password expire days - Tooltip": "Password expire days - Tooltip",
    "Prompt": "Prompt",
    "Required": "Required",
    "Soft deletion": "Soft deletion",
@ -700,7 +731,6 @@
    "Alipay": "Alipay",
    "Buy": "Buy",
    "Buy Product": "Buy Product",
-    "CNY": "CNY",
    "Detail": "Detail",
    "Detail - Tooltip": "Detail of product",
    "Dummy": "Dummy",
@ -731,7 +761,6 @@
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
    "This product is currently not in sale.": "This product is currently not in sale.",
-    "USD": "USD",
    "WeChat Pay": "WeChat Pay"
  },
  "provider": {
@ -831,6 +860,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Prompted",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "Provider URL",
    "Provider URL - Tooltip": "URL for configuring the service provider, this field is only used for reference and is not used in Casdoor",
    "Public key": "Public key",
@ -883,6 +913,7 @@
    "Signup HTML - Edit": "Signup HTML - Edit",
    "Signup HTML - Tooltip": "Custom HTML for replacing the default signup page style",
    "Signup group": "Signup group",
+    "Signup group - Tooltip": "Signup group - Tooltip",
    "Silent": "Silent",
    "Site key": "Site key",
    "Site key - Tooltip": "Site key",
@ -950,6 +981,7 @@
    "Have account?": "Have account?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Please accept the agreement!",
    "Please click the below button to sign in": "Please click the below button to sign in",
@ -1146,6 +1178,7 @@
    "Keys": "Keys",
    "Language": "Language",
    "Language - Tooltip": "Language - Tooltip",
+    "Last change password time": "Last change password time",
    "Link": "Link",
    "Location": "Location",
    "Location - Tooltip": "City of residence",
--- a/web/src/locales/fr/data.json
+++ b/web/src/locales/fr/data.json
@ -74,6 +74,7 @@
    "Left": "Gauche",
    "Logged in successfully": "Connexion réussie",
    "Logged out successfully": "Déconnexion réussie",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "Nouvelle application",
    "No verification": "Aucune vérification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Session de connexion",
    "Signup items": "Champs d'inscription",
    "Signup items - Tooltip": "Champs à remplir lors de l'enregistrement de nouveaux comptes",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Seuls les comptes ayant leur étiquette listée dans les étiquettes de l'application peuvent se connecter",
    "The application does not allow to sign up new account": "L'application ne permet pas de créer un nouveau compte",
@ -123,6 +125,8 @@
    "Token format - Tooltip": "Le format du jeton d'accès",
    "Token signing method": "Token signing method",
    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "Il n'était pas prévu que vous voyez cette page de saisie"
  },
  "cert": {
@ -157,6 +161,18 @@
    "Sending": "Envoi en cours",
    "Submit and complete": "Soumettre et compléter"
  },
+  "currency": {
+    "AUD": "AUD",
+    "CAD": "CAD",
+    "CHF": "CHF",
+    "CNY": "CNY",
+    "EUR": "EUR",
+    "GBP": "GBP",
+    "HKD": "HKD",
+    "JPY": "JPY",
+    "SGD": "SGD",
+    "USD": "USD"
+  },
  "enforcer": {
    "Edit Enforcer": "Éditer l'exécuteur",
    "New Enforcer": "Ajouter un exécuteur"
@ -179,6 +195,7 @@
    "Access key - Tooltip": "Clé d'accès - Infobulle",
    "Access secret": "Clé secrète",
    "Access secret - Tooltip": "Clé secrète - Info-bulle",
+    "Access token is empty": "Access token is empty",
    "Action": "Action",
    "Adapter": "Adaptateur",
    "Adapter - Tooltip": "Nom de la table du magasin de règle",
@ -261,10 +278,13 @@
    "Go to writable demo site?": "Allez sur le site de démonstration modifiable ?",
    "Groups": "Groupes",
    "Groups - Tooltip": "Groupes - infobulle",
+    "Hide password": "Hide password",
    "Home": "Accueil",
    "Home - Tooltip": "Page d'accueil de l'application",
    "ID": "ID",
    "ID - Tooltip": "Chaîne unique aléatoire",
+    "IP whitelist": "IP whitelist",
+    "IP whitelist - Tooltip": "IP whitelist - Tooltip",
    "Identity": "Identité",
    "Invitations": "Invitations",
    "Is enabled": "Est activé",
@ -307,6 +327,10 @@
    "Password - Tooltip": "Assurez-vous que le mot de passe soit correct",
    "Password complexity options": "Options de complexité du mot de passe",
    "Password complexity options - Tooltip": "Différentes combinaisons d'options de complexité de mot de passe",
+    "Password obf key": "Password obf key",
+    "Password obf key - Tooltip": "Password obf key - Tooltip",
+    "Password obfuscator": "Password obfuscator",
+    "Password obfuscator - Tooltip": "Password obfuscator - Tooltip",
    "Password salt": "Sel de mot de passe",
    "Password salt - Tooltip": "Paramètre aléatoire utilisé pour le chiffrement des mots de passe",
    "Password type": "Type de mot de passe",
@ -334,6 +358,8 @@
    "Provider - Tooltip": "Les fournisseurs de paiement à configurer, tels que PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Fournisseurs",
    "Providers - Tooltip": "Les fournisseurs à configurer, tels que la connexion via un service tiers, le stockage d'objets, le code de vérification, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Nom complet",
    "Records": "Enregistrements",
    "Request URI": "Request URI",
@ -478,6 +504,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Échec de l'obtention de l'autorisation MetaMask",
    "Failed to obtain Web3-Onboard authorization": "Échec de l'obtention de l'autorisation MetaMask",
    "Forgot password?": "Mot de passe oublié ?",
@ -530,7 +557,6 @@
    "Have problems?": "Des problèmes ?",
    "Multi-factor authentication": "Authentification multifacteur",
    "Multi-factor authentication - Tooltip ": "Authentification multifacteur - infobulle ",
-    "Multi-factor authentication description": "Description de l'authentification multifacteur",
    "Multi-factor methods": "Méthodes d'authentification multifacteur",
    "Multi-factor recover": "Restauration de l'authentification multifacteur",
    "Multi-factor recover description": "Description de la restauration de l'authentification multifacteur",
