feat: cache theme in signup page (#3568 )

feat: fix bug due to null characters in descriptor when creating a payment intent (#3567 )
feat: add CLI version cache and proxy support (#3565 )
2025-07-21 22:33:50 +08:00 · 2025-02-09 15:12:35 +08:00 · 2025-02-08 19:35:51 +08:00 · 2025-02-08 19:34:19 +08:00 · 2025-02-07 19:22:56 +08:00 · 2025-02-07 19:19:30 +08:00
66 changed files with 1720 additions and 349 deletions
--- a/authz/authz.go
+++ b/authz/authz.go
@ -99,6 +99,7 @@ p, *, *, GET, /api/get-all-objects, *, *
 p, *, *, GET, /api/get-all-actions, *, *
 p, *, *, GET, /api/get-all-roles, *, *
 p, *, *, GET, /api/run-casbin-command, *, *
+p, *, *, POST, /api/refresh-engines, *, *
 p, *, *, GET, /api/get-invitation-info, *, *
 p, *, *, GET, /api/faceid-signin-begin, *, *
 `
@ -156,7 +157,7 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o

 func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
 	if method == "POST" {
-		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/callback" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" || urlPath == "/api/verify-code" || urlPath == "/api/check-user-password" || strings.HasPrefix(urlPath, "/api/mfa/") || urlPath == "/api/webhook" || urlPath == "/api/get-qrcode" {
+		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/callback" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" || urlPath == "/api/verify-code" || urlPath == "/api/check-user-password" || strings.HasPrefix(urlPath, "/api/mfa/") || urlPath == "/api/webhook" || urlPath == "/api/get-qrcode" || urlPath == "/api/refresh-engines" {
 			return true
 		} else if urlPath == "/api/update-user" {
 			// Allow ordinary users to update their own information
--- a/controllers/auth.go
+++ b/controllers/auth.go
@ -306,6 +306,35 @@ func isProxyProviderType(providerType string) bool {
 	return false
 }

+func checkMfaEnable(c *ApiController, user *object.User, organization *object.Organization, verificationType string) bool {
+	if object.IsNeedPromptMfa(organization, user) {
+		// The prompt page needs the user to be srigned in
+		c.SetSessionUsername(user.GetId())
+		c.ResponseOk(object.RequiredMfa)
+		return true
+	}
+
+	if user.IsMfaEnabled() {
+		c.setMfaUserSession(user.GetId())
+		mfaList := object.GetAllMfaProps(user, true)
+		mfaAllowList := []*object.MfaProps{}
+		for _, prop := range mfaList {
+			if prop.MfaType == verificationType || !prop.Enabled {
+				continue
+			}
+			mfaAllowList = append(mfaAllowList, prop)
+		}
+		if len(mfaAllowList) >= 1 {
+			c.SetSession("verificationCodeType", verificationType)
+			c.Ctx.Input.CruSession.SessionRelease(c.Ctx.ResponseWriter)
+			c.ResponseOk(object.NextMfa, mfaAllowList)
+			return true
+		}
+	}
+
+	return false
+}
+
 // Login ...
 // @Title Login
 // @Tag Login API
@ -523,30 +552,10 @@ func (c *ApiController) Login() {
 				c.ResponseError(err.Error())
 			}

-			if object.IsNeedPromptMfa(organization, user) {
-				// The prompt page needs the user to be signed in
-				c.SetSessionUsername(user.GetId())
-				c.ResponseOk(object.RequiredMfa)
+			if checkMfaEnable(c, user, organization, verificationType) {
 				return
 			}

-			if user.IsMfaEnabled() {
-				c.setMfaUserSession(user.GetId())
-				mfaList := object.GetAllMfaProps(user, true)
-				mfaAllowList := []*object.MfaProps{}
-				for _, prop := range mfaList {
-					if prop.MfaType == verificationType || !prop.Enabled {
-						continue
-					}
-					mfaAllowList = append(mfaAllowList, prop)
-				}
-				if len(mfaAllowList) >= 1 {
-					c.SetSession("verificationCodeType", verificationType)
-					c.ResponseOk(object.NextMfa, mfaAllowList)
-					return
-				}
-			}
-
 			resp = c.HandleLoggedIn(application, user, &authForm)

 			c.Ctx.Input.SetParam("recordUserId", user.GetId())
@ -679,6 +688,11 @@ func (c *ApiController) Login() {
 					c.ResponseError(err.Error())
 					return
 				}
+
+				if checkMfaEnable(c, user, organization, verificationType) {
+					return
+				}
+
 				resp = c.HandleLoggedIn(application, user, &authForm)

 				c.Ctx.Input.SetParam("recordUserId", user.GetId())
@ -896,11 +910,20 @@ func (c *ApiController) Login() {
 				return
 			}

+			passed, err := c.checkOrgMasterVerificationCode(user, authForm.Passcode)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+
+			if !passed {
 				err = mfaUtil.Verify(authForm.Passcode)
 				if err != nil {
 					c.ResponseError(err.Error())
 					return
 				}
+			}
+
 			c.SetSession("verificationCodeType", "")
 		} else if authForm.RecoveryCode != "" {
 			err = object.MfaRecover(user, authForm.RecoveryCode)
@ -914,7 +937,11 @@ func (c *ApiController) Login() {
 		}

 		var application *object.Application
+		if authForm.ClientId == "" {
 			application, err = object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
+		} else {
+			application, err = object.GetApplicationByClientId(authForm.ClientId)
+		}
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@ -944,6 +971,10 @@ func (c *ApiController) Login() {
 				return
 			}

+			if authForm.Provider == "" {
+				authForm.Provider = authForm.ProviderBack
+			}
+
 			user := c.getCurrentUser()
 			resp = c.HandleLoggedIn(application, user, &authForm)

--- a/controllers/casbin_cli_api.go
+++ b/controllers/casbin_cli_api.go
@ -15,13 +15,76 @@
 package controllers

 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"os"
 	"os/exec"
+	"sort"
 	"strings"
+	"sync"
+	"time"
 )

+type CLIVersionInfo struct {
+	Version    string
+	BinaryPath string
+	BinaryTime time.Time
+}
+
+var (
+	cliVersionCache = make(map[string]*CLIVersionInfo)
+	cliVersionMutex sync.RWMutex
+)
+
+// getCLIVersion
+// @Title getCLIVersion
+// @Description Get CLI version with cache mechanism
+// @Param language string The language of CLI (go/java/rust etc.)
+// @Return string The version string of CLI
+// @Return error Error if CLI execution fails
+func getCLIVersion(language string) (string, error) {
+	binaryName := fmt.Sprintf("casbin-%s-cli", language)
+
+	binaryPath, err := exec.LookPath(binaryName)
+	if err != nil {
+		return "", fmt.Errorf("executable file not found: %v", err)
+	}
+
+	fileInfo, err := os.Stat(binaryPath)
+	if err != nil {
+		return "", fmt.Errorf("failed to get binary info: %v", err)
+	}
+
+	cliVersionMutex.RLock()
+	if info, exists := cliVersionCache[language]; exists {
+		if info.BinaryPath == binaryPath && info.BinaryTime == fileInfo.ModTime() {
+			cliVersionMutex.RUnlock()
+			return info.Version, nil
+		}
+	}
+	cliVersionMutex.RUnlock()
+
+	cmd := exec.Command(binaryName, "--version")
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", fmt.Errorf("failed to get CLI version: %v", err)
+	}
+
+	version := strings.TrimSpace(string(output))
+
+	cliVersionMutex.Lock()
+	cliVersionCache[language] = &CLIVersionInfo{
+		Version:    version,
+		BinaryPath: binaryPath,
+		BinaryTime: fileInfo.ModTime(),
+	}
+	cliVersionMutex.Unlock()
+
+	return version, nil
+}
+
 func processArgsToTempFiles(args []string) ([]string, []string, error) {
 	tempFiles := []string{}
 	newArgs := []string{}
@ -57,6 +120,11 @@ func processArgsToTempFiles(args []string) ([]string, []string, error) {
 // @Success 200 {object} controllers.Response The Response object
 // @router /run-casbin-command [get]
 func (c *ApiController) RunCasbinCommand() {
+	if err := validateIdentifier(c); err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	language := c.Input().Get("language")
 	argString := c.Input().Get("args")

