fix: fix getOAuthGetParameters bug in Moodle

README.md

@@ -1,5 +1,5 @@
 <h1 align="center" style="border-bottom: none;">📦⚡️ Casdoor</h1>
-<h3 align="center">An open-source UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA and RADIUS</h3>
+<h3 align="center">An open-source AI-first Identity and Access Management (IAM) /AI MCP gateway and auth server with web UI supporting MCP, A2A, OAuth 2.1, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD</h3>
 <p align="center">
   <a href="#badge">
     <img alt="semantic-release" src="https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg">

authz/authz.go

@@ -68,6 +68,7 @@ p, *, *, POST, /api/upload-users, *, *
 p, *, *, GET, /api/get-resources, *, *
 p, *, *, GET, /api/get-records, *, *
 p, *, *, GET, /api/get-product, *, *
+p, *, *, GET, /api/get-products, *, *
 p, *, *, GET, /api/get-order, *, *
 p, *, *, GET, /api/get-orders, *, *
 p, *, *, GET, /api/get-user-orders, *, *

certificate/account.go

@@ -0,0 +1,107 @@
+// Copyright 2021 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package certificate
+
+import (
+	"crypto"
+
+	"github.com/casbin/lego/v4/acme"
+	"github.com/casbin/lego/v4/certcrypto"
+	"github.com/casbin/lego/v4/lego"
+	"github.com/casbin/lego/v4/registration"
+	"github.com/casdoor/casdoor/proxy"
+)
+
+type Account struct {
+	Email        string
+	Registration *registration.Resource
+	Key          crypto.PrivateKey
+}
+
+/** Implementation of the registration.User interface **/
+
+// GetEmail returns the email address for the account.
+func (a *Account) GetEmail() string {
+	return a.Email
+}
+
+// GetPrivateKey returns the private RSA account key.
+func (a *Account) GetPrivateKey() crypto.PrivateKey {
+	return a.Key
+}
+
+// GetRegistration returns the server registration.
+func (a *Account) GetRegistration() *registration.Resource {
+	return a.Registration
+}
+
+func getLegoClientAndAccount(email string, privateKey string, devMode bool) (*lego.Client, *Account, error) {
+	key, err := decodeEccKey(privateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+	account := &Account{
+		Email: email,
+		Key:   key,
+	}
+
+	config := lego.NewConfig(account)
+	if devMode {
+		config.CADirURL = lego.LEDirectoryStaging
+	} else {
+		config.CADirURL = lego.LEDirectoryProduction
+	}
+
+	config.Certificate.KeyType = certcrypto.RSA2048
+	config.HTTPClient = proxy.ProxyHttpClient
+
+	client, err := lego.NewClient(config)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return client, account, err
+}
+
+// GetAcmeClient Incoming an email ,a privatekey and a Boolean value that controls the opening of the test environment
+// When this function is started for the first time, it will initialize the account-related configuration,
+// After initializing the configuration, It will try to obtain an account based on the private key,
+// if it fails, it will create an account based on the private key.
+// This account will be used during the running of the program
+func GetAcmeClient(email string, privateKey string, devMode bool) (*lego.Client, error) {
+	// Create a user. New accounts need an email and private key to start.
+	client, account, err := getLegoClientAndAccount(email, privateKey, devMode)
+
+	// try to obtain an account based on the private key
+	account.Registration, err = client.Registration.ResolveAccountByKey()
+	if err != nil {
+		acmeError, ok := err.(*acme.ProblemDetails)
+		if !ok {
+			return nil, err
+		}
+
+		if acmeError.Type != "urn:ietf:params:acme:error:accountDoesNotExist" {
+			return nil, acmeError
+		}
+
+		// Failed to get account, so create an account based on the private key.
+		account.Registration, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return client, nil
+}

certificate/account_test.go

@@ -0,0 +1,47 @@
+// Copyright 2021 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !skipCi
+// +build !skipCi
+
+package certificate
+
+import (
+	"testing"
+
+	"github.com/beego/beego/v2/server/web"
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/casdoor/util"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetClient(t *testing.T) {
+	err := web.LoadAppConfig("ini", "../conf/app.conf")
+	if err != nil {
+		panic(err)
+	}
+
+	proxy.InitHttpClient()
+
+	eccKey := util.ReadStringFromPath("acme_account.key")
+	println(eccKey)
+
+	client, err := GetAcmeClient("acme2@casbin.org", eccKey, false)
+	assert.Nil(t, err)
+	pem, key, err := ObtainCertificateAli(client, "casbin.com", accessKeyId, accessKeySecret)
+	assert.Nil(t, err)
+	println(pem)
+	println()
+	println(key)
+}

certificate/conf.go

@@ -0,0 +1,20 @@
+// Copyright 2021 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package certificate
+
+var (
+	accessKeyId     = ""
+	accessKeySecret = ""
+)

certificate/dns.go

@@ -0,0 +1,151 @@
+// Copyright 2021 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package certificate
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/casbin/lego/v4/certificate"
+	"github.com/casbin/lego/v4/challenge/dns01"
+	"github.com/casbin/lego/v4/cmd"
+	"github.com/casbin/lego/v4/lego"
+	"github.com/casbin/lego/v4/providers/dns/alidns"
+	"github.com/casbin/lego/v4/providers/dns/godaddy"
+)
+
+type AliConf struct {
+	Domains       []string // The domain names for which you want to apply for a certificate
+	AccessKey     string   // Aliyun account's AccessKey, if this is not empty, Secret is required.
+	Secret        string
+	RAMRole       string // Use Ramrole to control aliyun account
+	SecurityToken string // Optional
+	Path          string // The path to store cert file
+	Timeout       int    // Maximum waiting time for certificate application, in minutes
+}
+
+type GodaddyConf struct {
+	Domains   []string // The domain names for which you want to apply for a certificate
+	APIKey    string   // GoDaddy account's API Key
+	APISecret string
+	Path      string // The path to store cert file
+	Timeout   int    // Maximum waiting time for certificate application, in minutes
+}
+
+// getCert Verify domain ownership, then obtain a certificate, and finally store it locally.
+// Need to pass in an AliConf struct, some parameters are required, other parameters can be left blank
+func getAliCert(client *lego.Client, conf AliConf) (string, string, error) {
+	if conf.Timeout <= 0 {
+		conf.Timeout = 3
+	}
+
+	config := alidns.NewDefaultConfig()
+	config.PropagationTimeout = time.Duration(conf.Timeout) * time.Minute
+	config.APIKey = conf.AccessKey
+	config.SecretKey = conf.Secret
+	config.RAMRole = conf.RAMRole
+	config.SecurityToken = conf.SecurityToken
+
+	dnsProvider, err := alidns.NewDNSProvider(config)
+	if err != nil {
+		return "", "", err
+	}
+
+	// Choose a local DNS service provider to increase the authentication speed
+	servers := []string{"223.5.5.5:53"}
+	err = client.Challenge.SetDNS01Provider(dnsProvider, dns01.CondOption(len(servers) > 0, dns01.AddRecursiveNameservers(dns01.ParseNameservers(servers))), dns01.DisableCompletePropagationRequirement())
+	if err != nil {
+		return "", "", err
+	}
+
+	// Obtain the certificate
+	request := certificate.ObtainRequest{
+		Domains: conf.Domains,
+		Bundle:  true,
+	}
+	cert, err := client.Certificate.Obtain(request)
+	if err != nil {
+		return "", "", err
+	}
+
+	return string(cert.Certificate), string(cert.PrivateKey), nil
+}
+
+func getGoDaddyCert(client *lego.Client, conf GodaddyConf) (string, string, error) {
+	if conf.Timeout <= 0 {
+		conf.Timeout = 3
+	}
+
+	config := godaddy.NewDefaultConfig()
+	config.PropagationTimeout = time.Duration(conf.Timeout) * time.Minute
+	config.PollingInterval = time.Duration(conf.Timeout) * time.Minute / 9
+	config.APIKey = conf.APIKey
+	config.APISecret = conf.APISecret
+
+	dnsProvider, err := godaddy.NewDNSProvider(config)
+	if err != nil {
+		return "", "", err
+	}
+
+	// Choose a local DNS service provider to increase the authentication speed
+	servers := []string{"223.5.5.5:53"}
+	err = client.Challenge.SetDNS01Provider(dnsProvider, dns01.CondOption(len(servers) > 0, dns01.AddRecursiveNameservers(dns01.ParseNameservers(servers))), dns01.DisableCompletePropagationRequirement())
+	if err != nil {
+		return "", "", err
+	}
+
+	// Obtain the certificate
+	request := certificate.ObtainRequest{
+		Domains: conf.Domains,
+		Bundle:  true,
+	}
+	cert, err := client.Certificate.Obtain(request)
+	if err != nil {
+		return "", "", err
+	}
+
+	return string(cert.Certificate), string(cert.PrivateKey), nil
+}
+
+func ObtainCertificateAli(client *lego.Client, domain string, accessKey string, accessSecret string) (string, string, error) {
+	conf := AliConf{
+		Domains:       []string{fmt.Sprintf("*.%s", domain), domain},
+		AccessKey:     accessKey,
+		Secret:        accessSecret,
+		RAMRole:       "",
+		SecurityToken: "",
+		Path:          "",
+		Timeout:       3,
+	}
+	return getAliCert(client, conf)
+}
+
+func ObtainCertificateGoDaddy(client *lego.Client, domain string, accessKey string, accessSecret string) (string, string, error) {
+	conf := GodaddyConf{
+		Domains:   []string{fmt.Sprintf("*.%s", domain), domain},
+		APIKey:    accessKey,
+		APISecret: accessSecret,
+		Path:      "",
+		Timeout:   3,
+	}
+	return getGoDaddyCert(client, conf)
+}
+
+func SaveCert(path, filename string, cert *certificate.Resource) {
+	// Store the certificate file locally
+	certsStorage := cmd.NewCertificatesStorageLib(path, filename, true)
+	certsStorage.CreateRootFolder()
+	certsStorage.SaveResource(cert)
+}

certificate/ecc.go

@@ -0,0 +1,55 @@
+// Copyright 2021 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package certificate
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+)
+
+// generateEccKey generates a public and private key pair.(NIST P-256)
+func generateEccKey() (*ecdsa.PrivateKey, error) {
+	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+}
+
+// encodeEccKey Return the input private key object as string type private key
+func encodeEccKey(privateKey *ecdsa.PrivateKey) (string, error) {
+	x509Encoded, err := x509.MarshalECPrivateKey(privateKey)
+	if err != nil {
+		return "", err
+	}
+
+	pemEncoded := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: x509Encoded})
+	return string(pemEncoded), nil
+}
+
+// decodeEccKey Return the entered private key string as a private key object that can be used
+func decodeEccKey(pemEncoded string) (*ecdsa.PrivateKey, error) {
+	block, _ := pem.Decode([]byte(pemEncoded))
+	if block == nil {
+		return nil, fmt.Errorf("invalid PEM-encoded EC private key")
+	}
+	x509Encoded := block.Bytes
+	privateKey, err := x509.ParseECPrivateKey(x509Encoded)
+	if err != nil {
+		return nil, err
+	}
+
+	return privateKey, nil
+}