@ -552,9 +578,10 @@
    "Use SMS": "Utiliser les SMS",
    "Use SMS verification code": "Utiliser la vérification par code SMS",
    "Use a recovery code": "Utiliser un code de récupération",
-    "Verification failed": "Échec de la vérification",
    "Verify Code": "Vérifier le code",
    "Verify Password": "Confirmez le mot de passe",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Votre e-mail est",
    "Your phone is": "Votre téléphone est",
    "preferred": "préféré"
@ -565,6 +592,8 @@
    "Secret Key": "Secret Key"
  },
  "model": {
+    "Advanced Editor": "Éditeur avancé",
+    "Basic Editor": "Éditeur de base",
    "Edit Model": "Modifier le modèle",
    "Model text": "Définition du modèle",
    "Model text - Tooltip": "Modèle de contrôle d'accès Casbin, comprenant des modèles intégrés tels que ACL, RBAC, ABAC, RESTful, etc. Vous pouvez également créer des modèles personnalisés. Pour plus d'informations, veuillez visiter le site web de Casbin",
@ -583,6 +612,8 @@
    "Modify rule": "Règle de modification",
    "New Organization": "Nouvelle organisation",
    "Optional": "Optionnel",
+    "Password expire days": "Password expire days",
+    "Password expire days - Tooltip": "Password expire days - Tooltip",
    "Prompt": "Prompt",
    "Required": "Requis",
    "Soft deletion": "Suppression douce",
@ -700,7 +731,6 @@
    "Alipay": "Alipay",
    "Buy": "Acheter",
    "Buy Product": "Acheter un produit",
-    "CNY": "CNY",
    "Detail": "Détail",
    "Detail - Tooltip": "Détail du produit",
    "Dummy": "Exemple",
@ -731,7 +761,6 @@
    "Test buy page..": "Page d'achat de test.",
    "There is no payment channel for this product.": "Il n'y a aucun canal de paiement pour ce produit.",
    "This product is currently not in sale.": "Ce produit n'est actuellement pas en vente.",
-    "USD": "USD",
    "WeChat Pay": "WeChat Pay"
  },
  "provider": {
@ -831,6 +860,7 @@
    "Project Id": "ID du projet",
    "Project Id - Tooltip": "ID du projet - Infobulle",
    "Prompted": "Incité",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "URL du fournisseur",
    "Provider URL - Tooltip": "URL pour configurer le fournisseur de services, ce champ est uniquement utilisé à titre de référence et n'est pas utilisé dans Casdoor",
    "Public key": "Clé publique",
@ -883,6 +913,7 @@
    "Signup HTML - Edit": "HTML de la page d'inscription - Modifier",
    "Signup HTML - Tooltip": "HTML personnalisé pour remplacer le style par défaut de la page d'inscription",
    "Signup group": "Signup group",
+    "Signup group - Tooltip": "Signup group - Tooltip",
    "Silent": "Silencieux",
    "Site key": "Clé de site",
    "Site key - Tooltip": "Clé de site",
@ -950,6 +981,7 @@
    "Have account?": "Avez-vous un compte ?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Veuillez accepter l'accord !",
    "Please click the below button to sign in": "Veuillez cliquer sur le bouton ci-dessous pour vous connecter",
@ -1146,6 +1178,7 @@
    "Keys": "Clés",
    "Language": "Langue",
    "Language - Tooltip": "Langue - Infobulle",
+    "Last change password time": "Last change password time",
    "Link": "Lier",
    "Location": "Localisation",
    "Location - Tooltip": "Ville de résidence",
--- a/web/src/locales/he/data.json
+++ b/web/src/locales/he/data.json
@ -74,6 +74,7 @@
    "Left": "Left",
    "Logged in successfully": "Logged in successfully",
    "Logged out successfully": "Logged out successfully",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "New Application",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Signin session",
    "Signup items": "Signup items",
    "Signup items - Tooltip": "Items for users to fill in when registering new accounts",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "The application does not allow to sign up new account",
@ -123,6 +125,8 @@
    "Token format - Tooltip": "The format of access token",
    "Token signing method": "Token signing method",
    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "You are unexpected to see this prompt page"
  },
  "cert": {
@ -157,6 +161,18 @@
    "Sending": "Sending",
    "Submit and complete": "Submit and complete"
  },
+  "currency": {
+    "AUD": "AUD",
+    "CAD": "CAD",
+    "CHF": "CHF",
+    "CNY": "CNY",
+    "EUR": "EUR",
+    "GBP": "GBP",
+    "HKD": "HKD",
+    "JPY": "JPY",
+    "SGD": "SGD",
+    "USD": "USD"
+  },
  "enforcer": {
    "Edit Enforcer": "Edit Enforcer",
    "New Enforcer": "New Enforcer"
@ -179,6 +195,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Action",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Table name of the policy store",
@ -261,10 +278,13 @@
    "Go to writable demo site?": "Go to writable demo site?",
    "Groups": "Groups",
    "Groups - Tooltip": "Groups - Tooltip",
+    "Hide password": "Hide password",
    "Home": "Home",
    "Home - Tooltip": "Home page of the application",
    "ID": "ID",
    "ID - Tooltip": "Unique random string",
+    "IP whitelist": "IP whitelist",
+    "IP whitelist - Tooltip": "IP whitelist - Tooltip",
    "Identity": "Identity",
    "Invitations": "Invitations",
    "Is enabled": "Is enabled",
@ -307,6 +327,10 @@
    "Password - Tooltip": "Make sure the password is correct",
    "Password complexity options": "Password complexity options",
    "Password complexity options - Tooltip": "Different combinations of password complexity options",
+    "Password obf key": "Password obf key",
+    "Password obf key - Tooltip": "Password obf key - Tooltip",
+    "Password obfuscator": "Password obfuscator",
+    "Password obfuscator - Tooltip": "Password obfuscator - Tooltip",
    "Password salt": "Password salt",
    "Password salt - Tooltip": "Random parameter used for password encryption",
    "Password type": "Password type",
@ -334,6 +358,8 @@
    "Provider - Tooltip": "Payment providers to be configured, including PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Providers",
    "Providers - Tooltip": "Providers to be configured, including 3rd-party login, object storage, verification code, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Real name",
    "Records": "Records",