@ -84,6 +152,16 @@ func (c *ApiController) RunCasbinCommand() {
 		return
 	}

+	if len(args) > 0 && args[0] == "--version" {
+		version, err := getCLIVersion(language)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		c.ResponseOk(version)
+		return
+	}
+
 	tempFiles, processedArgs, err := processArgsToTempFiles(args)
 	defer func() {
 		for _, file := range tempFiles {
@ -112,3 +190,58 @@ func (c *ApiController) RunCasbinCommand() {
 	output = strings.TrimSuffix(output, "\n")
 	c.ResponseOk(output)
 }
+
+// validateIdentifier
+// @Title validateIdentifier
+// @Description Validate the request hash and timestamp
+// @Param hash string The SHA-256 hash string
+// @Return error Returns error if validation fails, nil if successful
+func validateIdentifier(c *ApiController) error {
+	language := c.Input().Get("language")
+	args := c.Input().Get("args")
+	hash := c.Input().Get("m")
+	timestamp := c.Input().Get("t")
+
+	if hash == "" || timestamp == "" || language == "" || args == "" {
+		return fmt.Errorf("invalid identifier")
+	}
+
+	requestTime, err := time.Parse(time.RFC3339, timestamp)
+	if err != nil {
+		return fmt.Errorf("invalid identifier")
+	}
+	timeDiff := time.Since(requestTime)
+	if timeDiff > 5*time.Minute || timeDiff < -5*time.Minute {
+		return fmt.Errorf("invalid identifier")
+	}
+
+	params := map[string]string{
+		"language": language,
+		"args":     args,
+	}
+
+	keys := make([]string, 0, len(params))
+	for k := range params {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+
+	var paramParts []string
+	for _, k := range keys {
+		paramParts = append(paramParts, fmt.Sprintf("%s=%s", k, params[k]))
+	}
+	paramString := strings.Join(paramParts, "&")
+
+	version := "casbin-editor-v1"
+	rawString := fmt.Sprintf("%s|%s|%s", version, timestamp, paramString)
+
+	hasher := sha256.New()
+	hasher.Write([]byte(rawString))
+
+	calculatedHash := strings.ToLower(hex.EncodeToString(hasher.Sum(nil)))
+	if calculatedHash != strings.ToLower(hash) {
+		return fmt.Errorf("invalid identifier")
+	}
+
+	return nil
+}
--- a/controllers/cli_downloader.go
+++ b/controllers/cli_downloader.go
@ -0,0 +1,519 @@
+package controllers
+
+import (
+	"archive/tar"
+	"archive/zip"
+	"compress/gzip"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/beego/beego"
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/casdoor/util"
+)
+
+const (
+	javaCliRepo    = "https://api.github.com/repos/jcasbin/casbin-java-cli/releases/latest"
+	goCliRepo      = "https://api.github.com/repos/casbin/casbin-go-cli/releases/latest"
+	rustCliRepo    = "https://api.github.com/repos/casbin-rs/casbin-rust-cli/releases/latest"
+	downloadFolder = "bin"
+)
+
+type ReleaseInfo struct {
+	TagName string `json:"tag_name"`
+	Assets  []struct {
+		Name string `json:"name"`
+		URL  string `json:"browser_download_url"`
+	} `json:"assets"`
+}
+
+// @Title getBinaryNames
+// @Description Get binary names for different platforms and architectures
+// @Success 200 {map[string]string} map[string]string "Binary names map"
+func getBinaryNames() map[string]string {
+	const (
+		golang = "go"
+		java   = "java"
+		rust   = "rust"
+	)
+
+	arch := runtime.GOARCH
+	archMap := map[string]struct{ goArch, rustArch string }{
+		"amd64": {"x86_64", "x86_64"},
+		"arm64": {"arm64", "aarch64"},
+	}
+
+	archNames, ok := archMap[arch]
+	if !ok {
+		archNames = struct{ goArch, rustArch string }{arch, arch}
+	}
+
+	switch runtime.GOOS {
+	case "windows":
+		return map[string]string{
+			golang: fmt.Sprintf("casbin-go-cli_Windows_%s.zip", archNames.goArch),
+			java:   "casbin-java-cli.jar",
+			rust:   fmt.Sprintf("casbin-rust-cli-%s-pc-windows-gnu", archNames.rustArch),
+		}
+	case "darwin":
+		return map[string]string{
+			golang: fmt.Sprintf("casbin-go-cli_Darwin_%s.tar.gz", archNames.goArch),
+			java:   "casbin-java-cli.jar",
+			rust:   fmt.Sprintf("casbin-rust-cli-%s-apple-darwin", archNames.rustArch),
+		}
+	case "linux":
+		return map[string]string{
+			golang: fmt.Sprintf("casbin-go-cli_Linux_%s.tar.gz", archNames.goArch),
+			java:   "casbin-java-cli.jar",
+			rust:   fmt.Sprintf("casbin-rust-cli-%s-unknown-linux-gnu", archNames.rustArch),
+		}
+	default:
+		return nil
+	}
+}
+
+// @Title getFinalBinaryName
+// @Description Get final binary name for specific language
+// @Param lang string true "Language type (go/java/rust)"
+// @Success 200 {string} string "Final binary name"
+func getFinalBinaryName(lang string) string {
+	switch lang {
+	case "go":
+		if runtime.GOOS == "windows" {
+			return "casbin-go-cli.exe"
+		}
+		return "casbin-go-cli"
+	case "java":
+		return "casbin-java-cli.jar"
+	case "rust":
+		if runtime.GOOS == "windows" {
+			return "casbin-rust-cli.exe"
+		}
+		return "casbin-rust-cli"
+	default:
+		return ""
+	}
+}
+
+// @Title getLatestCLIURL
+// @Description Get latest CLI download URL from GitHub
+// @Param repoURL string true "GitHub repository URL"
+// @Param language string true "Language type"
+// @Success 200 {string} string "Download URL and version"
+func getLatestCLIURL(repoURL string, language string) (string, string, error) {
+	client := proxy.GetHttpClient(repoURL)
+	resp, err := client.Get(repoURL)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to fetch release info: %v", err)
+	}
+	defer resp.Body.Close()
+
+	var release ReleaseInfo
+	if err := json.NewDecoder(resp.Body).Decode(&release); err != nil {
+		return "", "", err
+	}
+
+	binaryNames := getBinaryNames()
+	if binaryNames == nil {
+		return "", "", fmt.Errorf("unsupported OS: %s", runtime.GOOS)
+	}
+
+	binaryName := binaryNames[language]
+	for _, asset := range release.Assets {
+		if asset.Name == binaryName {
+			return asset.URL, release.TagName, nil
+		}
+	}
+
+	return "", "", fmt.Errorf("no suitable binary found for OS: %s, language: %s", runtime.GOOS, language)
+}
+
+// @Title extractGoCliFile
+// @Description Extract the Go CLI file
+// @Param filePath string true "The file path"
+// @Success 200 {string} string "The extracted file path"
+// @router /extractGoCliFile [post]
+func extractGoCliFile(filePath string) error {
+	tempDir := filepath.Join(downloadFolder, "temp")
+	if err := os.MkdirAll(tempDir, 0o755); err != nil {
+		return err
+	}
+	defer os.RemoveAll(tempDir)
+
+	if runtime.GOOS == "windows" {
+		if err := unzipFile(filePath, tempDir); err != nil {
+			return err
+		}
+	} else {
+		if err := untarFile(filePath, tempDir); err != nil {
+			return err
+		}
+	}
+
+	execName := "casbin-go-cli"
+	if runtime.GOOS == "windows" {
+		execName += ".exe"
+	}
+
+	var execPath string
+	err := filepath.Walk(tempDir, func(path string, info os.FileInfo, err error) error {
+		if info.Name() == execName {
+			execPath = path
+			return nil
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	finalPath := filepath.Join(downloadFolder, execName)
+	if err := os.Rename(execPath, finalPath); err != nil {
+		return err
+	}
+
+	return os.Remove(filePath)
+}
+
+// @Title unzipFile
+// @Description Unzip the file
+// @Param zipPath string true "The zip file path"
+// @Param destDir string true "The destination directory"
+// @Success 200 {string} string "The extracted file path"
+// @router /unzipFile [post]
+func unzipFile(zipPath, destDir string) error {
+	r, err := zip.OpenReader(zipPath)
+	if err != nil {
+		return err
+	}
+	defer r.Close()
+
+	for _, f := range r.File {
+		fpath := filepath.Join(destDir, f.Name)
+
+		if f.FileInfo().IsDir() {
+			os.MkdirAll(fpath, os.ModePerm)
+			continue
+		}
+
+		if err = os.MkdirAll(filepath.Dir(fpath), os.ModePerm); err != nil {
+			return err
+		}
+
+		outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
+		if err != nil {
+			return err
+		}
+
+		rc, err := f.Open()
+		if err != nil {
+			outFile.Close()
+			return err
+		}
+
+		_, err = io.Copy(outFile, rc)
+		outFile.Close()
+		rc.Close()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// @Title untarFile
+// @Description Untar the file
+// @Param tarPath string true "The tar file path"
+// @Param destDir string true "The destination directory"
+// @Success 200 {string} string "The extracted file path"
+// @router /untarFile [post]
+func untarFile(tarPath, destDir string) error {
+	file, err := os.Open(tarPath)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	gzr, err := gzip.NewReader(file)
+	if err != nil {
+		return err
+	}
+	defer gzr.Close()
+
+	tr := tar.NewReader(gzr)
+
+	for {
+		header, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return err
+		}
+
+		path := filepath.Join(destDir, header.Name)
+
+		switch header.Typeflag {
+		case tar.TypeDir:
+			if err := os.MkdirAll(path, 0o755); err != nil {
+				return err
+			}
+		case tar.TypeReg:
+			outFile, err := os.Create(path)
+			if err != nil {
+				return err
+			}
+			if _, err := io.Copy(outFile, tr); err != nil {
+				outFile.Close()
+				return err
+			}
+			outFile.Close()
+		}
+	}
+	return nil
+}
+
+// @Title createJavaCliWrapper
+// @Description Create the Java CLI wrapper
+// @Param binPath string true "The binary path"
+// @Success 200 {string} string "The created file path"
+// @router /createJavaCliWrapper [post]
+func createJavaCliWrapper(binPath string) error {
+	if runtime.GOOS == "windows" {
+		// Create a Windows CMD file
+		cmdPath := filepath.Join(binPath, "casbin-java-cli.cmd")
+		cmdContent := fmt.Sprintf(`@echo off
+java -jar "%s\casbin-java-cli.jar" %%*`, binPath)
+
+		err := os.WriteFile(cmdPath, []byte(cmdContent), 0o755)
+		if err != nil {
+			return fmt.Errorf("failed to create Java CLI wrapper: %v", err)
+		}
+	} else {
+		// Create Unix shell script
+		shPath := filepath.Join(binPath, "casbin-java-cli")
+		shContent := fmt.Sprintf(`#!/bin/sh
+java -jar "%s/casbin-java-cli.jar" "$@"`, binPath)
+
+		err := os.WriteFile(shPath, []byte(shContent), 0o755)
+		if err != nil {
+			return fmt.Errorf("failed to create Java CLI wrapper: %v", err)
+		}
+	}
+	return nil
+}
+
+// @Title downloadCLI
+// @Description Download and setup CLI tools
+// @Success 200 {error} error "Error if any"
+func downloadCLI() error {
+	pathEnv := os.Getenv("PATH")
+	binPath, err := filepath.Abs(downloadFolder)
+	if err != nil {
+		return fmt.Errorf("failed to get absolute path to download directory: %v", err)
+	}
+
+	if !strings.Contains(pathEnv, binPath) {
+		newPath := fmt.Sprintf("%s%s%s", binPath, string(os.PathListSeparator), pathEnv)
+		if err := os.Setenv("PATH", newPath); err != nil {
+			return fmt.Errorf("failed to update PATH environment variable: %v", err)
+		}
+	}
+
+	if err := os.MkdirAll(downloadFolder, 0o755); err != nil {
+		return fmt.Errorf("failed to create download directory: %v", err)
+	}
+
+	repos := map[string]string{
+		"java": javaCliRepo,
+		"go":   goCliRepo,
+		"rust": rustCliRepo,
+	}
+
+	for lang, repo := range repos {
+		cliURL, version, err := getLatestCLIURL(repo, lang)
+		if err != nil {
+			fmt.Printf("failed to get %s CLI URL: %v\n", lang, err)
+			continue
+		}
+
+		originalPath := filepath.Join(downloadFolder, getBinaryNames()[lang])
+		fmt.Printf("downloading %s CLI: %s\n", lang, cliURL)
+
+		client := proxy.GetHttpClient(cliURL)
+		resp, err := client.Get(cliURL)
+		if err != nil {
+			fmt.Printf("failed to download %s CLI: %v\n", lang, err)
+			continue
+		}
+
+		func() {
+			defer resp.Body.Close()
+
+			if err := os.MkdirAll(filepath.Dir(originalPath), 0o755); err != nil {
+				fmt.Printf("failed to create directory for %s CLI: %v\n", lang, err)
+				return
+			}
+
+			tmpFile := originalPath + ".tmp"
+			out, err := os.Create(tmpFile)
+			if err != nil {
+				fmt.Printf("failed to create or write %s CLI: %v\n", lang, err)
+				return
+			}
+			defer func() {
+				out.Close()
+				os.Remove(tmpFile)
+			}()
+
+			if _, err = io.Copy(out, resp.Body); err != nil ||
+				out.Close() != nil ||
+				os.Rename(tmpFile, originalPath) != nil {
+				fmt.Printf("failed to download %s CLI: %v\n", lang, err)
+				return
+			}
+		}()
+
+		if lang == "go" {
+			if err := extractGoCliFile(originalPath); err != nil {
+				fmt.Printf("failed to extract Go CLI: %v\n", err)
+				continue
+			}
+		} else {
+			finalPath := filepath.Join(downloadFolder, getFinalBinaryName(lang))
+			if err := os.Rename(originalPath, finalPath); err != nil {
+				fmt.Printf("failed to rename %s CLI: %v\n", lang, err)
+				continue
+			}
+		}
+
+		if runtime.GOOS != "windows" {
+			execPath := filepath.Join(downloadFolder, getFinalBinaryName(lang))
+			if err := os.Chmod(execPath, 0o755); err != nil {
+				fmt.Printf("failed to set %s CLI execution permission: %v\n", lang, err)
+				continue
+			}
+		}
+
+		fmt.Printf("downloaded %s CLI version: %s\n", lang, version)
+
+		if lang == "java" {
+			if err := createJavaCliWrapper(binPath); err != nil {
+				fmt.Printf("failed to create Java CLI wrapper: %v\n", err)
+				continue
+			}
+		}
+	}
+
+	return nil
+}
+
+// @Title RefreshEngines
+// @Tag CLI API
+// @Description Refresh all CLI engines
+// @Param m query string true "Hash for request validation"
+// @Param t query string true "Timestamp for request validation"
+// @Success 200 {object} controllers.Response The Response object
+// @router /refresh-engines [post]
+func (c *ApiController) RefreshEngines() {
+	if !beego.AppConfig.DefaultBool("isDemoMode", false) {
+		c.ResponseError("refresh engines is only available in demo mode")
+		return
+	}
+
+	hash := c.Input().Get("m")
+	timestamp := c.Input().Get("t")
+
+	if hash == "" || timestamp == "" {
+		c.ResponseError("invalid identifier")
+		return
+	}
+
+	requestTime, err := time.Parse(time.RFC3339, timestamp)
+	if err != nil {
+		c.ResponseError("invalid identifier")
+		return
+	}
+
+	timeDiff := time.Since(requestTime)
+	if timeDiff > 5*time.Minute || timeDiff < -5*time.Minute {
+		c.ResponseError("invalid identifier")
+		return
+	}
+
+	version := "casbin-editor-v1"
+	rawString := fmt.Sprintf("%s|%s", version, timestamp)
+
+	hasher := sha256.New()
+	hasher.Write([]byte(rawString))
+	calculatedHash := strings.ToLower(hex.EncodeToString(hasher.Sum(nil)))
+
+	if calculatedHash != strings.ToLower(hash) {
+		c.ResponseError("invalid identifier")
+		return
+	}
+
+	err = downloadCLI()
+	if err != nil {
+		c.ResponseError(fmt.Sprintf("failed to refresh engines: %v", err))
+		return
+	}
+
+	c.ResponseOk(map[string]string{
+		"status":  "success",
+		"message": "CLI engines updated successfully",
+	})
+}
+
+// @Title ScheduleCLIUpdater
+// @Description Start periodic CLI update scheduler
+func ScheduleCLIUpdater() {
+	if !beego.AppConfig.DefaultBool("isDemoMode", false) {
+		return
+	}
+
+	ticker := time.NewTicker(1 * time.Hour)
+	defer ticker.Stop()
+
+	for range ticker.C {
+		err := downloadCLI()
+		if err != nil {
+			fmt.Printf("failed to update CLI: %v\n", err)
+		} else {
+			fmt.Println("CLI updated successfully")
+		}
+	}
+}
+
+// @Title DownloadCLI
+// @Description Download the CLI
+// @Success 200 {string} string "The downloaded file path"
+// @router /downloadCLI [post]
+func DownloadCLI() error {
+	return downloadCLI()
+}
+
+// @Title InitCLIDownloader
+// @Description Initialize CLI downloader and start update scheduler
+func InitCLIDownloader() {
+	if !beego.AppConfig.DefaultBool("isDemoMode", false) {
+		return
+	}
+
+	util.SafeGoroutine(func() {
+		err := DownloadCLI()
+		if err != nil {
+			fmt.Printf("failed to initialize CLI downloader: %v\n", err)
+		}
+
+		ScheduleCLIUpdater()
+	})
+}
--- a/controllers/group.go
+++ b/controllers/group.go
@ -70,7 +70,25 @@ func (c *ApiController) GetGroups() {
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
-		} else {
+		}
+		groupsHaveChildrenMap, err := object.GetGroupsHaveChildrenMap(groups)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		for _, group := range groups {
+			_, ok := groupsHaveChildrenMap[group.Name]
+			if ok {
+				group.HaveChildren = true
+			}
+
+			parent, ok := groupsHaveChildrenMap[group.ParentId]
+			if ok {
+				group.ParentName = parent.DisplayName
+			}
+		}
+
 		err = object.ExtendGroupsWithUsers(groups)
 		if err != nil {
 			c.ResponseError(err.Error())
@ -78,7 +96,7 @@ func (c *ApiController) GetGroups() {
 		}

 		c.ResponseOk(groups, paginator.Nums())
-		}
+
 	}
 }

--- a/controllers/organization.go
+++ b/controllers/organization.go
@ -124,7 +124,9 @@ func (c *ApiController) UpdateOrganization() {
 		return
 	}