certificate/ecc_test.go

@@ -0,0 +1,34 @@
+// Copyright 2021 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !skipCi
+// +build !skipCi
+
+package certificate
+
+import (
+	"testing"
+
+	"github.com/casdoor/casdoor/util"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGenerateEccKey(t *testing.T) {
+	eccKey, err := generateEccKey()
+	assert.Nil(t, err)
+	eccKeyStr, err := encodeEccKey(eccKey)
+	assert.Nil(t, err)
+	println(eccKeyStr)
+	util.WriteStringToPath(eccKeyStr, "acme_account.key")
+}

controllers/account.go

@@ -323,6 +323,17 @@ func (c *ApiController) Signup() {
 
 	// If OAuth parameters are present, generate OAuth code and return it
 	if clientId != "" && responseType == ResponseTypeCode {
+		consentRequired, err := object.CheckConsentRequired(user, application, scope)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if consentRequired {
+			c.ResponseOk(map[string]bool{"required": true})
+			return
+		}
+
 		code, err := object.GetOAuthCode(userId, clientId, "", "password", responseType, redirectUri, scope, state, nonce, codeChallenge, "", c.Ctx.Request.Host, c.GetAcceptLanguage())
 		if err != nil {
 			c.ResponseError(err.Error(), nil)
@@ -364,18 +375,11 @@ func (c *ApiController) Logout() {
 
 		c.ClearUserSession()
 		c.ClearTokenSession()
-		owner, username, err := util.GetOwnerAndNameFromIdWithError(user)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-		_, err = object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID(context.Background()))
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
 
-		util.LogInfo(c.Ctx, "API: [%s] logged out", user)
+		if err := c.deleteUserSession(user); err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 
 		application := c.GetSessionApplication()
 		if application == nil || application.Name == "app-built-in" || application.HomepageUrl == "" {
@@ -415,21 +419,13 @@ func (c *ApiController) Logout() {
 
 		c.ClearUserSession()
 		c.ClearTokenSession()
+
 		// TODO https://github.com/casdoor/casdoor/pull/1494#discussion_r1095675265
-		owner, username, err := util.GetOwnerAndNameFromIdWithError(user)
-		if err != nil {
+		if err := c.deleteUserSession(user); err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
 
-		_, err = object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID(context.Background()))
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		util.LogInfo(c.Ctx, "API: [%s] logged out", user)
-
 		if redirectUri == "" {
 			c.ResponseOk()
 			return
@@ -766,3 +762,24 @@ func (c *ApiController) GetCaptcha() {
 
 	c.ResponseOk(Captcha{Type: "none"})
 }
+
+func (c *ApiController) deleteUserSession(user string) error {
+	owner, username, err := util.GetOwnerAndNameFromIdWithError(user)
+	if err != nil {
+		return err
+	}
+
+	// Casdoor session ID derived from owner, username, and application
+	sessionId := util.GetSessionId(owner, username, object.CasdoorApplication)
+
+	// Explicitly get the Beego session ID from the context
+	beegoSessionId := c.Ctx.Input.CruSession.SessionID(context.Background())
+
+	_, err = object.DeleteSessionId(sessionId, beegoSessionId)
+	if err != nil {
+		return err
+	}
+
+	util.LogInfo(c.Ctx, "API: [%s] logged out", user)
+	return nil
+}

controllers/auth.go

@@ -167,6 +167,19 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 			c.ResponseError(c.T("auth:Challenge method should be S256"))
 			return
 		}
+
+		consentRequired, err := object.CheckConsentRequired(user, application, scope)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if consentRequired {
+			resp = &Response{Status: "ok", Data: map[string]bool{"required": true}}
+			resp.Data3 = user.NeedUpdatePassword
+			return
+		}
+
 		code, err := object.GetOAuthCode(userId, clientId, form.Provider, form.SigninMethod, responseType, redirectUri, scope, state, nonce, codeChallenge, resource, c.Ctx.Request.Host, c.GetAcceptLanguage())
 		if err != nil {
 			c.ResponseError(err.Error(), nil)
@@ -185,10 +198,14 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		} else {
 			scope := c.Ctx.Input.Query("scope")
 			nonce := c.Ctx.Input.Query("nonce")
-			token, _ := object.GetTokenByUser(application, user, scope, nonce, c.Ctx.Request.Host)
-			resp = tokenToResponse(token)
+			if !object.IsScopeValid(scope, application) {
+				resp = &Response{Status: "error", Msg: "error: invalid_scope", Data: ""}
+			} else {
+				token, _ := object.GetTokenByUser(application, user, scope, nonce, c.Ctx.Request.Host)
+				resp = tokenToResponse(token)
 
-			resp.Data3 = user.NeedUpdatePassword
+				resp.Data3 = user.NeedUpdatePassword
+			}
 		}
 	} else if form.Type == ResponseTypeDevice {
 		authCache, ok := object.DeviceAuthMap.LoadAndDelete(form.UserCode)
@@ -739,7 +756,11 @@ func (c *ApiController) Login() {
 			}
 		} else if provider.Category == "OAuth" || provider.Category == "Web3" {
 			// OAuth
-			idpInfo := object.FromProviderToIdpInfo(c.Ctx, provider)
+			idpInfo, err := object.FromProviderToIdpInfo(c.Ctx, provider)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
 			idpInfo.CodeVerifier = authForm.CodeVerifier
 			var idProvider idp.IdProvider
 			idProvider, err = idp.GetIdProvider(idpInfo, authForm.RedirectUri)
@@ -950,11 +971,13 @@ func (c *ApiController) Login() {
 						RegisterSource:    fmt.Sprintf("%s/%s", application.Organization, application.Name),
 					}
 
-					// Set group from invitation code if available, otherwise use provider's signup group
+					// Set group from invitation code if available, otherwise use provider's signup group or application's default group
 					if invitation != nil && invitation.SignupGroup != "" {
 						user.Groups = []string{invitation.SignupGroup}
 					} else if providerItem.SignupGroup != "" {
 						user.Groups = []string{providerItem.SignupGroup}
+					} else if application.DefaultGroup != "" {
+						user.Groups = []string{application.DefaultGroup}
 					}
 
 					var affected bool

controllers/cert.go

@@ -183,3 +183,40 @@ func (c *ApiController) DeleteCert() {
 	c.Data["json"] = wrapActionResponse(object.DeleteCert(&cert))
 	c.ServeJSON()
 }
+
+// UpdateCertDomainExpire
+// @Title UpdateCertDomainExpire
+// @Tag Cert API
+// @Description update cert domain expire time
+// @Param   id     query   string  true        "The ID of the cert"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-cert-domain-expire [post]
+func (c *ApiController) UpdateCertDomainExpire() {
+	if _, ok := c.RequireSignedIn(); !ok {
+		return
+	}
+
+	id := c.Ctx.Input.Query("id")
+	cert, err := object.GetCert(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	domainExpireTime, err := object.GetDomainExpireTime(cert.Name)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if domainExpireTime == "" {
+		c.ResponseError("Failed to determine domain expiration time for domain " + cert.Name +
+			". Please verify that the domain is valid, publicly resolvable, and has a retrievable expiration date, " +
+			"or update the domain expiration time manually.")
+		return
+	}
+	cert.DomainExpireTime = domainExpireTime
+
+	c.Data["json"] = wrapActionResponse(object.UpdateCert(id, cert))
+	c.ServeJSON()
+}

controllers/consent.go

@@ -0,0 +1,226 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/casdoor/casdoor/object"
+)
+
+// RevokeConsent revokes a consent record
+// @Title RevokeConsent
+// @Tag Consent API
+// @Description revoke a consent record
+// @Param body body object.ConsentRecord true "The consent object"
+// @Success 200 {object} controllers.Response The Response object
+// @router /revoke-consent [post]
+func (c *ApiController) RevokeConsent() {
+	userId := c.GetSessionUsername()
+	if userId == "" {
+		c.ResponseError(c.T("general:Please login first"))
+		return
+	}
+
+	var consent object.ConsentRecord
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &consent)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Validate that consent.Application is not empty
+	if consent.Application == "" {
+		c.ResponseError(c.T("general:Application cannot be empty"))
+		return
+	}
+
+	// Validate that GrantedScopes is not empty when scope-specific revoke is requested
+	if len(consent.GrantedScopes) == 0 {
+		c.ResponseError(c.T("general:Granted scopes cannot be empty"))
+		return
+	}
+
+	userObj, err := object.GetUser(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if userObj == nil {
+		c.ResponseError(c.T("general:The user doesn't exist"))
+		return
+	}
+
+	newScopes := []object.ConsentRecord{}
+	for _, record := range userObj.ApplicationScopes {
+		if record.Application != consent.Application {
+			// skip other applications
+			newScopes = append(newScopes, record)
+			continue
+		}
+		// revoke specified scopes
+		revokeSet := make(map[string]bool)
+		for _, s := range consent.GrantedScopes {
+			revokeSet[s] = true
+		}
+		remaining := []string{}
+		for _, s := range record.GrantedScopes {
+			if !revokeSet[s] {
+				remaining = append(remaining, s)
+			}
+		}
+		if len(remaining) > 0 {
+			// still have remaining scopes, keep the record and update
+			record.GrantedScopes = remaining
+			newScopes = append(newScopes, record)
+		}
+		// otherwise the application authorization is revoked, delete the whole record
+	}
+	userObj.ApplicationScopes = newScopes
+	success, err := object.UpdateUser(userObj.GetId(), userObj, nil, false)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.ResponseOk(success)
+}
+
+// GrantConsent grants consent for an OAuth application and returns authorization code
+// @Title GrantConsent
+// @Tag Consent API
+// @Description grant consent for an OAuth application and get authorization code
+// @Param body body object.ConsentRecord true "The consent object with OAuth parameters"
+// @Success 200 {object} controllers.Response The Response object
+// @router /grant-consent [post]
+func (c *ApiController) GrantConsent() {
+	userId := c.GetSessionUsername()
+	if userId == "" {
+		c.ResponseError(c.T("general:Please login first"))
+		return
+	}
+
+	var request struct {
+		Application  string   `json:"application"`
+		Scopes       []string `json:"grantedScopes"`
+		ClientId     string   `json:"clientId"`
+		Provider     string   `json:"provider"`
+		SigninMethod string   `json:"signinMethod"`
+		ResponseType string   `json:"responseType"`
+		RedirectUri  string   `json:"redirectUri"`
+		Scope        string   `json:"scope"`
+		State        string   `json:"state"`
+		Nonce        string   `json:"nonce"`
+		Challenge    string   `json:"challenge"`
+		Resource     string   `json:"resource"`
+	}
+
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &request)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Validate application by clientId
+	application, err := object.GetApplicationByClientId(request.ClientId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if application == nil {
+		c.ResponseError(c.T("general:Invalid client_id"))
+		return
+	}
+
+	// Verify that request.Application matches the application's actual ID
+	if request.Application != application.GetId() {
+		c.ResponseError(c.T("general:Invalid application"))
+		return
+	}
+
+	// Update user's ApplicationScopes
+	userObj, err := object.GetUser(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if userObj == nil {
+		c.ResponseError(c.T("general:User not found"))
+		return
+	}
+
+	appId := application.GetId()
+	found := false
+	// Insert new scope into existing applicationScopes
+	for i, record := range userObj.ApplicationScopes {
+		if record.Application == appId {
+			existing := make(map[string]bool)
+			for _, s := range userObj.ApplicationScopes[i].GrantedScopes {
+				existing[s] = true
+			}
+			for _, s := range request.Scopes {
+				if !existing[s] {
+					userObj.ApplicationScopes[i].GrantedScopes = append(userObj.ApplicationScopes[i].GrantedScopes, s)
+					existing[s] = true
+				}
+			}
+			found = true
+			break
+		}
+	}
+	// create a new applicationScopes if not found
+	if !found {
+		uniqueScopes := []string{}
+		existing := make(map[string]bool)
+		for _, s := range request.Scopes {
+			if !existing[s] {
+				uniqueScopes = append(uniqueScopes, s)
+				existing[s] = true
+			}
+		}
+		userObj.ApplicationScopes = append(userObj.ApplicationScopes, object.ConsentRecord{
+			Application:   appId,
+			GrantedScopes: uniqueScopes,
+		})
+	}
+
+	_, err = object.UpdateUser(userObj.GetId(), userObj, []string{"application_scopes"}, false)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Now get the OAuth code
+	code, err := object.GetOAuthCode(
+		userId,
+		request.ClientId,
+		request.Provider,
+		request.SigninMethod,
+		request.ResponseType,
+		request.RedirectUri,
+		request.Scope,
+		request.State,
+		request.Nonce,
+		request.Challenge,
+		request.Resource,
+		c.Ctx.Request.Host,
+		c.GetAcceptLanguage(),
+	)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(code.Code)
+}