    "Request URI": "Request URI",
@ -478,6 +504,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Forgot password?",
@ -530,7 +557,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -552,9 +578,10 @@
    "Use SMS": "Use SMS",
    "Use SMS verification code": "Use SMS verification code",
    "Use a recovery code": "Use a recovery code",
-    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
@ -565,6 +592,8 @@
    "Secret Key": "Secret Key"
  },
  "model": {
+    "Advanced Editor": "Advanced Editor",
+    "Basic Editor": "Basic Editor",
    "Edit Model": "Edit Model",
    "Model text": "Model text",
    "Model text - Tooltip": "Casbin access control model, including built-in models like ACL, RBAC, ABAC, RESTful, etc. You can also create custom models. For more information, please visit the Casbin website",
@ -583,6 +612,8 @@
    "Modify rule": "Modify rule",
    "New Organization": "New Organization",
    "Optional": "Optional",
+    "Password expire days": "Password expire days",
+    "Password expire days - Tooltip": "Password expire days - Tooltip",
    "Prompt": "Prompt",
    "Required": "Required",
    "Soft deletion": "Soft deletion",
@ -700,7 +731,6 @@
    "Alipay": "Alipay",
    "Buy": "Buy",
    "Buy Product": "Buy Product",
-    "CNY": "CNY",
    "Detail": "Detail",
    "Detail - Tooltip": "Detail of product",
    "Dummy": "Dummy",
@ -731,7 +761,6 @@
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
    "This product is currently not in sale.": "This product is currently not in sale.",
-    "USD": "USD",
    "WeChat Pay": "WeChat Pay"
  },
  "provider": {
@ -831,6 +860,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Prompted",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "Provider URL",
    "Provider URL - Tooltip": "URL for configuring the service provider, this field is only used for reference and is not used in Casdoor",
    "Public key": "Public key",
@ -883,6 +913,7 @@
    "Signup HTML - Edit": "Signup HTML - Edit",
    "Signup HTML - Tooltip": "Custom HTML for replacing the default signup page style",
    "Signup group": "Signup group",
+    "Signup group - Tooltip": "Signup group - Tooltip",
    "Silent": "Silent",
    "Site key": "Site key",
    "Site key - Tooltip": "Site key",
@ -950,6 +981,7 @@
    "Have account?": "Have account?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Please accept the agreement!",
    "Please click the below button to sign in": "Please click the below button to sign in",
@ -1146,6 +1178,7 @@
    "Keys": "Keys",
    "Language": "Language",
    "Language - Tooltip": "Language - Tooltip",
+    "Last change password time": "Last change password time",
    "Link": "Link",
    "Location": "Location",
    "Location - Tooltip": "City of residence",
--- a/web/src/locales/id/data.json
+++ b/web/src/locales/id/data.json
@ -74,6 +74,7 @@
    "Left": "Kiri",
    "Logged in successfully": "Berhasil masuk",
    "Logged out successfully": "Berhasil keluar dari sistem",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "Aplikasi Baru",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Sesi masuk",
    "Signup items": "Item pendaftaran",
    "Signup items - Tooltip": "Item-item yang harus diisi pengguna saat mendaftar untuk akun baru",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "Aplikasi tidak memperbolehkan untuk mendaftar akun baru",
@ -123,6 +125,8 @@
    "Token format - Tooltip": "Format dari token akses",
    "Token signing method": "Token signing method",
    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "Anda tidak mengharapkan untuk melihat halaman prompt ini"
  },
  "cert": {
@ -157,6 +161,18 @@
    "Sending": "Mengirimkan",
    "Submit and complete": "Kirim dan selesaikan"
  },
+  "currency": {
+    "AUD": "AUD",
+    "CAD": "CAD",
+    "CHF": "CHF",
+    "CNY": "CNY",
+    "EUR": "EUR",
+    "GBP": "GBP",
+    "HKD": "HKD",
+    "JPY": "JPY",
+    "SGD": "SGD",
+    "USD": "USD"
+  },
  "enforcer": {
    "Edit Enforcer": "Edit Enforcer",
    "New Enforcer": "New Enforcer"
@ -179,6 +195,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Aksi",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Nama tabel dari penyimpanan kebijakan",
@ -261,10 +278,13 @@
    "Go to writable demo site?": "Pergi ke situs demo yang dapat ditulis?",
    "Groups": "Groups",
    "Groups - Tooltip": "Groups - Tooltip",
+    "Hide password": "Hide password",
    "Home": "Rumah",
    "Home - Tooltip": "Halaman utama aplikasi",
    "ID": "ID",
    "ID - Tooltip": "Karakter acak unik",
+    "IP whitelist": "IP whitelist",
+    "IP whitelist - Tooltip": "IP whitelist - Tooltip",
    "Identity": "Identity",
    "Invitations": "Invitations",
    "Is enabled": "Diaktifkan",
@ -307,6 +327,10 @@
    "Password - Tooltip": "Pastikan kata sandi yang benar",
    "Password complexity options": "Password complexity options",
    "Password complexity options - Tooltip": "Password complexity options - Tooltip",
+    "Password obf key": "Password obf key",
+    "Password obf key - Tooltip": "Password obf key - Tooltip",
+    "Password obfuscator": "Password obfuscator",
+    "Password obfuscator - Tooltip": "Password obfuscator - Tooltip",
    "Password salt": "Garam sandi",
    "Password salt - Tooltip": "Parameter acak yang digunakan untuk enkripsi kata sandi",
    "Password type": "Jenis kata sandi",
@ -334,6 +358,8 @@
    "Provider - Tooltip": "Penyedia pembayaran harus dikonfigurasi, termasuk PayPal, Alipay, WeChat Pay, dan sebagainya.",
    "Providers": "Penyedia-penyedia",
    "Providers - Tooltip": "Penyedia harus dikonfigurasi, termasuk login pihak ketiga, penyimpanan objek, kode verifikasi, dan lain-lain.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Nama asli",
    "Records": "Catatan",
    "Request URI": "Request URI",
@ -478,6 +504,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Lupa kata sandi?",
@ -530,7 +557,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -552,9 +578,10 @@
    "Use SMS": "Use SMS",
    "Use SMS verification code": "Use SMS verification code",
    "Use a recovery code": "Use a recovery code",
-    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