-	c.Data["json"] = wrapActionResponse(object.UpdateOrganization(id, &organization))
+	isGlobalAdmin, _ := c.isGlobalAdmin()
+
+	c.Data["json"] = wrapActionResponse(object.UpdateOrganization(id, &organization, isGlobalAdmin))
 	c.ServeJSON()
 }

--- a/controllers/scim.go
+++ b/controllers/scim.go
@ -21,6 +21,11 @@ import (
 )

 func (c *RootController) HandleScim() {
+	_, ok := c.RequireAdmin()
+	if !ok {
+		return
+	}
+
 	path := c.Ctx.Request.URL.Path
 	c.Ctx.Request.URL.Path = strings.TrimPrefix(path, "/scim")
 	scim.Server.ServeHTTP(c.Ctx.ResponseWriter, c.Ctx.Request)
--- a/controllers/verification.go
+++ b/controllers/verification.go
@ -510,11 +510,18 @@ func (c *ApiController) VerifyCode() {
 		}
 	}

-	result, err := object.CheckVerificationCode(checkDest, authForm.Code, c.GetAcceptLanguage())
+	passed, err := c.checkOrgMasterVerificationCode(user, authForm.Code)
 	if err != nil {
 		c.ResponseError(c.T(err.Error()))
 		return
 	}
+
+	if !passed {
+		result, err := object.CheckVerificationCode(checkDest, authForm.Code, c.GetAcceptLanguage())
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 		if result.Code != object.VerificationSuccess {
 			c.ResponseError(result.Msg)
 			return
@ -525,6 +532,7 @@ func (c *ApiController) VerifyCode() {
 			c.ResponseError(err.Error())
 			return
 		}
+	}

 	c.SetSession("verifiedCode", authForm.Code)
 	c.SetSession("verifiedUserId", user.GetId())
--- a/controllers/verification_util.go
+++ b/controllers/verification_util.go
@ -0,0 +1,36 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"fmt"
+
+	"github.com/casdoor/casdoor/object"
+)
+
+func (c *ApiController) checkOrgMasterVerificationCode(user *object.User, code string) (bool, error) {
+	organization, err := object.GetOrganizationByUser(user)
+	if err != nil {
+		return false, err
+	}
+	if organization == nil {
+		return false, fmt.Errorf("The organization: %s does not exist", user.Owner)
+	}
+
+	if organization.MasterVerificationCode != "" && organization.MasterVerificationCode == code {
+		return true, nil
+	}
+	return false, nil
+}
--- a/form/auth.go
+++ b/form/auth.go
@ -40,6 +40,7 @@ type AuthForm struct {
 	Application  string `json:"application"`
 	ClientId     string `json:"clientId"`
 	Provider     string `json:"provider"`
+	ProviderBack string `json:"providerBack"`
 	Code         string `json:"code"`
 	State        string `json:"state"`
 	RedirectUri  string `json:"redirectUri"`
--- a/main.go
+++ b/main.go
@ -22,6 +22,7 @@ import (
 	_ "github.com/beego/beego/session/redis"
 	"github.com/casdoor/casdoor/authz"
 	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/controllers"
 	"github.com/casdoor/casdoor/ldap"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/proxy"
@ -45,6 +46,7 @@ func main() {
 	object.InitCasvisorConfig()

 	util.SafeGoroutine(func() { object.RunSyncUsersJob() })
+	util.SafeGoroutine(func() { controllers.InitCLIDownloader() })

 	// beego.DelStaticPath("/static")
 	// beego.SetStaticPath("/static", "web/build/static")
--- a/object/application.go
+++ b/object/application.go
@ -481,7 +481,10 @@ func GetApplicationByClientId(clientId string) (*Application, error) {
 }

 func GetApplication(id string) (*Application, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return nil, err
+	}
 	return getApplication(owner, name)
 }

--- a/object/check.go
+++ b/object/check.go
@ -241,6 +241,10 @@ func CheckPassword(user *User, password string, lang string, options ...bool) er
 		return fmt.Errorf(i18n.Translate(lang, "check:Organization does not exist"))
 	}

+	if password == "" {
+		return fmt.Errorf(i18n.Translate(lang, "check:Password cannot be empty"))
+	}
+
 	passwordType := user.PasswordType
 	if passwordType == "" {
 		passwordType = organization.PasswordType
--- a/object/group.go
+++ b/object/group.go
@ -17,7 +17,6 @@ package object
 import (
 	"errors"
 	"fmt"
-	"sync"

 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/util"
@ -36,11 +35,13 @@ type Group struct {
 	ContactEmail string   `xorm:"varchar(100)" json:"contactEmail"`
 	Type         string   `xorm:"varchar(100)" json:"type"`
 	ParentId     string   `xorm:"varchar(100)" json:"parentId"`
+	ParentName   string   `xorm:"-" json:"parentName"`
 	IsTopGroup   bool     `xorm:"bool" json:"isTopGroup"`
 	Users        []string `xorm:"-" json:"users"`

 	Title        string   `json:"title,omitempty"`
 	Key          string   `json:"key,omitempty"`
+	HaveChildren bool     `xorm:"-" json:"haveChildren"`
 	Children     []*Group `json:"children,omitempty"`

 	IsEnabled bool `json:"isEnabled"`
@ -79,6 +80,26 @@ func GetPaginationGroups(owner string, offset, limit int, field, value, sortFiel
 	return groups, nil
 }

+func GetGroupsHaveChildrenMap(groups []*Group) (map[string]*Group, error) {
+	groupsHaveChildren := []*Group{}
+	resultMap := make(map[string]*Group)
+
+	groupIds := []string{}
+	for _, group := range groups {
+		groupIds = append(groupIds, group.Name)
+		groupIds = append(groupIds, group.ParentId)
+	}
+
+	err := ormer.Engine.Cols("owner", "name", "parent_id", "display_name").Distinct("parent_id").In("parent_id", groupIds).Find(&groupsHaveChildren)
+	if err != nil {
+		return nil, err
+	}
+	for _, group := range groups {
+		resultMap[group.Name] = group
+	}
+	return resultMap, nil
+}
+
 func getGroup(owner string, name string) (*Group, error) {
 	if owner == "" || name == "" {
 		return nil, nil
@ -298,17 +319,11 @@ func ExtendGroupWithUsers(group *Group) error {
 		return nil
 	}

-	users, err := GetUsers(group.Owner)
-	if err != nil {
-		return err
-	}
-
 	groupId := group.GetId()
 	userIds := []string{}
-	for _, user := range users {
-		if util.InSlice(user.Groups, groupId) {
-			userIds = append(userIds, user.GetId())
-		}
+	userIds, err := userEnforcer.GetAllUsersByGroup(groupId)
+	if err != nil {
+		return err
 	}

 	group.Users = userIds
@ -316,29 +331,14 @@ func ExtendGroupWithUsers(group *Group) error {
 }

 func ExtendGroupsWithUsers(groups []*Group) error {
-	var wg sync.WaitGroup
-	errChan := make(chan error, len(groups))
-
 	for _, group := range groups {
-		wg.Add(1)
-		go func(group *Group) {
-			defer wg.Done()
-			err := ExtendGroupWithUsers(group)
-			if err != nil {
-				errChan <- err
-			}
-		}(group)
-	}
-
-	wg.Wait()
-	close(errChan)
-
-	for err := range errChan {
+		users, err := userEnforcer.GetAllUsersByGroup(group.GetId())
 		if err != nil {
 			return err
 		}
-	}

+		group.Users = users
+	}
 	return nil
 }

--- a/object/organization.go
+++ b/object/organization.go
@ -79,6 +79,7 @@ type Organization struct {
 	UseEmailAsUsername     bool       `json:"useEmailAsUsername"`
 	EnableTour             bool       `json:"enableTour"`
 	IpRestriction          string     `json:"ipRestriction"`
+	NavItems               []string   `xorm:"varchar(500)" json:"navItems"`

 	MfaItems     []*MfaItem     `xorm:"varchar(300)" json:"mfaItems"`
 	AccountItems []*AccountItem `xorm:"varchar(5000)" json:"accountItems"`
@ -151,7 +152,10 @@ func getOrganization(owner string, name string) (*Organization, error) {
 }

 func GetOrganization(id string) (*Organization, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return nil, err
+	}
 	return getOrganization(owner, name)
 }

@ -192,9 +196,10 @@ func GetMaskedOrganizations(organizations []*Organization, errs ...error) ([]*Or
 	return organizations, nil
 }

-func UpdateOrganization(id string, organization *Organization) (bool, error) {
+func UpdateOrganization(id string, organization *Organization, isGlobalAdmin bool) (bool, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
-	if org, err := getOrganization(owner, name); err != nil {
+	org, err := getOrganization(owner, name)
+	if err != nil {
 		return false, err
 	} else if org == nil {
 		return false, nil
@ -219,6 +224,10 @@ func UpdateOrganization(id string, organization *Organization) (bool, error) {
 		}
 	}

+	if !isGlobalAdmin {
+		organization.NavItems = org.NavItems
+	}
+
 	session := ormer.Engine.ID(core.PK{owner, name}).AllCols()

 	if organization.MasterPassword == "***" {
--- a/object/product.go
+++ b/object/product.go
@ -219,8 +219,11 @@ func BuyProduct(id string, user *User, providerName, pricingName, planName, host
 		ProductName:        product.Name,
 		PayerName:          payerName,
 		PayerId:            user.Id,
+		PayerEmail:         user.Email,
 		PaymentName:        paymentName,
 		ProductDisplayName: product.DisplayName,
+		ProductDescription: product.Description,
+		ProductImage:       product.Image,
 		Price:              product.Price,
 		Currency:           product.Currency,
 		ReturnUrl:          returnUrl,
--- a/object/provider.go
+++ b/object/provider.go
@ -325,6 +325,12 @@ func GetPaymentProvider(p *Provider) (pp.PaymentProvider, error) {
 			return nil, err
 		}
 		return pp, nil
+	} else if typ == "AirWallex" {
+		pp, err := pp.NewAirwallexPaymentProvider(p.ClientId, p.ClientSecret)
+		if err != nil {
+			return nil, err
+		}
+		return pp, nil
 	} else if typ == "Balance" {
 		pp, err := pp.NewBalancePaymentProvider()
 		if err != nil {
--- a/object/token.go
+++ b/object/token.go
@ -123,8 +123,7 @@ func GetTokenByRefreshToken(refreshToken string) (*Token, error) {

 func GetTokenByTokenValue(tokenValue, tokenTypeHint string) (*Token, error) {
 	switch tokenTypeHint {
-	case "access_token":
-	case "access-token":
+	case "access_token", "access-token":
 		token, err := GetTokenByAccessToken(tokenValue)
 		if err != nil {
 			return nil, err
@ -132,8 +131,7 @@ func GetTokenByTokenValue(tokenValue, tokenTypeHint string) (*Token, error) {
 		if token != nil {
 			return token, nil
 		}
-	case "refresh_token":
-	case "refresh-token":
+	case "refresh_token", "refresh-token":
 		token, err := GetTokenByRefreshToken(tokenValue)
 		if err != nil {
 			return nil, err
@ -146,13 +144,13 @@ func GetTokenByTokenValue(tokenValue, tokenTypeHint string) (*Token, error) {
 	return nil, nil
 }