controllers/token.go

@@ -162,6 +162,9 @@ func (c *ApiController) DeleteToken() {
 func (c *ApiController) GetOAuthToken() {
 	clientId := c.Ctx.Input.Query("client_id")
 	clientSecret := c.Ctx.Input.Query("client_secret")
+	assertion := c.Ctx.Input.Query("assertion")
+	clientAssertion := c.Ctx.Input.Query("client_assertion")
+	clientAssertionType := c.Ctx.Input.Query("client_assertion_type")
 	grantType := c.Ctx.Input.Query("grant_type")
 	code := c.Ctx.Input.Query("code")
 	verifier := c.Ctx.Input.Query("code_verifier")
@@ -193,6 +196,12 @@ func (c *ApiController) GetOAuthToken() {
 			if clientSecret == "" {
 				clientSecret = tokenRequest.ClientSecret
 			}
+			if clientAssertion == "" {
+				clientAssertion = tokenRequest.ClientAssertion
+			}
+			if clientAssertionType == "" {
+				clientAssertionType = tokenRequest.ClientAssertionType
+			}
 			if grantType == "" {
 				grantType = tokenRequest.GrantType
 			}
@@ -235,9 +244,13 @@ func (c *ApiController) GetOAuthToken() {
 			if resource == "" {
 				resource = tokenRequest.Resource
 			}
+			if assertion == "" {
+				assertion = tokenRequest.Assertion
+			}
 		}
 	}
 
+	host := c.Ctx.Request.Host
 	if deviceCode != "" {
 		deviceAuthCache, ok := object.DeviceAuthMap.Load(deviceCode)
 		if !ok {
@@ -278,8 +291,7 @@ func (c *ApiController) GetOAuthToken() {
 		username = deviceAuthCacheCast.UserName
 	}
 
-	host := c.Ctx.Request.Host
-	token, err := object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, nonce, username, password, host, refreshToken, tag, avatar, c.GetAcceptLanguage(), subjectToken, subjectTokenType, audience, resource)
+	token, err := object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, nonce, username, password, host, refreshToken, tag, avatar, c.GetAcceptLanguage(), subjectToken, subjectTokenType, assertion, clientAssertion, clientAssertionType, audience, resource)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@@ -323,7 +335,12 @@ func (c *ApiController) RefreshToken() {
 		}
 	}
 
-	refreshToken2, err := object.RefreshToken(grantType, refreshToken, scope, clientId, clientSecret, host)
+	ok, application, clientId, _, err := c.ValidateOAuth(true)
+	if err != nil || !ok {
+		return
+	}
+
+	refreshToken2, err := object.RefreshToken(application, grantType, refreshToken, scope, clientId, clientSecret, host)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@@ -334,14 +351,79 @@ func (c *ApiController) RefreshToken() {
 	c.ServeJSON()
 }
 
-func (c *ApiController) ResponseTokenError(errorMsg string) {
+func (c *ApiController) ResponseTokenError(errorMsg string, errorDescription string) {
 	c.Data["json"] = &object.TokenError{
-		Error: errorMsg,
+		Error:            errorMsg,
+		ErrorDescription: errorDescription,
 	}
 	c.SetTokenErrorHttpStatus()
 	c.ServeJSON()
 }
 
+func (c *ApiController) ValidateOAuth(ignoreValidSecret bool) (ok bool, application *object.Application, clientId, clientSecret string, err error) {
+	reqClientId := c.Ctx.Input.Query("client_id")
+	reqClientSecret := c.Ctx.Input.Query("client_secret")
+	clientAssertion := c.Ctx.Input.Query("client_assertion")
+	clientAssertionType := c.Ctx.Input.Query("client_assertion_type")
+
+	if reqClientId == "" && clientAssertionType == "" {
+		var tokenRequest TokenRequest
+		if err := json.Unmarshal(c.Ctx.Input.RequestBody, &tokenRequest); err == nil {
+			reqClientId = tokenRequest.ClientId
+			reqClientSecret = tokenRequest.ClientSecret
+			clientAssertion = tokenRequest.ClientAssertion
+			clientAssertionType = tokenRequest.ClientAssertionType
+		}
+	}
+
+	if clientAssertionType == "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" {
+		ok, application, err = object.ValidateClientAssertion(clientAssertion, c.Ctx.Request.Host)
+		if err != nil {
+			c.ResponseTokenError(object.InvalidClient, err.Error())
+			return
+		}
+
+		if !ok || application == nil {
+			c.ResponseTokenError(object.InvalidClient, "client_assertion is invalid")
+			return
+		}
+
+		clientSecret = application.ClientSecret
+		clientId = application.ClientId
+		ok = true
+		return
+	}
+
+	if reqClientId == "" && reqClientSecret == "" {
+		clientId, clientSecret, ok = c.Ctx.Request.BasicAuth()
+		if !ok {
+			clientId = c.Ctx.Input.Query("client_id")
+			clientSecret = c.Ctx.Input.Query("client_secret")
+			if clientId == "" || clientSecret == "" {
+				c.ResponseTokenError(object.InvalidRequest, "")
+				return
+			}
+		}
+	} else {
+		clientId = reqClientId
+		clientSecret = reqClientSecret
+	}
+
+	application, err = object.GetApplicationByClientId(clientId)
+	if err != nil {
+		c.ResponseTokenError(object.InvalidClient, err.Error())
+		return
+	}
+
+	if application == nil || (application.ClientSecret != clientSecret && !ignoreValidSecret) {
+		c.ResponseTokenError(object.InvalidClient, c.T("token:Invalid application or wrong clientSecret"))
+		return
+	}
+
+	ok = true
+	return
+}
+
 // IntrospectToken
 // @Title IntrospectToken
 // @Tag Login API
@@ -349,7 +431,7 @@ func (c *ApiController) ResponseTokenError(errorMsg string) {
 // parameter representing an OAuth 2.0 token and returns a JSON document
 // representing the meta information surrounding the
 // token, including whether this token is currently active.
-// This endpoint only support Basic Authorization.
+// This endpoint support Basic Authorization and authorization defined in RFC 7523.
 //
 // @Param token formData string true "access_token's value or refresh_token's value"
 // @Param token_type_hint formData string true "the token type access_token or refresh_token"
@@ -359,24 +441,9 @@ func (c *ApiController) ResponseTokenError(errorMsg string) {
 // @router /login/oauth/introspect [post]
 func (c *ApiController) IntrospectToken() {
 	tokenValue := c.Ctx.Input.Query("token")
-	clientId, clientSecret, ok := c.Ctx.Request.BasicAuth()
-	if !ok {
-		clientId = c.Ctx.Input.Query("client_id")
-		clientSecret = c.Ctx.Input.Query("client_secret")
-		if clientId == "" || clientSecret == "" {
-			c.ResponseTokenError(object.InvalidRequest)
-			return
-		}
-	}
 
-	application, err := object.GetApplicationByClientId(clientId)
-	if err != nil {
-		c.ResponseTokenError(err.Error())
-		return
-	}
-
-	if application == nil || application.ClientSecret != clientSecret {
-		c.ResponseTokenError(c.T("token:Invalid application or wrong clientSecret"))
+	ok, application, clientId, _, err := c.ValidateOAuth(false)
+	if err != nil || !ok {
 		return
 	}
 