@ -565,6 +592,8 @@
    "Secret Key": "Secret Key"
  },
  "model": {
+    "Advanced Editor": "Editor lanjutan",
+    "Basic Editor": "Editor dasar",
    "Edit Model": "Mengedit Model",
    "Model text": "Teks Model",
    "Model text - Tooltip": "Model kontrol akses Casbin, termasuk model bawaan seperti ACL, RBAC, ABAC, RESTful, dll. Anda juga dapat membuat model kustom. Untuk informasi lebih lanjut, silakan kunjungi situs web Casbin",
@ -583,6 +612,8 @@
    "Modify rule": "Mengubah aturan",
    "New Organization": "Organisasi baru",
    "Optional": "Optional",
+    "Password expire days": "Password expire days",
+    "Password expire days - Tooltip": "Password expire days - Tooltip",
    "Prompt": "Prompt",
    "Required": "Required",
    "Soft deletion": "Penghapusan lunak",
@ -700,7 +731,6 @@
    "Alipay": "Alipay",
    "Buy": "Beli",
    "Buy Product": "Beli Produk",
-    "CNY": "CNY",
    "Detail": "Rincian",
    "Detail - Tooltip": "Detail produk",
    "Dummy": "Dummy",
@ -731,7 +761,6 @@
    "Test buy page..": "Halaman pembelian uji coba.",
    "There is no payment channel for this product.": "Tidak ada saluran pembayaran untuk produk ini.",
    "This product is currently not in sale.": "Produk ini saat ini tidak dijual.",
-    "USD": "USD",
    "WeChat Pay": "WeChat Pay"
  },
  "provider": {
@ -831,6 +860,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Mendorong",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "URL penyedia",
    "Provider URL - Tooltip": "URL untuk melakukan konfigurasi service provider, kolom ini hanya digunakan sebagai referensi dan tidak digunakan dalam Casdoor",
    "Public key": "Public key",
@ -883,6 +913,7 @@
    "Signup HTML - Edit": "Pendaftaran HTML - Sunting",
    "Signup HTML - Tooltip": "HTML khusus untuk mengganti gaya halaman pendaftaran bawaan",
    "Signup group": "Signup group",
+    "Signup group - Tooltip": "Signup group - Tooltip",
    "Silent": "Silent",
    "Site key": "Kunci situs",
    "Site key - Tooltip": "Kunci situs atau kunci halaman web",
@ -950,6 +981,7 @@
    "Have account?": "Punya akun?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Tolong terima perjanjian ini!",
    "Please click the below button to sign in": "Silakan klik tombol di bawah ini untuk masuk",
@ -1146,6 +1178,7 @@
    "Keys": "Kunci",
    "Language": "Language",
    "Language - Tooltip": "Language - Tooltip",
+    "Last change password time": "Last change password time",
    "Link": "Tautan",
    "Location": "Lokasi",
    "Location - Tooltip": "Kota tempat tinggal",
--- a/web/src/locales/it/data.json
+++ b/web/src/locales/it/data.json
@ -74,6 +74,7 @@
    "Left": "Left",
    "Logged in successfully": "Logged in successfully",
    "Logged out successfully": "Logged out successfully",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "New Application",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "Signin session",
    "Signup items": "Signup items",
    "Signup items - Tooltip": "Items for users to fill in when registering new accounts",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "The application does not allow to sign up new account",
@ -123,6 +125,8 @@
    "Token format - Tooltip": "The format of access token",
    "Token signing method": "Token signing method",
    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "You are unexpected to see this prompt page"
  },
  "cert": {
@ -157,6 +161,18 @@
    "Sending": "Sending",
    "Submit and complete": "Submit and complete"
  },
+  "currency": {
+    "AUD": "AUD",
+    "CAD": "CAD",
+    "CHF": "CHF",
+    "CNY": "CNY",
+    "EUR": "EUR",
+    "GBP": "GBP",
+    "HKD": "HKD",
+    "JPY": "JPY",
+    "SGD": "SGD",
+    "USD": "USD"
+  },
  "enforcer": {
    "Edit Enforcer": "Edit Enforcer",
    "New Enforcer": "New Enforcer"
@ -179,6 +195,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "Action",
    "Adapter": "Adapter",
    "Adapter - Tooltip": "Table name of the policy store",
@ -261,10 +278,13 @@
    "Go to writable demo site?": "Go to writable demo site?",
    "Groups": "Groups",
    "Groups - Tooltip": "Groups - Tooltip",
+    "Hide password": "Hide password",
    "Home": "Home",
    "Home - Tooltip": "Home page of the application",
    "ID": "ID",
    "ID - Tooltip": "Unique random string",
+    "IP whitelist": "IP whitelist",
+    "IP whitelist - Tooltip": "IP whitelist - Tooltip",
    "Identity": "Identity",
    "Invitations": "Invitations",
    "Is enabled": "Is enabled",
@ -307,6 +327,10 @@
    "Password - Tooltip": "Make sure the password is correct",
    "Password complexity options": "Password complexity options",
    "Password complexity options - Tooltip": "Different combinations of password complexity options",
+    "Password obf key": "Password obf key",
+    "Password obf key - Tooltip": "Password obf key - Tooltip",
+    "Password obfuscator": "Password obfuscator",
+    "Password obfuscator - Tooltip": "Password obfuscator - Tooltip",
    "Password salt": "Password salt",
    "Password salt - Tooltip": "Random parameter used for password encryption",
    "Password type": "Password type",
@ -334,6 +358,8 @@
    "Provider - Tooltip": "Payment providers to be configured, including PayPal, Alipay, WeChat Pay, etc.",
    "Providers": "Providers",
    "Providers - Tooltip": "Providers to be configured, including 3rd-party login, object storage, verification code, etc.",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "Real name",
    "Records": "Records",
    "Request URI": "Request URI",
@ -478,6 +504,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "Forgot password?",
@ -530,7 +557,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -552,9 +578,10 @@
    "Use SMS": "Use SMS",
    "Use SMS verification code": "Use SMS verification code",
    "Use a recovery code": "Use a recovery code",
-    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
@ -565,6 +592,8 @@
    "Secret Key": "Secret Key"
  },
  "model": {
+    "Advanced Editor": "Advanced Editor",
+    "Basic Editor": "Basic Editor",
    "Edit Model": "Edit Model",
    "Model text": "Model text",
