feat: fix SAML failed to redirect issue when login api returns RequiredMfa (#3364)

* feat: Force users to change their passwords after 3/6/12 months

* feat: Check if the password has expired by using the last_change_password_time field added to the user table

* feat: Use the created_time field of the user table to aid password expiration checking

* feat: Rename variable

.github/workflows/build.yml

@@ -114,12 +114,12 @@ jobs:
           wait-on-timeout: 210
           working-directory: ./web
 
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: cypress-screenshots
           path: ./web/cypress/screenshots
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         if: always()
         with:
           name: cypress-videos
@@ -147,7 +147,7 @@ jobs:
       - name: Release
         run: yarn global add semantic-release@17.4.4 && semantic-release
         env:
-          GH_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Fetch Current version
         id: get-current-tag

authz/authz.go

@@ -98,6 +98,7 @@ p, *, *, GET, /api/get-organization-names, *, *
 p, *, *, GET, /api/get-all-objects, *, *
 p, *, *, GET, /api/get-all-actions, *, *
 p, *, *, GET, /api/get-all-roles, *, *
+p, *, *, GET, /api/run-casbin-command, *, *
 p, *, *, GET, /api/get-invitation-info, *, *
 p, *, *, GET, /api/faceid-signin-begin, *, *
 `

controllers/auth.go

@@ -854,6 +854,7 @@ func (c *ApiController) Login() {
 		}
 
 		if authForm.Passcode != "" {
+			user.CountryCode = user.GetCountryCode(user.CountryCode)
 			mfaUtil := object.GetMfaUtil(authForm.MfaType, user.GetPreferredMfaProps(false))
 			if mfaUtil == nil {
 				c.ResponseError("Invalid multi-factor authentication type")

controllers/casbin_cli_api.go

@@ -0,0 +1,114 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+func processArgsToTempFiles(args []string) ([]string, []string, error) {
+	tempFiles := []string{}
+	newArgs := []string{}
+	for i := 0; i < len(args); i++ {
+		if (args[i] == "-m" || args[i] == "-p") && i+1 < len(args) {
+			pattern := fmt.Sprintf("casbin_temp_%s_*.conf", args[i])
+			tempFile, err := os.CreateTemp("", pattern)
+			if err != nil {
+				return nil, nil, fmt.Errorf("failed to create temp file: %v", err)
+			}
+
+			_, err = tempFile.WriteString(args[i+1])
+			if err != nil {
+				tempFile.Close()
+				return nil, nil, fmt.Errorf("failed to write to temp file: %v", err)
+			}
+
+			tempFile.Close()
+			tempFiles = append(tempFiles, tempFile.Name())
+			newArgs = append(newArgs, args[i], tempFile.Name())
+			i++
+		} else {
+			newArgs = append(newArgs, args[i])
+		}
+	}
+	return tempFiles, newArgs, nil
+}
+
+// RunCasbinCommand
+// @Title RunCasbinCommand
+// @Tag Enforcer API
+// @Description Call Casbin CLI commands
+// @Success 200 {object} controllers.Response The Response object
+// @router /run-casbin-command [get]
+func (c *ApiController) RunCasbinCommand() {
+	language := c.Input().Get("language")
+	argString := c.Input().Get("args")
+
+	if language == "" {
+		language = "go"
+	}
+	// use "casbin-go-cli" by default, can be also "casbin-java-cli", "casbin-node-cli", etc.
+	// the pre-built binary of "casbin-go-cli" can be found at: https://github.com/casbin/casbin-go-cli/releases
+	binaryName := fmt.Sprintf("casbin-%s-cli", language)
+
+	_, err := exec.LookPath(binaryName)
+	if err != nil {
+		c.ResponseError(fmt.Sprintf("executable file: %s not found in PATH", binaryName))
+		return
+	}
+
+	// RBAC model & policy example:
+	// https://door.casdoor.com/api/run-casbin-command?language=go&args=["enforce", "-m", "[request_definition]\nr = sub, obj, act\n\n[policy_definition]\np = sub, obj, act\n\n[role_definition]\ng = _, _\n\n[policy_effect]\ne = some(where (p.eft == allow))\n\n[matchers]\nm = g(r.sub, p.sub) %26%26 r.obj == p.obj %26%26 r.act == p.act", "-p", "p, alice, data1, read\np, bob, data2, write\np, data2_admin, data2, read\np, data2_admin, data2, write\ng, alice, data2_admin", "alice", "data1", "read"]
+	// Casbin CLI usage:
+	// https://github.com/jcasbin/casbin-java-cli?tab=readme-ov-file#get-started
+	var args []string
+	err = json.Unmarshal([]byte(argString), &args)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	tempFiles, processedArgs, err := processArgsToTempFiles(args)
+	defer func() {
+		for _, file := range tempFiles {
+			os.Remove(file)
+		}
+	}()
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	command := exec.Command(binaryName, processedArgs...)
+	outputBytes, err := command.CombinedOutput()
+	if err != nil {
+		errorString := err.Error()
+		if outputBytes != nil {
+			output := string(outputBytes)
+			errorString = fmt.Sprintf("%s, error: %s", output, err.Error())
+		}
+
+		c.ResponseError(errorString)
+		return
+	}
+
+	output := string(outputBytes)
+	output = strings.TrimSuffix(output, "\n")
+	c.ResponseOk(output)
+}

controllers/user.go

@@ -364,17 +364,13 @@ func (c *ApiController) AddUser() {
 		return
 	}
 
-	msg := object.CheckUsername(user.Name, c.GetAcceptLanguage())
+	emptyUser := object.User{}
+	msg := object.CheckUpdateUser(&emptyUser, &user, c.GetAcceptLanguage())
 	if msg != "" {
 		c.ResponseError(msg)
 		return
 	}
 
-	if err = object.CheckIpWhitelist(user.IpWhitelist, c.GetAcceptLanguage()); err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
 	c.Data["json"] = wrapActionResponse(object.AddUser(&user))
 	c.ServeJSON()
 }
@@ -565,8 +561,9 @@ func (c *ApiController) SetPassword() {
 	targetUser.Password = newPassword
 	targetUser.UpdateUserPassword(organization)
 	targetUser.NeedUpdatePassword = false
+	targetUser.LastChangePasswordTime = util.GetCurrentTime()
 