@@ -390,7 +457,7 @@ func (c *ApiController) IntrospectToken() {
 	if tokenTypeHint != "" {
 		token, err = object.GetTokenByTokenValue(tokenValue, tokenTypeHint)
 		if err != nil {
-			c.ResponseTokenError(err.Error())
+			c.ResponseTokenError(object.InvalidRequest, err.Error())
 			return
 		}
 		if token == nil || token.ExpiresIn <= 0 {
@@ -467,7 +534,7 @@ func (c *ApiController) IntrospectToken() {
 	if tokenTypeHint == "" {
 		token, err = object.GetTokenByTokenValue(tokenValue, introspectionResponse.TokenType)
 		if err != nil {
-			c.ResponseTokenError(err.Error())
+			c.ResponseTokenError(object.InvalidRequest, err.Error())
 			return
 		}
 		if token == nil || token.ExpiresIn <= 0 {
@@ -479,7 +546,7 @@ func (c *ApiController) IntrospectToken() {
 	if token != nil {
 		application, err = object.GetApplication(fmt.Sprintf("%s/%s", token.Owner, token.Application))
 		if err != nil {
-			c.ResponseTokenError(err.Error())
+			c.ResponseTokenError(object.InvalidClient, err.Error())
 			return
 		}
 		if application == nil {

controllers/types.go

@@ -15,20 +15,23 @@
 package controllers
 
 type TokenRequest struct {
-	ClientId         string `json:"client_id"`
-	ClientSecret     string `json:"client_secret"`
-	GrantType        string `json:"grant_type"`
-	Code             string `json:"code"`
-	Verifier         string `json:"code_verifier"`
-	Scope            string `json:"scope"`
-	Nonce            string `json:"nonce"`
-	Username         string `json:"username"`
-	Password         string `json:"password"`
-	Tag              string `json:"tag"`
-	Avatar           string `json:"avatar"`
-	RefreshToken     string `json:"refresh_token"`
-	SubjectToken     string `json:"subject_token"`
-	SubjectTokenType string `json:"subject_token_type"`
-	Audience         string `json:"audience"`
-	Resource         string `json:"resource"` // RFC 8707 Resource Indicator
+	Assertion           string `json:"assertion"`
+	ClientId            string `json:"client_id"`
+	ClientSecret        string `json:"client_secret"`
+	ClientAssertion     string `json:"client_assertion"`
+	ClientAssertionType string `json:"client_assertion_type"`
+	GrantType           string `json:"grant_type"`
+	Code                string `json:"code"`
+	Verifier            string `json:"code_verifier"`
+	Scope               string `json:"scope"`
+	Nonce               string `json:"nonce"`
+	Username            string `json:"username"`
+	Password            string `json:"password"`
+	Tag                 string `json:"tag"`
+	Avatar              string `json:"avatar"`
+	RefreshToken        string `json:"refresh_token"`
+	SubjectToken        string `json:"subject_token"`
+	SubjectTokenType    string `json:"subject_token_type"`
+	Audience            string `json:"audience"`
+	Resource            string `json:"resource"` // RFC 8707 Resource Indicator
 }

email/provider.go

@@ -19,13 +19,16 @@ type EmailProvider interface {
 }
 
 func GetEmailProvider(typ string, clientId string, clientSecret string, host string, port int, sslMode string, endpoint string, method string, httpHeaders map[string]string, bodyMapping map[string]string, contentType string, enableProxy bool) EmailProvider {
-	if typ == "Azure ACS" {
+	switch typ {
+	case "Azure ACS":
 		return NewAzureACSEmailProvider(clientSecret, host)
-	} else if typ == "Custom HTTP Email" {
+	case "Custom HTTP Email":
 		return NewHttpEmailProvider(endpoint, method, httpHeaders, bodyMapping, contentType)
-	} else if typ == "SendGrid" {
+	case "SendGrid":
 		return NewSendgridEmailProvider(clientSecret, host, endpoint)
-	} else {
+	case "Resend":
+		return NewResendEmailProvider(clientSecret)
+	default:
 		return NewSmtpEmailProvider(clientId, clientSecret, host, port, typ, sslMode, enableProxy)
 	}
 }

email/resend.go

@@ -0,0 +1,48 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package email
+
+import (
+	"fmt"
+
+	"github.com/resend/resend-go/v3"
+)
+
+type ResendEmailProvider struct {
+	Client *resend.Client
+}
+
+func NewResendEmailProvider(apiKey string) *ResendEmailProvider {
+	client := resend.NewClient(apiKey)
+	client.UserAgent += " Casdoor"
+	return &ResendEmailProvider{Client: client}
+}
+
+func (s *ResendEmailProvider) Send(fromAddress string, fromName string, toAddresses []string, subject string, content string) error {
+	from := fromAddress
+	if fromName != "" {
+		from = fmt.Sprintf("%s <%s>", fromName, fromAddress)
+	}
+	params := &resend.SendEmailRequest{
+		From:    from,
+		To:      toAddresses,
+		Subject: subject,
+		Html:    content,
+	}
+	if _, err := s.Client.Emails.Send(params); err != nil {
+		return err
+	}
+	return nil
+}

go.mod

@@ -22,6 +22,7 @@ require (
 	github.com/beego/beego/v2 v2.3.8
 	github.com/beevik/etree v1.1.0
 	github.com/casbin/casbin/v2 v2.77.2
+	github.com/casbin/lego/v4 v4.5.4
 	github.com/casdoor/go-sms-sender v0.25.0
 	github.com/casdoor/gomail/v2 v2.2.0
 	github.com/casdoor/ldapserver v1.2.0
@@ -47,6 +48,8 @@ require (
 	github.com/json-iterator/go v1.1.12
 	github.com/lestrrat-go/jwx v1.2.29
 	github.com/lib/pq v1.10.9
+	github.com/likexian/whois v1.15.1
+	github.com/likexian/whois-parser v1.24.9
 	github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3
 	github.com/markbates/goth v1.82.0
 	github.com/microsoft/go-mssqldb v1.9.0
@@ -57,6 +60,7 @@ require (
 	github.com/prometheus/client_golang v1.19.0
 	github.com/prometheus/client_model v0.6.0
 	github.com/qiangmzsx/string-adapter/v2 v2.1.0
+	github.com/resend/resend-go/v3 v3.1.0
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/russellhaering/gosaml2 v0.9.0
 	github.com/russellhaering/goxmldsig v1.2.0
@@ -129,6 +133,7 @@ require (
 	github.com/clbanning/mxj/v2 v2.7.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
 	github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
 	github.com/cschomburg/go-pushbullet v0.0.0-20171206132031-67759df45fbb // indirect
 	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -188,6 +193,7 @@ require (
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/likexian/gokit v0.25.13 // indirect
 	github.com/line/line-bot-sdk-go v7.8.0+incompatible // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/markbates/going v1.0.0 // indirect
@@ -195,6 +201,7 @@ require (
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-ieproxy v0.0.1 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/miekg/dns v1.1.43 // indirect
 	github.com/mileusna/viber v1.0.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -211,14 +218,17 @@ require (
 	github.com/prometheus/common v0.48.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/qiniu/go-sdk/v7 v7.12.1 // indirect
+	github.com/rainycape/memcache v0.0.0-20150622160815-1031fa0ce2f2 // indirect
 	github.com/redis/go-redis/v9 v9.5.5 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
 	github.com/rs/zerolog v1.33.0 // indirect
+	github.com/russross/blackfriday/v2 v2.0.1 // indirect
 	github.com/scim2/filter-parser/v2 v2.2.0 // indirect
 	github.com/sendgrid/rest v2.6.9+incompatible // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/shiena/ansicolor v0.0.0-20200904210342-c7312218db18 // indirect
 	github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24 // indirect
+	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 	github.com/siddontang/go v0.0.0-20180604090527-bdc77568d726 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
@@ -238,6 +248,7 @@ require (
 	github.com/tklauser/numcpus v0.10.0 // indirect
 	github.com/twilio/twilio-go v1.13.0 // indirect
 	github.com/ucloud/ucloud-sdk-go v0.22.5 // indirect
+	github.com/urfave/cli v1.22.5 // indirect
 	github.com/utahta/go-linenotify v0.5.0 // indirect
 	github.com/volcengine/volc-sdk-golang v1.0.117 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
@@ -272,6 +283,7 @@ require (
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/uint128 v1.2.0 // indirect