-func updateUsedByCode(token *Token) bool {
+func updateUsedByCode(token *Token) (bool, error) {
 	affected, err := ormer.Engine.Where("code=?", token.Code).Cols("code_is_used").Update(token)
 	if err != nil {
-		panic(err)
+		return false, err
 	}

-	return affected != 0
+	return affected != 0, nil
 }

 func GetToken(id string) (*Token, error) {
--- a/object/token_oauth.go
+++ b/object/token_oauth.go
@ -248,7 +248,10 @@ func GetOAuthToken(grantType string, clientId string, clientSecret string, code

 	token.CodeIsUsed = true

-	go updateUsedByCode(token)
+	_, err = updateUsedByCode(token)
+	if err != nil {
+		return nil, err
+	}

 	tokenWrapper := &TokenWrapper{
 		AccessToken:  token.AccessToken,
--- a/object/user.go
+++ b/object/user.go
@ -965,6 +965,11 @@ func DeleteUser(user *User) (bool, error) {
 		return false, err
 	}

+	_, err = userEnforcer.DeleteGroupsForUser(user.GetId())
+	if err != nil {
+		return false, err
+	}
+
 	organization, err := GetOrganizationByUser(user)
 	if err != nil {
 		return false, err
--- a/pp/airwallex.go
+++ b/pp/airwallex.go
@ -0,0 +1,289 @@
+package pp
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/casdoor/casdoor/conf"
+)
+
+type AirwallexPaymentProvider struct {
+	Client *AirwallexClient
+}
+
+func NewAirwallexPaymentProvider(clientId string, apiKey string) (*AirwallexPaymentProvider, error) {
+	isProd := conf.GetConfigString("runmode") == "prod"
+	apiEndpoint := "https://api-demo.airwallex.com/api/v1"
+	apiCheckout := "https://checkout-demo.airwallex.com/#/standalone/checkout?"
+	if isProd {
+		apiEndpoint = "https://api.airwallex.com/api/v1"
+		apiCheckout = "https://checkout.airwallex.com/#/standalone/checkout?"
+	}
+	client := &AirwallexClient{
+		ClientId:    clientId,
+		APIKey:      apiKey,
+		APIEndpoint: apiEndpoint,
+		APICheckout: apiCheckout,
+		client:      &http.Client{Timeout: 15 * time.Second},
+	}
+	pp := &AirwallexPaymentProvider{
+		Client: client,
+	}
+	return pp, nil
+}
+
+func (pp *AirwallexPaymentProvider) Pay(r *PayReq) (*PayResp, error) {
+	// Create a payment intent
+	intent, err := pp.Client.CreateIntent(r)
+	if err != nil {
+		return nil, err
+	}
+	payUrl, err := pp.Client.GetCheckoutUrl(intent, r)
+	if err != nil {
+		return nil, err
+	}
+	return &PayResp{
+		PayUrl:  payUrl,
+		OrderId: intent.MerchantOrderId,
+	}, nil
+}
+
+func (pp *AirwallexPaymentProvider) Notify(body []byte, orderId string) (*NotifyResult, error) {
+	notifyResult := &NotifyResult{}
+	intent, err := pp.Client.GetIntentByOrderId(orderId)
+	if err != nil {
+		return nil, err
+	}
+	// Check intent status
+	switch intent.Status {
+	case "PENDING", "REQUIRES_PAYMENT_METHOD", "REQUIRES_CUSTOMER_ACTION", "REQUIRES_CAPTURE":
+		notifyResult.PaymentStatus = PaymentStateCreated
+		return notifyResult, nil
+	case "CANCELLED":
+		notifyResult.PaymentStatus = PaymentStateCanceled
+		return notifyResult, nil
+	case "EXPIRED":
+		notifyResult.PaymentStatus = PaymentStateTimeout
+		return notifyResult, nil
+	case "SUCCEEDED":
+		// Skip
+	default:
+		notifyResult.PaymentStatus = PaymentStateError
+		notifyResult.NotifyMessage = fmt.Sprintf("unexpected airwallex checkout status: %v", intent.Status)
+		return notifyResult, nil
+	}
+	// Check attempt status
+	if intent.PaymentStatus != "" {
+		switch intent.PaymentStatus {
+		case "CANCELLED", "EXPIRED", "RECEIVED", "AUTHENTICATION_REDIRECTED", "AUTHORIZED", "CAPTURE_REQUESTED":
+			notifyResult.PaymentStatus = PaymentStateCreated
+			return notifyResult, nil
+		case "PAID", "SETTLED":
+			// Skip
+		default:
+			notifyResult.PaymentStatus = PaymentStateError
+			notifyResult.NotifyMessage = fmt.Sprintf("unexpected airwallex checkout payment status: %v", intent.PaymentStatus)
+			return notifyResult, nil
+		}
+	}
+	// The Payment has succeeded.
+	var productDisplayName, productName, providerName string
+	if description, ok := intent.Metadata["description"]; ok {
+		productName, productDisplayName, providerName, _ = parseAttachString(description.(string))
+	}
+	orderId = intent.MerchantOrderId
+	return &NotifyResult{
+		PaymentName:        orderId,
+		PaymentStatus:      PaymentStatePaid,
+		ProductName:        productName,
+		ProductDisplayName: productDisplayName,
+		ProviderName:       providerName,
+		Price:              priceStringToFloat64(intent.Amount.String()),
+		Currency:           intent.Currency,
+		OrderId:            orderId,
+	}, nil
+}
+
+func (pp *AirwallexPaymentProvider) GetInvoice(paymentName, personName, personIdCard, personEmail, personPhone, invoiceType, invoiceTitle, invoiceTaxId string) (string, error) {
+	return "", nil
+}
+
+func (pp *AirwallexPaymentProvider) GetResponseError(err error) string {
+	if err == nil {
+		return "success"
+	}
+	return "fail"
+}
+
+/*
+ * Airwallex Client implementation (to be removed upon official SDK release)
+ */
+
+type AirwallexClient struct {
+	ClientId    string
+	APIKey      string
+	APIEndpoint string
+	APICheckout string
+	client      *http.Client
+	tokenCache  *AirWallexTokenInfo
+	tokenMutex  sync.RWMutex
+}
+
+type AirWallexTokenInfo struct {
+	Token           string `json:"token"`
+	ExpiresAt       string `json:"expires_at"`
+	parsedExpiresAt time.Time
+}
+
+type AirWallexIntentResp struct {
+	Id              string `json:"id"`
+	ClientSecret    string `json:"client_secret"`
+	MerchantOrderId string `json:"merchant_order_id"`
+}
+
+func (c *AirwallexClient) GetToken() (string, error) {
+	c.tokenMutex.Lock()
+	defer c.tokenMutex.Unlock()
+	if c.tokenCache != nil && time.Now().Before(c.tokenCache.parsedExpiresAt) {
+		return c.tokenCache.Token, nil
+	}
+	req, _ := http.NewRequest("POST", c.APIEndpoint+"/authentication/login", bytes.NewBuffer([]byte("{}")))
+	req.Header.Set("x-client-id", c.ClientId)
+	req.Header.Set("x-api-key", c.APIKey)
+	resp, err := c.client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+	var result AirWallexTokenInfo
+	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		return "", err
+	}
+	if result.Token == "" {
+		return "", fmt.Errorf("invalid token response")
+	}
+	expiresAt := strings.Replace(result.ExpiresAt, "+0000", "+00:00", 1)
+	result.parsedExpiresAt, _ = time.Parse(time.RFC3339, expiresAt)
+	c.tokenCache = &result
+	return result.Token, nil
+}
+
+func (c *AirwallexClient) authRequest(method, url string, body interface{}) (map[string]interface{}, error) {
+	token, err := c.GetToken()
+	if err != nil {
+		return nil, err
+	}
+	b, _ := json.Marshal(body)
+	req, _ := http.NewRequest(method, url, bytes.NewBuffer(b))
+	req.Header.Set("Authorization", "Bearer "+token)
+	req.Header.Set("Content-Type", "application/json")
+	resp, err := c.client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	var result map[string]interface{}
+	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		return nil, err
+	}
+	return result, nil
+}
+
+func (c *AirwallexClient) CreateIntent(r *PayReq) (*AirWallexIntentResp, error) {
+	description := joinAttachString([]string{r.ProductName, r.ProductDisplayName, r.ProviderName})
+	orderId := r.PaymentName
+	intentReq := map[string]interface{}{
+		"currency":          r.Currency,
+		"amount":            r.Price,
+		"merchant_order_id": orderId,
+		"request_id":        orderId,
+		"descriptor":        strings.ReplaceAll(string([]rune(description)[:32]), "\x00", ""),
+		"metadata":          map[string]interface{}{"description": description},
+		"order":             map[string]interface{}{"products": []map[string]interface{}{{"name": r.ProductDisplayName, "quantity": 1, "desc": r.ProductDescription, "image_url": r.ProductImage}}},
+		"customer":          map[string]interface{}{"merchant_customer_id": r.PayerId, "email": r.PayerEmail, "first_name": r.PayerName, "last_name": r.PayerName},
+	}
+	intentUrl := fmt.Sprintf("%s/pa/payment_intents/create", c.APIEndpoint)
+	intentRes, err := c.authRequest("POST", intentUrl, intentReq)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create payment intent: %v", err)
+	}
+	return &AirWallexIntentResp{
+		Id:              intentRes["id"].(string),
+		ClientSecret:    intentRes["client_secret"].(string),
+		MerchantOrderId: intentRes["merchant_order_id"].(string),
+	}, nil
+}
+
+type AirwallexIntent struct {
+	Amount               json.Number `json:"amount"`
+	Currency             string      `json:"currency"`
+	Id                   string      `json:"id"`
+	Status               string      `json:"status"`
+	Descriptor           string      `json:"descriptor"`
+	MerchantOrderId      string      `json:"merchant_order_id"`
+	LatestPaymentAttempt struct {
+		Status string `json:"status"`
+	} `json:"latest_payment_attempt"`
+	Metadata map[string]interface{} `json:"metadata"`
+}
+
+type AirwallexIntents struct {
+	Items []AirwallexIntent `json:"items"`
+}
+
+type AirWallexIntentInfo struct {
+	Amount          json.Number
+	Currency        string
+	Id              string
+	Status          string
+	Descriptor      string
+	MerchantOrderId string
+	PaymentStatus   string
+	Metadata        map[string]interface{}
+}
+
+func (c *AirwallexClient) GetIntentByOrderId(orderId string) (*AirWallexIntentInfo, error) {
+	intentUrl := fmt.Sprintf("%s/pa/payment_intents/?merchant_order_id=%s", c.APIEndpoint, orderId)
+	intentRes, err := c.authRequest("GET", intentUrl, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get payment intent: %v", err)
+	}
+	items := intentRes["items"].([]interface{})
+	if len(items) == 0 {
+		return nil, fmt.Errorf("no payment intent found for order id: %s", orderId)
+	}
+	var intent AirwallexIntent
+	if b, err := json.Marshal(items[0]); err == nil {
+		json.Unmarshal(b, &intent)
+	}
+	return &AirWallexIntentInfo{
+		Id:              intent.Id,
+		Amount:          intent.Amount,
+		Currency:        intent.Currency,
+		Status:          intent.Status,
+		Descriptor:      intent.Descriptor,
+		MerchantOrderId: intent.MerchantOrderId,
+		PaymentStatus:   intent.LatestPaymentAttempt.Status,
+		Metadata:        intent.Metadata,
+	}, nil
+}
+
+func (c *AirwallexClient) GetCheckoutUrl(intent *AirWallexIntentResp, r *PayReq) (string, error) {
+	return fmt.Sprintf("%sintent_id=%s&client_secret=%s&mode=payment&currency=%s&amount=%v&requiredBillingContactFields=%s&successUrl=%s&failUrl=%s&logoUrl=%s",
+		c.APICheckout,
+		intent.Id,
+		intent.ClientSecret,
+		r.Currency,
+		r.Price,
+		url.QueryEscape(`["address"]`),
+		r.ReturnUrl,
+		r.ReturnUrl,
+		"data:image/gif;base64,R0lGODlhAQABAAD/ACwAAAAAAQABAAACADs=", // replace default logo
+	), nil
+}
--- a/pp/provider.go
+++ b/pp/provider.go
@ -33,8 +33,11 @@ type PayReq struct {
 	ProductName        string
 	PayerName          string
 	PayerId            string
+	PayerEmail         string
 	PaymentName        string
 	ProductDisplayName string
+	ProductDescription string
+	ProductImage       string
 	Price              float64
 	Currency           string