-	_, err = object.UpdateUser(userId, targetUser, []string{"password", "need_update_password", "password_type"}, false)
+	_, err = object.UpdateUser(userId, targetUser, []string{"password", "need_update_password", "password_type", "last_change_password_time"}, false)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return

controllers/verification.go

@@ -294,6 +294,7 @@ func (c *ApiController) SendVerificationCode() {
 			}
 
 			vform.CountryCode = mfaProps.CountryCode
+			vform.CountryCode = user.GetCountryCode(vform.CountryCode)
 		}
 
 		provider, err = application.GetSmsProvider(vform.Method, vform.CountryCode)

i18n/locales/ru/data.json

@@ -15,10 +15,10 @@
     "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "Аккаунт для провайдера: %s и имя пользователя: %s (%s) не существует и не может быть зарегистрирован как новый аккаунт. Пожалуйста, обратитесь в службу поддержки IT",
     "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "Аккаунт поставщика: %s и имя пользователя: %s (%s) уже связаны с другим аккаунтом: %s (%s)",
     "The application: %s does not exist": "Приложение: %s не существует",
-    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
-    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
-    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
-    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
+    "The login method: login with LDAP is not enabled for the application": "Метод входа в систему: вход с помощью LDAP не включен для приложения",
+    "The login method: login with SMS is not enabled for the application": "Метод входа: вход с помощью SMS не включен для приложения",
+    "The login method: login with email is not enabled for the application": "Метод входа: вход с помощью электронной почты не включен для приложения",
+    "The login method: login with face is not enabled for the application": "Метод входа: вход с помощью лица не включен для приложения",
     "The login method: login with password is not enabled for the application": "Метод входа: вход с паролем не включен для приложения",
     "The organization: %s does not exist": "The organization: %s does not exist",
     "The provider: %s is not enabled for the application": "Провайдер: %s не включен для приложения",
@@ -53,16 +53,16 @@
     "Phone already exists": "Телефон уже существует",
     "Phone cannot be empty": "Телефон не может быть пустым",
     "Phone number is invalid": "Номер телефона является недействительным",
-    "Please register using the email corresponding to the invitation code": "Please register using the email corresponding to the invitation code",
-    "Please register using the phone  corresponding to the invitation code": "Please register using the phone  corresponding to the invitation code",
-    "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
+    "Please register using the email corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь, используя электронную почту, соответствующую коду приглашения",
+    "Please register using the phone  corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь по телефону, соответствующему коду приглашения",
+    "Please register using the username corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь, используя имя пользователя, соответствующее коду приглашения",
     "Session outdated, please login again": "Сессия устарела, пожалуйста, войдите снова",
     "The invitation code has already been used": "The invitation code has already been used",
     "The user is forbidden to sign in, please contact the administrator": "Пользователю запрещен вход, пожалуйста, обратитесь к администратору",
     "The user: %s doesn't exist in LDAP server": "Пользователь %s не существует на LDAP сервере",
     "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Имя пользователя может состоять только из буквенно-цифровых символов, нижних подчеркиваний или дефисов, не может содержать последовательные дефисы или подчеркивания, а также не может начинаться или заканчиваться на дефис или подчеркивание.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "Значение \\\"%s\\\" для поля аккаунта \\\"%s\\\" не соответствует регулярному значению",
+    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "Значение \\\"%s\\\" поля регистрации \\\"%s\\\" не соответствует регулярному выражению приложения \\\"%s\\\"",
     "Username already exists": "Имя пользователя уже существует",
     "Username cannot be an email address": "Имя пользователя не может быть адресом электронной почты",
     "Username cannot contain white spaces": "Имя пользователя не может содержать пробелы",
@@ -78,11 +78,11 @@
   "general": {
     "Missing parameter": "Отсутствующий параметр",
     "Please login first": "Пожалуйста, сначала войдите в систему",
-    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
+    "The organization: %s should have one application at least": "Организация: %s должна иметь хотя бы одно приложение",
     "The user: %s doesn't exist": "Пользователь %s не существует",
     "don't support captchaProvider: ": "неподдерживаемый captchaProvider: ",
     "this operation is not allowed in demo mode": "эта операция не разрешена в демо-режиме",
-    "this operation requires administrator to perform": "this operation requires administrator to perform"
+    "this operation requires administrator to perform": "для выполнения этой операции требуется администратор"
   },
   "ldap": {
     "Ldap server exist": "LDAP-сервер существует"
@@ -101,11 +101,11 @@
     "Unknown modify rule %s.": "Неизвестное изменение правила %s."
   },
   "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+    "The permission: \\\"%s\\\" doesn't exist": "Разрешение: \\\"%s\\\" не существует"
   },
   "provider": {
     "Invalid application id": "Неверный идентификатор приложения",
-    "the provider: %s does not exist": "провайдер: %s не существует"
+    "the provider: %s does not exist": "Провайдер: %s не существует"
   },
   "resource": {
     "User is nil for tag: avatar": "Пользователь равен нулю для тега: аватар",
@@ -115,7 +115,7 @@
     "Application %s not found": "Приложение %s не найдено"
   },
   "saml_sp": {
-    "provider %s's category is not SAML": "категория провайдера %s не является SAML"
+    "provider %s's category is not SAML": "Категория провайдера %s не является SAML"
   },
   "service": {
     "Empty parameters for emailForm: %v": "Пустые параметры для emailForm: %v",
@@ -148,7 +148,7 @@
   "verification": {
     "Invalid captcha provider.": "Недействительный поставщик CAPTCHA.",
     "Phone number is invalid in your region %s": "Номер телефона недействителен в вашем регионе %s",
-    "The verification code has not been sent yet!": "The verification code has not been sent yet!",
+    "The verification code has not been sent yet!": "Код проверки еще не отправлен!",
     "The verification code has not been sent yet, or has already been used!": "The verification code has not been sent yet, or has already been used!",
     "Turing test failed.": "Тест Тьюринга не удался.",
     "Unable to get the email modify rule.": "Невозможно получить правило изменения электронной почты.",
@@ -156,8 +156,8 @@
     "Unknown type": "Неизвестный тип",
     "Wrong verification code!": "Неправильный код подтверждения!",
     "You should verify your code in %d min!": "Вы должны проверить свой код через %d минут!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "Пожалуйста, добавьте поставщика SMS в список \\\"Провайдеры\\\" для приложения: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "Пожалуйста, добавьте поставщика электронной почты в список \\\"Провайдеры\\\" для приложения: %s",
     "the user does not exist, please sign up first": "Пользователь не существует, пожалуйста, сначала зарегистрируйтесь"
   },
   "webauthn": {