go.sum

@@ -778,6 +778,7 @@ github.com/alibabacloud-go/tea-xml v1.1.1/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCE
 github.com/alibabacloud-go/tea-xml v1.1.2/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=
 github.com/alibabacloud-go/tea-xml v1.1.3 h1:7LYnm+JbOq2B+T/B0fHC4Ies4/FofC4zHzYtqw7dgt0=
 github.com/alibabacloud-go/tea-xml v1.1.3/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=
+github.com/aliyun/alibaba-cloud-sdk-go v1.61.1183/go.mod h1:pUKYbK5JQ+1Dfxk80P0qxGqe5dkxDoabbZS7zOcouyA=
 github.com/aliyun/alibaba-cloud-sdk-go v1.63.107 h1:qagvUyrgOnBIlVRQWOyCZGVKUIYbMBdGdJ104vBpRFU=
 github.com/aliyun/alibaba-cloud-sdk-go v1.63.107/go.mod h1:SOSDHfe1kX91v3W5QiBsWSLqeLxImobbMX1mxrFHsVQ=
 github.com/aliyun/aliyun-oss-go-sdk v2.2.2+incompatible h1:9gWa46nstkJ9miBReJcN8Gq34cBFbzSpQZVVT9N09TM=
@@ -850,6 +851,8 @@ github.com/casbin/casbin/v2 v2.28.3/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRt
 github.com/casbin/casbin/v2 v2.37.0/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRtgrQfcJqHg=
 github.com/casbin/casbin/v2 v2.77.2 h1:yQinn/w9x8AswiwqwtrXz93VU48R1aYTXdHEx4RI3jM=
 github.com/casbin/casbin/v2 v2.77.2/go.mod h1:mzGx0hYW9/ksOSpw3wNjk3NRAroq5VMFYUQ6G43iGPk=
+github.com/casbin/lego/v4 v4.5.4 h1:WdVEj1A5KmKZheNuFNLF/5+UUkpXLt9mEOrLX3E81Vo=
+github.com/casbin/lego/v4 v4.5.4/go.mod h1:JjTyJgN5pyrDPcg3+aAM1NtFQIXl8zDgsoSS1TnVpJ8=
 github.com/casdoor/casdoor-go-sdk v0.50.0 h1:bUYbz/MzJuWfLKJbJM0+U0YpYewAur+THp5TKnufWZM=
 github.com/casdoor/casdoor-go-sdk v0.50.0/go.mod h1:cMnkCQJgMYpgAlgEx8reSt1AVaDIQLcJ1zk5pzBaz+4=
 github.com/casdoor/go-sms-sender v0.25.0 h1:eF4cOCSbjVg7+0uLlJQnna/FQ0BWW+Fp/x4cXhzQu1Y=
@@ -911,6 +914,8 @@ github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM=
+github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cschomburg/go-pushbullet v0.0.0-20171206132031-67759df45fbb h1:7X9nrm+LNWdxzQOiCjy0G51rNUxbH35IDHCjAMvogyM=
 github.com/cschomburg/go-pushbullet v0.0.0-20171206132031-67759df45fbb/go.mod h1:RfQ9wji3fjcSEsQ+uFCtIh3+BXgcZum8Kt3JxvzYzlk=
@@ -1308,6 +1313,7 @@ github.com/jcmturner/gokrb5/v8 v8.4.2/go.mod h1:sb+Xq/fTY5yktf/VxLsE3wlfPqQjp0aW
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jinzhu/configor v1.2.1 h1:OKk9dsR8i6HPOCZR8BcMtcEImAFjIhbJFZNyn5GCZko=
 github.com/jinzhu/configor v1.2.1/go.mod h1:nX89/MOmDba7ZX7GCyU/VIaQ2Ar2aizBl2d3JLF/rDc=
+github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
@@ -1321,7 +1327,9 @@ github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUB
 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible h1:jdpOPRN1zP63Td1hDQbZW73xKmzDvZHzVdNYxhnTMDA=
 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible/go.mod h1:1c7szIrayyPPB/987hsnvNzLushdWf4o/79s3P08L8A=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
+github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -1390,6 +1398,12 @@ github.com/lib/pq v1.7.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/likexian/gokit v0.25.13 h1:p2Uw3+6fGG53CwdU2Dz0T6bOycdb2+bAFAa3ymwWVkM=
+github.com/likexian/gokit v0.25.13/go.mod h1:qQhEWFBEfqLCO3/vOEo2EDKd+EycekVtUK4tex+l2H4=
+github.com/likexian/whois v1.15.1 h1:6vTMI8n9s1eJdmcO4R9h1x99aQWIZZX1CD3am68gApU=
+github.com/likexian/whois v1.15.1/go.mod h1:/nxmQ6YXvLz+qTxC/QFtEJNAt0zLuRxJrKiWpBJX8X0=
+github.com/likexian/whois-parser v1.24.9 h1:BT6fzO3lj3F07yzVv0YXoaj+K4Ush0/cF+Yp6tvJJgk=
+github.com/likexian/whois-parser v1.24.9/go.mod h1:b6STMHHDaSKbd4PzGrP50wWE5NzeBUETa/hT9gI0G9I=
 github.com/line/line-bot-sdk-go v7.8.0+incompatible h1:Uf9/OxV0zCVfqyvwZPH8CrdiHXXmMRa/L91G3btQblQ=
 github.com/line/line-bot-sdk-go v7.8.0+incompatible/go.mod h1:0RjLjJEAU/3GIcHkC3av6O4jInAbt25nnZVmOFUgDBg=
 github.com/localtunnel/go-localtunnel v0.0.0-20170326223115-8a804488f275 h1:IZycmTpoUtQK3PD60UYBwjaCUHUP7cML494ao9/O8+Q=
@@ -1434,6 +1448,7 @@ github.com/microsoft/go-mssqldb v1.9.0 h1:5Vq+u2f4LDujJNeZn62Z4kBDEC9MjLv0ukRzOu
 github.com/microsoft/go-mssqldb v1.9.0/go.mod h1:GBbW9ASTiDC+mpgWDGKdm3FnFLTUsLYN3iFL90lQ+PA=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
+github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg=
 github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
 github.com/mileusna/viber v1.0.1 h1:gWB6/lKoWYVxkH0Jb8jRnGIRZ/9DEM7RBZRJHRfdYWs=
 github.com/mileusna/viber v1.0.1/go.mod h1:Pxu/iPMnYjnHgu+bEp3SiKWHWmlf/kDp/yOX8XUdYrQ=
@@ -1572,12 +1587,16 @@ github.com/qiniu/dyn v1.3.0/go.mod h1:E8oERcm8TtwJiZvkQPbcAh0RL8jO1G0VXJMW3FAWdk
 github.com/qiniu/go-sdk/v7 v7.12.1 h1:FZG5dhs2MZBV/mHVhmHnsgsQ+j1gSE0RqIoA2WwEDwY=
 github.com/qiniu/go-sdk/v7 v7.12.1/go.mod h1:btsaOc8CA3hdVloULfFdDgDc+g4f3TDZEFsDY0BLE+w=
 github.com/qiniu/x v1.10.5/go.mod h1:03Ni9tj+N2h2aKnAz+6N0Xfl8FwMEDRC2PAlxekASDs=
+github.com/rainycape/memcache v0.0.0-20150622160815-1031fa0ce2f2 h1:dq90+d51/hQRaHEqRAsQ1rE/pC1GUS4sc2rCbbFsAIY=
+github.com/rainycape/memcache v0.0.0-20150622160815-1031fa0ce2f2/go.mod h1:7tZKcyumwBO6qip7RNQ5r77yrssm9bfCowcLEBcU5IA=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/redis/go-redis/v9 v9.5.5 h1:51VEyMF8eOO+NUHFm8fpg+IOc1xFuFOhxs3R+kPu1FM=
 github.com/redis/go-redis/v9 v9.5.5/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 h1:OdAsTTz6OkFY5QxjkYwrChwuRruF69c169dPK26NUlk=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/resend/resend-go/v3 v3.1.0 h1:bJpU5gYCDcczLdhCo37oy9mOmdtSVlOzM6IfWX9zhMw=
+github.com/resend/resend-go/v3 v3.1.0/go.mod h1:iI7VA0NoGjWvsNii5iNC5Dy0llsI3HncXPejhniYzwE=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
@@ -1595,6 +1614,7 @@ github.com/russellhaering/gosaml2 v0.9.0 h1:CNMnH42z/GirrKjdmNrSS6bAAs47F9bPdl4P
 github.com/russellhaering/gosaml2 v0.9.0/go.mod h1:byViER/1YPUa0Puj9ROZblpoq2jsE7h/CJmitzX0geU=
 github.com/russellhaering/goxmldsig v1.2.0 h1:Y6GTTc9Un5hCxSzVz4UIWQ/zuVwDvzJk80guqzwx6Vg=
 github.com/russellhaering/goxmldsig v1.2.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
+github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w=
 github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk=
@@ -1616,6 +1636,7 @@ github.com/shirou/gopsutil/v4 v4.25.9 h1:JImNpf6gCVhKgZhtaAHJ0serfFGtlfIlSC08eaK
 github.com/shirou/gopsutil/v4 v4.25.9/go.mod h1:gxIxoC+7nQRwUl/xNhutXlD8lq+jxTgpIkEf3rADHL8=
 github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24 h1:pntxY8Ary0t43dCZ5dqY4YTJCObLY1kIXl0uzMv+7DE=
 github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
+github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/siddontang/go v0.0.0-20180604090527-bdc77568d726 h1:xT+JlYxNGqyT+XcU8iUrN18JYed2TvG9yN5ULG2jATM=
 github.com/siddontang/go v0.0.0-20180604090527-bdc77568d726/go.mod h1:3yhqj7WBBfRhbBlzyOC3gUxftwsU0u8gqevxwIHQpMw=
@@ -1636,7 +1657,9 @@ github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQ
 github.com/slack-go/slack v0.15.0 h1:LE2lj2y9vqqiOf+qIIy0GvEoxgF1N5yLGZffmEZykt0=
 github.com/slack-go/slack v0.15.0/go.mod h1:hlGi5oXA+Gt+yWTPP0plCdRKmjsDxecdHxYQdlMQKOw=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
+github.com/smartystreets/assertions v1.0.1/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/assertions v1.1.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=
+github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
 github.com/sony/sonyflake v1.0.0 h1:MpU6Ro7tfXwgn2l5eluf9xQvQJDROTBImNCfRXn/YeM=
@@ -1653,6 +1676,7 @@ github.com/streadway/handy v0.0.0-20200128134331-0f66f006fb2e/go.mod h1:qNTQ5P5J
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
+github.com/stretchr/objx v0.3.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
@@ -1712,6 +1736,8 @@ github.com/uber/jaeger-lib v2.4.1+incompatible h1:td4jdvLcExb4cBISKIpHuGoVXh+dVK
 github.com/uber/jaeger-lib v2.4.1+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U=
 github.com/ucloud/ucloud-sdk-go v0.22.5 h1:GIltVwMDUqQj4iPL/emsZAMhEYWjLTwZqpOxdkdDrM8=
 github.com/ucloud/ucloud-sdk-go v0.22.5/go.mod h1:dyLmFHmUfgb4RZKYQP9IArlvQ2pxzFthfhwxRzOEPIw=
+github.com/urfave/cli v1.22.5 h1:lNq9sAHXK2qfdI8W+GRItjCEkI+2oR4d+MEHy1CKXoU=
+github.com/urfave/cli v1.22.5/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
 github.com/utahta/go-linenotify v0.5.0 h1:E1tJaB/XhqRY/iz203FD0MaHm10DjQPOq5/Mem2A3Gs=
 github.com/utahta/go-linenotify v0.5.0/go.mod h1:KsvBXil2wx+ByaCR0e+IZKTbp4pDesc7yjzRigLf6pE=
@@ -2632,13 +2658,17 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
+gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.66.6/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
+gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
+gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=

i18n/locales/de/data.json

@@ -106,8 +106,8 @@
   "general": {
     "Failed to import groups": "Gruppen importieren fehlgeschlagen",
     "Failed to import users": "Fehler beim Importieren von Benutzern",
-    "Insufficient balance: new balance %v would be below credit limit %v": "Unzureichendes Guthaben: neues Guthaben %v wäre unter dem Kreditlimit %v",
-    "Insufficient balance: new organization balance %v would be below credit limit %v": "Unzureichendes Guthaben: neues Organisationsguthaben %v wäre unter dem Kreditlimit %v",
+    "Insufficient balance: new balance %v would exceed the credit limit %v": "Unzureichendes Guthaben: neues Guthaben %v würde das Kreditlimit %v überschreiten",
+    "Insufficient balance: new organization balance %v would exceed the credit limit %v": "Unzureichendes Guthaben: neues Organisationsguthaben %v würde das Kreditlimit %v überschreiten",
     "Missing parameter": "Fehlender Parameter",
     "Only admin user can specify user": "Nur Administrator kann Benutzer angeben",
     "Please login first": "Bitte zuerst einloggen",

i18n/locales/en/data.json

@@ -106,8 +106,8 @@
   "general": {
     "Failed to import groups": "Failed to import groups",
     "Failed to import users": "Failed to import users",
-    "Insufficient balance: new balance %v would be below credit limit %v": "Insufficient balance: new balance %v would be below credit limit %v",
-    "Insufficient balance: new organization balance %v would be below credit limit %v": "Insufficient balance: new organization balance %v would be below credit limit %v",
+    "Insufficient balance: new balance %v would exceed the credit limit %v": "Insufficient balance: new balance %v would exceed the credit limit %v",
+    "Insufficient balance: new organization balance %v would exceed the credit limit %v": "Insufficient balance: new organization balance %v would exceed the credit limit %v",
     "Missing parameter": "Missing parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Please login first",