    "Model text - Tooltip": "Casbin access control model, including built-in models like ACL, RBAC, ABAC, RESTful, etc. You can also create custom models. For more information, please visit the Casbin website",
@ -583,6 +612,8 @@
    "Modify rule": "Modify rule",
    "New Organization": "New Organization",
    "Optional": "Optional",
+    "Password expire days": "Password expire days",
+    "Password expire days - Tooltip": "Password expire days - Tooltip",
    "Prompt": "Prompt",
    "Required": "Required",
    "Soft deletion": "Soft deletion",
@ -700,7 +731,6 @@
    "Alipay": "Alipay",
    "Buy": "Buy",
    "Buy Product": "Buy Product",
-    "CNY": "CNY",
    "Detail": "Detail",
    "Detail - Tooltip": "Detail of product",
    "Dummy": "Dummy",
@ -731,7 +761,6 @@
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
    "This product is currently not in sale.": "This product is currently not in sale.",
-    "USD": "USD",
    "WeChat Pay": "WeChat Pay"
  },
  "provider": {
@ -831,6 +860,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "Prompted",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "Provider URL",
    "Provider URL - Tooltip": "URL for configuring the service provider, this field is only used for reference and is not used in Casdoor",
    "Public key": "Public key",
@ -883,6 +913,7 @@
    "Signup HTML - Edit": "Signup HTML - Edit",
    "Signup HTML - Tooltip": "Custom HTML for replacing the default signup page style",
    "Signup group": "Signup group",
+    "Signup group - Tooltip": "Signup group - Tooltip",
    "Silent": "Silent",
    "Site key": "Site key",
    "Site key - Tooltip": "Site key",
@ -950,6 +981,7 @@
    "Have account?": "Have account?",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "Please accept the agreement!",
    "Please click the below button to sign in": "Please click the below button to sign in",
@ -1146,6 +1178,7 @@
    "Keys": "Keys",
    "Language": "Language",
    "Language - Tooltip": "Language - Tooltip",
+    "Last change password time": "Last change password time",
    "Link": "Link",
    "Location": "Location",
    "Location - Tooltip": "City of residence",
--- a/web/src/locales/ja/data.json
+++ b/web/src/locales/ja/data.json
@ -74,6 +74,7 @@
    "Left": "左",
    "Logged in successfully": "正常にログインしました",
    "Logged out successfully": "正常にログアウトしました",
+    "Multiple Choices": "Multiple Choices",
    "New Application": "新しいアプリケーション",
    "No verification": "No verification",
    "Normal": "Normal",
@ -112,6 +113,7 @@
    "Signin session": "サインインセッション",
    "Signup items": "サインアップアイテム",
    "Signup items - Tooltip": "新しいアカウントを登録する際にユーザーが入力するアイテム",
+    "Single Choice": "Single Choice",
    "Small icon": "Small icon",
    "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
    "The application does not allow to sign up new account": "アプリケーションでは新しいアカウントの登録ができません",
@ -123,6 +125,8 @@
    "Token format - Tooltip": "アクセストークンのフォーマット",
    "Token signing method": "Token signing method",
    "Token signing method - Tooltip": "Signing method of JWT token, needs to be the same algorithm as the certificate",
+    "Use Email as NameID": "Use Email as NameID",
+    "Use Email as NameID - Tooltip": "Use Email as NameID - Tooltip",
    "You are unexpected to see this prompt page": "このプロンプトページを見ることは予期せぬことである"
  },
  "cert": {
@ -157,6 +161,18 @@
    "Sending": "送信",
    "Submit and complete": "提出して完了してください"
  },
+  "currency": {
+    "AUD": "AUD",
+    "CAD": "CAD",
+    "CHF": "CHF",
+    "CNY": "CNY",
+    "EUR": "EUR",
+    "GBP": "GBP",
+    "HKD": "HKD",
+    "JPY": "JPY",
+    "SGD": "SGD",
+    "USD": "USD"
+  },
  "enforcer": {
    "Edit Enforcer": "Edit Enforcer",
    "New Enforcer": "New Enforcer"
@ -179,6 +195,7 @@
    "Access key - Tooltip": "Access key - Tooltip",
    "Access secret": "Access secret",
    "Access secret - Tooltip": "Access secret - Tooltip",
+    "Access token is empty": "Access token is empty",
    "Action": "アクション",
    "Adapter": "アダプター",
    "Adapter - Tooltip": "ポリシー・ストアのテーブル名",
@ -261,10 +278,13 @@
    "Go to writable demo site?": "書き込み可能なデモサイトに移動しますか？",
    "Groups": "Groups",
    "Groups - Tooltip": "Groups - Tooltip",
+    "Hide password": "Hide password",
    "Home": "ホーム",
    "Home - Tooltip": "アプリケーションのホームページ",
    "ID": "ID",
    "ID - Tooltip": "ユニークなランダム文字列",
+    "IP whitelist": "IP whitelist",
+    "IP whitelist - Tooltip": "IP whitelist - Tooltip",
    "Identity": "Identity",
    "Invitations": "Invitations",
    "Is enabled": "可能になっています",
@ -307,6 +327,10 @@
    "Password - Tooltip": "パスワードが正しいことを確認してください",
    "Password complexity options": "Password complexity options",
    "Password complexity options - Tooltip": "Password complexity options - Tooltip",
+    "Password obf key": "Password obf key",
+    "Password obf key - Tooltip": "Password obf key - Tooltip",
+    "Password obfuscator": "Password obfuscator",
+    "Password obfuscator - Tooltip": "Password obfuscator - Tooltip",
    "Password salt": "パスワードのソルト",
    "Password salt - Tooltip": "ランダムパラメーターは、パスワードの暗号化に使用されます",
    "Password type": "パスワードタイプ",
@ -334,6 +358,8 @@
    "Provider - Tooltip": "支払いプロバイダーを設定する必要があります。これには、PayPal、Alipay、WeChat Payなどが含まれます。",
    "Providers": "プロバイダー",
    "Providers - Tooltip": "設定するプロバイダーには、サードパーティのログイン、オブジェクトストレージ、検証コードなどが含まれます。",
+    "QR Code": "QR Code",
+    "QR code is too large": "QR code is too large",
    "Real name": "本名",
    "Records": "記録",
    "Request URI": "Request URI",
@ -478,6 +504,7 @@
    "Face ID": "Face ID",
    "Face Recognition": "Face Recognition",
    "Face recognition failed": "Face recognition failed",
+    "Failed to log out": "Failed to log out",
    "Failed to obtain MetaMask authorization": "Failed to obtain MetaMask authorization",
    "Failed to obtain Web3-Onboard authorization": "Failed to obtain Web3-Onboard authorization",
    "Forgot password?": "パスワードを忘れましたか？",
@ -530,7 +557,6 @@
    "Have problems?": "Have problems?",
    "Multi-factor authentication": "Multi-factor authentication",
    "Multi-factor authentication - Tooltip ": "Multi-factor authentication - Tooltip ",
-    "Multi-factor authentication description": "Multi-factor authentication description",