object/application.go

@@ -723,8 +723,15 @@ func (application *Application) GetId() string {
 }
 
 func (application *Application) IsRedirectUriValid(redirectUri string) bool {
-	redirectUris := append([]string{"http://localhost:", "https://localhost:", "http://127.0.0.1:", "http://casdoor-app", ".chromiumapp.org"}, application.RedirectUris...)
-	for _, targetUri := range redirectUris {
+	isValid, err := util.IsValidOrigin(redirectUri)
+	if err != nil {
+		panic(err)
+	}
+	if isValid {
+		return true
+	}
+
+	for _, targetUri := range application.RedirectUris {
 		targetUriRegex := regexp.MustCompile(targetUri)
 		if targetUriRegex.MatchString(redirectUri) || strings.Contains(redirectUri, targetUri) {
 			return true

object/check.go

@@ -381,7 +381,13 @@ func CheckUserPassword(organization string, username string, password string, la
 		if err != nil {
 			return nil, err
 		}
+
+		err = checkPasswordExpired(user, lang)
+		if err != nil {
+			return nil, err
+		}
 	}
+
 	return user, nil
 }
 
@@ -520,11 +526,46 @@ func CheckUsername(username string, lang string) string {
 	return ""
 }
 
+func CheckUsernameWithEmail(username string, lang string) string {
+	if username == "" {
+		return i18n.Translate(lang, "check:Empty username.")
+	} else if len(username) > 39 {
+		return i18n.Translate(lang, "check:Username is too long (maximum is 39 characters).")
+	}
+
+	// https://stackoverflow.com/questions/58726546/github-username-convention-using-regex
+
+	if !util.ReUserNameWithEmail.MatchString(username) {
+		return i18n.Translate(lang, "check:Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.")
+	}
+	return ""
+}
+
 func CheckUpdateUser(oldUser, user *User, lang string) string {
 	if oldUser.Name != user.Name {
-		if msg := CheckUsername(user.Name, lang); msg != "" {
-			return msg
+		organizationName := oldUser.Owner
+		if organizationName == "" {
+			organizationName = user.Owner
 		}
+
+		organization, err := getOrganization("admin", organizationName)
+		if err != nil {
+			return err.Error()
+		}
+		if organization == nil {
+			return fmt.Sprintf(i18n.Translate(lang, "auth:The organization: %s does not exist"), organizationName)
+		}
+
+		if organization.UseEmailAsUsername {
+			if msg := CheckUsernameWithEmail(user.Name, lang); msg != "" {
+				return msg
+			}
+		} else {
+			if msg := CheckUsername(user.Name, lang); msg != "" {
+				return msg
+			}
+		}
+
 		if HasUserByField(user.Owner, "name", user.Name) {
 			return i18n.Translate(lang, "check:Username already exists")
 		}

object/check_ip.go

@@ -43,6 +43,8 @@ func CheckEntryIp(clientIp string, user *User, application *Application, organiz
 		if err != nil {
 			application.IpRestriction = err.Error() + application.Name
 			return fmt.Errorf(err.Error() + application.Name)
+		} else {
+			application.IpRestriction = ""
 		}
 
 		if organization == nil && application.OrganizationObj != nil {
@@ -55,6 +57,8 @@ func CheckEntryIp(clientIp string, user *User, application *Application, organiz
 		if err != nil {
 			organization.IpRestriction = err.Error() + organization.Name
 			return fmt.Errorf(err.Error() + organization.Name)
+		} else {
+			organization.IpRestriction = ""
 		}
 	}
 

object/check_password_expired.go

@@ -0,0 +1,53 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/casdoor/casdoor/i18n"
+	"github.com/casdoor/casdoor/util"
+)
+
+func checkPasswordExpired(user *User, lang string) error {
+	organization, err := GetOrganizationByUser(user)
+	if err != nil {
+		return err
+	}
+	if organization == nil {
+		return fmt.Errorf(i18n.Translate(lang, "check:Organization does not exist"))
+	}
+
+	passwordExpireDays := organization.PasswordExpireDays
+	if passwordExpireDays <= 0 {
+		return nil
+	}
+
+	lastChangePasswordTime := user.LastChangePasswordTime
+	if lastChangePasswordTime == "" {
+		if user.CreatedTime == "" {
+			return fmt.Errorf(i18n.Translate(lang, "check:Your password has expired. Please reset your password by clicking \"Forgot password\""))
+		}
+		lastChangePasswordTime = user.CreatedTime
+	}
+
+	lastTime := util.String2Time(lastChangePasswordTime)
+	expireTime := lastTime.AddDate(0, 0, passwordExpireDays)
+	if time.Now().After(expireTime) {
+		return fmt.Errorf(i18n.Translate(lang, "check:Your password has expired. Please reset your password by clicking \"Forgot password\""))
+	}
+	return nil
+}

object/organization.go

@@ -62,6 +62,7 @@ type Organization struct {
 	PasswordOptions        []string   `xorm:"varchar(100)" json:"passwordOptions"`
 	PasswordObfuscatorType string     `xorm:"varchar(100)" json:"passwordObfuscatorType"`
 	PasswordObfuscatorKey  string     `xorm:"varchar(100)" json:"passwordObfuscatorKey"`
+	PasswordExpireDays     int        `json:"passwordExpireDays"`
 	CountryCodes           []string   `xorm:"varchar(200)"  json:"countryCodes"`
 	DefaultAvatar          string     `xorm:"varchar(200)" json:"defaultAvatar"`
 	DefaultApplication     string     `xorm:"varchar(100)" json:"defaultApplication"`

object/saml_idp.go

@@ -26,6 +26,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"strings"
 	"time"
 
