feat: fix tour bug about orgIsTourVisible settings (#3965)

conf/conf.go

@@ -66,7 +66,11 @@ func GetConfigBool(key string) bool {
 func GetConfigInt64(key string) (int64, error) {
 	value := GetConfigString(key)
 	num, err := strconv.ParseInt(value, 10, 64)
-	return num, err
+	if err != nil {
+		return 0, fmt.Errorf("GetConfigInt64(%s) error, %s", key, err.Error())
+	}
+
+	return num, nil
 }
 
 func GetConfigDataSourceName() string {

controllers/account.go

@@ -42,6 +42,7 @@ type Response struct {
 	Name   string      `json:"name"`
 	Data   interface{} `json:"data"`
 	Data2  interface{} `json:"data2"`
+	Data3  interface{} `json:"data3"`
 }
 
 type Captcha struct {

controllers/auth.go

@@ -132,7 +132,7 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 	if form.Type == ResponseTypeLogin {
 		c.SetSessionUsername(userId)
 		util.LogInfo(c.Ctx, "API: [%s] signed in", userId)
-		resp = &Response{Status: "ok", Msg: "", Data: userId, Data2: user.NeedUpdatePassword}
+		resp = &Response{Status: "ok", Msg: "", Data: userId, Data3: user.NeedUpdatePassword}
 	} else if form.Type == ResponseTypeCode {
 		clientId := c.Input().Get("clientId")
 		responseType := c.Input().Get("responseType")
@@ -154,7 +154,7 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		}
 
 		resp = codeToResponse(code)
-		resp.Data2 = user.NeedUpdatePassword
+		resp.Data3 = user.NeedUpdatePassword
 		if application.EnableSigninSession || application.HasPromptPage() {
 			// The prompt page needs the user to be signed in
 			c.SetSessionUsername(userId)
@@ -168,7 +168,7 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 			token, _ := object.GetTokenByUser(application, user, scope, nonce, c.Ctx.Request.Host)
 			resp = tokenToResponse(token)
 
-			resp.Data2 = user.NeedUpdatePassword
+			resp.Data3 = user.NeedUpdatePassword
 		}
 	} else if form.Type == ResponseTypeDevice {
 		authCache, ok := object.DeviceAuthMap.LoadAndDelete(form.UserCode)
@@ -195,14 +195,14 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 
 		object.DeviceAuthMap.Store(authCacheCast.UserName, deviceAuthCacheDeviceCodeCast)
 
-		resp = &Response{Status: "ok", Msg: "", Data: userId, Data2: user.NeedUpdatePassword}
+		resp = &Response{Status: "ok", Msg: "", Data: userId, Data3: user.NeedUpdatePassword}
 	} else if form.Type == ResponseTypeSaml { // saml flow
 		res, redirectUrl, method, err := object.GetSamlResponse(application, user, form.SamlRequest, c.Ctx.Request.Host)
 		if err != nil {
 			c.ResponseError(err.Error(), nil)
 			return
 		}
-		resp = &Response{Status: "ok", Msg: "", Data: res, Data2: map[string]interface{}{"redirectUrl": redirectUrl, "method": method, "needUpdatePassword": user.NeedUpdatePassword}}
+		resp = &Response{Status: "ok", Msg: "", Data: res, Data2: map[string]interface{}{"redirectUrl": redirectUrl, "method": method}, Data3: user.NeedUpdatePassword}
 
 		if application.EnableSigninSession || application.HasPromptPage() {
 			// The prompt page needs the user to be signed in
@@ -355,20 +355,27 @@ func isProxyProviderType(providerType string) bool {
 
 func checkMfaEnable(c *ApiController, user *object.User, organization *object.Organization, verificationType string) bool {
 	if object.IsNeedPromptMfa(organization, user) {
-		// The prompt page needs the user to be srigned in
+		// The prompt page needs the user to be signed in
 		c.SetSessionUsername(user.GetId())
 		c.ResponseOk(object.RequiredMfa)
 		return true
 	}
 
 	if user.IsMfaEnabled() {
+		currentTime := util.String2Time(util.GetCurrentTime())
+		mfaRememberDeadline := util.String2Time(user.MfaRememberDeadline)
+		if user.MfaRememberDeadline != "" && mfaRememberDeadline.After(currentTime) {
+			return false
+		}
 		c.setMfaUserSession(user.GetId())
 		mfaList := object.GetAllMfaProps(user, true)
 		mfaAllowList := []*object.MfaProps{}
+		mfaRememberInHours := organization.MfaRememberInHours
 		for _, prop := range mfaList {
 			if prop.MfaType == verificationType || !prop.Enabled {
 				continue
 			}
+			prop.MfaRememberInHours = mfaRememberInHours
 			mfaAllowList = append(mfaAllowList, prop)
 		}
 		if len(mfaAllowList) >= 1 {
@@ -555,8 +562,11 @@ func (c *ApiController) Login() {
 				c.ResponseError(c.T("auth:The login method: login with LDAP is not enabled for the application"))
 				return
 			}
+
+			clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
+
 			var enableCaptcha bool
-			if enableCaptcha, err = object.CheckToEnableCaptcha(application, authForm.Organization, authForm.Username); err != nil {
+			if enableCaptcha, err = object.CheckToEnableCaptcha(application, authForm.Organization, authForm.Username, clientIp); err != nil {
 				c.ResponseError(err.Error())
 				return
 			} else if enableCaptcha {
@@ -970,6 +980,28 @@ func (c *ApiController) Login() {
 			return
 		}
 
+		var application *object.Application
+		if authForm.ClientId == "" {
+			application, err = object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
+		} else {
+			application, err = object.GetApplicationByClientId(authForm.ClientId)
+		}
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if application == nil {
+			c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), authForm.Application))
+			return
+		}
+
+		var organization *object.Organization
+		organization, err = object.GetOrganization(util.GetId("admin", application.Organization))
+		if err != nil {
+			c.ResponseError(c.T(err.Error()))
+		}
+
 		if authForm.Passcode != "" {
 			if authForm.MfaType == c.GetSession("verificationCodeType") {
 				c.ResponseError("Invalid multi-factor authentication type")
@@ -996,6 +1028,17 @@ func (c *ApiController) Login() {
 				}
 			}
 
+			if authForm.EnableMfaRemember {
+				mfaRememberInSeconds := organization.MfaRememberInHours * 3600
+				currentTime := util.String2Time(util.GetCurrentTime())
+				duration := time.Duration(mfaRememberInSeconds) * time.Second
+				user.MfaRememberDeadline = util.Time2String(currentTime.Add(duration))
+				_, err = object.UpdateUser(user.GetId(), user, []string{"mfa_remember_deadline"}, user.IsAdmin)
+				if err != nil {
+					c.ResponseError(err.Error())
+					return
+				}
+			}
 			c.SetSession("verificationCodeType", "")
 		} else if authForm.RecoveryCode != "" {
 			err = object.MfaRecover(user, authForm.RecoveryCode)
@@ -1008,22 +1051,6 @@ func (c *ApiController) Login() {
 			return
 		}
 
-		var application *object.Application
-		if authForm.ClientId == "" {
-			application, err = object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
-		} else {
-			application, err = object.GetApplicationByClientId(authForm.ClientId)
-		}
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		if application == nil {
-			c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), authForm.Application))
-			return
-		}
-
 		resp = c.HandleLoggedIn(application, user, &authForm)
 		c.setMfaUserSession("")
 
@@ -1222,27 +1249,26 @@ func (c *ApiController) GetQRCode() {
 func (c *ApiController) GetCaptchaStatus() {
 	organization := c.Input().Get("organization")
 	userId := c.Input().Get("userId")
-	user, err := object.GetUserByFields(organization, userId)
+	applicationName := c.Input().Get("application")
+
+	application, err := object.GetApplication(fmt.Sprintf("admin/%s", applicationName))
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
-
+	if application == nil {
-	captchaEnabled := false
+		c.ResponseError("application not found")
-	if user != nil {
+		return
-		var failedSigninLimit int
-		failedSigninLimit, _, err = object.GetFailedSigninConfigByUser(user)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		if user.SigninWrongTimes >= failedSigninLimit {
-			captchaEnabled = true
-		}
 	}
 
+	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
+	captchaEnabled, err := object.CheckToEnableCaptcha(application, organization, userId, clientIp)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 	c.ResponseOk(captchaEnabled)
+	return
 }
 
 // Callback

controllers/group_upload.go

@@ -0,0 +1,56 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+func (c *ApiController) UploadGroups() {
+	userId := c.GetSessionUsername()
+	owner, user := util.GetOwnerAndNameFromId(userId)
+
+	file, header, err := c.Ctx.Request.FormFile("file")
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	fileId := fmt.Sprintf("%s_%s_%s", owner, user, util.RemoveExt(header.Filename))
+	path := util.GetUploadXlsxPath(fileId)
+	defer os.Remove(path)
+
+	err = saveFile(path, &file)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	affected, err := object.UploadGroups(owner, path)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if affected {
+		c.ResponseOk()
+	} else {
+		c.ResponseError(c.T("general:Failed to import groups"))
+	}
+}

controllers/mfa.go

@@ -58,6 +58,12 @@ func (c *ApiController) MfaSetupInitiate() {
 		return
 	}
 
+	organization, err := object.GetOrganizationByUser(user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	mfaProps, err := MfaUtil.Initiate(user.GetId())
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -66,6 +72,7 @@ func (c *ApiController) MfaSetupInitiate() {
 
 	recoveryCode := uuid.NewString()
 	mfaProps.RecoveryCodes = []string{recoveryCode}
+	mfaProps.MfaRememberInHours = organization.MfaRememberInHours
 
 	resp := mfaProps
 	c.ResponseOk(resp)

controllers/organization.go

@@ -98,6 +98,10 @@ func (c *ApiController) GetOrganization() {
 		return
 	}
 
+	if organization != nil && organization.MfaRememberInHours == 0 {
+		organization.MfaRememberInHours = 12
+	}
+
 	c.ResponseOk(organization)
 }
 

controllers/permission_upload.go

@@ -49,6 +49,6 @@ func (c *ApiController) UploadPermissions() {
 	if affected {
 		c.ResponseOk()
 	} else {
-		c.ResponseError(c.T("user_upload:Failed to import users"))
+		c.ResponseError(c.T("general:Failed to import users"))
 	}
 }

controllers/product.go

@@ -182,7 +182,7 @@ func (c *ApiController) BuyProduct() {
 	paidUserName := c.Input().Get("userName")
 	owner, _ := util.GetOwnerAndNameFromId(id)
 	userId := util.GetId(owner, paidUserName)
-	if paidUserName != "" && !c.IsAdmin() {
+	if paidUserName != "" && paidUserName != c.GetSessionUsername() && !c.IsAdmin() {
 		c.ResponseError(c.T("general:Only admin user can specify user"))
 		return
 	}

controllers/role_upload.go

@@ -49,6 +49,6 @@ func (c *ApiController) UploadRoles() {
 	if affected {
 		c.ResponseOk()
 	} else {
-		c.ResponseError(c.T("user_upload:Failed to import users"))
+		c.ResponseError(c.T("general:Failed to import users"))
 	}
 }

controllers/service.go

@@ -140,6 +140,9 @@ func (c *ApiController) SendEmail() {
 	}
 	content = strings.Replace(content, "%{user.friendlyName}", userString, 1)
 
+	matchContent := object.ResetLinkReg.Find([]byte(content))
+	content = strings.Replace(content, string(matchContent), "", -1)
+
 	for _, receiver := range emailForm.Receivers {
 		err = object.SendEmail(provider, emailForm.Title, content, receiver, emailForm.Sender)
 		if err != nil {

controllers/token.go

@@ -16,6 +16,7 @@ package controllers
 
 import (
 	"encoding/json"
+	"fmt"
 	"time"
 
 	"github.com/beego/beego/utils/pagination"
@@ -460,7 +461,18 @@ func (c *ApiController) IntrospectToken() {
 	}
 
 	if token != nil {
+		application, err = object.GetApplication(fmt.Sprintf("%s/%s", token.Owner, token.Application))
+		if err != nil {
+			c.ResponseTokenError(err.Error())
+			return
+		}
+		if application == nil {
+			c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), token.Application))
+			return
+		}
+
 		introspectionResponse.TokenType = token.TokenType
+		introspectionResponse.ClientId = application.ClientId
 	}
 
 	c.Data["json"] = introspectionResponse

controllers/user.go

@@ -574,7 +574,7 @@ func (c *ApiController) SetPassword() {
 	targetUser.LastChangePasswordTime = util.GetCurrentTime()
 
 	if user.Ldap == "" {
-		_, err = object.UpdateUser(userId, targetUser, []string{"password", "need_update_password", "password_type", "last_change_password_time"}, false)
+		_, err = object.UpdateUser(userId, targetUser, []string{"password", "password_salt", "need_update_password", "password_type", "last_change_password_time"}, false)
 	} else {
 		if isAdmin {
 			err = object.ResetLdapPassword(targetUser, "", newPassword, c.GetAcceptLanguage())

controllers/user_upload.go

@@ -67,6 +67,6 @@ func (c *ApiController) UploadUsers() {
 	if affected {
 		c.ResponseOk()
 	} else {
-		c.ResponseError(c.T("user_upload:Failed to import users"))
+		c.ResponseError(c.T("general:Failed to import users"))
 	}
 }

controllers/verification.go

@@ -258,7 +258,7 @@ func (c *ApiController) SendVerificationCode() {
 			return
 		}
 