i18n/locales/es/data.json

@@ -106,8 +106,8 @@
   "general": {
     "Failed to import groups": "Error al importar grupos",
     "Failed to import users": "Error al importar usuarios",
-    "Insufficient balance: new balance %v would be below credit limit %v": "Saldo insuficiente: el nuevo saldo %v estaría por debajo del límite de crédito %v",
-    "Insufficient balance: new organization balance %v would be below credit limit %v": "Saldo insuficiente: el nuevo saldo de la organización %v estaría por debajo del límite de crédito %v",
+    "Insufficient balance: new balance %v would exceed the credit limit %v": "Saldo insuficiente: el nuevo saldo %v excedería el límite de crédito %v",
+    "Insufficient balance: new organization balance %v would exceed the credit limit %v": "Saldo insuficiente: el nuevo saldo de la organización %v excedería el límite de crédito %v",
     "Missing parameter": "Parámetro faltante",
     "Only admin user can specify user": "Solo el usuario administrador puede especificar usuario",
     "Please login first": "Por favor, inicia sesión primero",

i18n/locales/fr/data.json

@@ -106,8 +106,8 @@
   "general": {
     "Failed to import groups": "Échec de l'importation des groupes",
     "Failed to import users": "Échec de l'importation des utilisateurs",
-    "Insufficient balance: new balance %v would be below credit limit %v": "Solde insuffisant : le nouveau solde %v serait inférieur à la limite de crédit %v",
-    "Insufficient balance: new organization balance %v would be below credit limit %v": "Solde insuffisant : le nouveau solde de l'organisation %v serait inférieur à la limite de crédit %v",
+    "Insufficient balance: new balance %v would exceed the credit limit %v": "Solde insuffisant : le nouveau solde %v dépasserait la limite de crédit %v",
+    "Insufficient balance: new organization balance %v would exceed the credit limit %v": "Solde insuffisant : le nouveau solde de l'organisation %v dépasserait la limite de crédit %v",
     "Missing parameter": "Paramètre manquant",
     "Only admin user can specify user": "Seul un administrateur peut désigner un utilisateur",
     "Please login first": "Veuillez d'abord vous connecter",

i18n/locales/ja/data.json

@@ -106,8 +106,8 @@
   "general": {
     "Failed to import groups": "グループのインポートに失敗しました",
     "Failed to import users": "ユーザーのインポートに失敗しました",
-    "Insufficient balance: new balance %v would be below credit limit %v": "残高不足：新しい残高 %v がクレジット制限 %v を下回ります",
-    "Insufficient balance: new organization balance %v would be below credit limit %v": "残高不足：新しい組織残高 %v がクレジット制限 %v を下回ります",
+    "Insufficient balance: new balance %v would exceed the credit limit %v": "残高不足：新しい残高 %v がクレジット制限 %v を超過します",
+    "Insufficient balance: new organization balance %v would exceed the credit limit %v": "残高不足：新しい組織残高 %v がクレジット制限 %v を超過します",
     "Missing parameter": "不足しているパラメーター",
     "Only admin user can specify user": "管理者ユーザーのみがユーザーを指定できます",
     "Please login first": "最初にログインしてください",

i18n/locales/pl/data.json

@@ -106,8 +106,8 @@
   "general": {
     "Failed to import groups": "Nie udało się zaimportować grup",
     "Failed to import users": "Nie udało się zaimportować użytkowników",
-    "Insufficient balance: new balance %v would be below credit limit %v": "Niewystarczające saldo: nowe saldo %v byłoby poniżej limitu kredytowego %v",
-    "Insufficient balance: new organization balance %v would be below credit limit %v": "Niewystarczające saldo: nowe saldo organizacji %v byłoby poniżej limitu kredytowego %v",
+    "Insufficient balance: new balance %v would exceed the credit limit %v": "Niewystarczające saldo: nowe saldo %v przekroczyłoby limit kredytowy %v",
+    "Insufficient balance: new organization balance %v would exceed the credit limit %v": "Niewystarczające saldo: nowe saldo organizacji %v przekroczyłoby limit kredytowy %v",
     "Missing parameter": "Brakujący parametr",
     "Only admin user can specify user": "Tylko administrator może wskazać użytkownika",
     "Please login first": "Najpierw się zaloguj",

i18n/locales/pt/data.json

@@ -106,8 +106,8 @@
   "general": {
     "Failed to import groups": "Falha ao importar grupos",
     "Failed to import users": "Falha ao importar usuários",
-    "Insufficient balance: new balance %v would be below credit limit %v": "Saldo insuficiente: o novo saldo %v estaria abaixo do limite de crédito %v",
-    "Insufficient balance: new organization balance %v would be below credit limit %v": "Saldo insuficiente: o novo saldo da organização %v estaria abaixo do limite de crédito %v",
+    "Insufficient balance: new balance %v would exceed the credit limit %v": "Saldo insuficiente: o novo saldo %v excederia o limite de crédito %v",
+    "Insufficient balance: new organization balance %v would exceed the credit limit %v": "Saldo insuficiente: o novo saldo da organização %v excederia o limite de crédito %v",
     "Missing parameter": "Parâmetro ausente",
     "Only admin user can specify user": "Apenas um administrador pode especificar um usuário",
     "Please login first": "Por favor, faça login primeiro",

i18n/locales/tr/data.json

@@ -106,8 +106,8 @@
   "general": {
     "Failed to import groups": "Gruplar içe aktarılamadı",
     "Failed to import users": "Kullanıcılar içe aktarılamadı",
-    "Insufficient balance: new balance %v would be below credit limit %v": "Yetersiz bakiye: yeni bakiye %v kredi limitinin altında olacak %v",
-    "Insufficient balance: new organization balance %v would be below credit limit %v": "Yetersiz bakiye: yeni organizasyon bakiyesi %v kredi limitinin altında olacak %v",
+    "Insufficient balance: new balance %v would exceed the credit limit %v": "Yetersiz bakiye: yeni bakiye %v kredi limitini aşacak %v",
+    "Insufficient balance: new organization balance %v would exceed the credit limit %v": "Yetersiz bakiye: yeni organizasyon bakiyesi %v kredi limitini aşacak %v",
     "Missing parameter": "Eksik parametre",
     "Only admin user can specify user": "Yalnızca yönetici kullanıcı kullanıcı belirleyebilir",
     "Please login first": "Lütfen önce giriş yapın",

i18n/locales/uk/data.json

@@ -106,8 +106,8 @@
   "general": {
     "Failed to import groups": "Не вдалося імпортувати групи",
     "Failed to import users": "Не вдалося імпортувати користувачів",
-    "Insufficient balance: new balance %v would be below credit limit %v": "Недостатній баланс: новий баланс %v буде нижче кредитного ліміту %v",
-    "Insufficient balance: new organization balance %v would be below credit limit %v": "Недостатній баланс: новий баланс організації %v буде нижче кредитного ліміту %v",
+    "Insufficient balance: new balance %v would exceed the credit limit %v": "Недостатній баланс: новий баланс %v перевищить кредитний ліміт %v",
+    "Insufficient balance: new organization balance %v would exceed the credit limit %v": "Недостатній баланс: новий баланс організації %v перевищить кредитний ліміт %v",
     "Missing parameter": "Відсутній параметр",
     "Only admin user can specify user": "Лише адміністратор може вказати користувача",
     "Please login first": "Спочатку увійдіть",

i18n/locales/vi/data.json

@@ -106,8 +106,8 @@
   "general": {
     "Failed to import groups": "Không thể nhập nhóm",
     "Failed to import users": "Không thể nhập người dùng",
-    "Insufficient balance: new balance %v would be below credit limit %v": "Số dư không đủ: số dư mới %v sẽ thấp hơn giới hạn tín dụng %v",
-    "Insufficient balance: new organization balance %v would be below credit limit %v": "Số dư không đủ: số dư tổ chức mới %v sẽ thấp hơn giới hạn tín dụng %v",
+    "Insufficient balance: new balance %v would exceed the credit limit %v": "Số dư không đủ: số dư mới %v sẽ vượt quá giới hạn tín dụng %v",
+    "Insufficient balance: new organization balance %v would exceed the credit limit %v": "Số dư không đủ: số dư tổ chức mới %v sẽ vượt quá giới hạn tín dụng %v",
     "Missing parameter": "Thiếu tham số",
     "Only admin user can specify user": "Chỉ người dùng quản trị mới có thể chỉ định người dùng",
     "Please login first": "Vui lòng đăng nhập trước",

i18n/locales/zh/data.json

@@ -106,8 +106,8 @@
   "general": {
     "Failed to import groups": "导入群组失败",
     "Failed to import users": "导入用户失败",
-    "Insufficient balance: new balance %v would be below credit limit %v": "余额不足：新余额 %v 将低于信用限额 %v",
-    "Insufficient balance: new organization balance %v would be below credit limit %v": "余额不足：新组织余额 %v 将低于信用限额 %v",
+    "Insufficient balance: new balance %v would exceed the credit limit %v": "余额不足：新余额 %v 将超过信用限额 %v",
+    "Insufficient balance: new organization balance %v would exceed the credit limit %v": "余额不足：新组织余额 %v 将超过信用限额 %v",
     "Missing parameter": "缺少参数",
     "Only admin user can specify user": "仅管理员用户可以指定用户",
     "Please login first": "请先登录",

i18n/util.go

@@ -98,15 +98,22 @@ func Translate(language string, errorText string) string {
 	if langMap[language] == nil {
 		file, err := f.ReadFile(fmt.Sprintf("locales/%s/data.json", language))
 		if err != nil {
-			return fmt.Sprintf("Translate error: the language \"%s\" is not supported, err = %s", language, err.Error())
+			originalLanguage := language
+			language = "en"
+			file, err = f.ReadFile(fmt.Sprintf("locales/%s/data.json", language))
+			if err != nil {
+				return fmt.Sprintf("Translate error: the language \"%s\" is not supported, err = %s", originalLanguage, err.Error())
+			}
 		}
 
-		data := I18nData{}
-		err = util.JsonToStruct(string(file), &data)
-		if err != nil {
-			panic(err)
+		if langMap[language] == nil {
+			data := I18nData{}
+			err = util.JsonToStruct(string(file), &data)
+			if err != nil {
+				panic(err)
+			}
+			langMap[language] = data
 		}
-		langMap[language] = data
 	}
 
 	res := langMap[language][tokens[0]][tokens[1]]

idp/alipay.go

@@ -264,27 +264,31 @@ func rsaSignWithRSA256(signContent string, privateKey string) (string, error) {
 