--- a/routers/router.go
+++ b/routers/router.go
@ -175,6 +175,7 @@ func initAPI() {
 	beego.Router("/api/get-all-roles", &controllers.ApiController{}, "GET:GetAllRoles")

 	beego.Router("/api/run-casbin-command", &controllers.ApiController{}, "GET:RunCasbinCommand")
+	beego.Router("/api/refresh-engines", &controllers.ApiController{}, "POST:RefreshEngines")

 	beego.Router("/api/get-sessions", &controllers.ApiController{}, "GET:GetSessions")
 	beego.Router("/api/get-session", &controllers.ApiController{}, "GET:GetSingleSession")
--- a/routers/static_filter.go
+++ b/routers/static_filter.go
@ -80,6 +80,15 @@ func fastAutoSignin(ctx *context.Context) (string, error) {
 		return "", nil
 	}

+	isAllowed, err := object.CheckLoginPermission(userId, application)
+	if err != nil {
+		return "", err
+	}
+
+	if !isAllowed {
+		return "", nil
+	}
+
 	code, err := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, ctx.Request.Host, getAcceptLanguage(ctx))
 	if err != nil {
 		return "", err
@ -133,6 +142,9 @@ func StaticFilter(ctx *context.Context) {
 		path += urlPath
 	}

+	// Preventing synchronization problems from concurrency
+	ctx.Input.CruSession = nil
+
 	organizationThemeCookie, err := appendThemeCookie(ctx, urlPath)
 	if err != nil {
 		fmt.Println(err)
--- a/routers/theme_filter.go
+++ b/routers/theme_filter.go
@ -32,77 +32,79 @@ type OrganizationThemeCookie struct {
 }

 func appendThemeCookie(ctx *context.Context, urlPath string) (*OrganizationThemeCookie, error) {
-	if urlPath == "/login" {
-		application, err := object.GetDefaultApplication(fmt.Sprintf("admin/built-in"))
+	organizationThemeCookie, err := getOrganizationThemeCookieFromUrlPath(ctx, urlPath)
 	if err != nil {
 		return nil, err
 	}
-		organization := application.OrganizationObj
-		if organization == nil {
-			organization, err = object.GetOrganization(fmt.Sprintf("admin/built-in"))
-			if err != nil {
-				return nil, err
-			}
-		}
-		if organization != nil {
-			organizationThemeCookie := &OrganizationThemeCookie{
-				application.ThemeData,
-				application.Logo,
-				application.FooterHtml,
-				organization.Favicon,
-				organization.DisplayName,
-			}
-
-			if application.ThemeData != nil {
-				organizationThemeCookie.ThemeData = organization.ThemeData
-			}
+	if organizationThemeCookie != nil {
 		return organizationThemeCookie, setThemeDataCookie(ctx, organizationThemeCookie)
 	}
-	} else if strings.HasPrefix(urlPath, "/login/oauth/authorize") {
+
+	return nil, nil
+}
+
+func getOrganizationThemeCookieFromUrlPath(ctx *context.Context, urlPath string) (*OrganizationThemeCookie, error) {
+	var application *object.Application
+	var organization *object.Organization
+	var err error
+	if urlPath == "/login" || urlPath == "/signup" {
+		application, err = object.GetDefaultApplication(fmt.Sprintf("admin/built-in"))
+		if err != nil {
+			return nil, err
+		}
+	} else if strings.HasSuffix(urlPath, "/oauth/authorize") {
 		clientId := ctx.Input.Query("client_id")
 		if clientId == "" {
 			return nil, nil
 		}
-		application, err := object.GetApplicationByClientId(clientId)
+		application, err = object.GetApplicationByClientId(clientId)
 		if err != nil {
 			return nil, err
 		}
-		if application != nil {
-			organization := application.OrganizationObj
-			if organization == nil {
-				organization, err = object.GetOrganization(fmt.Sprintf("admin/%s", application.Owner))
+	} else if strings.HasPrefix(urlPath, "/login/saml") {
+		owner, _ := strings.CutPrefix(urlPath, "/login/saml/authorize/")
+		application, err = object.GetApplication(owner)
 		if err != nil {
 			return nil, err
 		}
-			}
-			organizationThemeCookie := &OrganizationThemeCookie{
-				application.ThemeData,
-				application.Logo,
-				application.FooterHtml,
-				organization.Favicon,
-				organization.DisplayName,
-			}
-
-			if application.ThemeData != nil {
-				organizationThemeCookie.ThemeData = organization.ThemeData
-			}
-			return organizationThemeCookie, setThemeDataCookie(ctx, organizationThemeCookie)
-		}
 	} else if strings.HasPrefix(urlPath, "/login/") {
-		owner := strings.Replace(urlPath, "/login/", "", -1)
-		if owner != "undefined" && owner != "oauth/undefined" {
-			application, err := object.GetDefaultApplication(fmt.Sprintf("admin/%s", owner))
+		owner, _ := strings.CutPrefix(urlPath, "/login/")
+		if owner == "undefined" || strings.Count(owner, "/") > 0 {
+			return nil, nil
+		}
+		application, err = object.GetDefaultApplication(fmt.Sprintf("admin/%s", owner))
 		if err != nil {
 			return nil, err
 		}
-			organization := application.OrganizationObj
+	} else if strings.HasPrefix(urlPath, "/signup/") {
+		owner, _ := strings.CutPrefix(urlPath, "/signup/")
+		if owner == "undefined" || strings.Count(owner, "/") > 0 {
+			return nil, nil
+		}
+		application, err = object.GetDefaultApplication(fmt.Sprintf("admin/%s", owner))
+		if err != nil {
+			return nil, err
+		}
+	} else if strings.HasPrefix(urlPath, "/cas/") && strings.HasSuffix(urlPath, "/login") {
+		owner, _ := strings.CutPrefix(urlPath, "/cas/")
+		owner, _ = strings.CutSuffix(owner, "/login")
+		application, err = object.GetApplication(owner)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if application == nil {
+		return nil, nil
+	}
+	organization = application.OrganizationObj
 	if organization == nil {
-				organization, err = object.GetOrganization(fmt.Sprintf("admin/%s", owner))
+		organization, err = object.GetOrganization(fmt.Sprintf("admin/%s", application.Organization))
 		if err != nil {
 			return nil, err
 		}
 	}
-			if organization != nil {
+
 	organizationThemeCookie := &OrganizationThemeCookie{
 		application.ThemeData,
 		application.Logo,
@ -111,15 +113,7 @@ func appendThemeCookie(ctx *context.Context, urlPath string) (*OrganizationTheme
 		organization.DisplayName,
 	}

-				if application.ThemeData != nil {
-					organizationThemeCookie.ThemeData = organization.ThemeData
-				}
-				return organizationThemeCookie, setThemeDataCookie(ctx, organizationThemeCookie)
-			}
-		}
-	}
-
-	return nil, nil
+	return organizationThemeCookie, nil
 }

 func setThemeDataCookie(ctx *context.Context, organizationThemeCookie *OrganizationThemeCookie) error {
--- a/util/validation.go
+++ b/util/validation.go
@ -118,6 +118,6 @@ func IsValidOrigin(origin string) (bool, error) {
 		originHostOnly = fmt.Sprintf("%s://%s", urlObj.Scheme, urlObj.Hostname())
 	}

-	res := originHostOnly == "http://localhost" || originHostOnly == "https://localhost" || originHostOnly == "http://127.0.0.1" || originHostOnly == "http://casdoor-app" || strings.HasSuffix(originHostOnly, ".chromiumapp.org")
+	res := originHostOnly == "http://localhost" || originHostOnly == "https://localhost" || originHostOnly == "http://127.0.0.1" || originHostOnly == "http://casdoor-authenticator" || strings.HasSuffix(originHostOnly, ".chromiumapp.org")
 	return res, nil
 }
--- a/web/src/App.js
+++ b/web/src/App.js
@ -361,6 +361,14 @@ class App extends Component {
    }
  };

+  onLoginSuccess(redirectUrl) {
+    window.google?.accounts?.id?.cancel();
+    if (redirectUrl) {
+      localStorage.setItem("mfaRedirectUrl", redirectUrl);
+    }
+    this.getAccount();
+  }
+
  renderPage() {
    if (this.isDoorPages()) {
      let themeData = this.state.themeData;
@ -401,19 +409,13 @@ class App extends Component {
                          application: application,
                        });
                      }}
-                      onLoginSuccess={(redirectUrl) => {
-                        window.google?.accounts?.id?.cancel();
-                        if (redirectUrl) {
-                          localStorage.setItem("mfaRedirectUrl", redirectUrl);
-                        }
-                        this.getAccount();
-                      }}
+                      onLoginSuccess={(redirectUrl) => {this.onLoginSuccess(redirectUrl);}}
                      onUpdateAccount={(account) => this.onUpdateAccount(account)}
                      updataThemeData={this.setTheme}
                    /> :
                    <Switch>
-                      <Route exact path="/callback" component={AuthCallback} />
-                      <Route exact path="/callback/saml" component={SamlCallback} />
+                      <Route exact path="/callback" render={(props) => <AuthCallback {...props} {...this.props} application={this.state.application} onLoginSuccess={(redirectUrl) => {this.onLoginSuccess(redirectUrl);}} />} />
+                      <Route exact path="/callback/saml" render={(props) => <SamlCallback {...props} {...this.props} application={this.state.application} onLoginSuccess={(redirectUrl) => {this.onLoginSuccess(redirectUrl);}} />} />
                      <Route path="" render={() => <Result status="404" title="404 NOT FOUND" subTitle={i18next.t("general:Sorry, the page you visited does not exist.")}
                        extra={<a href="/"><Button type="primary">{i18next.t("general:Back Home")}</Button></a>} />} />
                    </Switch>
--- a/web/src/GroupListPage.js
+++ b/web/src/GroupListPage.js
@ -33,18 +33,6 @@ class GroupListPage extends BaseListPage {
  }
  UNSAFE_componentWillMount() {
    super.UNSAFE_componentWillMount();
-    this.getGroups(this.state.owner);
-  }
-
-  getGroups(organizationName) {
-    GroupBackend.getGroups(organizationName)
-      .then((res) => {
-        if (res.status === "ok") {
-          this.setState({
-            groups: res.data,
-          });
-        }
-      });
  }

  newGroup() {
@ -188,12 +176,8 @@ class GroupListPage extends BaseListPage {
              {record.parentId}
            </Link>;
          }
-          const parentGroup = this.state.groups.find((group) => group.name === text);
-          if (parentGroup === undefined) {
-            return "";
-          }
-          return <Link to={`/groups/${parentGroup.owner}/${parentGroup.name}`}>
-            {parentGroup?.displayName}
+          return <Link to={`/groups/${record.owner}/${record.parentId}`}>
+            {record?.parentName}
          </Link>;
        },
      },
@ -215,12 +199,11 @@ class GroupListPage extends BaseListPage {
        width: "180px",
        fixed: (Setting.isMobile()) ? "false" : "right",
        render: (text, record, index) => {
-          const haveChildren = this.state.groups.find((group) => group.parentId === record.id) !== undefined;
          return (
            <div>
              <Button style={{marginTop: "10px", marginBottom: "10px", marginRight: "10px"}} type="primary" onClick={() => this.props.history.push(`/groups/${record.owner}/${record.name}`)}>{i18next.t("general:Edit")}</Button>
              <PopconfirmModal
-                disabled={haveChildren}
+                disabled={record.haveChildren}
                title={i18next.t("general:Sure to delete") + `: ${record.name} ?`}
                onConfirm={() => this.deleteGroup(index)}
              >
--- a/web/src/ManagementPage.js
+++ b/web/src/ManagementPage.js
@ -241,7 +241,7 @@ function ManagementPage(props) {
            <Link to="/">
              <img className="logo" src={logo ?? props.logo} alt="logo" />
            </Link>,
-      disabled: true,
+      disabled: true, key: "logo",
      style: {
        padding: 0,
        height: "auto",
@ -323,9 +323,37 @@ function ManagementPage(props) {
      }
    }

+    const navItems = props.account.organization.navItems;
+
+    if (!Array.isArray(navItems)) {
      return res;
    }

+    if (navItems.includes("all")) {
+      return res;
+    }
+
+    const resFiltered = res.map(item => {
+      if (!Array.isArray(item.children)) {
+        return item;
+      }
+      const filteredChildren = [];
+      item.children.forEach(itemChild => {
+        if (navItems.includes(itemChild.key)) {
+          filteredChildren.push(itemChild);
+        }
+      });
+
+      item.children = filteredChildren;
+      return item;
+    });
+
+    return resFiltered.filter(item => {
+      if (item.key === "#" || item.key === "logo") {return true;}
+      return Array.isArray(item.children) && item.children.length > 0;
+    });
+  }
+
  function renderLoginIfNotLoggedIn(component) {
    if (props.account === null) {
      sessionStorage.setItem("from", window.location.pathname);
--- a/web/src/OrganizationEditPage.js
+++ b/web/src/OrganizationEditPage.js
@ -26,6 +26,7 @@ import LdapTable from "./table/LdapTable";
 import AccountTable from "./table/AccountTable";
 import ThemeEditor from "./common/theme/ThemeEditor";
 import MfaTable from "./table/MfaTable";
+import {NavItemTree} from "./common/NavItemTree";

 const {Option} = Select;