 	"github.com/beevik/etree"
@@ -222,10 +223,13 @@ func GetSamlMeta(application *Application, host string, enablePostBinding bool)
 	originFrontend, originBackend := getOriginFromHost(host)
 
 	idpLocation := ""
+	idpBinding := ""
 	if enablePostBinding {
 		idpLocation = fmt.Sprintf("%s/api/saml/redirect/%s/%s", originBackend, application.Owner, application.Name)
+		idpBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 	} else {
 		idpLocation = fmt.Sprintf("%s/login/saml/authorize/%s/%s", originFrontend, application.Owner, application.Name)
+		idpBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 	}
 
 	d := IdpEntityDescriptor{
@@ -258,7 +262,7 @@ func GetSamlMeta(application *Application, host string, enablePostBinding bool)
 				{Xmlns: "urn:oasis:names:tc:SAML:2.0:assertion", Name: "Name", NameFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", FriendlyName: "Name"},
 			},
 			SingleSignOnService: SingleSignOnService{
-				Binding:  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+				Binding:  idpBinding,
 				Location: idpLocation,
 			},
 			ProtocolSupportEnumeration: "urn:oasis:names:tc:SAML:2.0:protocol",
@@ -273,29 +277,38 @@ func GetSamlMeta(application *Application, host string, enablePostBinding bool)
 func GetSamlResponse(application *Application, user *User, samlRequest string, host string) (string, string, string, error) {
 	// request type
 	method := "GET"
-
+	samlRequest = strings.ReplaceAll(samlRequest, " ", "+")
 	// base64 decode
 	defated, err := base64.StdEncoding.DecodeString(samlRequest)
 	if err != nil {
 		return "", "", "", fmt.Errorf("err: Failed to decode SAML request, %s", err.Error())
 	}
 
-	// decompress
-	var buffer bytes.Buffer
-	rdr := flate.NewReader(bytes.NewReader(defated))
+	var requestByte []byte
 
-	for {
-		_, err = io.CopyN(&buffer, rdr, 1024)
-		if err != nil {
-			if err == io.EOF {
-				break
+	if strings.Contains(string(defated), "xmlns:") {
+		requestByte = defated
+	} else {
+		// decompress
+		var buffer bytes.Buffer
+		rdr := flate.NewReader(bytes.NewReader(defated))
+
+		for {
+
+			_, err = io.CopyN(&buffer, rdr, 1024)
+			if err != nil {
+				if err == io.EOF {
+					break
+				}
+				return "", "", "", err
 			}
-			return "", "", "", err
 		}
+
+		requestByte = buffer.Bytes()
 	}
 
 	var authnRequest saml.AuthNRequest
-	err = xml.Unmarshal(buffer.Bytes(), &authnRequest)
+	err = xml.Unmarshal(requestByte, &authnRequest)
 	if err != nil {
 		return "", "", "", fmt.Errorf("err: Failed to unmarshal AuthnRequest, please check the SAML request, %s", err.Error())
 	}

object/token.go

@@ -102,14 +102,6 @@ func GetTokenByAccessToken(accessToken string) (*Token, error) {
 		return nil, err
 	}
 
-	if !existed {
-		token = Token{AccessToken: accessToken}
-		existed, err = ormer.Engine.Get(&token)
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	if !existed {
 		return nil, nil
 	}
@@ -123,14 +115,6 @@ func GetTokenByRefreshToken(refreshToken string) (*Token, error) {
 		return nil, err
 	}
 
-	if !existed {
-		token = Token{RefreshToken: refreshToken}
-		existed, err = ormer.Engine.Get(&token)
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	if !existed {
 		return nil, nil
 	}

object/user.go

@@ -200,8 +200,9 @@ type User struct {
 	Permissions []*Permission `json:"permissions"`
 	Groups      []string      `xorm:"groups varchar(1000)" json:"groups"`
 
-	LastSigninWrongTime string `xorm:"varchar(100)" json:"lastSigninWrongTime"`
-	SigninWrongTimes    int    `json:"signinWrongTimes"`
+	LastChangePasswordTime string `xorm:"varchar(100)" json:"lastChangePasswordTime"`
+	LastSigninWrongTime    string `xorm:"varchar(100)" json:"lastSigninWrongTime"`
+	SigninWrongTimes       int    `json:"signinWrongTimes"`
 
 	ManagedAccounts    []ManagedAccount `xorm:"managedAccounts blob" json:"managedAccounts"`
 	MfaAccounts        []MfaAccount     `xorm:"mfaAccounts blob" json:"mfaAccounts"`
@@ -690,7 +691,7 @@ func UpdateUser(id string, user *User, columns []string, isAdmin bool) (bool, er
 			"owner", "display_name", "avatar", "first_name", "last_name",
 			"location", "address", "country_code", "region", "language", "affiliation", "title", "id_card_type", "id_card", "homepage", "bio", "tag", "language", "gender", "birthday", "education", "score", "karma", "ranking", "signup_application",
 			"is_admin", "is_forbidden", "is_deleted", "hash", "is_default_avatar", "properties", "webauthnCredentials", "managedAccounts", "face_ids", "mfaAccounts",
-			"signin_wrong_times", "last_signin_wrong_time", "groups", "access_key", "access_secret", "mfa_phone_enabled", "mfa_email_enabled",
+			"signin_wrong_times", "last_change_password_time", "last_signin_wrong_time", "groups", "access_key", "access_secret", "mfa_phone_enabled", "mfa_email_enabled",
 			"github", "google", "qq", "wechat", "facebook", "dingtalk", "weibo", "gitee", "linkedin", "wecom", "lark", "gitlab", "adfs",
 			"baidu", "alipay", "casdoor", "infoflow", "apple", "azuread", "azureadb2c", "slack", "steam", "bilibili", "okta", "douyin", "line", "amazon",
 			"auth0", "battlenet", "bitbucket", "box", "cloudfoundry", "dailymotion", "deezer", "digitalocean", "discord", "dropbox",
@@ -816,6 +817,10 @@ func AddUser(user *User) (bool, error) {
 		user.UpdateUserPassword(organization)
 	}
 
+	if user.CreatedTime == "" {
+		user.CreatedTime = util.GetCurrentTime()
+	}
+
 	err = user.UpdateUserHash()
 	if err != nil {
 		return false, err

routers/cors_filter.go

@@ -16,11 +16,11 @@ package routers
 
 import (
 	"net/http"
-	"strings"
 
 	"github.com/beego/beego/context"
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )
 
 const (
@@ -52,7 +52,13 @@ func CorsFilter(ctx *context.Context) {
 		origin = ""
 	}
 