    "Multi-factor methods": "Multi-factor methods",
    "Multi-factor recover": "Multi-factor recover",
    "Multi-factor recover description": "Multi-factor recover description",
@ -552,9 +578,10 @@
    "Use SMS": "Use SMS",
    "Use SMS verification code": "Use SMS verification code",
    "Use a recovery code": "Use a recovery code",
-    "Verification failed": "Verification failed",
    "Verify Code": "Verify Code",
    "Verify Password": "Verify Password",
+    "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue": "You have enabled Multi-Factor Authentication, Please click 'Send Code' to continue",
+    "You have enabled Multi-Factor Authentication, please enter the TOTP code": "You have enabled Multi-Factor Authentication, please enter the TOTP code",
    "Your email is": "Your email is",
    "Your phone is": "Your phone is",
    "preferred": "preferred"
@ -565,6 +592,8 @@
    "Secret Key": "Secret Key"
  },
  "model": {
+    "Advanced Editor": "Advanced Editor",
+    "Basic Editor": "Basic Editor",
    "Edit Model": "編集モデル",
    "Model text": "モデルテキスト",
    "Model text - Tooltip": "Casbinのアクセス制御モデルには、ACL、RBAC、ABAC、RESTfulなどの組み込みモデルが含まれています。カスタムモデルも作成できます。詳細については、Casbinのウェブサイトをご覧ください",
@ -583,6 +612,8 @@
    "Modify rule": "ルールを変更する",
    "New Organization": "新しい組織",
    "Optional": "Optional",
+    "Password expire days": "Password expire days",
+    "Password expire days - Tooltip": "Password expire days - Tooltip",
    "Prompt": "Prompt",
    "Required": "Required",
    "Soft deletion": "ソフト削除",
@ -700,7 +731,6 @@
    "Alipay": "Alipay",
    "Buy": "購入",
    "Buy Product": "製品を購入する",
-    "CNY": "CNY",
    "Detail": "詳細",
    "Detail - Tooltip": "製品の詳細",
    "Dummy": "Dummy",
@ -731,7 +761,6 @@
    "Test buy page..": "テスト購入ページ。",
    "There is no payment channel for this product.": "この製品には支払いチャネルがありません。",
    "This product is currently not in sale.": "この製品は現在販売されていません。",
-    "USD": "USD",
    "WeChat Pay": "WeChat Pay"
  },
  "provider": {
@ -831,6 +860,7 @@
    "Project Id": "Project Id",
    "Project Id - Tooltip": "Project Id - Tooltip",
    "Prompted": "促された",
+    "Provider - Tooltip": "Provider - Tooltip",
    "Provider URL": "プロバイダーURL",
    "Provider URL - Tooltip": "サービスプロバイダーの設定用URL。このフィールドは参照用にのみ使用され、Casdoorでは使用されません",
    "Public key": "Public key",
@ -883,6 +913,7 @@
    "Signup HTML - Edit": "サインアップ HTML - 編集",
    "Signup HTML - Tooltip": "デフォルトのサインアップページスタイルを置き換えるためのカスタムHTML",
    "Signup group": "Signup group",
+    "Signup group - Tooltip": "Signup group - Tooltip",
    "Silent": "Silent",
    "Site key": "サイトキー",
    "Site key - Tooltip": "サイトキー",
@ -950,6 +981,7 @@
    "Have account?": "アカウントはありますか？",
    "Label": "Label",
    "Label HTML": "Label HTML",
+    "Options": "Options",
    "Placeholder": "Placeholder",
    "Please accept the agreement!": "合意に同意してください！",
    "Please click the below button to sign in": "以下のボタンをクリックしてログインしてください",
@ -1146,6 +1178,7 @@
    "Keys": "鍵",
    "Language": "Language",
    "Language - Tooltip": "Language - Tooltip",
+    "Last change password time": "Last change password time",
    "Link": "リンク",
    "Location": "場所",
    "Location - Tooltip": "居住都市",
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
hsluoyz	43bebc03b9	feat: fix crash in roleChangeTrigger()	2025-01-09 16:41:56 +08:00
WindSpiritSR	c5f25cbc7d	feat: getPidByPort() supports alpine now (#3483 ) Signed-off-by: WindSpiritSR <simon343riley@gmail.com>	2025-01-08 12:18:46 +08:00
Cutsin	3feb6ce84d	feat: add Kwai OAuth provider (#3480 ) * feat: add Kwai OAuth provider * fix: incorrect parameter in getAuthUrl	2025-01-08 00:09:16 +08:00
hsluoyz	08d6b45fc5	feat: keeps "build" folder during yarn build	2025-01-07 23:38:50 +08:00
hsluoyz	56d0de64dc	feat: support StopOldInstance()	2025-01-07 21:39:21 +08:00
DacongDA	1813e8e8c7	feat: return goroutine error in get-dashboard API (#3479 )	2025-01-07 10:35:45 +08:00
DacongDA	e27c764a55	feat: fix bug that GitHub oauth provider shows error if failed to fetch user's email (#3474 ) * fix: fix github idp will stop login if it cannot fetch user's email through al restful api * Update github.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2025-01-05 20:25:42 +08:00
DacongDA	e5a2057382	feat: fix empty scope bug in RefreshToken API (#3467 ) * fix: fix scope will be empty when user not passing scope in refresh api * fix: promote code format	2025-01-02 12:53:17 +08:00
Yang Luo	8457ff7433	feat: support radiusDefaultOrganization in app.conf	2025-01-02 00:10:58 +08:00
DacongDA	888a6f2feb	feat: add regex to restrict Email addresses in OAuth provider (#3465 ) * feat: support use regex expression to limit email receiver address * feat: limit in correct pos * feat: promote code format * feat: promote code format * fix: fix linter issue	2025-01-02 00:00:57 +08:00
IZUMI-Zu	b57b64fc36	feat: add origin field for mfaAccountTable (#3463 )	2024-12-29 22:51:21 +08:00
DacongDA	0d239ba1cf	feat: improve the error message of GitHub OAuth provider (#3462 )	2024-12-29 21:54:54 +08:00
DacongDA	8927e08217	feat: speed up GetDashboard() by only fetching last 30 days data (#3458 ) * feat: only check 30 days data * refactor: refactor GetDashboard to reduce code line * refactor: refactor GetDashboard to reduce code line * refactor: remove unused where * fix: fix error code	2024-12-29 16:15:52 +08:00
DacongDA	0636069584	feat: only fetch created_time field to reduce data size in get-dashboard API (#3457 )	2024-12-28 23:52:19 +08:00
Yang Luo	4d0f73c84e	feat: fix Casdoor OAuth provider doesn't use domain field bug	2024-12-28 10:01:56 +08:00
reserved	74a2478e10	feat: Make MinIO storage provider region setting configurable (#3433 ) * fix: Make MinIO provider region setting configurable * Fix: Correct the issue where modifications to MinIO's default logic caused behavioral discrepancies	2024-12-23 16:07:14 +08:00
nano	acc6f3e887	feat: escape the avatal URL in CAS response (#3434 )	2024-12-20 17:11:58 +08:00
Xin-Fax	185ab9750a	feat: fix VerificationRecord.IsUsed JSON Field Mapping	2024-12-18 13:56:54 +08:00
Cliff	48adc050d6	feat: can pass empty user id on user update (#3443 )	2024-12-18 07:56:44 +08:00