@ -522,6 +523,21 @@ class OrganizationEditPage extends React.Component {
            }} />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("general:Navbar items"), i18next.t("general:Navbar items - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <NavItemTree
+              disabled={!Setting.isAdminUser(this.props.account)}
+              checkedKeys={this.state.organization.navItems ?? ["all"]}
+              defaultExpandedKeys={["all"]}
+              onCheck={(checked, _) => {
+                this.updateOrganizationField("navItems", checked);
+              }}
+            />
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("organization:Account items"), i18next.t("organization:Account items - Tooltip"))} :
--- a/web/src/PaymentResultPage.js
+++ b/web/src/PaymentResultPage.js
@ -122,7 +122,7 @@ class PaymentResultPage extends React.Component {
        payment: payment,
      });
      if (payment.state === "Created") {
-        if (["PayPal", "Stripe", "Alipay", "WeChat Pay", "Balance"].includes(payment.type)) {
+        if (["PayPal", "Stripe", "AirWallex", "Alipay", "WeChat Pay", "Balance"].includes(payment.type)) {
          this.setState({
            timeout: setTimeout(async() => {
              await PaymentBackend.notifyPayment(this.state.owner, this.state.paymentName);
--- a/web/src/ProductBuyPage.js
+++ b/web/src/ProductBuyPage.js
@ -238,6 +238,8 @@ class ProductBuyPage extends React.Component {
      text = i18next.t("product:PayPal");
    } else if (provider.type === "Stripe") {
      text = i18next.t("product:Stripe");
+    } else if (provider.type === "AirWallex") {
+      text = i18next.t("product:AirWallex");
    }

    return (
--- a/web/src/ProviderEditPage.js
+++ b/web/src/ProviderEditPage.js
@ -467,6 +467,39 @@ class ProviderEditPage extends React.Component {
    this.updateProviderField("issuerUrl", issuerUrl);
  }

+  fetchSamlMetadata() {
+    this.setState({
+      metadataLoading: true,
+    });
+    fetch(this.state.requestUrl, {
+      method: "GET",
+    }).then(res => {
+      if (!res.ok) {
+        return Promise.reject("error");
+      }
+      return res.text();
+    }).then(text => {
+      this.updateProviderField("metadata", text);
+      this.parseSamlMetadata();
+      Setting.showMessage("success", i18next.t("general:Successfully added"));
+    }).catch(err => {
+      Setting.showMessage("error", err.message);
+    }).finally(() => {
+      this.setState({
+        metadataLoading: false,
+      });
+    });
+  }
+
+  parseSamlMetadata() {
+    try {
+      this.loadSamlConfiguration();
+      Setting.showMessage("success", i18next.t("provider:Parse metadata successfully"));
+    } catch (err) {
+      Setting.showMessage("error", i18next.t("provider:Can not parse metadata"));
+    }
+  }
+
  renderProvider() {
    return (
      <Card size="small" title={
@ -1242,6 +1275,21 @@ class ProviderEditPage extends React.Component {
                  }} />
                </Col>
              </Row>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                  {Setting.getLabel(i18next.t("provider:Metadata url"), i18next.t("provider:Metadata url - Tooltip"))} :
+                </Col>
+                <Col span={6} >
+                  <Input value={this.state.requestUrl} onChange={e => {
+                    this.setState({
+                      requestUrl: e.target.value,
+                    });
+                  }} />
+                </Col>
+                <Col span={16} >
+                  <Button type="primary" loading={this.state.metadataLoading} onClick={() => {this.fetchSamlMetadata();}}>{i18next.t("general:Request")}</Button>
+                </Col>
+              </Row>
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
                  {Setting.getLabel(i18next.t("provider:Metadata"), i18next.t("provider:Metadata - Tooltip"))} :
@ -1255,14 +1303,7 @@ class ProviderEditPage extends React.Component {
              <Row style={{marginTop: "20px"}}>
                <Col style={{marginTop: "5px"}} span={2} />
                <Col span={2}>
-                  <Button type="primary" onClick={() => {
-                    try {
-                      this.loadSamlConfiguration();
-                      Setting.showMessage("success", i18next.t("provider:Parse metadata successfully"));
-                    } catch (err) {
-                      Setting.showMessage("error", i18next.t("provider:Can not parse metadata"));
-                    }
-                  }}>
+                  <Button type="primary" onClick={() => {this.parseSamlMetadata();}}>
                    {i18next.t("provider:Parse")}
                  </Button>
                </Col>
--- a/web/src/Setting.js
+++ b/web/src/Setting.js
@ -14,7 +14,7 @@

 import React from "react";
 import {Link} from "react-router-dom";
-import {Select, Tag, Tooltip, message, theme} from "antd";
+import {Button, Select, Tag, Tooltip, message, theme} from "antd";
 import {QuestionCircleTwoTone} from "@ant-design/icons";
 import {isMobile as isMobileDevice} from "react-device-detect";
 import "./i18n";
@ -25,6 +25,8 @@ import {Helmet} from "react-helmet";
 import * as Conf from "./Conf";
 import * as phoneNumber from "libphonenumber-js";
 import moment from "moment";
+import {MfaAuthVerifyForm, NextMfa, RequiredMfa} from "./auth/mfa/MfaAuthVerifyForm";
+import {EmailMfaType, SmsMfaType, TotpMfaType} from "./auth/MfaSetupPage";

 const {Option} = Select;

@ -277,6 +279,10 @@ export const OtherProviderInfo = {
      logo: `${StaticBaseUrl}/img/social_stripe.png`,
      url: "https://stripe.com/",
    },
+    "AirWallex": {
+      logo: `${StaticBaseUrl}/img/payment_airwallex.svg`,
+      url: "https://airwallex.com/",
+    },
    "GC": {
      logo: `${StaticBaseUrl}/img/payment_gc.png`,
      url: "https://gc.org",
@ -1104,6 +1110,7 @@ export function getProviderTypeOptions(category) {
      {id: "WeChat Pay", name: "WeChat Pay"},
      {id: "PayPal", name: "PayPal"},
      {id: "Stripe", name: "Stripe"},
+      {id: "AirWallex", name: "AirWallex"},
      {id: "GC", name: "GC"},
    ]);
  } else if (category === "Captcha") {
@ -1396,7 +1403,13 @@ export function getTag(color, text, icon) {
 }

 export function getApplicationName(application) {
-  return `${application?.owner}/${application?.name}`;
+  let name = `${application?.owner}/${application?.name}`;
+
+  if (application?.isShared && application?.organization) {
+    name += `-org-${application.organization}`;
+  }
+
+  return name;
 }

 export function getApplicationDisplayName(application) {
@ -1588,3 +1601,114 @@ export function getCurrencyText(product) {
 export function isDarkTheme(themeAlgorithm) {
  return themeAlgorithm && themeAlgorithm.includes("dark");
 }
+
+function getPreferredMfaProp(mfaProps) {
+  for (const i in mfaProps) {
+    if (mfaProps[i].isPreffered) {
+      return mfaProps[i];
+    }
+  }
+  return mfaProps[0];
+}
+
+export function checkLoginMfa(res, body, params, handleLogin, componentThis, requireRedirect = null) {
+  if (res.data === RequiredMfa) {
+    if (!requireRedirect) {
+      componentThis.props.onLoginSuccess(window.location.href);
+    } else {
+      componentThis.props.onLoginSuccess(requireRedirect);
+    }
+  } else if (res.data === NextMfa) {
+    componentThis.setState({
+      mfaProps: res.data2,
+      selectedMfaProp: getPreferredMfaProp(res.data2),
+    }, () => {
+      body["providerBack"] = body["provider"];
+      body["provider"] = "";
+      componentThis.setState({
+        getVerifyTotp: () => renderMfaAuthVerifyForm(body, params, handleLogin, componentThis),
+      });
+    });
+  } else if (res.data === "SelectPlan") {
+    // paid-user does not have active or pending subscription, go to application default pricing page to select-plan
+    const pricing = res.data2;
+    goToLink(`/select-plan/${pricing.owner}/${pricing.name}?user=${body.username}`);
+  } else if (res.data === "BuyPlanResult") {
+    // paid-user has pending subscription, go to buy-plan/result apge to notify payment result
+    const sub = res.data2;
+    goToLink(`/buy-plan/${sub.owner}/${sub.pricing}/result?subscription=${sub.name}`);
+  } else {
+    handleLogin(res);
+  }
+}
+
+export function getApplicationObj(componentThis) {
+  return componentThis.props.application;
+}
+
+export function parseOffset(offset) {
+  if (offset === 2 || offset === 4 || inIframe() || isMobile()) {
+    return "0 auto";
+  }
+  if (offset === 1) {
+    return "0 10%";
+  }
+  if (offset === 3) {
+    return "0 60%";
+  }
+}
+
+function renderMfaAuthVerifyForm(values, authParams, onSuccess, componentThis) {
+  return (
+    <div>
+      <MfaAuthVerifyForm
+        mfaProps={componentThis.state.selectedMfaProp}
+        formValues={values}
+        authParams={authParams}
+        application={getApplicationObj(componentThis)}
+        onFail={(errorMessage) => {
+          showMessage("error", errorMessage);
+        }}
+        onSuccess={(res) => onSuccess(res)}
+      />
+      <div>
+        {
+          componentThis.state.mfaProps.map((mfa) => {
+            if (componentThis.state.selectedMfaProp.mfaType === mfa.mfaType) {return null;}
+            let mfaI18n = "";
+            switch (mfa.mfaType) {
+            case SmsMfaType: mfaI18n = i18next.t("mfa:Use SMS"); break;
+            case TotpMfaType: mfaI18n = i18next.t("mfa:Use Authenticator App"); break ;
+            case EmailMfaType: mfaI18n = i18next.t("mfa:Use Email") ;break;
+            }
+            return <div key={mfa.mfaType}><Button type={"link"} onClick={() => {
+              componentThis.setState({
+                selectedMfaProp: mfa,
+              });
+            }}>{mfaI18n}</Button></div>;
+          })
+        }
+      </div>
+    </div>);
+}
+
+export function renderLoginPanel(application, getInnerComponent, componentThis) {
+  return (
+    <div className="login-content" style={{margin: componentThis.props.preview ?? parseOffset(application.formOffset)}}>
+      {inIframe() || isMobile() ? null : <div dangerouslySetInnerHTML={{__html: application.formCss}} />}
+      {inIframe() || !isMobile() ? null : <div dangerouslySetInnerHTML={{__html: application.formCssMobile}} />}
+      <div className={isDarkTheme(componentThis.props.themeAlgorithm) ? "login-panel-dark" : "login-panel"}>
+        <div className="side-image" style={{display: application.formOffset !== 4 ? "none" : null}}>
+          <div dangerouslySetInnerHTML={{__html: application.formSideHtml}} />
+        </div>
+        <div className="login-form">
+          <div>
+            {
+              getInnerComponent()
+            }
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
--- a/web/src/auth/AuthCallback.js
+++ b/web/src/auth/AuthCallback.js
@ -21,6 +21,7 @@ import {authConfig} from "./Auth";
 import * as Setting from "../Setting";
 import i18next from "i18next";
 import RedirectForm from "../common/RedirectForm";
+import {renderLoginPanel} from "../Setting";

 class AuthCallback extends React.Component {
  constructor(props) {
@ -131,6 +132,7 @@ class AuthCallback extends React.Component {
      // user is using casdoor as cas sso server, and wants the ticket to be acquired
      AuthBackend.loginCas(body, {"service": casService}).then((res) => {
        if (res.status === "ok") {
+          const handleCasLogin = (res) => {
            let msg = "Logged in successfully.";
            if (casService === "") {
              // If service was not specified, Casdoor must display a message notifying the client that it has successfully initiated a single sign-on session.
@ -144,6 +146,9 @@ class AuthCallback extends React.Component {
              newUrl.searchParams.append("ticket", st);
              window.location.href = newUrl.toString();
            }
+          };
+
+          Setting.checkLoginMfa(res, body, {"service": casService}, handleCasLogin, this);
        } else {
          Setting.showMessage("error", `${i18next.t("application:Failed to sign in")}: ${res.msg}`);
        }
@ -159,6 +164,7 @@ class AuthCallback extends React.Component {
      .then((res) => {
        if (res.status === "ok") {
          const responseType = this.getResponseType();
+          const handleLogin = (res) => {
            if (responseType === "login") {
              if (res.data2) {
                sessionStorage.setItem("signinUrl", signinUrl);
@ -207,6 +213,9 @@ class AuthCallback extends React.Component {
                Setting.goToLink(`${redirectUri}${redirectUri.includes("?") ? "&" : "?"}SAMLResponse=${encodeURIComponent(SAMLResponse)}&RelayState=${oAuthParams.relayState}`);
              }
            }
+          };
+
+          Setting.checkLoginMfa(res, body, oAuthParams, handleLogin, this, window.location.origin);
        } else {
          this.setState({
            msg: res.msg,
@ -220,6 +229,11 @@ class AuthCallback extends React.Component {
      return <RedirectForm samlResponse={this.state.samlResponse} redirectUrl={this.state.redirectUrl} relayState={this.state.relayState} />;
    }