-	if strings.HasPrefix(origin, "http://localhost") || strings.HasPrefix(origin, "https://localhost") || strings.HasPrefix(origin, "http://127.0.0.1") || strings.HasPrefix(origin, "http://casdoor-app") || strings.Contains(origin, ".chromiumapp.org") {
+	isValid, err := util.IsValidOrigin(origin)
+	if err != nil {
+		ctx.ResponseWriter.WriteHeader(http.StatusForbidden)
+		responseError(ctx, err.Error())
+		return
+	}
+	if isValid {
 		setCorsHeaders(ctx, origin)
 		return
 	}

routers/router.go

@@ -174,6 +174,8 @@ func initAPI() {
 	beego.Router("/api/get-all-actions", &controllers.ApiController{}, "GET:GetAllActions")
 	beego.Router("/api/get-all-roles", &controllers.ApiController{}, "GET:GetAllRoles")
 
+	beego.Router("/api/run-casbin-command", &controllers.ApiController{}, "GET:RunCasbinCommand")
+
 	beego.Router("/api/get-sessions", &controllers.ApiController{}, "GET:GetSessions")
 	beego.Router("/api/get-session", &controllers.ApiController{}, "GET:GetSingleSession")
 	beego.Router("/api/update-session", &controllers.ApiController{}, "POST:UpdateSession")

util/validation.go

@@ -17,6 +17,7 @@ package util
 import (
 	"fmt"
 	"net/mail"
+	"net/url"
 	"regexp"
 	"strings"
 
@@ -24,10 +25,11 @@ import (
 )
 
 var (
-	rePhone          *regexp.Regexp
-	ReWhiteSpace     *regexp.Regexp
-	ReFieldWhiteList *regexp.Regexp
-	ReUserName       *regexp.Regexp
+	rePhone             *regexp.Regexp
+	ReWhiteSpace        *regexp.Regexp
+	ReFieldWhiteList    *regexp.Regexp
+	ReUserName          *regexp.Regexp
+	ReUserNameWithEmail *regexp.Regexp
 )
 
 func init() {
@@ -35,6 +37,7 @@ func init() {
 	ReWhiteSpace, _ = regexp.Compile(`\s`)
 	ReFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
 	ReUserName, _ = regexp.Compile("^[a-zA-Z0-9]+([-._][a-zA-Z0-9]+)*$")
+	ReUserNameWithEmail, _ = regexp.Compile(`^([a-zA-Z0-9]+([-._][a-zA-Z0-9]+)*)|([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})$`) // Add support for email formats
 }
 
 func IsEmailValid(email string) bool {
@@ -100,3 +103,21 @@ func GetCountryCode(prefix string, phone string) (string, error) {
 func FilterField(field string) bool {
 	return ReFieldWhiteList.MatchString(field)
 }
+
+func IsValidOrigin(origin string) (bool, error) {
+	urlObj, err := url.Parse(origin)
+	if err != nil {
+		return false, err
+	}
+	if urlObj == nil {
+		return false, nil
+	}
+
+	originHostOnly := ""
+	if urlObj.Host != "" {
+		originHostOnly = fmt.Sprintf("%s://%s", urlObj.Scheme, urlObj.Hostname())
+	}
+
+	res := originHostOnly == "http://localhost" || originHostOnly == "https://localhost" || originHostOnly == "http://127.0.0.1" || originHostOnly == "http://casdoor-app" || strings.HasSuffix(originHostOnly, ".chromiumapp.org")
+	return res, nil
+}

web/src/ApplicationEditPage.js

@@ -603,7 +603,7 @@ class ApplicationEditPage extends React.Component {
             {Setting.getLabel(i18next.t("general:IP whitelist"), i18next.t("general:IP whitelist - Tooltip"))} :
           </Col>
           <Col span={22} >
-            <Input placeholder = {this.state.application.organizationObj?.ipWhitelist} value={this.state.application.ipWhiteList} onChange={e => {
+            <Input placeholder = {this.state.application.organizationObj?.ipWhitelist} value={this.state.application.ipWhitelist} onChange={e => {
               this.updateApplicationField("ipWhitelist", e.target.value);
             }} />
           </Col>
@@ -765,7 +765,7 @@ class ApplicationEditPage extends React.Component {
             />
             <br />
             <Button style={{marginBottom: "10px"}} type="primary" shape="round" icon={<CopyOutlined />} onClick={() => {
-              copy(`${window.location.origin}/api/saml/metadata?application=admin/${encodeURIComponent(this.state.applicationName)}&post=${this.state.application.enableSamlPostBinding}`);
+              copy(`${window.location.origin}/api/saml/metadata?application=admin/${encodeURIComponent(this.state.applicationName)}&enablePostBinding=${this.state.application.enableSamlPostBinding}`);
               Setting.showMessage("success", i18next.t("general:Copied to clipboard successfully"));
             }}
             >

web/src/ManagementPage.js

@@ -198,11 +198,11 @@ function ManagementPage(props) {
             </div>
           </Tooltip>
           <OpenTour />
-          {Setting.isAdminUser(props.account) && !Setting.isMobile() && (props.uri.indexOf("/trees") === -1) &&
+          {Setting.isAdminUser(props.account) && (props.uri.indexOf("/trees") === -1) &&
                         <OrganizationSelect
                           initValue={Setting.getOrganization()}
                           withAll={true}
-                          style={{marginRight: "20px", width: "180px", display: "flex"}}
+                          style={{marginRight: "20px", width: "180px", display: !Setting.isMobile() ? "flex" : "none"}}
                           onChange={(value) => {
                             Setting.setOrganization(value);
                           }}

web/src/OrganizationEditPage.js

@@ -339,6 +339,16 @@ class OrganizationEditPage extends React.Component {
             </Col>
           </Row>)
         }
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
+            {Setting.getLabel(i18next.t("organization:Password expire days"), i18next.t("organization:Password expire days - Tooltip"))} :
+          </Col>
+          <Col span={4} >
+            <InputNumber value={this.state.organization.passwordExpireDays} onChange={value => {
+              this.updateOrganizationField("passwordExpireDays", value);
+            }} />
+          </Col>
+        </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
             {Setting.getLabel(i18next.t("general:Supported country codes"), i18next.t("general:Supported country codes - Tooltip"))} :

web/src/OrganizationListPage.js

@@ -37,6 +37,7 @@ class OrganizationListPage extends BaseListPage {
       passwordOptions: [],
       passwordObfuscatorType: "Plain",
       passwordObfuscatorKey: "",
+      passwordExpireDays: 0,
       countryCodes: ["US"],
       defaultAvatar: `${Setting.StaticBaseUrl}/img/casbin.svg`,
       defaultApplication: "",