-		sendResp = object.SendVerificationCodeToEmail(organization, user, provider, clientIp, vform.Dest)
+		sendResp = object.SendVerificationCodeToEmail(organization, user, provider, clientIp, vform.Dest, vform.Method, c.Ctx.Request.Host, application.Name)
 	case object.VerifyTypePhone:
 		if vform.Method == LoginVerification || vform.Method == ForgetVerification {
 			if user != nil && util.GetMaskedPhone(user.Phone) == vform.Dest {

cred/argon2id.go

@@ -23,7 +23,7 @@ func NewArgon2idCredManager() *Argon2idCredManager {
 	return cm
 }
 
-func (cm *Argon2idCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+func (cm *Argon2idCredManager) GetHashedPassword(password string, salt string) string {
 	hash, err := argon2id.CreateHash(password, argon2id.DefaultParams)
 	if err != nil {
 		return ""
@@ -31,7 +31,7 @@ func (cm *Argon2idCredManager) GetHashedPassword(password string, userSalt strin
 	return hash
 }
 
-func (cm *Argon2idCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
+func (cm *Argon2idCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, salt string) bool {
 	match, _ := argon2id.ComparePasswordAndHash(plainPwd, hashedPwd)
 	return match
 }

cred/bcrypt.go

@@ -9,7 +9,7 @@ func NewBcryptCredManager() *BcryptCredManager {
 	return cm
 }
 
-func (cm *BcryptCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+func (cm *BcryptCredManager) GetHashedPassword(password string, salt string) string {
 	bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
 	if err != nil {
 		return ""
@@ -17,7 +17,7 @@ func (cm *BcryptCredManager) GetHashedPassword(password string, userSalt string,
 	return string(bytes)
 }
 
-func (cm *BcryptCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
+func (cm *BcryptCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, salt string) bool {
 	err := bcrypt.CompareHashAndPassword([]byte(hashedPwd), []byte(plainPwd))
 	return err == nil
 }

cred/manager.go

@@ -15,8 +15,8 @@
 package cred
 
 type CredManager interface {
-	GetHashedPassword(password string, userSalt string, organizationSalt string) string
+	GetHashedPassword(password string, salt string) string
-	IsPasswordCorrect(password string, passwordHash string, userSalt string, organizationSalt string) bool
+	IsPasswordCorrect(password string, passwordHash string, salt string) bool
 }
 
 func GetCredManager(passwordType string) CredManager {

cred/md5-user-salt.go

@@ -37,14 +37,10 @@ func NewMd5UserSaltCredManager() *Md5UserSaltCredManager {
 	return cm
 }
 
-func (cm *Md5UserSaltCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+func (cm *Md5UserSaltCredManager) GetHashedPassword(password string, salt string) string {
-	res := getMd5HexDigest(password)
+	return getMd5HexDigest(getMd5HexDigest(password) + salt)
-	if userSalt != "" {
-		res = getMd5HexDigest(res + userSalt)
-	}
-	return res
 }
 
-func (cm *Md5UserSaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
+func (cm *Md5UserSaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, salt string) bool {
-	return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt, organizationSalt)
+	return hashedPwd == cm.GetHashedPassword(plainPwd, salt)
 }

cred/pbkdf2-salt.go

@@ -28,13 +28,13 @@ func NewPbkdf2SaltCredManager() *Pbkdf2SaltCredManager {
 	return cm
 }
 
-func (cm *Pbkdf2SaltCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+func (cm *Pbkdf2SaltCredManager) GetHashedPassword(password string, salt string) string {
 	// https://www.keycloak.org/docs/latest/server_admin/index.html#password-database-compromised
-	decodedSalt, _ := base64.StdEncoding.DecodeString(userSalt)
+	decodedSalt, _ := base64.StdEncoding.DecodeString(salt)
 	res := pbkdf2.Key([]byte(password), decodedSalt, 27500, 64, sha256.New)
 	return base64.StdEncoding.EncodeToString(res)
 }
 
-func (cm *Pbkdf2SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
+func (cm *Pbkdf2SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, salt string) bool {
-	return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt, organizationSalt)
+	return hashedPwd == cm.GetHashedPassword(plainPwd, salt)
 }

cred/pbkdf2_django.go

@@ -32,12 +32,8 @@ func NewPbkdf2DjangoCredManager() *Pbkdf2DjangoCredManager {
 	return cm
 }
 
-func (m *Pbkdf2DjangoCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+func (m *Pbkdf2DjangoCredManager) GetHashedPassword(password string, salt string) string {
 	iterations := 260000
-	salt := userSalt
-	if salt == "" {
-		salt = organizationSalt
-	}
 
 	saltBytes := []byte(salt)
 	passwordBytes := []byte(password)
@@ -46,7 +42,7 @@ func (m *Pbkdf2DjangoCredManager) GetHashedPassword(password string, userSalt st
 	return "pbkdf2_sha256$" + strconv.Itoa(iterations) + "$" + salt + "$" + hashBase64
 }
 
-func (m *Pbkdf2DjangoCredManager) IsPasswordCorrect(password string, passwordHash string, userSalt string, organizationSalt string) bool {
+func (m *Pbkdf2DjangoCredManager) IsPasswordCorrect(password string, passwordHash string, _salt string) bool {
 	parts := strings.Split(passwordHash, "$")
 	if len(parts) != 4 {
 		return false

cred/plain.go

@@ -21,10 +21,10 @@ func NewPlainCredManager() *PlainCredManager {
 	return cm
 }
 
-func (cm *PlainCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+func (cm *PlainCredManager) GetHashedPassword(password string, salt string) string {
 	return password
 }
 
-func (cm *PlainCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
+func (cm *PlainCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, salt string) bool {
 	return hashedPwd == plainPwd
 }

cred/sha256-salt.go

@@ -37,14 +37,10 @@ func NewSha256SaltCredManager() *Sha256SaltCredManager {
 	return cm
 }
 
-func (cm *Sha256SaltCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+func (cm *Sha256SaltCredManager) GetHashedPassword(password string, salt string) string {
-	res := getSha256HexDigest(password)
+	return getSha256HexDigest(getSha256HexDigest(password) + salt)
-	if organizationSalt != "" {
-		res = getSha256HexDigest(res + organizationSalt)
-	}
-	return res
 }
 
-func (cm *Sha256SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
+func (cm *Sha256SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, salt string) bool {
-	return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt, organizationSalt)
+	return hashedPwd == cm.GetHashedPassword(plainPwd, salt)
 }

cred/sha256-salt_test.go

@@ -23,12 +23,12 @@ func TestGetSaltedPassword(t *testing.T) {
 	password := "123456"
 	salt := "123"
 	cm := NewSha256SaltCredManager()
-	fmt.Printf("%s -> %s\n", password, cm.GetHashedPassword(password, "", salt))
+	fmt.Printf("%s -> %s\n", password, cm.GetHashedPassword(password, salt))
 }
 
 func TestGetPassword(t *testing.T) {
 	password := "123456"
 	cm := NewSha256SaltCredManager()
 	// https://passwordsgenerator.net/sha256-hash-generator/
-	fmt.Printf("%s -> %s\n", "8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92", cm.GetHashedPassword(password, "", ""))
+	fmt.Printf("%s -> %s\n", "8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92", cm.GetHashedPassword(password, ""))
 }

cred/sha512-salt.go

@@ -37,14 +37,10 @@ func NewSha512SaltCredManager() *Sha512SaltCredManager {
 	return cm
 }
 
-func (cm *Sha512SaltCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+func (cm *Sha512SaltCredManager) GetHashedPassword(password string, salt string) string {
-	res := getSha512HexDigest(password)
+	return getSha512HexDigest(getSha512HexDigest(password) + salt)
-	if organizationSalt != "" {
-		res = getSha512HexDigest(res + organizationSalt)
-	}
-	return res
 }
 
-func (cm *Sha512SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
+func (cm *Sha512SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, salt string) bool {
-	return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt, organizationSalt)
+	return hashedPwd == cm.GetHashedPassword(plainPwd, salt)
 }

form/auth.go

@@ -61,9 +61,10 @@ type AuthForm struct {
 	CaptchaToken string `json:"captchaToken"`
 	ClientSecret string `json:"clientSecret"`
 
-	MfaType      string `json:"mfaType"`
+	MfaType           string `json:"mfaType"`
-	Passcode     string `json:"passcode"`
+	Passcode          string `json:"passcode"`
-	RecoveryCode string `json:"recoveryCode"`
+	RecoveryCode      string `json:"recoveryCode"`
+	EnableMfaRemember bool   `json:"enableMfaRemember"`
 
 	Plan    string `json:"plan"`
 	Pricing string `json:"pricing"`

i18n/locales/ar/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Failed to import users",
     "Missing parameter": "Missing parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Please login first",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "New password cannot contain blank space.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Failed to import users"
-  },
   "util": {
     "No application is found for userId: %s": "No application is found for userId: %s",
     "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",

i18n/locales/cs/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Nepodařilo se importovat uživatele",
     "Missing parameter": "Chybějící parametr",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Prosím, přihlaste se nejprve",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "Nové heslo nemůže obsahovat prázdné místo.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Nepodařilo se importovat uživatele"
-  },
   "util": {
     "No application is found for userId: %s": "Pro userId: %s nebyla nalezena žádná aplikace",
     "No provider for category: %s is found for application: %s": "Pro kategorii: %s nebyl nalezen žádný poskytovatel pro aplikaci: %s",

i18n/locales/de/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Fehler beim Importieren von Benutzern",
     "Missing parameter": "Fehlender Parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Bitte zuerst einloggen",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "Das neue Passwort darf keine Leerzeichen enthalten.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Fehler beim Importieren von Benutzern"
-  },
   "util": {
     "No application is found for userId: %s": "Es wurde keine Anwendung für die Benutzer-ID gefunden: %s",
     "No provider for category: %s is found for application: %s": "Kein Anbieter für die Kategorie %s gefunden für die Anwendung: %s",

i18n/locales/en/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Failed to import users",
     "Missing parameter": "Missing parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Please login first",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "New password cannot contain blank space.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Failed to import users"
-  },
   "util": {
     "No application is found for userId: %s": "No application is found for userId: %s",
     "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",

i18n/locales/es/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Error al importar usuarios",
     "Missing parameter": "Parámetro faltante",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Por favor, inicia sesión primero",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "La nueva contraseña no puede contener espacios en blanco.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Error al importar usuarios"
-  },
   "util": {
     "No application is found for userId: %s": "No se encuentra ninguna aplicación para el Id de usuario: %s",
     "No provider for category: %s is found for application: %s": "No se encuentra un proveedor para la categoría: %s para la aplicación: %s",

i18n/locales/fa/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "عدم موفقیت در وارد کردن کاربران",
     "Missing parameter": "پارامتر گمشده",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "لطفاً ابتدا وارد شوید",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "رمز عبور جدید نمی‌تواند حاوی فاصله خالی باشد.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "عدم موفقیت در وارد کردن کاربران"
-  },
   "util": {
     "No application is found for userId: %s": "هیچ برنامه‌ای برای userId: %s یافت نشد",
     "No provider for category: %s is found for application: %s": "هیچ ارائه‌دهنده‌ای برای دسته‌بندی: %s برای برنامه: %s یافت نشد",

i18n/locales/fi/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Failed to import users",
     "Missing parameter": "Missing parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Please login first",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "New password cannot contain blank space.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Failed to import users"
-  },
   "util": {
     "No application is found for userId: %s": "No application is found for userId: %s",
     "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",

i18n/locales/fr/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Échec de l'importation des utilisateurs",
     "Missing parameter": "Paramètre manquant",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Veuillez d'abord vous connecter",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "Le nouveau mot de passe ne peut pas contenir d'espace.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Échec de l'importation des utilisateurs"
-  },
   "util": {
     "No application is found for userId: %s": "Aucune application n'a été trouvée pour l'identifiant d'utilisateur : %s",
     "No provider for category: %s is found for application: %s": "Aucun fournisseur pour la catégorie: %s n'est trouvé pour l'application: %s",

i18n/locales/he/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Failed to import users",
     "Missing parameter": "Missing parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Please login first",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "New password cannot contain blank space.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Failed to import users"
-  },
   "util": {
     "No application is found for userId: %s": "No application is found for userId: %s",
     "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",

i18n/locales/id/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Gagal mengimpor pengguna",
     "Missing parameter": "Parameter hilang",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Silahkan login terlebih dahulu",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "Sandi baru tidak boleh mengandung spasi kosong.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Gagal mengimpor pengguna"
-  },
   "util": {
     "No application is found for userId: %s": "Tidak ditemukan aplikasi untuk userId: %s",
     "No provider for category: %s is found for application: %s": "Tidak ditemukan penyedia untuk kategori: %s untuk aplikasi: %s",

i18n/locales/it/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Failed to import users",
     "Missing parameter": "Missing parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Please login first",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "New password cannot contain blank space.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Failed to import users"
-  },
   "util": {
     "No application is found for userId: %s": "No application is found for userId: %s",
     "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",

i18n/locales/ja/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "ユーザーのインポートに失敗しました",
     "Missing parameter": "不足しているパラメーター",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "最初にログインしてください",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "新しいパスワードにはスペースを含めることはできません。",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "ユーザーのインポートに失敗しました"
-  },
   "util": {
     "No application is found for userId: %s": "ユーザーIDに対するアプリケーションが見つかりません： %s",
     "No provider for category: %s is found for application: %s": "アプリケーション：%sのカテゴリ%sのプロバイダが見つかりません",