Coki	b0e318c9db	feat: add localized tab titles for Basic and Advanced Editors (#3431 ) * feat: add localized tab titles for Basic and Advanced Editors * docs: update translations for model editor labels in multiple locales	2024-12-16 08:34:13 +08:00
Coki	f9a6efc00f	feat: advanced model editor should support changing UI language (#3430 )	2024-12-15 15:53:29 +08:00
DacongDA	bd4a6775dd	feat: get github user email with `user/emails` api (#3428 ) * feat: get user email use `user/emails` api * feat: improve code format * feat: improve code format	2024-12-15 10:28:18 +08:00
Coki	e3a43d0062	feat: improve the advanced editor of model edit page (#3427 )	2024-12-15 02:07:02 +08:00
DacongDA	0cf281cac0	feat: fix record's password regex bug (#3421 )	2024-12-11 08:43:03 +08:00
XIAOZHUOWU	7322f67ae0	feat: add model, adapter and enforcer to the dashboard page chart (#3413 ) * [feature] Add more data (Model, Adapter, Enforcer) to the dashboard page chart #3379 * feat: add model, adapter, enforcer to dashboard	2024-12-09 16:07:39 +08:00
Xin-Fax	b927c6d7b4	feat: support LDAP's SetPassword (#3395 ) * fix: Resolve the issue mentioned in #3392 * fix: Change checkLdapUserPassword to CheckLdapUserPassword. * fix: the issue mentioned by hsluoyz. * fix: Check if the user parameter is nil * fix: use existing i18n message	2024-12-09 16:06:24 +08:00
nohup	01212cd1f3	feat: add AiAssistantUrl to frontend config (#3385 )	2024-12-08 20:44:28 +08:00
Xinyu Ge	bf55f94d41	feat: support CUCloud OSS storage provider (#3400 )	2024-12-08 20:24:38 +08:00
Yang Luo	f14711d315	feat: fix frontend bug	2024-12-07 21:53:01 +08:00
DacongDA	58e1c28f7c	feat: support LDAPS protocol (#3390 ) * feat: support ldaps * fix: unencrypted port 389 not work after enable SSL fix: remove useless conf and set ldapsCertId to empty fix: return and log getTLSconfig error * fix: remove unused setting * fix: check nil condition * fix: not log fail when certId is empty	2024-12-07 21:26:07 +08:00
Yang Luo	922b19c64b	feat: reduce i18n items	2024-12-07 21:22:57 +08:00
DacongDA	1d21c3fa90	feat: fix issue that introspectionResponse uses Bearer instead of raw tokenType (#3399 )	2024-12-05 20:59:30 +08:00
DacongDA	6175fd6764	feat: make token_type_hint optional (#3397 )	2024-12-04 20:10:15 +08:00
Luckery	2ceb54f058	feat: support most popular currencies (#3388 )	2024-12-01 21:46:44 +08:00
DacongDA	aaeaa7fefa	feat: update go sms sender (#3386 )	2024-11-29 23:00:34 +08:00
DacongDA	d522247552	feat: fix countryCode param bug in MFA login (#3384 )	2024-11-29 21:46:06 +08:00
DacongDA	79dbdab6c9	feat: fix "dest is missing" bug in MFA login (#3383 ) * feat: support stateless mfa setup * Revert "feat: support stateless mfa setup" This reverts commit `bd843b2ff3`. * feat: use new implement * fix: missing set field on login	2024-11-29 19:59:30 +08:00
DacongDA	fe40910e3b	feat: support stateless MFA setup (#3382 )	2024-11-29 19:50:10 +08:00
Xinyu Ge	2d1736f13a	feat: Add more data to the dashboard page chart #3365 (#3375 ) * test * feat: #3365 add more dada to the dashboard page chart * feat: #3365 Add more data to the dashboard page chart	2024-11-26 09:16:35 +08:00
ming.zhang	12b4d1c7cd	feat: change LDAP attribute from cn to title for correct username mapping (#3378 )	2024-11-26 09:13:05 +08:00
hamidreza abedi	a45d2b87c1	feat: Add translations for Persian (#3372 )	2024-11-23 16:24:07 +08:00
DacongDA	8484465d09	feat: fix SAML failed to redirect issue when login api returns RequiredMfa (#3364 )	2024-11-21 20:31:56 +08:00
Luckery	dff65eee20	feat: Force users to change their passwords after 3/6/12 months (#3352 ) * feat: Force users to change their passwords after 3/6/12 months * feat: Check if the password has expired by using the last_change_password_time field added to the user table * feat: Use the created_time field of the user table to aid password expiration checking * feat: Rename variable	2024-11-19 21:06:52 +08:00
Eng Zer Jun	596016456c	feat: update CI's upload-artifact and download-artifact actions to v4 (#3361 ) v3 of `actions/upload-artifact` and `actions/download-artifact` will be fully deprecated by 5 December 2024. Jobs that are scheduled to run during the brownout periods will also fail. See [1][2]. [1]: https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/ [2]: https://github.blog/changelog/2024-11-05-notice-of-breaking-changes-for-github-actions/ Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>	2024-11-19 00:07:59 +08:00
DacongDA	673261c258	feat: fix placeholder bug in signin page (#3359 )	2024-11-17 00:14:26 +08:00
DacongDA	3c5985a3c0	fix: fix several bugs in samlRequest (#3358 )	2024-11-17 00:14:04 +08:00
DacongDA	4f3d62520a	feat: fix the dashboard page shows zero data in mobile phone (#3356 )	2024-11-16 22:02:49 +08:00
DacongDA	96f8b3d937	feat: fix SAML metadata URL and XML generation issue when enablePostBinding is enabled (#3354 )	2024-11-16 15:35:30 +08:00
Yang Luo	7ab5a5ade1	feat: add processArgsToTempFiles() to RunCasbinCommand()	2024-11-15 20:25:48 +08:00
Yang Luo	5cbd0a96ca	Use json format for argString in RunCasbinCommand()	2024-11-15 18:27:25 +08:00
Yang Luo	7ccd8c4d4f	feat: add RunCasbinCommand() API	2024-11-15 17:44:57 +08:00
ZhaoYP 2001	b0fa3fc484	feat: add Casbin CLI API to Casdoor (#3351 )	2024-11-15 16:10:22 +08:00
Yang Luo	af01c4226a	feat: add Organization.PasswordExpireDays field	2024-11-15 11:33:28 +08:00
DacongDA	7a3d85a29a	feat: update github token to fix CI cannot release issue (#3348 )	2024-11-14 18:05:56 +08:00
IZUMI-Zu	fd5ccd8d41	feat: support copying token to clipboard for casdoor-app (#3345 ) * feat: support copy token to clipboard for casdoor-app auth * feat: abstract casdoor-app related code	2024-11-13 17:06:09 +08:00
Yang Luo	a439c5195d	feat: get token only by hash now, remove get-by-value backward-compatible code	2024-11-13 17:04:27 +08:00
Yang Luo	ba2e997d54	feat: fix CheckUpdateUser() logic to fix add-user error	2024-11-06 08:34:13 +08:00
Luckery	0818de85d1	feat: fix username checks when organization.UseEmailAsUsername is enabled (#3329 ) * feat: Username support email format * feat: Only fulfill the first requirement * fix: Improve code robustness	2024-11-05 20:38:47 +08:00