web/src/ProviderEditPage.js

@@ -908,7 +908,7 @@ class ProviderEditPage extends React.Component {
                 </Col>
               </Row>
             )}
-            {["Custom HTTP SMS", "Qiniu Cloud Kodo", "Synology", "Casdoor"].includes(this.state.provider.type) ? null : (
+            {["Custom HTTP SMS", "Synology", "Casdoor"].includes(this.state.provider.type) ? null : (
               <Row style={{marginTop: "20px"}} >
                 <Col style={{marginTop: "5px"}} span={2}>
                   {Setting.getLabel(i18next.t("provider:Domain"), i18next.t("provider:Domain - Tooltip"))} :

web/src/RoleEditPage.js

@@ -187,7 +187,7 @@ class RoleEditPage extends React.Component {
             {Setting.getLabel(i18next.t("role:Sub users"), i18next.t("role:Sub users - Tooltip"))} :
           </Col>
           <Col span={22} >
-            <Select virtual={false} mode="multiple" style={{width: "100%"}} value={this.state.role.users}
+            <Select virtual={true} mode="multiple" style={{width: "100%"}} value={this.state.role.users}
               onChange={(value => {this.updateRoleField("users", value);})}
               options={this.state.users.map((user) => Setting.getOption(`${user.owner}/${user.name}`, `${user.owner}/${user.name}`))}
             />

web/src/UserEditPage.js

@@ -1009,6 +1009,19 @@ class UserEditPage extends React.Component {
           </Col>
         </Row>
       );
+    } else if (accountItem.name === "Last change password time") {
+      return (
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("user:Last change password time"), i18next.t("user:Last change password time"))} :
+          </Col>
+          <Col span={22}>
+            <Input value={this.state.user.lastChangePasswordTime} onChange={e => {
+              this.updateUserField("lastChangePasswordTime", e.target.value);
+            }} />
+          </Col>
+        </Row>
+      );
     } else if (accountItem.name === "Managed accounts") {
       return (
         <Row style={{marginTop: "20px"}} >

web/src/auth/LoginPage.js

@@ -227,7 +227,26 @@ class LoginPage extends React.Component {
     return "password";
   }
 
-  getPlaceholder() {
+  getCurrentLoginMethod() {
+    if (this.state.loginMethod === "password") {
+      return "Password";
+    } else if (this.state.loginMethod?.includes("verificationCode")) {
+      return "Verification code";
+    } else if (this.state.loginMethod === "webAuthn") {
+      return "WebAuthn";
+    } else if (this.state.loginMethod === "ldap") {
+      return "LDAP";
+    } else if (this.state.loginMethod === "faceId") {
+      return "Face ID";
+    } else {
+      return "Password";
+    }
+  }
+
+  getPlaceholder(defaultPlaceholder = null) {
+    if (defaultPlaceholder) {
+      return defaultPlaceholder;
+    }
     switch (this.state.loginMethod) {
     case "verificationCode": return i18next.t("login:Email or phone");
     case "verificationCodeEmail": return i18next.t("login:Email");
@@ -262,17 +281,7 @@ class LoginPage extends React.Component {
       values["organization"] = this.getApplicationObj().organization;
     }
 
-    if (this.state.loginMethod === "password") {
-      values["signinMethod"] = "Password";
-    } else if (this.state.loginMethod?.includes("verificationCode")) {
-      values["signinMethod"] = "Verification code";
-    } else if (this.state.loginMethod === "webAuthn") {
-      values["signinMethod"] = "WebAuthn";
-    } else if (this.state.loginMethod === "ldap") {
-      values["signinMethod"] = "LDAP";
-    } else if (this.state.loginMethod === "faceId") {
-      values["signinMethod"] = "Face ID";
-    }
+    values["signinMethod"] = this.getCurrentLoginMethod();
     const oAuthParams = Util.getOAuthGetParameters();
 
     values["type"] = oAuthParams?.responseType ?? this.state.type;
@@ -409,6 +418,7 @@ class LoginPage extends React.Component {
     if (this.state.type === "cas") {
       // CAS
       const casParams = Util.getCasParameters();
+      values["signinMethod"] = this.getCurrentLoginMethod();
       values["type"] = this.state.type;
       AuthBackend.loginCas(values, casParams).then((res) => {
         const loginHandler = (res) => {
@@ -437,8 +447,8 @@ class LoginPage extends React.Component {
                     formValues={values}
                     authParams={casParams}
                     application={this.getApplicationObj()}
-                    onFail={() => {
-                      Setting.showMessage("error", i18next.t("mfa:Verification failed"));
+                    onFail={(errorMessage) => {
+                      Setting.showMessage("error", errorMessage);
                     }}
                     onSuccess={(res) => loginHandler(res)}
                   />);
@@ -478,6 +488,10 @@ class LoginPage extends React.Component {
               const accessToken = res.data;
               Setting.goToLink(`${oAuthParams.redirectUri}#${amendatoryResponseType}=${accessToken}&state=${oAuthParams.state}&token_type=bearer`);
             } else if (responseType === "saml") {
+              if (res.data === RequiredMfa) {
+                this.props.onLoginSuccess(window.location.href);
+                return;
+              }
               if (res.data2.needUpdatePassword) {
                 sessionStorage.setItem("signinUrl", window.location.href);
                 Setting.goToLink(this, `/forget/${this.state.applicationName}`);
@@ -506,8 +520,8 @@ class LoginPage extends React.Component {
                       formValues={values}
                       authParams={oAuthParams}
                       application={this.getApplicationObj()}
-                      onFail={() => {
-                        Setting.showMessage("error", i18next.t("mfa:Verification failed"));
+                      onFail={(errorMessage) => {
+                        Setting.showMessage("error", errorMessage);
                       }}
                       onSuccess={(res) => loginHandler(res)}
                     />);
@@ -672,7 +686,7 @@ class LoginPage extends React.Component {
               id="input"
               className="login-username-input"
               prefix={<UserOutlined className="site-form-item-icon" />}
-              placeholder={this.getPlaceholder()}
+              placeholder={this.getPlaceholder(signinItem.placeholder)}
               onChange={e => {
                 this.setState({
                   username: e.target.value,
@@ -1086,7 +1100,7 @@ class LoginPage extends React.Component {
                 className="login-password-input"
                 prefix={<LockOutlined className="site-form-item-icon" />}
                 type="password"
-                placeholder={i18next.t("general:Password")}
+                placeholder={signinItem.placeholder ? signinItem.placeholder : i18next.t("general:Password")}
                 disabled={this.state.loginMethod === "password" ? !Setting.isPasswordEnabled(application) : !Setting.isLdapEnabled(application)}
               />
             </Form.Item>