+    if (this.state.getVerifyTotp !== undefined) {
+      const application = Setting.getApplicationObj(this);
+      return renderLoginPanel(application, this.state.getVerifyTotp, this);
+    }
+
    return (
      <div style={{display: "flex", justifyContent: "center", alignItems: "center"}}>
        {
--- a/web/src/auth/ForgetPage.js
+++ b/web/src/auth/ForgetPage.js
@ -264,6 +264,9 @@ class ForgetPage extends React.Component {
            )
          }
          onValuesChange={(changedValues, allValues) => {
+            if (!changedValues.dest) {
+              return;
+            }
            const verifyType = changedValues.dest?.indexOf("@") === -1 ? "phone" : "email";
            this.setState({
              dest: changedValues.dest,
--- a/web/src/auth/LoginPage.js
+++ b/web/src/auth/LoginPage.js
@ -34,10 +34,9 @@ import {SendCodeInput} from "../common/SendCodeInput";
 import LanguageSelect from "../common/select/LanguageSelect";
 import {CaptchaModal, CaptchaRule} from "../common/modal/CaptchaModal";
 import RedirectForm from "../common/RedirectForm";
-import {MfaAuthVerifyForm, NextMfa, RequiredMfa} from "./mfa/MfaAuthVerifyForm";
+import {RequiredMfa} from "./mfa/MfaAuthVerifyForm";
 import {GoogleOneTapLoginVirtualButton} from "./GoogleLoginButton";
 import * as ProviderButton from "./ProviderButton";
-import {EmailMfaType, SmsMfaType, TotpMfaType} from "./MfaSetupPage";
 const FaceRecognitionModal = lazy(() => import("../common/modal/FaceRecognitionModal"));

 class LoginPage extends React.Component {
@ -439,18 +438,7 @@ class LoginPage extends React.Component {
        };

        if (res.status === "ok") {
-          if (res.data === NextMfa) {
-            this.setState({
-              mfaProps: res.data2,
-              selectedMfaProp: this.getPreferredMfaProp(res.data2),
-            }, () => {
-              this.setState({
-                getVerifyTotp: () => this.renderMfaAuthVerifyForm(values, casParams, loginHandler),
-              });
-            });
-          } else {
-            loginHandler(res);
-          }
+          Setting.checkLoginMfa(res, values, casParams, loginHandler, this);
        } else {
          Setting.showMessage("error", `${i18next.t("application:Failed to sign in")}: ${res.msg}`);
        }
@ -505,26 +493,7 @@ class LoginPage extends React.Component {
          };

          if (res.status === "ok") {
-            if (res.data === NextMfa) {
-              this.setState({
-                mfaProps: res.data2,
-                selectedMfaProp: this.getPreferredMfaProp(res.data2),
-              }, () => {
-                this.setState({
-                  getVerifyTotp: () => this.renderMfaAuthVerifyForm(values, oAuthParams, loginHandler),
-                });
-              });
-            } else if (res.data === "SelectPlan") {
-              // paid-user does not have active or pending subscription, go to application default pricing page to select-plan
-              const pricing = res.data2;
-              Setting.goToLink(`/select-plan/${pricing.owner}/${pricing.name}?user=${values.username}`);
-            } else if (res.data === "BuyPlanResult") {
-              // paid-user has pending subscription, go to buy-plan/result apge to notify payment result
-              const sub = res.data2;
-              Setting.goToLink(`/buy-plan/${sub.owner}/${sub.pricing}/result?subscription=${sub.name}`);
-            } else {
-              loginHandler(res);
-            }
+            Setting.checkLoginMfa(res, values, oAuthParams, loginHandler, this);
          } else {
            Setting.showMessage("error", `${i18next.t("application:Failed to sign in")}: ${res.msg}`);
          }
@ -532,49 +501,6 @@ class LoginPage extends React.Component {
    }
  }

-  renderMfaAuthVerifyForm(values, authParams, onSuccess) {
-    return (
-      <div>
-        <MfaAuthVerifyForm
-          mfaProps={this.state.selectedMfaProp}
-          formValues={values}
-          authParams={authParams}
-          application={this.getApplicationObj()}
-          onFail={(errorMessage) => {
-            Setting.showMessage("error", errorMessage);
-          }}
-          onSuccess={(res) => onSuccess(res)}
-        />
-        <div>
-          {
-            this.state.mfaProps.map((mfa) => {
-              if (this.state.selectedMfaProp.mfaType === mfa.mfaType) {return null;}
-              let mfaI18n = "";
-              switch (mfa.mfaType) {
-              case SmsMfaType: mfaI18n = i18next.t("mfa:Use SMS"); break;
-              case TotpMfaType: mfaI18n = i18next.t("mfa:Use Authenticator App"); break ;
-              case EmailMfaType: mfaI18n = i18next.t("mfa:Use Email") ;break;
-              }
-              return <div key={mfa.mfaType}><Button type={"link"} onClick={() => {
-                this.setState({
-                  selectedMfaProp: mfa,
-                });
-              }}>{mfaI18n}</Button></div>;
-            })
-          }
-        </div>
-      </div>);
-  }
-
-  getPreferredMfaProp(mfaProps) {
-    for (const i in mfaProps) {
-      if (mfaProps[i].isPreffered) {
-        return mfaProps[i];
-      }
-    }
-    return mfaProps[0];
-  }
-
  isProviderVisible(providerItem) {
    if (this.state.mode === "signup") {
      return Setting.isProviderVisibleForSignUp(providerItem);
--- a/web/src/auth/ProviderButton.js
+++ b/web/src/auth/ProviderButton.js
@ -44,6 +44,7 @@ import KwaiLoginButton from "./KwaiLoginButton";
 import LoginButton from "./LoginButton";
 import * as AuthBackend from "./AuthBackend";
 import {WechatOfficialAccountModal} from "./Util";
+import * as Setting from "../Setting";

 function getSigninButton(provider) {
  const text = i18next.t("login:Sign in with {type}").replace("{type}", provider.displayName !== "" ? provider.displayName : provider.type);
@ -114,11 +115,15 @@ function goToSamlUrl(provider, location) {

  const relayState = `${clientId}&${state}&${providerName}&${realRedirectUri}&${redirectUri}`;
  AuthBackend.getSamlLogin(`${provider.owner}/${providerName}`, btoa(relayState)).then((res) => {
+    if (res.status === "ok") {
      if (res.data2 === "POST") {
        document.write(res.data);
      } else {
        window.location.href = res.data;
      }
+    } else {
+      Setting.showMessage("error", res.msg);
+    }
  });
 }

--- a/web/src/auth/SamlCallback.js
+++ b/web/src/auth/SamlCallback.js
@ -20,6 +20,7 @@ import * as Util from "./Util";
 import * as Setting from "../Setting";
 import i18next from "i18next";
 import {authConfig} from "./Auth";
+import {renderLoginPanel} from "../Setting";

 class SamlCallback extends React.Component {
  constructor(props) {
@ -81,13 +82,26 @@ class SamlCallback extends React.Component {
      .then((res) => {
        if (res.status === "ok") {
          const responseType = this.getResponseType(redirectUri);
+          const handleLogin = (res2) => {
            if (responseType === "login") {
              Setting.showMessage("success", "Logged in successfully");
              Setting.goToLink("/");
            } else if (responseType === "code") {
-            const code = res.data;
+              const code = res2.data;
              Setting.goToLink(`${redirectUri}?code=${code}&state=${state}`);
            }
+          };
+          Setting.checkLoginMfa(res, body, {
+            clientId: clientId,
+            responseType: responseType,
+            redirectUri: messages[3],
+            state: state,
+            nonce: "",
+            scope: "read",
+            challengeMethod: "",
+            codeChallenge: "",
+            type: "code",
+          }, handleLogin, this);
        } else {
          this.setState({
            msg: res.msg,
@ -97,6 +111,11 @@ class SamlCallback extends React.Component {
  }

  render() {
+    if (this.state.getVerifyTotp !== undefined) {
+      const application = Setting.getApplicationObj(this);
+      return renderLoginPanel(application, this.state.getVerifyTotp, this, window.location.origin);
+    }
+
    return (
      <div style={{display: "flex", justifyContent: "center", alignItems: "center"}}>
        {
--- a/web/src/common/CasdoorAppConnector.js
+++ b/web/src/common/CasdoorAppConnector.js
@ -27,7 +27,7 @@ export const generateCasdoorAppUrl = (accessToken, forQrCode = true) => {
    return {qrUrl, error};
  }

-  qrUrl = `casdoor-app://login?serverUrl=${window.location.origin}&accessToken=${accessToken}`;
+  qrUrl = `casdoor-authenticator://login?serverUrl=${window.location.origin}&accessToken=${accessToken}`;