i18n/locales/kk/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Failed to import users",
     "Missing parameter": "Missing parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Please login first",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "New password cannot contain blank space.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Failed to import users"
-  },
   "util": {
     "No application is found for userId: %s": "No application is found for userId: %s",
     "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",

i18n/locales/ko/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "사용자 가져오기를 실패했습니다",
     "Missing parameter": "누락된 매개변수",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "먼저 로그인 하십시오",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "새 비밀번호에는 공백이 포함될 수 없습니다.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "사용자 가져오기를 실패했습니다"
-  },
   "util": {
     "No application is found for userId: %s": "어플리케이션을 찾을 수 없습니다. userId: %s",
     "No provider for category: %s is found for application: %s": "어플리케이션 %s에서 %s 카테고리를 위한 공급자가 찾을 수 없습니다",

i18n/locales/ms/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Failed to import users",
     "Missing parameter": "Missing parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Please login first",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "New password cannot contain blank space.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Failed to import users"
-  },
   "util": {
     "No application is found for userId: %s": "No application is found for userId: %s",
     "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",

i18n/locales/nl/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Failed to import users",
     "Missing parameter": "Missing parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Please login first",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "New password cannot contain blank space.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Failed to import users"
-  },
   "util": {
     "No application is found for userId: %s": "No application is found for userId: %s",
     "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",

i18n/locales/pl/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Failed to import users",
     "Missing parameter": "Missing parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Please login first",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "New password cannot contain blank space.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Failed to import users"
-  },
   "util": {
     "No application is found for userId: %s": "No application is found for userId: %s",
     "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",

i18n/locales/pt/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Falha ao importar usuários",
     "Missing parameter": "Missing parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Please login first",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "New password cannot contain blank space.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Falha ao importar usuários"
-  },
   "util": {
     "No application is found for userId: %s": "No application is found for userId: %s",
     "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",

i18n/locales/ru/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Не удалось импортировать пользователей",
     "Missing parameter": "Отсутствующий параметр",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Пожалуйста, сначала войдите в систему",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "Новый пароль не может содержать пробелы.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Не удалось импортировать пользователей"
-  },
   "util": {
     "No application is found for userId: %s": "Не найдено заявки для пользователя с идентификатором: %s",
     "No provider for category: %s is found for application: %s": "Нет провайдера для категории: %s для приложения: %s",

i18n/locales/sk/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Nepodarilo sa importovať používateľov",
     "Missing parameter": "Chýbajúci parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Najskôr sa prosím prihláste",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "Nové heslo nemôže obsahovať medzery.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Nepodarilo sa importovať používateľov"
-  },
   "util": {
     "No application is found for userId: %s": "Nebola nájdená žiadna aplikácia pre userId: %s",
     "No provider for category: %s is found for application: %s": "Pre aplikáciu: %s nebol nájdený žiadny poskytovateľ pre kategóriu: %s",

i18n/locales/sv/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Failed to import users",
     "Missing parameter": "Missing parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Please login first",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "New password cannot contain blank space.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Failed to import users"
-  },
   "util": {
     "No application is found for userId: %s": "No application is found for userId: %s",
     "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",

i18n/locales/tr/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Failed to import users",
     "Missing parameter": "Missing parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Please login first",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "Yeni şifreniz boşluk karakteri içeremez.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Failed to import users"
-  },
   "util": {
     "No application is found for userId: %s": "No application is found for userId: %s",
     "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",

i18n/locales/uk/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Failed to import users",
     "Missing parameter": "Missing parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Please login first",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "New password cannot contain blank space.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Failed to import users"
-  },
   "util": {
     "No application is found for userId: %s": "No application is found for userId: %s",
     "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",

i18n/locales/vi/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "the adapter: %s is not found"
   },
   "general": {
+    "Failed to import groups": "Failed to import groups",
+    "Failed to import users": "Không thể nhập người dùng",
     "Missing parameter": "Thiếu tham số",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Vui lòng đăng nhập trước",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "Mật khẩu mới không thể chứa dấu trắng.",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
-  "user_upload": {
-    "Failed to import users": "Không thể nhập người dùng"
-  },
   "util": {
     "No application is found for userId: %s": "Không tìm thấy ứng dụng cho ID người dùng: %s",
     "No provider for category: %s is found for application: %s": "Không tìm thấy nhà cung cấp cho danh mục: %s cho ứng dụng: %s",

i18n/locales/zh/data.json

@@ -92,6 +92,8 @@
     "the adapter: %s is not found": "适配器: %s 未找到"
   },
   "general": {
+    "Failed to import groups": "导入群组失败",
+    "Failed to import users": "导入用户失败",
     "Missing parameter": "缺少参数",
     "Only admin user can specify user": "仅管理员用户可以指定用户",
     "Please login first": "请先登录",
@@ -162,9 +164,6 @@
     "New password cannot contain blank space.": "新密码不可以包含空格",
     "the user's owner and name should not be empty": "用户的组织和名称不能为空"
   },
-  "user_upload": {
-    "Failed to import users": "导入用户失败"
-  },
   "util": {
     "No application is found for userId: %s": "未找到用户: %s的应用",
     "No provider for category: %s is found for application: %s": "未找到类别为: %s的提供商来满足应用: %s",

idp/douyin.go

@@ -190,7 +190,7 @@ func (idp *DouyinIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 
 	userInfo := UserInfo{
 		Id:          douyinUserInfo.Data.OpenId,
-		Username:    douyinUserInfo.Data.Nickname,
+		Username:    douyinUserInfo.Data.OpenId,
 		DisplayName: douyinUserInfo.Data.Nickname,
 		AvatarUrl:   douyinUserInfo.Data.Avatar,
 	}

idp/lark.go

@@ -27,16 +27,22 @@ import (
 )
 
 type LarkIdProvider struct {
-	Client *http.Client
+	Client     *http.Client
-	Config *oauth2.Config
+	Config     *oauth2.Config
+	LarkDomain string
 }
 
-func NewLarkIdProvider(clientId string, clientSecret string, redirectUrl string) *LarkIdProvider {
+func NewLarkIdProvider(clientId string, clientSecret string, redirectUrl string, useGlobalEndpoint bool) *LarkIdProvider {
 	idp := &LarkIdProvider{}
 
+	if useGlobalEndpoint {
+		idp.LarkDomain = "https://open.larksuite.com"
+	} else {
+		idp.LarkDomain = "https://open.feishu.cn"
+	}
+
 	config := idp.getConfig(clientId, clientSecret, redirectUrl)
 	idp.Config = config
-
 	return idp
 }
 
@@ -47,7 +53,7 @@ func (idp *LarkIdProvider) SetHttpClient(client *http.Client) {
 // getConfig return a point of Config, which describes a typical 3-legged OAuth2 flow
 func (idp *LarkIdProvider) getConfig(clientId string, clientSecret string, redirectUrl string) *oauth2.Config {
 	endpoint := oauth2.Endpoint{
-		TokenURL: "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal",
+		TokenURL: idp.LarkDomain + "/open-apis/auth/v3/tenant_access_token/internal",
 	}
 
 	config := &oauth2.Config{
@@ -162,6 +168,7 @@ type LarkUserInfo struct {
 	} `json:"data"`
 }
 
+// GetUserInfo use LarkAccessToken gotten before return LinkedInUserInf
 // GetUserInfo use LarkAccessToken gotten before return LinkedInUserInfo
 // get more detail via: https://docs.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin?context=linkedin/consumer/context
 func (idp *LarkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
@@ -175,7 +182,7 @@ func (idp *LarkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 		return nil, err
 	}
 
-	req, err := http.NewRequest("POST", "https://open.feishu.cn/open-apis/authen/v1/access_token", strings.NewReader(string(data)))
+	req, err := http.NewRequest("POST", idp.LarkDomain+"/open-apis/authen/v1/access_token", strings.NewReader(string(data)))
 	if err != nil {
 		return nil, err
 	}

idp/provider.go

@@ -87,7 +87,7 @@ func GetIdProvider(idpInfo *ProviderInfo, redirectUrl string) (IdProvider, error
 			return nil, fmt.Errorf("WeCom provider subType: %s is not supported", idpInfo.SubType)
 		}
 	case "Lark":
-		return NewLarkIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
+		return NewLarkIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.DisableSsl), nil
 	case "GitLab":
 		return NewGitlabIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "ADFS":

main.go

@@ -45,6 +45,7 @@ func main() {
 	object.InitUserManager()
 	object.InitFromFile()
 	object.InitCasvisorConfig()
+	object.InitCleanupTokens()
 
 	util.SafeGoroutine(func() { object.RunSyncUsersJob() })
 	util.SafeGoroutine(func() { controllers.InitCLIDownloader() })

object/check.go

@@ -220,10 +220,15 @@ func checkSigninErrorTimes(user *User, lang string) error {
 }
 
 func CheckPassword(user *User, password string, lang string, options ...bool) error {
+	if password == "" {
+		return fmt.Errorf(i18n.Translate(lang, "check:Password cannot be empty"))
+	}
+
 	enableCaptcha := false
 	if len(options) > 0 {
 		enableCaptcha = options[0]
 	}
+
 	// check the login error times
 	if !enableCaptcha {
 		err := checkSigninErrorTimes(user, lang)
@@ -236,35 +241,41 @@ func CheckPassword(user *User, password string, lang string, options ...bool) er
 	if err != nil {
 		return err
 	}
-
 	if organization == nil {
 		return fmt.Errorf(i18n.Translate(lang, "check:Organization does not exist"))
 	}
 
-	if password == "" {
-		return fmt.Errorf(i18n.Translate(lang, "check:Password cannot be empty"))
-	}
-
 	passwordType := user.PasswordType
 	if passwordType == "" {
 		passwordType = organization.PasswordType
 	}
-	credManager := cred.GetCredManager(passwordType)
-	if credManager != nil {
-		if organization.MasterPassword != "" {
-			if password == organization.MasterPassword || credManager.IsPasswordCorrect(password, organization.MasterPassword, "", organization.PasswordSalt) {
-				return resetUserSigninErrorTimes(user)
-			}
-		}
 
-		if credManager.IsPasswordCorrect(password, user.Password, user.PasswordSalt, organization.PasswordSalt) {
+	credManager := cred.GetCredManager(passwordType)
+	if credManager == nil {
+		return fmt.Errorf(i18n.Translate(lang, "check:unsupported password type: %s"), passwordType)
+	}
+
+	if organization.MasterPassword != "" {
+		if password == organization.MasterPassword || credManager.IsPasswordCorrect(password, organization.MasterPassword, organization.PasswordSalt) {
 			return resetUserSigninErrorTimes(user)
 		}
-
-		return recordSigninErrorInfo(user, lang, enableCaptcha)
-	} else {
-		return fmt.Errorf(i18n.Translate(lang, "check:unsupported password type: %s"), organization.PasswordType)
 	}
+
+	if !credManager.IsPasswordCorrect(password, user.Password, organization.PasswordSalt) && !credManager.IsPasswordCorrect(password, user.Password, user.PasswordSalt) {
+		return recordSigninErrorInfo(user, lang, enableCaptcha)
+	}
+
+	isOutdated := passwordType != organization.PasswordType
+	if isOutdated {
+		user.Password = password
+		user.UpdateUserPassword(organization)
+		_, err = UpdateUser(user.GetId(), user, []string{"password", "password_type", "password_salt"}, true)
+		if err != nil {
+			return err
+		}
+	}
+
+	return resetUserSigninErrorTimes(user)
 }
 
 func CheckPasswordComplexityByOrg(organization *Organization, password string) string {
@@ -593,31 +604,41 @@ func CheckUpdateUser(oldUser, user *User, lang string) string {
 	return ""
 }
 
-func CheckToEnableCaptcha(application *Application, organization, username string) (bool, error) {
+func CheckToEnableCaptcha(application *Application, organization, username string, clientIp string) (bool, error) {
 	if len(application.Providers) == 0 {
 		return false, nil
 	}
 
 	for _, providerItem := range application.Providers {
-		if providerItem.Provider == nil {
+		if providerItem.Provider == nil || providerItem.Provider.Category != "Captcha" {
 			continue
 		}
-		if providerItem.Provider.Category == "Captcha" {
+
-			if providerItem.Rule == "Dynamic" {
+		if providerItem.Rule == "Internet-Only" {
-				user, err := GetUserByFields(organization, username)
+			if util.IsInternetIp(clientIp) {
+				return true, nil
+			}
+		}
+
+		if providerItem.Rule == "Dynamic" {
+			user, err := GetUserByFields(organization, username)
+			if err != nil {
+				return false, err
+			}
+
+			if user != nil {
+				failedSigninLimit, _, err := GetFailedSigninConfigByUser(user)
 				if err != nil {
 					return false, err
 				}
 
-				failedSigninLimit := application.FailedSigninLimit
+				return user.SigninWrongTimes >= failedSigninLimit, nil
-				if failedSigninLimit == 0 {
-					failedSigninLimit = DefaultFailedSigninLimit
-				}
-
-				return user != nil && user.SigninWrongTimes >= failedSigninLimit, nil
 			}
-			return providerItem.Rule == "Always", nil
+
+			return false, nil
 		}
+
+		return providerItem.Rule == "Always", nil
 	}
 
 	return false, nil

object/get-dashboard.go

@@ -103,7 +103,7 @@ func GetDashboard(owner string) (*map[string][]int64, error) {
 func countCreatedBefore(dashboardMapItem DashboardMapItem, before time.Time) int64 {
 	count := dashboardMapItem.itemCount
 	for _, e := range dashboardMapItem.dashboardDateItems {
-		createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", e.CreatedTime)
+		createdTime, _ := time.Parse(time.RFC3339, e.CreatedTime)
 		if createdTime.Before(before) {
 			count++
 		}

object/group.go

@@ -181,6 +181,41 @@ func AddGroups(groups []*Group) (bool, error) {
 	return affected != 0, nil
 }
 