web/src/auth/MfaSetupPage.js

@@ -37,7 +37,7 @@ class MfaSetupPage extends React.Component {
     this.state = {
       account: props.account,
       application: null,
-      applicationName: props.account.signupApplication ?? "",
+      applicationName: props.account.signupApplication ?? localStorage.getItem("applicationName") ?? "",
       current: location.state?.from !== undefined ? 1 : 0,
       mfaProps: null,
       mfaType: params.get("mfaType") ?? SmsMfaType,

web/src/auth/Obfuscator.js

@@ -14,6 +14,7 @@
 
 import CryptoJS from "crypto-js";
 import i18next from "i18next";
+import {Buffer} from "buffer";
 
 export function getRandomKeyForObfuscator(obfuscatorType) {
   if (obfuscatorType === "DES") {

web/src/auth/Util.js

@@ -113,6 +113,9 @@ export function getCasLoginParameters(owner, name) {
 
 export function getOAuthGetParameters(params) {
   const queries = (params !== undefined) ? params : new URLSearchParams(window.location.search);
+  const lowercaseQueries = {};
+  queries.forEach((val, key) => {lowercaseQueries[key.toLowerCase()] = val;});
+
   const clientId = getRefinedValue(queries.get("client_id"));
   const responseType = getRefinedValue(queries.get("response_type"));
 
@@ -138,9 +141,9 @@ export function getOAuthGetParameters(params) {
   const nonce = getRefinedValue(queries.get("nonce"));
   const challengeMethod = getRefinedValue(queries.get("code_challenge_method"));
   const codeChallenge = getRefinedValue(queries.get("code_challenge"));
-  const samlRequest = getRefinedValue(queries.get("SAMLRequest"));
-  const relayState = getRefinedValue(queries.get("RelayState"));
-  const noRedirect = getRefinedValue(queries.get("noRedirect"));
+  const samlRequest = getRefinedValue(lowercaseQueries["samlRequest".toLowerCase()]);
+  const relayState = getRefinedValue(lowercaseQueries["RelayState".toLowerCase()]);
+  const noRedirect = getRefinedValue(lowercaseQueries["noRedirect".toLowerCase()]);
 
   if (clientId === "" && samlRequest === "") {
     // login

web/src/common/CasdoorAppConnector.js

@@ -0,0 +1,121 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import React from "react";
+import {Alert, Button, QRCode} from "antd";
+import * as Setting from "../Setting";
+import i18next from "i18next";
+
+export const generateCasdoorAppUrl = (accessToken, forQrCode = true) => {
+  let qrUrl = "";
+  let error = null;
+
+  if (!accessToken) {
+    error = i18next.t("general:Access token is empty");
+    return {qrUrl, error};
+  }
+
+  qrUrl = `casdoor-app://login?serverUrl=${window.location.origin}&accessToken=${accessToken}`;
+
+  if (forQrCode && qrUrl.length >= 2000) {
+    qrUrl = "";
+    error = i18next.t("general:QR code is too large");
+  }
+
+  return {qrUrl, error};
+};
+
+export const CasdoorAppQrCode = ({accessToken, icon}) => {
+  const {qrUrl, error} = generateCasdoorAppUrl(accessToken, true);
+
+  if (error) {
+    return <Alert message={error} type="error" showIcon />;
+  }
+
+  return (
+    <QRCode
+      value={qrUrl}
+      icon={icon}
+      errorLevel="M"
+      size={230}
+      bordered={false}
+    />
+  );
+};
+
+export const CasdoorAppUrl = ({accessToken}) => {
+  const {qrUrl, error} = generateCasdoorAppUrl(accessToken, false);
+
+  const handleCopyUrl = async() => {
+    if (!window.isSecureContext) {
+      return;
+    }
+
+    try {
+      await navigator.clipboard.writeText(qrUrl);
+      Setting.showMessage("success", i18next.t("general:Copied to clipboard"));
+    } catch (err) {
+      Setting.showMessage("error", i18next.t("general:Failed to copy"));
+    }
+  };
+
+  if (error) {
+    return <Alert message={error} type="error" showIcon />;
+  }
+
+  return (
+    <div>
+      <div style={{
+        display: "flex",
+        justifyContent: "space-between",
+        alignItems: "center",
+        marginBottom: "10px",
+      }}>
+        <span>{i18next.t("general:URL String")}</span>
+        {window.isSecureContext && (
+          <Button
+            size="small"
+            onClick={handleCopyUrl}
+            style={{marginLeft: "10px"}}
+          >
+            {i18next.t("general:Copy URL")}
+          </Button>
+        )}
+      </div>
+      <div
+        style={{
+          padding: "10px",
+          maxWidth: "400px",
+          maxHeight: "100px",
+          overflow: "auto",
+          wordBreak: "break-all",
+          whiteSpace: "pre-wrap",
+          cursor: "pointer",
+          userSelect: "all",
+          backgroundColor: "#f5f5f5",
+          borderRadius: "4px",
+        }}
+        onClick={(e) => {
+          const selection = window.getSelection();
+          const range = document.createRange();
+          range.selectNodeContents(e.target);
+          selection.removeAllRanges();
+          selection.addRange(range);
+        }}
+      >
+        {qrUrl}
+      </div>
+    </div>
+  );
+};