 // privateKey in database is a string, format it to PEM style
 func formatPrivateKey(privateKey string) string {
-	// each line length is 64
-	preFmtPrivateKey := ""
-	for i := 0; ; {
-		if i+64 <= len(privateKey) {
-			preFmtPrivateKey = preFmtPrivateKey + privateKey[i:i+64] + "\n"
-			i += 64
-		} else {
-			preFmtPrivateKey = preFmtPrivateKey + privateKey[i:]
-			break
+	// Check if the key is already in PEM format
+	if strings.HasPrefix(privateKey, "-----BEGIN PRIVATE KEY-----") ||
+		strings.HasPrefix(privateKey, "-----BEGIN RSA PRIVATE KEY-----") {
+		// Key is already in PEM format, return as is
+		return privateKey
+	}
+
+	// Remove any whitespace from the key
+	privateKey = strings.ReplaceAll(privateKey, "\n", "")
+	privateKey = strings.ReplaceAll(privateKey, "\r", "")
+	privateKey = strings.ReplaceAll(privateKey, " ", "")
+
+	// Format the key with line breaks every 64 characters using strings.Builder
+	var builder strings.Builder
+	for i := 0; i < len(privateKey); i += 64 {
+		end := i + 64
+		if end > len(privateKey) {
+			end = len(privateKey)
+		}
+		builder.WriteString(privateKey[i:end])
+		if end < len(privateKey) {
+			builder.WriteString("\n")
 		}
 	}
-	privateKey = strings.Trim(preFmtPrivateKey, "\n")
 
 	// add pkcs#8 BEGIN and END
-	PemBegin := "-----BEGIN PRIVATE KEY-----\n"
-	PemEnd := "\n-----END PRIVATE KEY-----"
-	if !strings.HasPrefix(privateKey, PemBegin) {
-		privateKey = PemBegin + privateKey
-	}
-	if !strings.HasSuffix(privateKey, PemEnd) {
-		privateKey = privateKey + PemEnd
-	}
-	return privateKey
+	return "-----BEGIN PRIVATE KEY-----\n" + builder.String() + "\n-----END PRIVATE KEY-----"
 }

init_data.json.template

@@ -67,6 +67,8 @@
         {"name": "ID", "visible": true, "viewRule": "Public", "modifyRule": "Immutable"},
         {"name": "Name", "visible": true, "viewRule": "Public", "modifyRule": "Admin"},
         {"name": "Display name", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
+        {"name": "First name", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
+        {"name": "Last name", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
         {"name": "Avatar", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
         {"name": "User type", "visible": true, "viewRule": "Public", "modifyRule": "Admin"},
         {"name": "Password", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
@@ -81,6 +83,7 @@
         {"name": "Title", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
         {"name": "ID card type", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
         {"name": "ID card", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
+        {"name": "ID card info", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
         {"name": "Real name", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
         {"name": "ID verification", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
         {"name": "Homepage", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
@@ -101,6 +104,7 @@
         {"name": "Signup application", "visible": true, "viewRule": "Public", "modifyRule": "Admin"},
         {"name": "Register type", "visible": true, "viewRule": "Public", "modifyRule": "Admin"},
         {"name": "Register source", "visible": true, "viewRule": "Public", "modifyRule": "Admin"},
+        {"name": "API key", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
         {"name": "Roles", "visible": true, "viewRule": "Public", "modifyRule": "Immutable"},
         {"name": "Permissions", "visible": true, "viewRule": "Public", "modifyRule": "Immutable"},
         {"name": "Groups", "visible": true, "viewRule": "Public", "modifyRule": "Admin"},
@@ -110,9 +114,14 @@
         {"name": "Is forbidden", "visible": true, "viewRule": "Admin", "modifyRule": "Admin"},
         {"name": "Is deleted", "visible": true, "viewRule": "Admin", "modifyRule": "Admin"},
         {"name": "Multi-factor authentication", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
+        {"name": "MFA items", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
         {"name": "WebAuthn credentials", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
+        {"name": "Last change password time", "visible": true, "viewRule": "Admin", "modifyRule": "Admin"},
         {"name": "Managed accounts", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
-        {"name": "MFA accounts", "visible": true, "viewRule": "Self", "modifyRule": "Self"}
+        {"name": "Face ID", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
+        {"name": "MFA accounts", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
+        {"name": "Need update password", "visible": true, "viewRule": "Admin", "modifyRule": "Admin"},
+        {"name": "IP whitelist", "visible": true, "viewRule": "Admin", "modifyRule": "Admin"}
       ]
     }
   ],

mcp/auth.go

@@ -15,6 +15,7 @@
 package mcp
 
 import (
+	"strings"
 	"time"
 
 	"github.com/casdoor/casdoor/object"
@@ -120,3 +121,58 @@ func (c *McpController) GetAcceptLanguage() string {
 	}
 	return language
 }
+
+// GetTokenFromRequest extracts the Bearer token from the Authorization header
+func (c *McpController) GetTokenFromRequest() string {
+	authHeader := c.Ctx.Request.Header.Get("Authorization")
+	if authHeader == "" {
+		return ""
+	}
+
+	// Extract Bearer token
+	parts := strings.SplitN(authHeader, " ", 2)
+	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
+		return ""
+	}
+
+	return parts[1]
+}
+
+// GetClaimsFromToken parses and validates the JWT token and returns the claims
+// Returns nil if no token is present or if token is invalid
+func (c *McpController) GetClaimsFromToken() *object.Claims {
+	tokenString := c.GetTokenFromRequest()
+	if tokenString == "" {
+		return nil
+	}
+
+	// Try to find the application for this token
+	// For MCP, we'll try to parse using the first available application's certificate
+	// In a production scenario, you might want to use a specific MCP application
+	token, err := object.GetTokenByAccessToken(tokenString)
+	if err != nil || token == nil {
+		return nil
+	}
+
+	application, err := object.GetApplication(token.Application)
+	if err != nil || application == nil {
+		return nil
+	}
+
+	claims, err := object.ParseJwtTokenByApplication(tokenString, application)
+	if err != nil {
+		return nil
+	}
+
+	return claims
+}
+
+// GetScopesFromClaims extracts the scopes from JWT claims and returns them as a slice
+func GetScopesFromClaims(claims *object.Claims) []string {
+	if claims == nil || claims.Scope == "" {
+		return []string{}
+	}
+
+	// Scopes are space-separated in OAuth 2.0
+	return strings.Split(claims.Scope, " ")
+}

mcp/base.go

@@ -268,7 +268,160 @@ func (c *McpController) handlePing(req McpRequest) {
 }
 
 func (c *McpController) handleToolsList(req McpRequest) {
-	tools := []McpTool{
+	allTools := c.getAllTools()
+
+	// Get JWT claims from the request
+	claims := c.GetClaimsFromToken()
+
+	// If no token is present, check session authentication
+	if claims == nil {
+		username := c.GetSessionUsername()
+		// If user is authenticated via session, return all tools (backward compatibility)
+		if username != "" {
+			result := McpListToolsResult{
+				Tools: allTools,
+			}
+			c.McpResponseOk(req.ID, result)
+			return
+		}
+
+		// Unauthenticated request - return all tools for discovery
+		// This allows clients to see what tools are available before authenticating
+		result := McpListToolsResult{
+			Tools: allTools,
+		}
+		c.McpResponseOk(req.ID, result)
+		return
+	}
+
+	// Token-based authentication - filter tools by scopes
+	grantedScopes := GetScopesFromClaims(claims)
+	allowedTools := GetToolsForScopes(grantedScopes, BuiltinScopes)
+
+	// Filter tools based on allowed scopes
+	var filteredTools []McpTool
+	for _, tool := range allTools {
+		if allowedTools[tool.Name] {
+			filteredTools = append(filteredTools, tool)
+		}
+	}
+
+	result := McpListToolsResult{
+		Tools: filteredTools,
+	}
+
+	c.McpResponseOk(req.ID, result)
+}
+
+func (c *McpController) handleToolsCall(req McpRequest) {
+	var params McpCallToolParams
+	err := json.Unmarshal(req.Params, &params)
+	if err != nil {
+		c.sendInvalidParamsError(req.ID, err.Error())
+		return
+	}
+
+	// Check scope-tool permission
+	if !c.checkToolPermission(req.ID, params.Name) {
+		return // Error already sent by checkToolPermission
+	}
+
+	// Route to the appropriate tool handler
+	switch params.Name {
+	case "get_applications":
+		var args GetApplicationsArgs
+		if err := json.Unmarshal(params.Arguments, &args); err != nil {
+			c.sendInvalidParamsError(req.ID, err.Error())
+			return
+		}
+		c.handleGetApplicationsTool(req.ID, args)
+	case "get_application":
+		var args GetApplicationArgs
+		if err := json.Unmarshal(params.Arguments, &args); err != nil {
+			c.sendInvalidParamsError(req.ID, err.Error())
+			return
+		}
+		c.handleGetApplicationTool(req.ID, args)
+	case "add_application":
+		var args AddApplicationArgs
+		if err := json.Unmarshal(params.Arguments, &args); err != nil {
+			c.sendInvalidParamsError(req.ID, err.Error())
+			return
+		}
+		c.handleAddApplicationTool(req.ID, args)
+	case "update_application":
+		var args UpdateApplicationArgs
+		if err := json.Unmarshal(params.Arguments, &args); err != nil {
+			c.sendInvalidParamsError(req.ID, err.Error())
+			return
+		}
+		c.handleUpdateApplicationTool(req.ID, args)
+	case "delete_application":
+		var args DeleteApplicationArgs
+		if err := json.Unmarshal(params.Arguments, &args); err != nil {
+			c.sendInvalidParamsError(req.ID, err.Error())
+			return
+		}
+		c.handleDeleteApplicationTool(req.ID, args)
+	default:
+		c.McpResponseError(req.ID, -32602, "Invalid tool name", fmt.Sprintf("Tool '%s' not found", params.Name))
+	}
+}
+
+// checkToolPermission validates that the current token has the required scope for the tool
+// Returns false and sends an error response if permission is denied
+func (c *McpController) checkToolPermission(id interface{}, toolName string) bool {
+	// Get JWT claims from the request
+	claims := c.GetClaimsFromToken()
+
+	// If no token is present, check if the user is authenticated via session
+	if claims == nil {
+		username := c.GetSessionUsername()
+		// If user is authenticated via session (e.g., session cookie), allow access
+		// This maintains backward compatibility with existing session-based auth
+		if username != "" {
+			return true
+		}
+
+		// No authentication present - deny access
+		c.sendInsufficientScopeError(id, toolName, []string{})
+		return false
+	}
+
+	// Extract scopes from claims
+	grantedScopes := GetScopesFromClaims(claims)
+
+	// Get allowed tools for the granted scopes
+	allowedTools := GetToolsForScopes(grantedScopes, BuiltinScopes)
+
+	// Check if the requested tool is allowed
+	if !allowedTools[toolName] {
+		c.sendInsufficientScopeError(id, toolName, grantedScopes)
+		return false
+	}
+
+	return true
+}
+
+// sendInsufficientScopeError sends an error response for insufficient scope
+func (c *McpController) sendInsufficientScopeError(id interface{}, toolName string, grantedScopes []string) {
+	// Find required scope for this tool
+	requiredScope := GetRequiredScopeForTool(toolName, BuiltinScopes)
+
+	errorData := map[string]interface{}{
+		"tool":           toolName,
+		"granted_scopes": grantedScopes,
+	}
+	if requiredScope != "" {
+		errorData["required_scope"] = requiredScope
+	}
+
+	c.McpResponseError(id, -32001, "insufficient_scope", errorData)
+}
+
+// getAllTools returns all available MCP tools
+func (c *McpController) getAllTools() []McpTool {
+	return []McpTool{
 		{
 			Name:        "get_applications",
 			Description: "Get all applications for a specific owner",
@@ -344,60 +497,4 @@ func (c *McpController) handleToolsList(req McpRequest) {
 			},
 		},
 	}
-
-	result := McpListToolsResult{
-		Tools: tools,
-	}
-
-	c.McpResponseOk(req.ID, result)
-}
-
-func (c *McpController) handleToolsCall(req McpRequest) {
-	var params McpCallToolParams
-	err := json.Unmarshal(req.Params, &params)
-	if err != nil {
-		c.sendInvalidParamsError(req.ID, err.Error())
-		return
-	}
-
-	// Route to the appropriate tool handler
-	switch params.Name {
-	case "get_applications":
-		var args GetApplicationsArgs
-		if err := json.Unmarshal(params.Arguments, &args); err != nil {
-			c.sendInvalidParamsError(req.ID, err.Error())
-			return
-		}
-		c.handleGetApplicationsTool(req.ID, args)
-	case "get_application":
-		var args GetApplicationArgs
-		if err := json.Unmarshal(params.Arguments, &args); err != nil {
-			c.sendInvalidParamsError(req.ID, err.Error())
-			return
-		}
-		c.handleGetApplicationTool(req.ID, args)
-	case "add_application":
-		var args AddApplicationArgs
-		if err := json.Unmarshal(params.Arguments, &args); err != nil {
-			c.sendInvalidParamsError(req.ID, err.Error())
-			return
-		}
-		c.handleAddApplicationTool(req.ID, args)
-	case "update_application":
-		var args UpdateApplicationArgs
-		if err := json.Unmarshal(params.Arguments, &args); err != nil {
-			c.sendInvalidParamsError(req.ID, err.Error())
-			return
-		}
-		c.handleUpdateApplicationTool(req.ID, args)
-	case "delete_application":
-		var args DeleteApplicationArgs
-		if err := json.Unmarshal(params.Arguments, &args); err != nil {
-			c.sendInvalidParamsError(req.ID, err.Error())
-			return
-		}
-		c.handleDeleteApplicationTool(req.ID, args)
-	default:
-		c.McpResponseError(req.ID, -32602, "Invalid tool name", fmt.Sprintf("Tool '%s' not found", params.Name))
-	}
 }