+func AddGroupsInBatch(groups []*Group) (bool, error) {
+	if len(groups) == 0 {
+		return false, nil
+	}
+
+	session := ormer.Engine.NewSession()
+	defer session.Close()
+	err := session.Begin()
+	if err != nil {
+		return false, err
+	}
+
+	for _, group := range groups {
+		err = checkGroupName(group.Name)
+		if err != nil {
+			return false, err
+		}
+
+		affected, err := session.Insert(group)
+		if err != nil {
+			return false, err
+		}
+		if affected == 0 {
+			return false, nil
+		}
+	}
+
+	err = session.Commit()
+	if err != nil {
+		return false, err
+	}
+
+	return true, nil
+}
+
 func deleteGroup(group *Group) (bool, error) {
 	affected, err := ormer.Engine.ID(core.PK{group.Owner, group.Name}).Delete(&Group{})
 	if err != nil {

object/group_upload.go

@@ -0,0 +1,61 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"github.com/casdoor/casdoor/xlsx"
+)
+
+func getGroupMap(owner string) (map[string]*Group, error) {
+	m := map[string]*Group{}
+
+	groups, err := GetGroups(owner)
+	if err != nil {
+		return m, err
+	}
+
+	for _, group := range groups {
+		m[group.GetId()] = group
+	}
+
+	return m, nil
+}
+
+func UploadGroups(owner string, path string) (bool, error) {
+	table := xlsx.ReadXlsxFile(path)
+
+	oldGroupMap, err := getGroupMap(owner)
+	if err != nil {
+		return false, err
+	}
+
+	transGroups, err := StringArrayToStruct[Group](table)
+	if err != nil {
+		return false, err
+	}
+
+	newGroups := []*Group{}
+	for _, group := range transGroups {
+		if _, ok := oldGroupMap[group.GetId()]; !ok {
+			newGroups = append(newGroups, group)
+		}
+	}
+
+	if len(newGroups) == 0 {
+		return false, nil
+	}
+
+	return AddGroupsInBatch(newGroups)
+}

object/init_data_dump_test.go

@@ -20,6 +20,7 @@ package object
 import "testing"
 
 func TestDumpToFile(t *testing.T) {
+	createDatabase = false
 	InitConfig()
 
 	err := DumpToFile("./init_data_dump.json")

object/ldap_conn.go

@@ -260,15 +260,15 @@ func AutoAdjustLdapUser(users []LdapUser) []LdapUser {
 	res := make([]LdapUser, len(users))
 	for i, user := range users {
 		res[i] = LdapUser{
-			UidNumber:         user.UidNumber,
+			UidNumber:   user.UidNumber,
-			Uid:               user.Uid,
+			Uid:         user.Uid,
-			Cn:                user.Cn,
+			Cn:          user.Cn,
-			GroupId:           user.GidNumber,
+			GroupId:     user.GidNumber,
-			Uuid:              user.GetLdapUuid(),
+			Uuid:        user.GetLdapUuid(),
-			DisplayName:       user.DisplayName,
+			DisplayName: user.DisplayName,
-			Email:             util.ReturnAnyNotEmpty(user.Email, user.EmailAddress, user.Mail),
+			Email:       util.ReturnAnyNotEmpty(user.Email, user.EmailAddress, user.Mail),
-			Mobile:            util.ReturnAnyNotEmpty(user.Mobile, user.MobileTelephoneNumber, user.TelephoneNumber),
+			Mobile:      util.ReturnAnyNotEmpty(user.Mobile, user.MobileTelephoneNumber, user.TelephoneNumber),
-			RegisteredAddress: util.ReturnAnyNotEmpty(user.PostalAddress, user.RegisteredAddress),
+			Address:     util.ReturnAnyNotEmpty(user.Address, user.PostalAddress, user.RegisteredAddress),
 		}
 	}
 	return res

object/mfa.go

@@ -21,13 +21,14 @@ import (
 )
 
 type MfaProps struct {
-	Enabled       bool     `json:"enabled"`
+	Enabled            bool     `json:"enabled"`
-	IsPreferred   bool     `json:"isPreferred"`
+	IsPreferred        bool     `json:"isPreferred"`
-	MfaType       string   `json:"mfaType" form:"mfaType"`
+	MfaType            string   `json:"mfaType" form:"mfaType"`
-	Secret        string   `json:"secret,omitempty"`
+	Secret             string   `json:"secret,omitempty"`
-	CountryCode   string   `json:"countryCode,omitempty"`
+	CountryCode        string   `json:"countryCode,omitempty"`
-	URL           string   `json:"url,omitempty"`
+	URL                string   `json:"url,omitempty"`
-	RecoveryCodes []string `json:"recoveryCodes,omitempty"`
+	RecoveryCodes      []string `json:"recoveryCodes,omitempty"`
+	MfaRememberInHours int      `json:"mfaRememberInHours"`
 }
 
 type MfaInterface interface {

object/organization.go

@@ -84,8 +84,9 @@ type Organization struct {
 	NavItems               []string   `xorm:"varchar(1000)" json:"navItems"`
 	WidgetItems            []string   `xorm:"varchar(1000)" json:"widgetItems"`
 
-	MfaItems     []*MfaItem     `xorm:"varchar(300)" json:"mfaItems"`
+	MfaItems           []*MfaItem     `xorm:"varchar(300)" json:"mfaItems"`
-	AccountItems []*AccountItem `xorm:"varchar(5000)" json:"accountItems"`
+	MfaRememberInHours int            `json:"mfaRememberInHours"`
+	AccountItems       []*AccountItem `xorm:"varchar(5000)" json:"accountItems"`
 }
 
 func GetOrganizationCount(owner, name, field, value string) (int64, error) {
@@ -222,7 +223,7 @@ func UpdateOrganization(id string, organization *Organization, isGlobalAdmin boo
 	if organization.MasterPassword != "" && organization.MasterPassword != "***" {
 		credManager := cred.GetCredManager(organization.PasswordType)
 		if credManager != nil {
-			hashedPassword := credManager.GetHashedPassword(organization.MasterPassword, "", organization.PasswordSalt)
+			hashedPassword := credManager.GetHashedPassword(organization.MasterPassword, organization.PasswordSalt)
 			organization.MasterPassword = hashedPassword
 		}
 	}
@@ -536,7 +537,13 @@ func IsNeedPromptMfa(org *Organization, user *User) bool {
 	if org == nil || user == nil {
 		return false
 	}
-	for _, item := range org.MfaItems {
+
+	mfaItems := org.MfaItems
+
+	if len(user.MfaItems) > 0 {
+		mfaItems = user.MfaItems
+	}
+	for _, item := range mfaItems {
 		if item.Rule == "Required" {
 			if item.Name == EmailType && !user.MfaEmailEnabled {
 				return true

object/plan.go

@@ -49,17 +49,21 @@ func (plan *Plan) GetId() string {
 	return fmt.Sprintf("%s/%s", plan.Owner, plan.Name)
 }
 
-func GetDuration(period string) (startTime time.Time, endTime time.Time) {
+func getDuration(period string) (string, string, error) {
+	startTime := time.Now()
+	var endTime time.Time
+
 	if period == PeriodYearly {
-		startTime = time.Now()
 		endTime = startTime.AddDate(1, 0, 0)
 	} else if period == PeriodMonthly {
-		startTime = time.Now()
 		endTime = startTime.AddDate(0, 1, 0)
 	} else {
-		panic(fmt.Sprintf("invalid period: %s", period))
+		return "", "", fmt.Errorf("invalid period: %s", period)
 	}
-	return
+
+	startTimeString := startTime.Format(time.RFC3339)
+	endTimeString := endTime.Format(time.RFC3339)
+	return startTimeString, endTimeString, nil
 }
 
 func GetPlanCount(owner, field, value string) (int64, error) {

object/product.go

@@ -42,6 +42,7 @@ type Product struct {
 	IsRecharge  bool     `json:"isRecharge"`
 	Providers   []string `xorm:"varchar(255)" json:"providers"`
 	ReturnUrl   string   `xorm:"varchar(1000)" json:"returnUrl"`
+	SuccessUrl  string   `xorm:"varchar(1000)" json:"successUrl"`
 
 	State string `xorm:"varchar(100)" json:"state"`
 
@@ -205,14 +206,24 @@ func BuyProduct(id string, user *User, providerName, pricingName, planName, host
 			if plan == nil {
 				return nil, nil, fmt.Errorf("the plan: %s does not exist", planName)
 			}
-			sub := NewSubscription(owner, user.Name, plan.Name, paymentName, plan.Period)
+
+			sub, err := NewSubscription(owner, user.Name, plan.Name, paymentName, plan.Period)
+			if err != nil {
+				return nil, nil, err
+			}
+
 			_, err = AddSubscription(sub)
 			if err != nil {
 				return nil, nil, err
 			}
+
 			returnUrl = fmt.Sprintf("%s/buy-plan/%s/%s/result?subscription=%s", originFrontend, owner, pricingName, sub.Name)
 		}
 	}
+
+	if product.SuccessUrl != "" {
+		returnUrl = fmt.Sprintf("%s?transactionOwner=%s&transactionName=%s", product.SuccessUrl, owner, paymentName)
+	}
 	// Create an order
 	payReq := &pp.PayReq{
 		ProviderName:       providerName,

object/subscription.go

@@ -48,8 +48,8 @@ type Subscription struct {
 	Plan    string `xorm:"varchar(100)" json:"plan"`
 	Payment string `xorm:"varchar(100)" json:"payment"`
 
-	StartTime time.Time         `json:"startTime"`
+	StartTime string            `xorm:"varchar(100)" json:"startTime"`
-	EndTime   time.Time         `json:"endTime"`
+	EndTime   string            `xorm:"varchar(100)" json:"endTime"`
 	Period    string            `xorm:"varchar(100)" json:"period"`
 	State     SubscriptionState `xorm:"varchar(100)" json:"state"`
 }
@@ -84,9 +84,19 @@ func (sub *Subscription) UpdateState() error {
 	}
 
 	if sub.State == SubStateActive || sub.State == SubStateUpcoming || sub.State == SubStateExpired {
-		if sub.EndTime.Before(time.Now()) {
+		startTime, err := time.Parse(time.RFC3339, sub.StartTime)
+		if err != nil {
+			return err
+		}
+
+		endTime, err := time.Parse(time.RFC3339, sub.EndTime)
+		if err != nil {
+			return err
+		}
+
+		if endTime.Before(time.Now()) {
 			sub.State = SubStateExpired
-		} else if sub.StartTime.After(time.Now()) {
+		} else if startTime.After(time.Now()) {
 			sub.State = SubStateUpcoming
 		} else {
 			sub.State = SubStateActive
@@ -103,10 +113,15 @@ func (sub *Subscription) UpdateState() error {
 	return nil
 }
 
-func NewSubscription(owner, userName, planName, paymentName, period string) *Subscription {
+func NewSubscription(owner, userName, planName, paymentName, period string) (*Subscription, error) {
-	startTime, endTime := GetDuration(period)
+	startTime, endTime, err := getDuration(period)
+	if err != nil {
+		return nil, err
+	}
+
 	id := util.GenerateId()[:6]
-	return &Subscription{
+
+	res := &Subscription{
 		Owner:       owner,
 		Name:        "sub_" + id,
 		DisplayName: "New Subscription - " + id,
@@ -121,6 +136,7 @@ func NewSubscription(owner, userName, planName, paymentName, period string) *Sub
 		Period:    period,
 		State:     SubStatePending, // waiting for payment complete
 	}
+	return res, nil
 }
 
 func GetSubscriptionCount(owner, field, value string) (int64, error) {

object/token_cleanup.go

@@ -0,0 +1,93 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/robfig/cron/v3"
+)
+
+func CleanupTokens(tokenRetentionIntervalAfterExpiry int) error {
+	var sessions []*Token
+	err := ormer.Engine.Find(&sessions)
+	if err != nil {
+		return fmt.Errorf("failed to query expired tokens: %w", err)
+	}
+
+	currentTime := time.Now()
+	deletedCount := 0
+
+	for _, session := range sessions {
+		tokenString := session.AccessToken
+		token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
+		if err != nil {
+			fmt.Printf("Failed to parse token %s: %v\n", session.Name, err)
+			continue
+		}
+
+		if claims, ok := token.Claims.(jwt.MapClaims); ok {
+			exp, ok := claims["exp"].(float64)
+			if !ok {
+				fmt.Printf("Token %s does not have an 'exp' claim\n", session.Name)
+				continue
+			}
+			expireTime := time.Unix(int64(exp), 0)
+			tokenAfterExpiry := currentTime.Sub(expireTime).Seconds()
+			if tokenAfterExpiry > float64(tokenRetentionIntervalAfterExpiry) {
+				_, err = ormer.Engine.Delete(session)
+				if err != nil {
+					return fmt.Errorf("failed to delete expired token %s: %w", session.Name, err)
+				}
+				fmt.Printf("[%d] Deleted expired token: %s | Created: %s | Org: %s | App: %s | User: %s\n",
+					deletedCount, session.Name, session.CreatedTime, session.Organization, session.Application, session.User)
+				deletedCount++
+			}
+		} else {
+			fmt.Printf("Token %s is not valid\n", session.Name)
+		}
+	}
+	return nil
+}
+
+func getTokenRetentionInterval(days int) int {
+	if days <= 0 {
+		days = 30
+	}
+	return days * 24 * 3600
+}
+
+func InitCleanupTokens() {
+	schedule := "0 0 * * *"
+	interval := getTokenRetentionInterval(30)
+
+	if err := CleanupTokens(interval); err != nil {
+		fmt.Printf("Error cleaning up tokens at startup: %v\n", err)
+	}
+
+	cronJob := cron.New()
+	_, err := cronJob.AddFunc(schedule, func() {
+		if err := CleanupTokens(interval); err != nil {
+			fmt.Printf("Error cleaning up tokens: %v\n", err)
+		}
+	})
+	if err != nil {
+		fmt.Printf("Error scheduling token cleanup: %v\n", err)
+		return
+	}
+	cronJob.Start()
+}

object/user.go

@@ -210,10 +210,12 @@ type User struct {
 	LastSigninWrongTime    string `xorm:"varchar(100)" json:"lastSigninWrongTime"`
 	SigninWrongTimes       int    `json:"signinWrongTimes"`
 