web/src/locales/ru/data.json

@@ -972,7 +972,7 @@
     "Please input your affiliation!": "Пожалуйста, укажите свою принадлежность!",
     "Please input your display name!": "Пожалуйста, введите своё отображаемое имя!",
     "Please input your first name!": "Пожалуйста, введите свое имя!",
-    "Please input your invitation code!": "Please input your invitation code!",
+    "Please input your invitation code!": "Пожалуйста, введите код приглашения!",
     "Please input your last name!": "Введите свою фамилию!",
     "Please input your phone number!": "Пожалуйста, введите свой номер телефона!",
     "Please input your real name!": "Пожалуйста, введите своё настоящее имя!",
@@ -1163,9 +1163,9 @@
     "MFA accounts": "MFA accounts",
     "Managed accounts": "Управляемые аккаунты",
     "Modify password...": "Изменить пароль...",
-    "Multi-factor authentication": "Multi-factor authentication",
-    "Need update password": "Need update password",
-    "Need update password - Tooltip": "Force user update password after login",
+    "Multi-factor authentication": "Многофакторная аутентификация",
+    "Need update password": "Необходимо обновить пароль",
+    "Need update password - Tooltip": "Заставить пользователя обновить пароль после входа в систему",
     "New Email": "Новое электронное письмо",
     "New Password": "Новый пароль",
     "New User": "Новый пользователь",
@@ -1189,26 +1189,26 @@
     "Set password...": "Установить пароль...",
     "Tag": "Метка",
     "Tag - Tooltip": "Тег пользователя",
-    "The password must contain at least one special character": "The password must contain at least one special character",
-    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "The password must contain at least one uppercase letter, one lowercase letter and one digit",
-    "The password must have at least 6 characters": "The password must have at least 6 characters",
-    "The password must have at least 8 characters": "The password must have at least 8 characters",
-    "The password must not contain any repeated characters": "The password must not contain any repeated characters",
-    "This field value doesn't match the pattern rule": "This field value doesn't match the pattern rule",
+    "The password must contain at least one special character": "Пароль должен содержать хотя бы один специальный символ",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Пароль должен содержать как минимум одну заглавную букву, одну строчную букву и одну цифру",
+    "The password must have at least 6 characters": "Пароль должен быть минимум 6 символов",
+    "The password must have at least 8 characters": "Пароль должен быть минимум 8 символов",
+    "The password must not contain any repeated characters": "Пароль не должен содержать повторяющиеся символы",
+    "This field value doesn't match the pattern rule": "Значение поля не соответствует шаблону",
     "Title": "Заголовок",
     "Title - Tooltip": "Положение в аффилиации",
     "Two passwords you typed do not match.": "Два введенных вами пароля не совпадают.",
     "Unlink": "Отсоединить",
     "Upload (.xlsx)": "Загрузить (.xlsx)",
-    "Upload ID card back picture": "Upload ID card back picture",
-    "Upload ID card front picture": "Upload ID card front picture",
-    "Upload ID card with person picture": "Upload ID card with person picture",
+    "Upload ID card back picture": "Загрузите заднюю сторону удостоверения личности",
+    "Upload ID card front picture": "Загрузите переднюю сторону удостоверения личности",
+    "Upload ID card with person picture": "Загрузите удостоверение личности с фотографией",
     "Upload a photo": "Загрузить фото",
-    "User Profile": "User Profile",
+    "User Profile": "Профиль пользователя",
     "Values": "Значения",
     "Verification code sent": "Код подтверждения отправлен",
     "WebAuthn credentials": "WebAuthn удостоверения",
-    "You have changed the username, please save your change first before modifying the password": "You have changed the username, please save your change first before modifying the password",
+    "You have changed the username, please save your change first before modifying the password": "Имя было изменено, сохраните изменения перед сменой пароля",
     "input password": "введите пароль"
   },
   "verification": {

web/src/table/MfaAccountTable.js

@@ -14,9 +14,10 @@
 
 import React from "react";
 import {DeleteOutlined, DownOutlined, UpOutlined} from "@ant-design/icons";
-import {Alert, Button, Col, Image, Input, Popover, QRCode, Row, Table, Tooltip} from "antd";
+import {Button, Col, Image, Input, Popover, Row, Table, Tooltip} from "antd";
 import * as Setting from "../Setting";
 import i18next from "i18next";
+import {CasdoorAppQrCode, CasdoorAppUrl} from "../common/CasdoorAppConnector";
 
 class MfaAccountTable extends React.Component {
   constructor(props) {
@@ -76,42 +77,6 @@ class MfaAccountTable extends React.Component {
     this.updateTable(table);
   }
 
-  getQrUrl() {
-    const {accessToken} = this.props;
-    let qrUrl = `casdoor-app://login?serverUrl=${window.location.origin}&accessToken=${accessToken}`;
-    let error = null;
-
-    if (!accessToken) {
-      qrUrl = "";
-      error = i18next.t("general:Access token is empty");
-    }
-
-    if (qrUrl.length >= 2000) {
-      qrUrl = "";
-      error = i18next.t("general:QR code is too large");
-    }
-
-    return {qrUrl, error};
-  }
-
-  renderQrCode() {
-    const {qrUrl, error} = this.getQrUrl();
-
-    if (error) {
-      return <Alert message={error} type="error" showIcon />;
-    } else {
-      return (
-        <QRCode
-          value={qrUrl}
-          icon={this.state.icon}
-          errorLevel="M"
-          size={230}
-          bordered={false}
-        />
-      );
-    }
-  }
-
   renderTable(table) {
     const columns = [
       {
@@ -194,10 +159,25 @@ class MfaAccountTable extends React.Component {
         title={() => (
           <div>
             {this.props.title}&nbsp;&nbsp;&nbsp;&nbsp;
-            <Button style={{marginRight: "10px"}} type="primary" size="small" onClick={() => this.addRow(table)}>{i18next.t("general:Add")}</Button>
-            <Popover trigger="focus" overlayInnerStyle={{padding: 0}}
-              content={this.renderQrCode()}>
-              <Button style={{marginLeft: "5px"}} type="primary" size="small">{i18next.t("general:QR Code")}</Button>
+            <Button style={{marginRight: "10px"}} type="primary" size="small" onClick={() => this.addRow(table)}>
+              {i18next.t("general:Add")}
+            </Button>
+            <Popover
+              trigger="focus"
+              overlayInnerStyle={{padding: 0}}
+              content={<CasdoorAppQrCode accessToken={this.props.accessToken} icon={this.state.icon} />}
+            >
+              <Button style={{marginRight: "10px"}} type="primary" size="small">
+                {i18next.t("general:QR Code")}
+              </Button>
+            </Popover>
+            <Popover
+              trigger="click"
+              content={<CasdoorAppUrl accessToken={this.props.accessToken} />}
+            >
+              <Button type="primary" size="small">
+                {i18next.t("general:Show URL")}
+              </Button>
             </Popover>
           </div>
         )}