Yang Luo	457c6098a4	feat: fix MFA empty CountryCode bug and show MFA error better in frontend	2024-11-04 16:17:24 +08:00
Yang Luo	60f979fbb5	feat: fix MfaSetupPage empty bug when user's signup application is empty	2024-11-04 00:04:47 +08:00
Luckery	ff53e44fa6	feat: use virtual select UI in role edit page (#3322 )	2024-11-03 20:05:34 +08:00
Yang Luo	1832de47db	feat: fix bug in CheckEntryIp()	2024-11-03 20:00:52 +08:00
Yang Luo	535eb0c465	fix: fix IP Whitelist field bug in application edit page	2024-11-03 19:55:59 +08:00
ithilelda	c190634cf3	feat: show Domain field for Qiniu storage provider (#3318 ) allow Qiniu Provider to edit the Domain property in the edit page.	2024-10-27 14:10:58 +08:00
Cliff	f7559aa040	feat: set created time if not presented in AddUser() API (#3315 )	2024-10-24 23:06:05 +08:00
DacongDA	1e0b709c73	feat: pass signin method to CAS login to fix bug (#3313 )	2024-10-24 14:56:12 +08:00
DacongDA	c0800b7fb3	feat: add util.IsValidOrigin() to improve CORS filter (#3301 ) * fix: CORS check issue * fix: promote format * fix: promote format * fix: promote format * fix: promote format * Update application.go * Update cors_filter.go * Update validation.go --------- Co-authored-by: Yang Luo <hsluoyz@qq.com>	2024-10-20 20:09:21 +08:00
eya46	6fcdad2100	feat: fix bug that fails to login when PasswordObfuscator is enabled (#3299 )	2024-10-19 23:09:59 +08:00
Cliff	69d26d5c21	feat: add-user/update-user API should check if username/id/email/phone has duplicated with existing user (#3295 )	2024-10-18 22:18:37 +08:00
DacongDA	94e6b5ecb8	feat: fix bug in SetPassword() API (#3296 )	2024-10-18 20:50:43 +08:00
DacongDA	95e8bdcd36	feat: add initDataNewOnly to app.conf to skip overriding existing data in initDataFromFile() (#3294 ) * feat: support control whether overwrite existing data during initDataFromFile * feat: change conf var name * feat: change conf var name	2024-10-18 00:08:08 +08:00
liuaiolos	6f1f93725e	feat: fix GetAllActions()'s bug (#3289 )	2024-10-16 21:55:06 +08:00
DacongDA	7ae067e369	feat: only admin can specify user in BuyProduct() (#3287 ) * fix: balance can be used without login * fix: balance can be used without login * fix: fix bug * fix: fix bug	2024-10-16 00:02:04 +08:00
Yang Luo	dde936e935	feat: fix null application crash in CheckEntryIp()	2024-10-15 22:11:15 +08:00
Yang Luo	fb561a98c8	feat: fix null user crash in RefreshToken()	2024-10-15 21:38:33 +08:00
ZhaoYP 2001	7cd8f030ee	feat: support IP limitation for user entry pages (#3267 ) * feat: support IP limitation for user entry pages * fix: error message, ip whiteList, check_entry_ip * fix: perform checks on the backend * fix: change the implementation of checking IpWhitelist * fix: add entryIpCheck in SetPassword and remove it from VerifyCode * fix: remove additional error message pop-ups * fix: add isRestricted and show ip error in EntryPage.js * fix: error message * Update auth.go * Update check_ip.go * Update check_ip.go * fix: update return value of the check function from string to error * fix: remoteAddress position * fix: IP whitelist * fix: clientIp * fix:add util.GetClientIpFromRequest * fix: remove duplicate IP and port separation codes and remove extra special characters after clientIp * fix: gofumpt * fix: getIpInfo and localhost --------- Co-authored-by: Yang Luo <hsluoyz@qq.com>	2024-10-15 20:40:14 +08:00
Yang Luo	a3f8ded10c	feat: refactor util.GetClientIpFromRequest()	2024-10-15 12:22:38 +08:00
DacongDA	e3d135bc6e	feat: improve MFA desc text (#3284 ) * fix: fix i18n error for mfa * fix: fix i18n error for mfa * fix: promote translate	2024-10-14 18:31:48 +08:00
千石	fc864b0de4	feat: support ".login-panel-dark" CSS for signup/login pages (#3269 ) * feat: add custom dark mode CSS for login and registration forms. * refactor: extract dark theme check to Setting.js	2024-10-13 22:31:54 +08:00
ZhaoYP 2001	3211bcc777	feat: add getCaptchaRule() to fix bug (#3281 ) * feat: update captcha rule when the login page component is mounted * fix: remove enableCaptchaModel from the state of the login page to avoid inconsistency issues * fix: use this.getApplicationObj() instead of this.props.application	2024-10-12 10:02:45 +08:00
DacongDA	9f4430ed04	feat: fix MFA's i18n error (#3273 )	2024-10-08 21:58:06 +08:00
Yang Luo	05830b9ff6	feat: update import lib: github.com/casdoor/ldapserver	2024-10-08 19:18:56 +08:00
千石	347b25676f	feat: dark mode now works for login/signup pages too (#3252 ) * fix: trying to fix dark mode not applying on login/registration interface * fix: trying to fix dark mode not applying on login/registration interface * fix: trying to fix dark mode not applying on login/registration interface * fix: Clean up unused code * fix: loginBackgroundDark move to App.less * fix: fix typo	2024-10-05 21:26:25 +08:00
DacongDA	2417ff84e6	feat: support initial group assignment for new invited users via invitation.SignupGroup field (#3266 )	2024-10-04 20:15:51 +08:00
DacongDA	468631e654	feat: support "All" in organization's country codes (#3264 )	2024-10-03 22:58:09 +08:00
ZhaoYP 2001	e1dea9f697	feat: add organization's PasswordObfuscator to obfuscate login API's password (#3260 ) * feat: add PasswordObfuscator to the login API * fix: change key error message * fix: remove unnecessary change * fix: fix one * fix: fix two * fix: fix three * fix: fix five * fix: disable organization update when key is invalid * fix: fix six * fix: use Form.Item to control key * fix: update obfuscator.js * Update obfuscator.go * Update obfuscator.go * Update auth.go * fix: remove real-time key monitoring --------- Co-authored-by: Yang Luo <hsluoyz@qq.com>	2024-10-03 10:38:37 +08:00
Corey Gaspard	c0f22bae43	feat: better handling of organization.AccountItems on init_data import (#3263 ) * Better handling of accountitems on init_data import. * Removed commented code. * Update init_data.go * Update init_data.go --------- Co-authored-by: Yang Luo <hsluoyz@qq.com>	2024-10-03 08:49:09 +08:00
DacongDA	c9635d9e2b	feat: improve i18n (#3259 )	2024-10-01 00:10:49 +08:00
DacongDA	3bd52172ea	feat: add Hide-Password option for signin method rule field (#3258 )	2024-09-30 23:31:41 +08:00