-	ManagedAccounts    []ManagedAccount `xorm:"managedAccounts blob" json:"managedAccounts"`
+	ManagedAccounts     []ManagedAccount `xorm:"managedAccounts blob" json:"managedAccounts"`
-	MfaAccounts        []MfaAccount     `xorm:"mfaAccounts blob" json:"mfaAccounts"`
+	MfaAccounts         []MfaAccount     `xorm:"mfaAccounts blob" json:"mfaAccounts"`
-	NeedUpdatePassword bool             `json:"needUpdatePassword"`
+	MfaItems            []*MfaItem       `xorm:"varchar(300)" json:"mfaItems"`
-	IpWhitelist        string           `xorm:"varchar(200)" json:"ipWhitelist"`
+	MfaRememberDeadline string           `xorm:"varchar(100)" json:"mfaRememberDeadline"`
+	NeedUpdatePassword  bool             `json:"needUpdatePassword"`
+	IpWhitelist         string           `xorm:"varchar(200)" json:"ipWhitelist"`
 }
 
 type Userinfo struct {
@@ -791,11 +793,11 @@ func UpdateUser(id string, user *User, columns []string, isAdmin bool) (bool, er
 			"eveonline", "fitbit", "gitea", "heroku", "influxcloud", "instagram", "intercom", "kakao", "lastfm", "mailru", "meetup",
 			"microsoftonline", "naver", "nextcloud", "onedrive", "oura", "patreon", "paypal", "salesforce", "shopify", "soundcloud",
 			"spotify", "strava", "stripe", "type", "tiktok", "tumblr", "twitch", "twitter", "typetalk", "uber", "vk", "wepay", "xero", "yahoo",
-			"yammer", "yandex", "zoom", "custom", "need_update_password", "ip_whitelist",
+			"yammer", "yandex", "zoom", "custom", "need_update_password", "ip_whitelist", "mfa_items", "mfa_remember_deadline",
 		}
 	}
 	if isAdmin {
-		columns = append(columns, "name", "id", "email", "phone", "country_code", "type", "balance")
+		columns = append(columns, "name", "id", "email", "phone", "country_code", "type", "balance", "mfa_items")
 	}
 
 	columns = append(columns, "updated_time")

object/user_cred.go

@@ -42,8 +42,9 @@ func (user *User) UpdateUserHash() error {
 func (user *User) UpdateUserPassword(organization *Organization) {
 	credManager := cred.GetCredManager(organization.PasswordType)
 	if credManager != nil {
-		hashedPassword := credManager.GetHashedPassword(user.Password, user.PasswordSalt, organization.PasswordSalt)
+		hashedPassword := credManager.GetHashedPassword(user.Password, organization.PasswordSalt)
 		user.Password = hashedPassword
 		user.PasswordType = organization.PasswordType
+		user.PasswordSalt = organization.PasswordSalt
 	}
 }

object/user_upload.go

@@ -81,7 +81,7 @@ func UploadUsers(owner string, path string) (bool, error) {
 		return false, err
 	}
 
-	transUsers, err := StringArrayToUser(table)
+	transUsers, err := StringArrayToStruct[User](table)
 	if err != nil {
 		return false, err
 	}

object/user_util.go

@@ -724,14 +724,14 @@ func setReflectAttr[T any](fieldValue *reflect.Value, fieldString string) error
 	return nil
 }
 
-func StringArrayToUser(stringArray [][]string) ([]*User, error) {
+func StringArrayToStruct[T any](stringArray [][]string) ([]*T, error) {
 	fieldNames := stringArray[0]
 	excelMap := []map[string]string{}
-	userFieldMap := map[string]int{}
+	structFieldMap := map[string]int{}
 
-	reflectedUser := reflect.TypeOf(User{})
+	reflectedStruct := reflect.TypeOf(*new(T))
-	for i := 0; i < reflectedUser.NumField(); i++ {
+	for i := 0; i < reflectedStruct.NumField(); i++ {
-		userFieldMap[strings.ToLower(reflectedUser.Field(i).Name)] = i
+		structFieldMap[strings.ToLower(reflectedStruct.Field(i).Name)] = i
 	}
 
 	for idx, field := range stringArray {
@@ -746,22 +746,23 @@ func StringArrayToUser(stringArray [][]string) ([]*User, error) {
 		excelMap = append(excelMap, tempMap)
 	}
 
-	users := []*User{}
+	instances := []*T{}
 	var err error
 
-	for _, u := range excelMap {
+	for _, m := range excelMap {
-		user := User{}
+		instance := new(T)
-		reflectedUser := reflect.ValueOf(&user).Elem()
+		reflectedInstance := reflect.ValueOf(instance).Elem()
-		for k, v := range u {
+
+		for k, v := range m {
 			if v == "" || v == "null" || v == "[]" || v == "{}" {
 				continue
 			}
 			fName := strings.ToLower(strings.ReplaceAll(k, "_", ""))
-			fieldIdx, ok := userFieldMap[fName]
+			fieldIdx, ok := structFieldMap[fName]
 			if !ok {
 				continue
 			}
-			fv := reflectedUser.Field(fieldIdx)
+			fv := reflectedInstance.Field(fieldIdx)
 			if !fv.IsValid() {
 				continue
 			}
@@ -806,8 +807,8 @@ func StringArrayToUser(stringArray [][]string) ([]*User, error) {
 				return nil, err
 			}
 		}
-		users = append(users, &user)
+		instances = append(instances, instance)
 	}
 
-	return users, nil
+	return instances, nil
 }

object/verification.go

@@ -19,6 +19,8 @@ import (
 	"fmt"
 	"math"
 	"math/rand"
+	"net/url"
+	"regexp"
 	"strings"
 	"time"
 
@@ -33,6 +35,8 @@ type VerifyResult struct {
 	Msg  string
 }
 
+var ResetLinkReg *regexp.Regexp
+
 const (
 	VerificationSuccess = iota
 	wrongCodeError
@@ -45,6 +49,10 @@ const (
 	VerifyTypeEmail = "email"
 )
 
+func init() {
+	ResetLinkReg = regexp.MustCompile("(?s)<reset-link>(.*?)</reset-link>")
+}
+
 type VerificationRecord struct {
 	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
 	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
@@ -81,7 +89,7 @@ func IsAllowSend(user *User, remoteAddr, recordType string) error {
 	return nil
 }
 
-func SendVerificationCodeToEmail(organization *Organization, user *User, provider *Provider, remoteAddr string, dest string) error {
+func SendVerificationCodeToEmail(organization *Organization, user *User, provider *Provider, remoteAddr string, dest string, method string, host string, applicationName string) error {
 	sender := organization.DisplayName
 	title := provider.Title
 
@@ -93,6 +101,23 @@ func SendVerificationCodeToEmail(organization *Organization, user *User, provide
 	// "You have requested a verification code at Casdoor. Here is your code: %s, please enter in 5 minutes."
 	content := strings.Replace(provider.Content, "%s", code, 1)
 
+	if method == "forget" {
+		originFrontend, _ := getOriginFromHost(host)
+
+		query := url.Values{}
+		query.Add("code", code)
+		query.Add("username", user.Name)
+		query.Add("dest", util.GetMaskedEmail(dest))
+		forgetURL := originFrontend + "/forget/" + applicationName + "?" + query.Encode()
+
+		content = strings.Replace(content, "%link", forgetURL, -1)
+		content = strings.Replace(content, "<reset-link>", "", -1)
+		content = strings.Replace(content, "</reset-link>", "", -1)
+	} else {
+		matchContent := ResetLinkReg.Find([]byte(content))
+		content = strings.Replace(content, string(matchContent), "", -1)
+	}
+
 	userString := "Hi"
 	if user != nil {
 		userString = user.GetFriendlyName()

routers/auto_signin_filter.go

@@ -66,6 +66,10 @@ func AutoSigninFilter(ctx *context.Context) {
 			responseError(ctx, err.Error())
 			return
 		}
+		if application == nil {
+			responseError(ctx, fmt.Sprintf("No application is found for userId: app/%s", token.Application))
+			return
+		}
 
 		setSessionUser(ctx, userId)
 		setSessionOidc(ctx, token.Scope, application.ClientId)

routers/base.go

@@ -185,17 +185,3 @@ func removePort(s string) string {
 	}
 	return ipStr
 }
-
-func isHostIntranet(s string) bool {
-	ipStr, _, err := net.SplitHostPort(s)
-	if err != nil {
-		ipStr = s
-	}
-
-	ip := net.ParseIP(ipStr)
-	if ip == nil {
-		return false
-	}
-
-	return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast()
-}

routers/cors_filter.go

@@ -83,7 +83,7 @@ func CorsFilter(ctx *context.Context) {
 			setCorsHeaders(ctx, origin)
 		} else if originHostname == host {
 			setCorsHeaders(ctx, origin)
-		} else if isHostIntranet(host) {
+		} else if util.IsHostIntranet(host) {
 			setCorsHeaders(ctx, origin)
 		} else {
 			ok, err := object.IsOriginAllowed(origin)

routers/field_validation_filter.go

@@ -23,7 +23,7 @@ import (
 	"github.com/beego/beego/context"
 )
 
-var forbiddenChars = `/?:@#&%=+;`
+var forbiddenChars = `/?:#&%=+;`
 
 func FieldValidationFilter(ctx *context.Context) {
 	if ctx.Input.Method() != "POST" {

routers/router.go

@@ -81,6 +81,7 @@ func initAPI() {
 	beego.Router("/api/update-group", &controllers.ApiController{}, "POST:UpdateGroup")
 	beego.Router("/api/add-group", &controllers.ApiController{}, "POST:AddGroup")
 	beego.Router("/api/delete-group", &controllers.ApiController{}, "POST:DeleteGroup")
+	beego.Router("/api/upload-groups", &controllers.ApiController{}, "POST:UploadGroups")
 
 	beego.Router("/api/get-global-users", &controllers.ApiController{}, "GET:GetGlobalUsers")
 	beego.Router("/api/get-users", &controllers.ApiController{}, "GET:GetUsers")

util/network.go

@@ -0,0 +1,47 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package util
+
+import (
+	"net"
+)
+
+func IsInternetIp(ip string) bool {
+	ipStr, _, err := net.SplitHostPort(ip)
+	if err != nil {
+		ipStr = ip
+	}
+
+	parsedIP := net.ParseIP(ipStr)
+	if parsedIP == nil {
+		return false
+	}
+
+	return !parsedIP.IsPrivate() && !parsedIP.IsLoopback() && !parsedIP.IsMulticast() && !parsedIP.IsUnspecified()
+}
+
+func IsHostIntranet(ip string) bool {
+	ipStr, _, err := net.SplitHostPort(ip)
+	if err != nil {
+		ipStr = ip
+	}
+
+	parsedIP := net.ParseIP(ipStr)
+	if parsedIP == nil {
+		return false
+	}
+
+	return parsedIP.IsPrivate() || parsedIP.IsLoopback() || parsedIP.IsLinkLocalUnicast() || parsedIP.IsLinkLocalMulticast()
+}

web/src/App.js

@@ -404,6 +404,7 @@ class App extends Component {
                       account={this.state.account}
                       theme={this.state.themeData}
                       themeAlgorithm={this.state.themeAlgorithm}
+                      requiredEnableMfa={this.state.requiredEnableMfa}
                       updateApplication={(application) => {
                         this.setState({
                           application: application,

web/src/GroupListPage.js

@@ -14,7 +14,8 @@
 
 import React from "react";
 import {Link} from "react-router-dom";
-import {Button, Table, Tooltip} from "antd";
+import {Button, Table, Tooltip, Upload} from "antd";
+import {UploadOutlined} from "@ant-design/icons";
 import moment from "moment";
 import * as Setting from "./Setting";
 import * as GroupBackend from "./backend/GroupBackend";
@@ -87,6 +88,42 @@ class GroupListPage extends BaseListPage {
       });
   }
 