  if (forQrCode && qrUrl.length >= 2000) {
    qrUrl = "";
--- a/web/src/common/NavItemTree.js
+++ b/web/src/common/NavItemTree.js
@ -0,0 +1,97 @@
+import i18next from "i18next";
+import {Tree} from "antd";
+import React from "react";
+
+export const NavItemTree = ({disable, checkedKeys, defaultExpandedKeys, onCheck}) => {
+  const NavItemNodes = [
+    {
+      title: i18next.t("organization:All"),
+      key: "all",
+      children: [
+        {
+          title: i18next.t("general:Home"),
+          key: "/home-top",
+          children: [
+            {title: i18next.t("general:Dashboard"), key: "/"},
+            {title: i18next.t("general:Shortcuts"), key: "/shortcuts"},
+            {title: i18next.t("general:Apps"), key: "/apps"},
+          ],
+        },
+        {
+          title: i18next.t("general:User Management"),
+          key: "/orgs-top",
+          children: [
+            {title: i18next.t("general:Organizations"), key: "/organizations"},
+            {title: i18next.t("general:Groups"), key: "/groups"},
+            {title: i18next.t("general:Users"), key: "/users"},
+            {title: i18next.t("general:Invitations"), key: "/invitations"},
+          ],
+        },
+        {
+          title: i18next.t("general:Identity"),
+          key: "/applications-top",
+          children: [
+            {title: i18next.t("general:Applications"), key: "/applications"},
+            {title: i18next.t("general:Providers"), key: "/providers"},
+            {title: i18next.t("general:Resources"), key: "/resources"},
+            {title: i18next.t("general:Certs"), key: "/certs"},
+          ],
+        },
+        {
+          title: i18next.t("general:Authorization"),
+          key: "/roles-top",
+          children: [
+            {title: i18next.t("general:Applications"), key: "/roles"},
+            {title: i18next.t("general:Permissions"), key: "/permissions"},
+            {title: i18next.t("general:Models"), key: "/models"},
+            {title: i18next.t("general:Adapters"), key: "/adapters"},
+            {title: i18next.t("general:Enforcers"), key: "/enforcers"},
+          ],
+        },
+        {
+          title: i18next.t("general:Logging & Auditing"),
+          key: "/sessions-top",
+          children: [
+            {title: i18next.t("general:Sessions"), key: "/sessions"},
+            {title: i18next.t("general:Records"), key: "/records"},
+            {title: i18next.t("general:Tokens"), key: "/tokens"},
+            {title: i18next.t("general:Verifications"), key: "/verifications"},
+          ],
+        },
+        {
+          title: i18next.t("general:Business & Payments"),
+          key: "/business-top",
+          children: [
+            {title: i18next.t("general:Products"), key: "/products"},
+            {title: i18next.t("general:Payments"), key: "/payments"},
+            {title: i18next.t("general:Plans"), key: "/plans"},
+            {title: i18next.t("general:Pricings"), key: "/pricings"},
+            {title: i18next.t("general:Subscriptions"), key: "/subscriptions"},
+            {title: i18next.t("general:Transactions"), key: "/transactions"},
+          ],
+        },
+        {
+          title: i18next.t("general:Admin"),
+          key: "/admin-top",
+          children: [
+            {title: i18next.t("general:System Info"), key: "/sysinfo"},
+            {title: i18next.t("general:Syncers"), key: "/syncers"},
+            {title: i18next.t("general:Webhooks"), key: "/webhooks"},
+            {title: i18next.t("general:Swagger"), key: "/swagger"},
+          ],
+        },
+      ],
+    },
+  ];
+
+  return (
+    <Tree
+      disabled={disable}
+      checkable
+      checkedKeys={checkedKeys}
+      defaultExpandedKeys={defaultExpandedKeys}
+      onCheck={onCheck}
+      treeData={NavItemNodes}
+    />
+  );
+};
--- a/web/src/locales/ar/data.json
+++ b/web/src/locales/ar/data.json
@ -757,6 +757,7 @@
    "Sold": "Sold",
    "Sold - Tooltip": "Quantity sold",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Tag of product",
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
--- a/web/src/locales/cs/data.json
+++ b/web/src/locales/cs/data.json
@ -757,6 +757,7 @@
    "Sold": "Prodáno",
    "Sold - Tooltip": "Prodávané množství",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Štítek produktu",
    "Test buy page..": "Testovací stránka nákupu..",
    "There is no payment channel for this product.": "Pro tento produkt neexistuje žádný platební kanál.",
--- a/web/src/locales/de/data.json
+++ b/web/src/locales/de/data.json
@ -757,6 +757,7 @@
    "Sold": "Verkauft",
    "Sold - Tooltip": "Menge verkauft",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Tag des Produkts",
    "Test buy page..": "Testkaufseite.",
    "There is no payment channel for this product.": "Es gibt keinen Zahlungskanal für dieses Produkt.",
--- a/web/src/locales/en/data.json
+++ b/web/src/locales/en/data.json
@ -757,6 +757,7 @@
    "Sold": "Sold",
    "Sold - Tooltip": "Quantity sold",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Tag of product",
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
--- a/web/src/locales/es/data.json
+++ b/web/src/locales/es/data.json
@ -757,6 +757,7 @@
    "Sold": "Vendido",
    "Sold - Tooltip": "Cantidad vendida",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Etiqueta de producto",
    "Test buy page..": "Página de compra de prueba.",
    "There is no payment channel for this product.": "No hay canal de pago para este producto.",
--- a/web/src/locales/fa/data.json
+++ b/web/src/locales/fa/data.json
@ -757,6 +757,7 @@
    "Sold": "فروخته شده",
    "Sold - Tooltip": "تعداد فروخته شده",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "برچسب محصول",
    "Test buy page..": "صفحه تست خرید..",
    "There is no payment channel for this product.": "برای این محصول کانال پرداختی وجود ندارد.",
--- a/web/src/locales/fi/data.json
+++ b/web/src/locales/fi/data.json
@ -757,6 +757,7 @@
    "Sold": "Sold",
    "Sold - Tooltip": "Quantity sold",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Tag of product",
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
--- a/web/src/locales/fr/data.json
+++ b/web/src/locales/fr/data.json
@ -757,6 +757,7 @@
    "Sold": "Vendu",
    "Sold - Tooltip": "Quantité vendue",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Étiquette de produit",
    "Test buy page..": "Page d'achat de test.",
    "There is no payment channel for this product.": "Il n'y a aucun canal de paiement pour ce produit.",
--- a/web/src/locales/he/data.json
+++ b/web/src/locales/he/data.json
@ -757,6 +757,7 @@
    "Sold": "Sold",
    "Sold - Tooltip": "Quantity sold",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Tag of product",
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
--- a/web/src/locales/id/data.json
+++ b/web/src/locales/id/data.json
@ -757,6 +757,7 @@
    "Sold": "Terjual",
    "Sold - Tooltip": "Jumlah terjual",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Tag produk",
    "Test buy page..": "Halaman pembelian uji coba.",
    "There is no payment channel for this product.": "Tidak ada saluran pembayaran untuk produk ini.",
--- a/web/src/locales/it/data.json
+++ b/web/src/locales/it/data.json
@ -757,6 +757,7 @@
    "Sold": "Sold",
    "Sold - Tooltip": "Quantity sold",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Tag of product",
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
--- a/web/src/locales/ja/data.json
+++ b/web/src/locales/ja/data.json
@ -757,6 +757,7 @@
    "Sold": "売れました",
    "Sold - Tooltip": "販売数量",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "製品のタグ",
    "Test buy page..": "テスト購入ページ。",
    "There is no payment channel for this product.": "この製品には支払いチャネルがありません。",
--- a/web/src/locales/kk/data.json
+++ b/web/src/locales/kk/data.json
@ -757,6 +757,7 @@
    "Sold": "Sold",
    "Sold - Tooltip": "Quantity sold",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Tag of product",
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
--- a/web/src/locales/ko/data.json
+++ b/web/src/locales/ko/data.json
@ -757,6 +757,7 @@
    "Sold": "팔렸습니다",
    "Sold - Tooltip": "판매량",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "제품 태그",
    "Test buy page..": "시험 구매 페이지.",
    "There is no payment channel for this product.": "이 제품에 대한 결제 채널이 없습니다.",
--- a/web/src/locales/ms/data.json
+++ b/web/src/locales/ms/data.json
@ -757,6 +757,7 @@
    "Sold": "Sold",
    "Sold - Tooltip": "Quantity sold",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Tag of product",
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
--- a/web/src/locales/nl/data.json
+++ b/web/src/locales/nl/data.json
@ -757,6 +757,7 @@
    "Sold": "Sold",
    "Sold - Tooltip": "Quantity sold",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Tag of product",
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
--- a/web/src/locales/pl/data.json
+++ b/web/src/locales/pl/data.json
@ -757,6 +757,7 @@
    "Sold": "Sold",
    "Sold - Tooltip": "Quantity sold",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Tag of product",
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
--- a/web/src/locales/pt/data.json
+++ b/web/src/locales/pt/data.json
@ -757,6 +757,7 @@
    "Sold": "Vendido",
    "Sold - Tooltip": "Quantidade vendida",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Tag do produto",
    "Test buy page..": "Página de teste de compra...",
    "There is no payment channel for this product.": "Não há canal de pagamento disponível para este produto.",
--- a/web/src/locales/ru/data.json
+++ b/web/src/locales/ru/data.json
@ -757,6 +757,7 @@
    "Sold": "Продано",
    "Sold - Tooltip": "Количество проданных",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Метка продукта",
    "Test buy page..": "Страница для тестовой покупки.",
    "There is no payment channel for this product.": "Для этого продукта нет канала оплаты.",
--- a/web/src/locales/sk/data.json
+++ b/web/src/locales/sk/data.json
@ -757,6 +757,7 @@
    "Sold": "Predané",
    "Sold - Tooltip": "Množstvo predaných kusov",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Štítok produktu",
    "Test buy page..": "Testovať stránku nákupu..",
    "There is no payment channel for this product.": "Pre tento produkt neexistuje platobný kanál.",
--- a/web/src/locales/sv/data.json
+++ b/web/src/locales/sv/data.json
@ -757,6 +757,7 @@
    "Sold": "Sold",
    "Sold - Tooltip": "Quantity sold",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Tag of product",
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
--- a/web/src/locales/tr/data.json
+++ b/web/src/locales/tr/data.json
@ -757,6 +757,7 @@
    "Sold": "Sold",
    "Sold - Tooltip": "Quantity sold",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Tag of product",
    "Test buy page..": "Test buy page..",
    "There is no payment channel for this product.": "There is no payment channel for this product.",
--- a/web/src/locales/uk/data.json
+++ b/web/src/locales/uk/data.json
@ -757,6 +757,7 @@
    "Sold": "Продано",
    "Sold - Tooltip": "Продана кількість",
    "Stripe": "смужка",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Тег товару",
    "Test buy page..": "Сторінка тестової покупки..",
    "There is no payment channel for this product.": "Для цього продукту немає платіжного каналу.",
--- a/web/src/locales/vi/data.json
+++ b/web/src/locales/vi/data.json
@ -757,6 +757,7 @@
    "Sold": "Đã bán",
    "Sold - Tooltip": "Số lượng bán ra",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "Nhãn sản phẩm",
    "Test buy page..": "Trang mua thử.",
    "There is no payment channel for this product.": "Không có kênh thanh toán cho sản phẩm này.",
--- a/web/src/locales/zh/data.json
+++ b/web/src/locales/zh/data.json
@ -757,6 +757,7 @@
    "Sold": "售出",
    "Sold - Tooltip": "已售出的数量",
    "Stripe": "Stripe",
+    "AirWallex": "AirWallex",
    "Tag - Tooltip": "商品类别",
    "Test buy page..": "测试购买页面..",
    "There is no payment channel for this product.": "该商品没有付款方式。",
Author	SHA1	Message	Date
DacongDA	c181006661	feat: cache theme in signup page (#3568 )	2025-02-09 15:12:35 +08:00
Cutsin	2e83e49492	feat: fix bug due to null characters in descriptor when creating a payment intent (#3567 )	2025-02-08 19:35:51 +08:00
Coki	5661942175	feat: add CLI version cache and proxy support (#3565 ) * feat: add CLI version cache mechanism * feat: add /api/refresh-engines to allowed endpoints in demo mode * feat: add proxy support for cli downloader * feat: add SafeGoroutine for CLIDownloader initialization * refactor: optimize code structure	2025-02-08 19:34:19 +08:00
Coki	7f9f7c6468	feat: add CLI tools auto-downloader and updater (#3559 ) * feat: add CLI downloader feature * feat: add CLI refresh endpoint and scheduler * feat: improve binary names mapping for different platforms and architectures * fix: format binary names in getBinaryNames function * fix: change file permission notation to octal in cli_downloader.go * feat: add isDemoMode check for CLI downloader features	2025-02-07 19:22:56 +08:00
Cutsin	b7a818e2d3	feat: support AirWallex payment provider (#3558 ) * feat: support AirWallex payment provider * chore: add some information due to AirWallex's risk control policy	2025-02-07 19:19:30 +08:00
DacongDA	1a8cfe4ee6	feat: can fetch SAML metadata from URL (#3560 )	2025-02-06 23:50:39 +08:00
hsluoyz	b3526de675	feat: add checkOrgMasterVerificationCode()	2025-02-06 23:46:22 +08:00
Mayank	3b9e08b70d	feat: Fix reset password flow for shared application (#3556 )	2025-02-06 18:03:23 +08:00
IZUMI-Zu	cfc6015aca	feat: rename Casdoor app URL to authenticator (#3553 )	2025-02-05 23:08:06 +08:00
hsluoyz	1600a6799a	feat: return error for updateUsedByCode()	2025-02-05 13:40:41 +08:00
DacongDA	ca60cc3a33	feat: show SAML cert parse error better in frontend (#3551 )	2025-02-05 10:06:02 +08:00
DacongDA	df295717f0	feat: can define what Casdoor pages an org admin can see via Organization.NavItems (#3539 ) * feat: support define what Casdoor pages an org admin can see * feat: remove useless code * fix: fix NavItemNodes i18next invalid * fix: only global admin can edit navItems * fix: move navItem tree to extra file	2025-02-03 00:40:21 +08:00
DacongDA	e3001671a2	feat: fix bug that can not delete user if user doesn't belong to any group (#3544 )	2025-02-02 17:54:05 +08:00
DacongDA	bbe2162e27	feat: fix bug in GetTokenByTokenValue() (#3541 )	2025-01-30 00:48:20 +08:00
Coki	92b5ce3722	feat: add identifier validation for security in RunCasbinCommand (#3535 ) * feat: add identifier validation for security in RunCasbinCommand * refactor: update identifier validation to use SHA-256 hash and timestamp	2025-01-29 18:30:06 +08:00
hsluoyz	bad21fb6bb	feat: check empty password in CheckPassword()	2025-01-28 21:13:59 +08:00
DacongDA	5a78dcf06d	feat: fix Casbin Permissions Not Working When Auto-login is Enabled (#3537 ) * fix: fix Casbin Permissions Not Working When Auto-login is Enabled * fix: fix oauth fastLogin not support permission	2025-01-28 19:15:53 +08:00
DacongDA	558b168477	feat: can verify OTP during OAuth login (#3531 ) * feat: support verify OTP during OAuth login * fix: fail to login if mfa not enable * fix: fail to login if mfa not enable * fix: fix mfaRequired not valid in saml/auth	2025-01-27 19:37:26 +08:00
DacongDA	802b6812a9	feat: fix strange "Email is invalid" error in forget password page (#3527 )	2025-01-23 14:35:11 +08:00
DacongDA	a5a627f92e	feat: optimize get-groups API and GroupListPage (#3518 ) * fix: optimize get-groups api and GroupListPage * fix: fix linter issue	2025-01-23 09:47:39 +08:00
DacongDA	9701818a6e	feat: delete groups for user while deleting user (#3525 )	2025-01-23 09:46:33 +08:00
DacongDA	06986fbd41	feat: fix theme filter for other URLs like SAML (#3523 ) * fix: fix error cause by theme filter * fix: add saml url to theme filter and use getGetOwnerAndNameFromIdWithError instead of using GetOwnerAndNameFromId * fix: fix code error * fix: add support for cas and pack judgement into a function * fix: fix linter err	2025-01-22 19:12:12 +08:00
hsluoyz	3d12ac8dc2	feat: improve HandleScim()	2025-01-22 16:15:19 +08:00