+  uploadFile(info) {
+    const {status, response: res} = info.file;
+    if (status === "done") {
+      if (res.status === "ok") {
+        Setting.showMessage("success", "Groups uploaded successfully, refreshing the page");
+        const {pagination} = this.state;
+        this.fetch({pagination});
+      } else {
+        Setting.showMessage("error", `Groups failed to upload: ${res.msg}`);
+      }
+    } else if (status === "error") {
+      Setting.showMessage("error", "File failed to upload");
+    }
+  }
+
+  renderUpload() {
+    const props = {
+      name: "file",
+      accept: ".xlsx",
+      method: "post",
+      action: `${Setting.ServerUrl}/api/upload-groups`,
+      withCredentials: true,
+      onChange: (info) => {
+        this.uploadFile(info);
+      },
+    };
+
+    return (
+      <Upload {...props}>
+        <Button icon={<UploadOutlined />} id="upload-button" type="primary" size="small">
+          {i18next.t("group:Upload (.xlsx)")}
+        </Button>
+      </Upload>
+    );
+  }
+
   renderTable(data) {
     const columns = [
       {
@@ -231,7 +268,10 @@ class GroupListPage extends BaseListPage {
           title={() => (
             <div>
               {i18next.t("general:Groups")}&nbsp;&nbsp;&nbsp;&nbsp;
-              <Button type="primary" size="small" onClick={this.addGroup.bind(this)}>{i18next.t("general:Add")}</Button>
+              <Button style={{marginRight: "5px"}} type="primary" size="small" onClick={this.addGroup.bind(this)}>{i18next.t("general:Add")}</Button>
+              {
+                this.renderUpload()
+              }
             </div>
           )}
           loading={this.state.loading}

web/src/OrganizationEditPage.js

@@ -603,6 +603,16 @@ class OrganizationEditPage extends React.Component {
             />
           </Col>
         </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("application:MFA remember time"), i18next.t("application:MFA remember time - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <InputNumber style={{width: "150px"}} value={this.state.organization.mfaRememberInHours} min={1} step={1} precision={0} addonAfter="Hours" onChange={value => {
+              this.updateOrganizationField("mfaRememberInHours", value);
+            }} />
+          </Col>
+        </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
             {Setting.getLabel(i18next.t("general:MFA items"), i18next.t("general:MFA items - Tooltip"))} :

web/src/OrganizationListPage.js

@@ -25,6 +25,7 @@ import PopconfirmModal from "./common/modal/PopconfirmModal";
 class OrganizationListPage extends BaseListPage {
   newOrganization() {
     const randomName = Setting.getRandomName();
+    const DefaultMfaRememberInHours = 12;
     return {
       owner: "admin", // this.props.account.organizationname,
       name: `organization_${randomName}`,
@@ -48,6 +49,7 @@ class OrganizationListPage extends BaseListPage {
       enableSoftDeletion: false,
       isProfilePublic: true,
       enableTour: true,
+      mfaRememberInHours: DefaultMfaRememberInHours,
       accountItems: [
         {name: "Organization", visible: true, viewRule: "Public", modifyRule: "Admin"},
         {name: "ID", visible: true, viewRule: "Public", modifyRule: "Immutable"},

web/src/PlanEditPage.js

@@ -241,6 +241,21 @@ class PlanEditPage extends React.Component {
                   {id: "HKD", name: "HKD"},
                   {id: "SGD", name: "SGD"},
                   {id: "BRL", name: "BRL"},
+                  {id: "PLN", name: "PLN"},
+                  {id: "KRW", name: "KRW"},
+                  {id: "INR", name: "INR"},
+                  {id: "RUB", name: "RUB"},
+                  {id: "MXN", name: "MXN"},
+                  {id: "ZAR", name: "ZAR"},
+                  {id: "TRY", name: "TRY"},
+                  {id: "SEK", name: "SEK"},
+                  {id: "NOK", name: "NOK"},
+                  {id: "DKK", name: "DKK"},
+                  {id: "THB", name: "THB"},
+                  {id: "MYR", name: "MYR"},
+                  {id: "TWD", name: "TWD"},
+                  {id: "CZK", name: "CZK"},
+                  {id: "HUF", name: "HUF"},
                 ].map((item, index) => <Option key={index} value={item.id}>{item.name}</Option>)
               }
             </Select>

web/src/ProductBuyPage.js

@@ -141,6 +141,36 @@ class ProductBuyPage extends React.Component {
       return "S$";
     } else if (product?.currency === "BRL") {
       return "R$";
+    } else if (product?.currency === "PLN") {
+      return "zł";
+    } else if (product?.currency === "KRW") {
+      return "₩";
+    } else if (product?.currency === "INR") {
+      return "₹";
+    } else if (product?.currency === "RUB") {
+      return "₽";
+    } else if (product?.currency === "MXN") {
+      return "$";
+    } else if (product?.currency === "ZAR") {
+      return "R";
+    } else if (product?.currency === "TRY") {
+      return "₺";
+    } else if (product?.currency === "SEK") {
+      return "kr";
+    } else if (product?.currency === "NOK") {
+      return "kr";
+    } else if (product?.currency === "DKK") {
+      return "kr";
+    } else if (product?.currency === "THB") {
+      return "฿";
+    } else if (product?.currency === "MYR") {
+      return "RM";
+    } else if (product?.currency === "TWD") {
+      return "NT$";
+    } else if (product?.currency === "CZK") {
+      return "Kč";
+    } else if (product?.currency === "HUF") {
+      return "Ft";
     } else {
       return "(Unknown currency)";
     }

web/src/ProductEditPage.js

@@ -218,6 +218,21 @@ class ProductEditPage extends React.Component {
                   {id: "HKD", name: "HKD"},
                   {id: "SGD", name: "SGD"},
                   {id: "BRL", name: "BRL"},
+                  {id: "PLN", name: "PLN"},
+                  {id: "KRW", name: "KRW"},
+                  {id: "INR", name: "INR"},
+                  {id: "RUB", name: "RUB"},
+                  {id: "MXN", name: "MXN"},
+                  {id: "ZAR", name: "ZAR"},
+                  {id: "TRY", name: "TRY"},
+                  {id: "SEK", name: "SEK"},
+                  {id: "NOK", name: "NOK"},
+                  {id: "DKK", name: "DKK"},
+                  {id: "THB", name: "THB"},
+                  {id: "MYR", name: "MYR"},
+                  {id: "TWD", name: "TWD"},
+                  {id: "CZK", name: "CZK"},
+                  {id: "HUF", name: "HUF"},
                 ].map((item, index) => <Option key={index} value={item.id}>{item.name}</Option>)
               }
             </Select>
@@ -288,6 +303,16 @@ class ProductEditPage extends React.Component {
             }} />
           </Col>
         </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("product:Success URL"), i18next.t("product:Success URL - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Input prefix={<LinkOutlined />} value={this.state.product.successUrl} onChange={e => {
+              this.updateProductField("successUrl", e.target.value);
+            }} />
+          </Col>
+        </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
             {Setting.getLabel(i18next.t("general:State"), i18next.t("general:State - Tooltip"))} :

web/src/ProviderEditPage.js

@@ -931,10 +931,12 @@ class ProviderEditPage extends React.Component {
           )
         }
         {
-          this.state.provider.type !== "Google" ? null : (
+          this.state.provider.type !== "Google" && this.state.provider.type !== "Lark" ? null : (
             <Row style={{marginTop: "20px"}} >
               <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-                {Setting.getLabel(i18next.t("provider:Get phone number"), i18next.t("provider:Get phone number - Tooltip"))} :
+                {this.state.provider.type === "Google" ?
+                  Setting.getLabel(i18next.t("provider:Get phone number"), i18next.t("provider:Get phone number - Tooltip"))
+                  : Setting.getLabel(i18next.t("provider:Use global endpoint"), i18next.t("provider:Use global endpoint - Tooltip"))} :
               </Col>
               <Col span={1} >
                 <Switch disabled={!this.state.provider.clientId} checked={this.state.provider.disableSsl} onChange={checked => {
@@ -1227,7 +1229,7 @@ class ProviderEditPage extends React.Component {
                 </Col>
                 <Col span={22} >
                   <Row style={{marginTop: "20px"}} >
-                    <Button style={{marginLeft: "10px", marginBottom: "5px"}} onClick={() => this.updateProviderField("content", "You have requested a verification code at Casdoor. Here is your code: %s, please enter in 5 minutes.")} >
+                    <Button style={{marginLeft: "10px", marginBottom: "5px"}} onClick={() => this.updateProviderField("content", "You have requested a verification code at Casdoor. Here is your code: %s, please enter in 5 minutes. <reset-link>Or click %link to reset</reset-link>")} >
                       {i18next.t("provider:Reset to Default Text")}
                     </Button>
                     <Button style={{marginLeft: "10px", marginBottom: "5px"}} type="primary" onClick={() => this.updateProviderField("content", Setting.getDefaultHtmlEmailContent())} >

web/src/Setting.js

@@ -696,18 +696,27 @@ export const MfaRulePrompted = "Prompted";
 export const MfaRuleOptional = "Optional";
 
 export function isRequiredEnableMfa(user, organization) {
-  if (!user || !organization || !organization.mfaItems) {
+  if (!user || !organization || (!organization.mfaItems && !user.mfaItems)) {
     return false;
   }
   return getMfaItemsByRules(user, organization, [MfaRuleRequired]).length > 0;
 }
 
 export function getMfaItemsByRules(user, organization, mfaRules = []) {
-  if (!user || !organization || !organization.mfaItems) {
+  if (!user || !organization || (!organization.mfaItems && !user.mfaItems)) {
     return [];
   }
 
-  return organization.mfaItems.filter((mfaItem) => mfaRules.includes(mfaItem.rule))
+  let mfaItems = organization.mfaItems;
+  if (user.mfaItems && user.mfaItems.length !== 0) {
+    mfaItems = user.mfaItems;
+  }
+
+  if (mfaItems === null) {
+    return [];
+  }
+
+  return mfaItems.filter((mfaItem) => mfaRules.includes(mfaItem.rule))
     .filter((mfaItem) => user.multiFactorAuths.some((mfa) => mfa.mfaType === mfaItem.name && !mfa.enabled));
 }
 
@@ -1507,6 +1516,54 @@ export function getCurrencySymbol(currency) {
     return "$";
   } else if (currency === "CNY" || currency === "cny") {
     return "¥";
+  } else if (currency === "EUR" || currency === "eur") {
+    return "€";
+  } else if (currency === "JPY" || currency === "jpy") {
+    return "¥";
+  } else if (currency === "GBP" || currency === "gbp") {
+    return "£";
+  } else if (currency === "AUD" || currency === "aud") {
+    return "A$";
+  } else if (currency === "CAD" || currency === "cad") {
+    return "C$";
+  } else if (currency === "CHF" || currency === "chf") {
+    return "CHF";
+  } else if (currency === "HKD" || currency === "hkd") {
+    return "HK$";
+  } else if (currency === "SGD" || currency === "sgd") {
+    return "S$";
+  } else if (currency === "BRL" || currency === "brl") {
+    return "R$";
+  } else if (currency === "PLN" || currency === "pln") {
+    return "zł";
+  } else if (currency === "KRW" || currency === "krw") {
+    return "₩";
+  } else if (currency === "INR" || currency === "inr") {
+    return "₹";
+  } else if (currency === "RUB" || currency === "rub") {
+    return "₽";
+  } else if (currency === "MXN" || currency === "mxn") {
+    return "$";
+  } else if (currency === "ZAR" || currency === "zar") {
+    return "R";
+  } else if (currency === "TRY" || currency === "try") {
+    return "₺";
+  } else if (currency === "SEK" || currency === "sek") {
+    return "kr";
+  } else if (currency === "NOK" || currency === "nok") {
+    return "kr";
+  } else if (currency === "DKK" || currency === "dkk") {
+    return "kr";
+  } else if (currency === "THB" || currency === "thb") {
+    return "฿";
+  } else if (currency === "MYR" || currency === "myr") {
+    return "RM";
+  } else if (currency === "TWD" || currency === "twd") {
+    return "NT$";
+  } else if (currency === "CZK" || currency === "czk") {
+    return "Kč";
+  } else if (currency === "HUF" || currency === "huf") {
+    return "Ft";
   } else {
     return currency;
   }
@@ -1571,6 +1628,11 @@ export function getDefaultHtmlEmailContent() {
     <div class="code">
         %s
     </div>
+    <reset-link>
+      <div class="link">
+         Or click this <a href="%link">link</a> to reset
+      </div>
+    </reset-link>
     <p>Thanks</p>
     <p>Casbin Team</p>
     <hr>
@@ -1605,6 +1667,36 @@ export function getCurrencyText(product) {
     return i18next.t("currency:SGD");
   } else if (product?.currency === "BRL") {
     return i18next.t("currency:BRL");
+  } else if (product?.currency === "PLN") {
+    return i18next.t("currency:PLN");
+  } else if (product?.currency === "KRW") {
+    return i18next.t("currency:KRW");
+  } else if (product?.currency === "INR") {
+    return i18next.t("currency:INR");
+  } else if (product?.currency === "RUB") {
+    return i18next.t("currency:RUB");
+  } else if (product?.currency === "MXN") {
+    return i18next.t("currency:MXN");
+  } else if (product?.currency === "ZAR") {
+    return i18next.t("currency:ZAR");
+  } else if (product?.currency === "TRY") {
+    return i18next.t("currency:TRY");
+  } else if (product?.currency === "SEK") {
+    return i18next.t("currency:SEK");
+  } else if (product?.currency === "NOK") {
+    return i18next.t("currency:NOK");
+  } else if (product?.currency === "DKK") {
+    return i18next.t("currency:DKK");
+  } else if (product?.currency === "THB") {
+    return i18next.t("currency:THB");
+  } else if (product?.currency === "MYR") {
+    return i18next.t("currency:MYR");
+  } else if (product?.currency === "TWD") {
+    return i18next.t("currency:TWD");
+  } else if (product?.currency === "CZK") {
+    return i18next.t("currency:CZK");
+  } else if (product?.currency === "HUF") {
+    return i18next.t("currency:HUF");
   } else {
     return "(Unknown currency)";
   }

web/src/TourConfig.js

@@ -208,10 +208,14 @@ let orgIsTourVisible = true;
 
 export function setOrgIsTourVisible(visible) {
   orgIsTourVisible = visible;
+  if (orgIsTourVisible === false) {
+    setIsTourVisible(false);
+  }
 }
 
 export function setIsTourVisible(visible) {
   localStorage.setItem("isTourVisible", visible);
+  window.dispatchEvent(new Event("storageTourChanged"));
 }
 
 export function setTourLogo(tourLogoSrc) {
@@ -221,7 +225,7 @@ export function setTourLogo(tourLogoSrc) {
 }
 
 export function getTourVisible() {
-  return localStorage.getItem("isTourVisible") !== "false" && orgIsTourVisible;
+  return localStorage.getItem("isTourVisible") !== "false";
 }
 
 export function getNextButtonChild(nextPathName) {

web/src/UserEditPage.js

@@ -42,6 +42,7 @@ import * as MfaBackend from "./backend/MfaBackend";
 import AccountAvatar from "./account/AccountAvatar";
 import FaceIdTable from "./table/FaceIdTable";
 import MfaAccountTable from "./table/MfaAccountTable";
+import MfaTable from "./table/MfaTable";
 
 const {Option} = Select;
 
@@ -926,6 +927,19 @@ class UserEditPage extends React.Component {
           </Col>
         </Row>
       );
+    } else if (accountItem.name === "MFA items") {
+      return (<Row style={{marginTop: "20px"}} >
+        <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+          {Setting.getLabel(i18next.t("general:MFA items"), i18next.t("general:MFA items - Tooltip"))} :
+        </Col>
+        <Col span={22} >
+          <MfaTable
+            title={i18next.t("general:MFA items")}
+            table={this.state.user.mfaItems ?? []}
+            onUpdateTable={(value) => {this.updateUserField("mfaItems", value);}}
+          />
+        </Col>
+      </Row>);
     } else if (accountItem.name === "Multi-factor authentication") {
       return (
         !this.isSelfOrAdmin() ? null : (

web/src/auth/AuthBackend.js

@@ -163,7 +163,7 @@ export function getWechatQRCode(providerId) {
 }
 
 export function getCaptchaStatus(values) {
-  return fetch(`${Setting.ServerUrl}/api/get-captcha-status?organization=${values["organization"]}&userId=${values["username"]}`, {
+  return fetch(`${Setting.ServerUrl}/api/get-captcha-status?organization=${values["organization"]}&userId=${values["username"]}&application=${values["application"]}`, {
     method: "GET",
     credentials: "include",
     headers: {

web/src/auth/AuthCallback.js

@@ -166,7 +166,7 @@ class AuthCallback extends React.Component {
           const responseType = this.getResponseType();
           const handleLogin = (res) => {
             if (responseType === "login") {
-              if (res.data2) {
+              if (res.data3) {
                 sessionStorage.setItem("signinUrl", signinUrl);
                 Setting.goToLinkSoft(this, `/forget/${applicationName}`);
                 return;
@@ -176,7 +176,7 @@ class AuthCallback extends React.Component {
               const link = Setting.getFromLink();
               Setting.goToLink(link);
             } else if (responseType === "code") {
-              if (res.data2) {
+              if (res.data3) {
                 sessionStorage.setItem("signinUrl", signinUrl);
                 Setting.goToLinkSoft(this, `/forget/${applicationName}`);
                 return;
@@ -185,7 +185,7 @@ class AuthCallback extends React.Component {
               Setting.goToLink(`${oAuthParams.redirectUri}${concatChar}code=${code}&state=${oAuthParams.state}`);
             // Setting.showMessage("success", `Authorization code: ${res.data}`);
             } else if (responseType === "token" || responseType === "id_token") {
-              if (res.data2) {
+              if (res.data3) {
                 sessionStorage.setItem("signinUrl", signinUrl);
                 Setting.goToLinkSoft(this, `/forget/${applicationName}`);
                 return;
@@ -207,7 +207,7 @@ class AuthCallback extends React.Component {
                   relayState: oAuthParams.relayState,
                 });
               } else {
-                if (res.data2.needUpdatePassword) {
+                if (res.data3) {
                   sessionStorage.setItem("signinUrl", signinUrl);
                   Setting.goToLinkSoft(this, `/forget/${applicationName}`);
                   return;

web/src/auth/ForgetPage.js

@@ -13,7 +13,7 @@
 // limitations under the License.
 
 import React from "react";
-import {Button, Col, Form, Input, Row, Select, Steps} from "antd";
+import {Button, Col, Form, Input, Popover, Row, Select, Steps} from "antd";
 import * as AuthBackend from "./AuthBackend";
 import * as ApplicationBackend from "../backend/ApplicationBackend";
 import * as Util from "./Util";
@@ -31,18 +31,21 @@ const {Option} = Select;
 class ForgetPage extends React.Component {
   constructor(props) {
     super(props);
+    const queryParams = new URLSearchParams(location.search);
     this.state = {
       classes: props,
       applicationName: props.applicationName ?? props.match.params?.applicationName,
       msg: null,
-      name: props.account ? props.account.name : "",
+      name: props.account ? props.account.name : queryParams.get("username"),
       username: props.account ? props.account.name : "",
       phone: "",
       email: "",
       dest: "",
       isVerifyTypeFixed: false,
       verifyType: "", // "email", "phone"
-      current: 0,
+      current: queryParams.get("code") ? 2 : 0,
+      code: queryParams.get("code"),
+      queryParams: queryParams,
     };
     this.form = React.createRef();
   }
@@ -148,9 +151,26 @@ class ForgetPage extends React.Component {
     }
   }
 
-  onFinish(values) {
+  async onFinish(values) {
     values.username = this.state.name;
     values.userOwner = this.getApplicationObj()?.organizationObj.name;
+
+    if (this.state.queryParams.get("code")) {
+      const res = await UserBackend.verifyCode({
+        application: this.getApplicationObj().name,
+        organization: values.userOwner,
+        username: this.state.queryParams.get("dest"),
+        name: this.state.name,
+        code: this.state.code,
+        type: "login",
+      });
+
+      if (res.status !== "ok") {
+        Setting.showMessage("error", res.msg);
+        return;
+      }
+    }
+
     UserBackend.setPassword(values.userOwner, values.username, "", values?.newPassword, this.state.code).then(res => {
       if (res.status === "ok") {
         const linkInStorage = sessionStorage.getItem("signinUrl");
@@ -385,30 +405,48 @@ class ForgetPage extends React.Component {
                 },
               ]}
             />
-            <Form.Item
+            <Popover placement={window.innerWidth >= 960 ? "right" : "top"} content={this.state.passwordPopover} open={this.state.passwordPopoverOpen}>
-              name="newPassword"
+              <Form.Item
-              hidden={this.state.current !== 2}
+                name="newPassword"
-              rules={[
+                hidden={this.state.current !== 2}
-                {
+                rules={[
-                  required: true,
+                  {
-                  validateTrigger: "onChange",
+                    required: true,
-                  validator: (rule, value) => {
+                    validateTrigger: "onChange",
-                    const errorMsg = PasswordChecker.checkPasswordComplexity(value, application.organizationObj.passwordOptions);
+                    validator: (rule, value) => {
-                    if (errorMsg === "") {
+                      const errorMsg = PasswordChecker.checkPasswordComplexity(value, application.organizationObj.passwordOptions);
-                      return Promise.resolve();
+                      if (errorMsg === "") {
-                    } else {
+                        return Promise.resolve();
-                      return Promise.reject(errorMsg);
+                      } else {
-                    }
+                        return Promise.reject(errorMsg);
+                      }
+                    },
                   },
-                },
+                ]}
-              ]}
+                hasFeedback
-              hasFeedback
+              >
-            >
+                <Input.Password
-              <Input.Password
+                  prefix={<LockOutlined />}
-                prefix={<LockOutlined />}
+                  placeholder={i18next.t("general:Password")}
-                placeholder={i18next.t("general:Password")}
+                  onChange={(e) => {
-              />
+                    this.setState({
-            </Form.Item>
+                      passwordPopover: PasswordChecker.renderPasswordPopover(application.organizationObj.passwordOptions, e.target.value),
+                    });
+                  }}
+                  onFocus={() => {
+                    this.setState({
+                      passwordPopoverOpen: application.organizationObj.passwordOptions?.length > 0,
+                      passwordPopover: PasswordChecker.renderPasswordPopover(application.organizationObj.passwordOptions, this.form.current?.getFieldValue("newPassword") ?? ""),
+                    });
+                  }}
+                  onBlur={() => {
+                    this.setState({
+                      passwordPopoverOpen: false,
+                    });
+                  }}
+                />
+              </Form.Item>
+            </Popover>
             <Form.Item
               name="confirm"
               dependencies={["newPassword"]}

web/src/auth/LoginPage.js

@@ -134,6 +134,8 @@ class LoginPage extends React.Component {
         return CaptchaRule.Always;
       } else if (captchaProviderItems.some(providerItem => providerItem.rule === "Dynamic")) {
         return CaptchaRule.Dynamic;
+      } else if (captchaProviderItems.some(providerItem => providerItem.rule === "Internet-Only")) {
+        return CaptchaRule.InternetOnly;
       } else {
         return CaptchaRule.Never;
       }
@@ -443,6 +445,9 @@ class LoginPage extends React.Component {
       } else if (captchaRule === CaptchaRule.Dynamic) {
         this.checkCaptchaStatus(values);
         return;
+      } else if (captchaRule === CaptchaRule.InternetOnly) {
+        this.checkCaptchaStatus(values);
+        return;
       }
     }
     this.login(values);
@@ -491,9 +496,9 @@ class LoginPage extends React.Component {
             const responseType = values["type"];
 
             if (responseType === "login") {
-              if (res.data2) {
+              if (res.data3) {
                 sessionStorage.setItem("signinUrl", window.location.pathname + window.location.search);
-                Setting.goToLink(this, `/forget/${this.state.applicationName}`);
+                Setting.goToLinkSoft(this, `/forget/${this.state.applicationName}`);
               }
               Setting.showMessage("success", i18next.t("application:Logged in successfully"));
               this.props.onLoginSuccess();
@@ -505,9 +510,9 @@ class LoginPage extends React.Component {
                 userCodeStatus: "success",
               });
             } else if (responseType === "token" || responseType === "id_token") {
-              if (res.data2) {
+              if (res.data3) {
                 sessionStorage.setItem("signinUrl", window.location.pathname + window.location.search);
-                Setting.goToLink(this, `/forget/${this.state.applicationName}`);
+                Setting.goToLinkSoft(this, `/forget/${this.state.applicationName}`);
               }
               const amendatoryResponseType = responseType === "token" ? "access_token" : responseType;
               const accessToken = res.data;
@@ -517,9 +522,9 @@ class LoginPage extends React.Component {
                 this.props.onLoginSuccess(window.location.href);
                 return;
               }
-              if (res.data2.needUpdatePassword) {
+              if (res.data3) {
                 sessionStorage.setItem("signinUrl", window.location.pathname + window.location.search);
-                Setting.goToLink(this, `/forget/${this.state.applicationName}`);
+                Setting.goToLinkSoft(this, `/forget/${this.state.applicationName}`);
               }
               if (res.data2.method === "POST") {
                 this.setState({
@@ -961,9 +966,23 @@ class LoginPage extends React.Component {
     const captchaProviderItems = this.getCaptchaProviderItems(application);
     const alwaysProviderItems = captchaProviderItems.filter(providerItem => providerItem.rule === "Always");
     const dynamicProviderItems = captchaProviderItems.filter(providerItem => providerItem.rule === "Dynamic");
-    const provider = alwaysProviderItems.length > 0
+    const internetOnlyProviderItems = captchaProviderItems.filter(providerItem => providerItem.rule === "Internet-Only");
-      ? alwaysProviderItems[0].provider
+
-      : dynamicProviderItems[0].provider;
+    // Select provider based on the active captcha rule, not fixed priority
+    const captchaRule = this.getCaptchaRule(this.getApplicationObj());
+    let provider = null;
+
+    if (captchaRule === CaptchaRule.Always && alwaysProviderItems.length > 0) {
+      provider = alwaysProviderItems[0].provider;
+    } else if (captchaRule === CaptchaRule.Dynamic && dynamicProviderItems.length > 0) {
+      provider = dynamicProviderItems[0].provider;
+    } else if (captchaRule === CaptchaRule.InternetOnly && internetOnlyProviderItems.length > 0) {
+      provider = internetOnlyProviderItems[0].provider;
+    }
+
+    if (!provider) {
+      return null;
+    }
 
     return <CaptchaModal
       owner={provider.owner}
@@ -1021,6 +1040,10 @@ class LoginPage extends React.Component {
       return null;
     }
 
+    if (this.props.requiredEnableMfa) {
+      return null;
+    }
+
     if (this.state.userCode && this.state.userCodeStatus === "success") {
       return null;
     }

web/src/auth/Provider.js

@@ -68,6 +68,7 @@ const authInfo = {
   Lark: {
     // scope: "email",
     endpoint: "https://open.feishu.cn/open-apis/authen/v1/index",
+    endpoint2: "https://accounts.larksuite.com/open-apis/authen/v1/authorize",
   },
   GitLab: {
     scope: "read_user+profile",
@@ -278,7 +279,7 @@ const authInfo = {
     endpoint: "https://www.tiktok.com/auth/authorize/",
   },
   Tumblr: {
-    scope: "email",
+    scope: "basic",
     endpoint: "https://www.tumblr.com/oauth2/authorize",
   },
   Twitch: {
@@ -406,6 +407,8 @@ export function getAuthUrl(application, provider, method, code) {
     if (provider.domain) {
       endpoint = `${provider.domain}/apps/oauth2/authorize`;
     }
+  } else if (provider.type === "Lark" && provider.disableSsl) {
+    endpoint = authInfo[provider.type].endpoint2;
   }
 
   if (provider.type === "Google" || provider.type === "GitHub" || provider.type === "Facebook"
@@ -460,6 +463,9 @@ export function getAuthUrl(application, provider, method, code) {
       return `https://error:not-supported-provider-sub-type:${provider.subType}`;
     }
   } else if (provider.type === "Lark") {
+    if (provider.disableSsl) {
+      redirectUri = encodeURIComponent(redirectUri);
+    }
     return `${endpoint}?app_id=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}`;
   } else if (provider.type === "ADFS") {
     return `${provider.domain}/adfs/oauth2/authorize?client_id=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}&response_type=code&nonce=casdoor&scope=openid`;

web/src/auth/SignupPage.js

@@ -13,7 +13,7 @@
 // limitations under the License.
 
 import React from "react";
-import {Button, Form, Input, Radio, Result, Row, Select, message} from "antd";
+import {Button, Form, Input, Popover, Radio, Result, Row, Select, message} from "antd";
 import * as Setting from "../Setting";
 import * as AuthBackend from "./AuthBackend";
 import * as ProviderButton from "./ProviderButton";
@@ -607,28 +607,45 @@ class SignupPage extends React.Component {
       }
     } else if (signupItem.name === "Password") {
       return (
-        <Form.Item
+        <Popover placement={window.innerWidth >= 960 ? "right" : "top"} content={this.state.passwordPopover} open={this.state.passwordPopoverOpen}>
-          name="password"
+          <Form.Item
-          className="signup-password"
+            name="password"
-          label={signupItem.label ? signupItem.label : i18next.t("general:Password")}
+            className="signup-password"
-          rules={[
+            label={signupItem.label ? signupItem.label : i18next.t("general:Password")}
-            {
+            rules={[
-              required: required,
+              {
-              validateTrigger: "onChange",
+                required: required,
-              validator: (rule, value) => {
+                validateTrigger: "onChange",
-                const errorMsg = PasswordChecker.checkPasswordComplexity(value, application.organizationObj.passwordOptions);
+                validator: (rule, value) => {
-                if (errorMsg === "") {
+                  const errorMsg = PasswordChecker.checkPasswordComplexity(value, application.organizationObj.passwordOptions);
-                  return Promise.resolve();
+                  if (errorMsg === "") {
-                } else {
+                    return Promise.resolve();
-                  return Promise.reject(errorMsg);
+                  } else {
-                }
+                    return Promise.reject(errorMsg);
+                  }
+                },
               },
-            },
+            ]}
-          ]}
+            hasFeedback
-          hasFeedback
+          >
-        >
+            <Input.Password className="signup-password-input" placeholder={signupItem.placeholder} onChange={(e) => {
-          <Input.Password className="signup-password-input" placeholder={signupItem.placeholder} />
+              this.setState({
-        </Form.Item>
+                passwordPopover: PasswordChecker.renderPasswordPopover(application.organizationObj.passwordOptions, e.target.value),
+              });
+            }}
+            onFocus={() => {
+              this.setState({
+                passwordPopoverOpen: application.organizationObj.passwordOptions?.length > 0,
+                passwordPopover: PasswordChecker.renderPasswordPopover(application.organizationObj.passwordOptions, this.form.current?.getFieldValue("password") ?? ""),
+              });
+            }}
+            onBlur={() => {
+              this.setState({
+                passwordPopoverOpen: false,
+              });
+            }} />
+          </Form.Item>
+        </Popover>
       );
     } else if (signupItem.name === "Confirm password") {
       return (

web/src/auth/mfa/MfaAuthVerifyForm.js

@@ -31,9 +31,9 @@ export function MfaAuthVerifyForm({formValues, authParams, mfaProps, application
   const [mfaType, setMfaType] = useState(mfaProps.mfaType);
   const [recoveryCode, setRecoveryCode] = useState("");
 
-  const verify = ({passcode}) => {
+  const verify = ({passcode, enableMfaRemember}) => {
     setLoading(true);
-    const values = {...formValues, passcode};
+    const values = {...formValues, passcode, enableMfaRemember};
     values["mfaType"] = mfaProps.mfaType;
     const loginFunction = formValues.type === "cas" ? AuthBackend.loginCas : AuthBackend.login;
     loginFunction(values, authParams).then((res) => {

web/src/auth/mfa/MfaVerifySmsForm.js

@@ -1,5 +1,5 @@
 import {UserOutlined} from "@ant-design/icons";
-import {Button, Form, Input, Space} from "antd";
+import {Button, Checkbox, Form, Input, Space} from "antd";
 import i18next from "i18next";
 import React, {useEffect} from "react";
 import {CountryCodeSelect} from "../../common/select/CountryCodeSelect";
@@ -12,6 +12,13 @@ export const MfaVerifySmsForm = ({mfaProps, application, onFinish, method, user}
   const [dest, setDest] = React.useState("");
   const [form] = Form.useForm();
 
+  const handleFinish = (values) => {
+    onFinish({
+      passcode: values.passcode,
+      enableMfaRemember: values.enableMfaRemember,
+    });
+  };
+
   useEffect(() => {
     if (method === mfaAuth) {
       setDest(mfaProps.secret);
@@ -51,9 +58,10 @@ export const MfaVerifySmsForm = ({mfaProps, application, onFinish, method, user}
     <Form
       form={form}
       style={{width: "300px"}}
-      onFinish={onFinish}
+      onFinish={handleFinish}
       initialValues={{
         countryCode: mfaProps.countryCode,
+        enableMfaRemember: false,
       }}
     >
       {isShowText() ?
@@ -109,6 +117,14 @@ export const MfaVerifySmsForm = ({mfaProps, application, onFinish, method, user}
           application={application}
         />
       </Form.Item>
+      <Form.Item
+        name="enableMfaRemember"
+        valuePropName="checked"
+      >
+        <Checkbox>
+          {i18next.t("mfa:Remember this account for {hour} hours").replace("{hour}", mfaProps?.mfaRememberInHours)}
+        </Checkbox>
+      </Form.Item>
       <Form.Item>
         <Button
           style={{marginTop: 24}}

web/src/auth/mfa/MfaVerifyTotpForm.js

@@ -1,5 +1,5 @@
-import {CopyOutlined, UserOutlined} from "@ant-design/icons";
+import {CopyOutlined} from "@ant-design/icons";
-import {Button, Col, Form, Input, QRCode, Space} from "antd";
+import {Button, Checkbox, Col, Form, Input, QRCode, Space} from "antd";
 import copy from "copy-to-clipboard";
 import i18next from "i18next";
 import React from "react";
@@ -8,6 +8,13 @@ import * as Setting from "../../Setting";
 export const MfaVerifyTotpForm = ({mfaProps, onFinish}) => {
   const [form] = Form.useForm();
 
+  const handleFinish = (values) => {
+    onFinish({
+      passcode: values.passcode,
+      enableMfaRemember: values.enableMfaRemember,
+    });
+  };
+
   const renderSecret = () => {
     if (!mfaProps.secret) {
       return null;
@@ -40,20 +47,31 @@ export const MfaVerifyTotpForm = ({mfaProps, onFinish}) => {
     <Form
       form={form}
       style={{width: "300px"}}
-      onFinish={onFinish}
+      onFinish={handleFinish}
+      initialValues={{
+        enableMfaRemember: false,
+      }}
     >
       {renderSecret()}
       <Form.Item
         name="passcode"
         rules={[{required: true, message: "Please input your passcode"}]}
       >
-        <Input
+        <Input.OTP
           style={{marginTop: 24}}
-          prefix={<UserOutlined />}
+          onChange={() => {
-          placeholder={i18next.t("mfa:Passcode")}
+            form.submit();
-          autoComplete="off"
+          }}
         />
       </Form.Item>
+      <Form.Item
+        name="enableMfaRemember"
+        valuePropName="checked"
+      >
+        <Checkbox>
+          {i18next.t("mfa:Remember this account for {hour} hours").replace("{hour}", mfaProps?.mfaRememberInHours)}
+        </Checkbox>
+      </Form.Item>
       <Form.Item>
         <Button
           style={{marginTop: 24}}

web/src/common/PasswordChecker.js

@@ -13,6 +13,8 @@
 // limitations under the License.
 
 import i18next from "i18next";
+import React from "react";
+import {CheckCircleTwoTone, CloseCircleTwoTone} from "@ant-design/icons";
 
 function isValidOption_AtLeast6(password) {
   if (password.length < 6) {
@@ -52,8 +54,35 @@ function isValidOption_NoRepeat(password) {
   return "";
 }
 
+const checkers = {
+  AtLeast6: isValidOption_AtLeast6,
+  AtLeast8: isValidOption_AtLeast8,
+  Aa123: isValidOption_Aa123,
+  SpecialChar: isValidOption_SpecialChar,
+  NoRepeat: isValidOption_NoRepeat,
+};
+
+function getOptionDescription(option, password) {
+  switch (option) {
+  case "AtLeast6": return i18next.t("user:The password must have at least 6 characters");
+  case "AtLeast8": return i18next.t("user:The password must have at least 8 characters");
+  case "Aa123": return i18next.t("user:The password must contain at least one uppercase letter, one lowercase letter and one digit");
+  case "SpecialChar": return i18next.t("user:The password must contain at least one special character");
+  case "NoRepeat": return i18next.t("user:The password must not contain any repeated characters");
+  }
+}
+
+export function renderPasswordPopover(options, password) {
+  return <div style={{width: 240}} >
+    {options.map((option, idx) => {
+      return <div key={idx}>{checkers[option](password) === "" ? <CheckCircleTwoTone twoToneColor={"#52c41a"} /> :
+        <CloseCircleTwoTone twoToneColor={"#ff4d4f"} />} {getOptionDescription(option, password)}</div>;
+    })}
+  </div>;
+}
+
 export function checkPasswordComplexity(password, options) {
-  if (password.length === 0) {
+  if (!password?.length) {
     return i18next.t("login:Please input your password!");
   }
 
@@ -61,14 +90,6 @@ export function checkPasswordComplexity(password, options) {
     return "";
   }
 
-  const checkers = {
-    AtLeast6: isValidOption_AtLeast6,
-    AtLeast8: isValidOption_AtLeast8,
-    Aa123: isValidOption_Aa123,
-    SpecialChar: isValidOption_SpecialChar,
-    NoRepeat: isValidOption_NoRepeat,
-  };
-
   for (const option of options) {
     const checkerFunc = checkers[option];
     if (checkerFunc) {

web/src/common/modal/CaptchaModal.js

@@ -181,4 +181,5 @@ export const CaptchaRule = {
   Always: "Always",
   Never: "Never",
   Dynamic: "Dynamic",
+  InternetOnly: "Internet-Only",
 };

web/src/common/modal/PasswordModal.js

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import {Button, Col, Input, Modal, Row} from "antd";
+import {Button, Col, Input, Modal, Popover, Row} from "antd";
 import i18next from "i18next";
 import React from "react";
 import * as UserBackend from "../../backend/UserBackend";
@@ -35,6 +35,8 @@ export const PasswordModal = (props) => {
   const [rePasswordValid, setRePasswordValid] = React.useState(false);
   const [newPasswordErrorMessage, setNewPasswordErrorMessage] = React.useState("");
   const [rePasswordErrorMessage, setRePasswordErrorMessage] = React.useState("");
+  const [passwordPopoverOpen, setPasswordPopoverOpen] = React.useState(false);
+  const [passwordPopover, setPasswordPopover] = React.useState();
 
   React.useEffect(() => {
     if (organization) {
@@ -130,12 +132,26 @@ export const PasswordModal = (props) => {
             </Row>
           ) : null}
           <Row style={{width: "100%", marginBottom: "20px"}}>
-            <Input.Password
+            <Popover placement={window.innerWidth >= 960 ? "right" : "top"} content={passwordPopover} open={passwordPopoverOpen}>
-              addonBefore={i18next.t("user:New Password")}
+              <Input.Password
-              placeholder={i18next.t("user:input password")}
+                addonBefore={i18next.t("user:New Password")}
-              onChange={(e) => {handleNewPassword(e.target.value);}}
+                placeholder={i18next.t("user:input password")}
-              status={(!newPasswordValid && newPasswordErrorMessage) ? "error" : undefined}
+                onChange={(e) => {
-            />
+                  handleNewPassword(e.target.value);
+                  setPasswordPopoverOpen(passwordOptions?.length > 0);
+                  setPasswordPopover(PasswordChecker.renderPasswordPopover(passwordOptions, e.target.value));
+
+                }}
+                onFocus={() => {
+                  setPasswordPopoverOpen(passwordOptions?.length > 0);
+                  setPasswordPopover(PasswordChecker.renderPasswordPopover(passwordOptions, newPassword));
+                }}
+                onBlur={() => {
+                  setPasswordPopoverOpen(false);
+                }}
+                status={(!newPasswordValid && newPasswordErrorMessage) ? "error" : undefined}
+              />
+            </Popover>
           </Row>
           {!newPasswordValid && newPasswordErrorMessage && <div style={{color: "red", marginTop: "-20px"}}>{newPasswordErrorMessage}</div>}
           <Row style={{width: "100%", marginBottom: "20px"}}>