mcp/permission.go

@@ -0,0 +1,158 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package mcp
+
+import (
+	"github.com/casdoor/casdoor/object"
+)
+
+// BuiltinScopes defines the default scope-to-tool mappings for Casdoor's MCP server
+var BuiltinScopes = []*object.ScopeItem{
+	{
+		Name:        "application:read",
+		DisplayName: "Read Applications",
+		Description: "View application list and details",
+		Tools:       []string{"get_applications", "get_application"},
+	},
+	{
+		Name:        "application:write",
+		DisplayName: "Manage Applications",
+		Description: "Create, update, and delete applications",
+		Tools:       []string{"add_application", "update_application", "delete_application"},
+	},
+	{
+		Name:        "user:read",
+		DisplayName: "Read Users",
+		Description: "View user list and details",
+		Tools:       []string{"get_users", "get_user"},
+	},
+	{
+		Name:        "user:write",
+		DisplayName: "Manage Users",
+		Description: "Create, update, and delete users",
+		Tools:       []string{"add_user", "update_user", "delete_user"},
+	},
+	{
+		Name:        "organization:read",
+		DisplayName: "Read Organizations",
+		Description: "View organization list and details",
+		Tools:       []string{"get_organizations", "get_organization"},
+	},
+	{
+		Name:        "organization:write",
+		DisplayName: "Manage Organizations",
+		Description: "Create, update, and delete organizations",
+		Tools:       []string{"add_organization", "update_organization", "delete_organization"},
+	},
+	{
+		Name:        "permission:read",
+		DisplayName: "Read Permissions",
+		Description: "View permission list and details",
+		Tools:       []string{"get_permissions", "get_permission"},
+	},
+	{
+		Name:        "permission:write",
+		DisplayName: "Manage Permissions",
+		Description: "Create, update, and delete permissions",
+		Tools:       []string{"add_permission", "update_permission", "delete_permission"},
+	},
+	{
+		Name:        "role:read",
+		DisplayName: "Read Roles",
+		Description: "View role list and details",
+		Tools:       []string{"get_roles", "get_role"},
+	},
+	{
+		Name:        "role:write",
+		DisplayName: "Manage Roles",
+		Description: "Create, update, and delete roles",
+		Tools:       []string{"add_role", "update_role", "delete_role"},
+	},
+	{
+		Name:        "provider:read",
+		DisplayName: "Read Providers",
+		Description: "View provider list and details",
+		Tools:       []string{"get_providers", "get_provider"},
+	},
+	{
+		Name:        "provider:write",
+		DisplayName: "Manage Providers",
+		Description: "Create, update, and delete providers",
+		Tools:       []string{"add_provider", "update_provider", "delete_provider"},
+	},
+	{
+		Name:        "token:read",
+		DisplayName: "Read Tokens",
+		Description: "View token list and details",
+		Tools:       []string{"get_tokens", "get_token"},
+	},
+	{
+		Name:        "token:write",
+		DisplayName: "Manage Tokens",
+		Description: "Delete tokens",
+		Tools:       []string{"delete_token"},
+	},
+}
+
+// ConvenienceScopes defines alias scopes that expand to multiple resource scopes
+var ConvenienceScopes = map[string][]string{
+	"read":  {"application:read", "user:read", "organization:read", "permission:read", "role:read", "provider:read", "token:read"},
+	"write": {"application:write", "user:write", "organization:write", "permission:write", "role:write", "provider:write", "token:write"},
+	"admin": {"application:read", "application:write", "user:read", "user:write", "organization:read", "organization:write", "permission:read", "permission:write", "role:read", "role:write", "provider:read", "provider:write", "token:read", "token:write"},
+}
+
+// GetToolsForScopes returns a map of tools allowed by the given scopes
+// The grantedScopes are the scopes present in the token
+// The registry contains the scope-to-tool mappings (either BuiltinScopes or Application.Scopes)
+func GetToolsForScopes(grantedScopes []string, registry []*object.ScopeItem) map[string]bool {
+	allowed := make(map[string]bool)
+
+	// Expand convenience scopes first
+	expandedScopes := make([]string, 0)
+	for _, scopeName := range grantedScopes {
+		if expansion, isConvenience := ConvenienceScopes[scopeName]; isConvenience {
+			expandedScopes = append(expandedScopes, expansion...)
+		} else {
+			expandedScopes = append(expandedScopes, scopeName)
+		}
+	}
+
+	// Map scopes to tools
+	for _, scopeName := range expandedScopes {
+		for _, item := range registry {
+			if item.Name == scopeName {
+				for _, tool := range item.Tools {
+					allowed[tool] = true
+				}
+				break
+			}
+		}
+	}
+
+	return allowed
+}
+
+// GetRequiredScopeForTool returns the first scope that provides access to the given tool
+// Returns an empty string if no scope is found for the tool
+func GetRequiredScopeForTool(toolName string, registry []*object.ScopeItem) string {
+	for _, scopeItem := range registry {
+		for _, tool := range scopeItem.Tools {
+			if tool == toolName {
+				return scopeItem.Name
+			}
+		}
+	}
+	return ""
+}

object/application.go

@@ -68,9 +68,10 @@ type JwtItem struct {
 }
 
 type ScopeItem struct {
-	Name        string `json:"name"`
-	DisplayName string `json:"displayName"`
-	Description string `json:"description"`
+	Name        string   `json:"name"`
+	DisplayName string   `json:"displayName"`
+	Description string   `json:"description"`
+	Tools       []string `json:"tools"` // MCP tools allowed by this scope
 }
 
 type Application struct {
@@ -124,6 +125,7 @@ type Application struct {
 
 	ClientId                string     `xorm:"varchar(100)" json:"clientId"`
 	ClientSecret            string     `xorm:"varchar(100)" json:"clientSecret"`
+	ClientCert              string     `xorm:"varchar(100)" json:"clientCert"`
 	RedirectUris            []string   `xorm:"varchar(1000)" json:"redirectUris"`
 	ForcedRedirectOrigin    string     `xorm:"varchar(100)" json:"forcedRedirectOrigin"`
 	TokenFormat             string     `xorm:"varchar(100)" json:"tokenFormat"`
@@ -153,6 +155,15 @@ type Application struct {
 	FailedSigninLimit      int `json:"failedSigninLimit"`
 	FailedSigninFrozenTime int `json:"failedSigninFrozenTime"`
 	CodeResendTimeout      int `json:"codeResendTimeout"`
+
+	CustomScopes []*ScopeDescription `xorm:"mediumtext" json:"customScopes"`
+
+	// Reverse proxy fields
+	Domain       string   `xorm:"varchar(100)" json:"domain"`
+	OtherDomains []string `xorm:"varchar(1000)" json:"otherDomains"`
+	UpstreamHost string   `xorm:"varchar(100)" json:"upstreamHost"`
+	SslMode      string   `xorm:"varchar(100)" json:"sslMode"`
+	SslCert      string   `xorm:"varchar(100)" json:"sslCert"`
 }
 
 func GetApplicationCount(owner, field, value string) (int64, error) {
@@ -737,6 +748,11 @@ func UpdateApplication(id string, application *Application, isGlobalAdmin bool,
 		return false, err
 	}
 
+	err = validateCustomScopes(application.CustomScopes, lang)
+	if err != nil {
+		return false, err
+	}
+
 	for _, providerItem := range application.Providers {
 		providerItem.Provider = nil
 	}
@@ -792,6 +808,11 @@ func AddApplication(application *Application) (bool, error) {
 		return false, err
 	}
 
+	err = validateCustomScopes(application.CustomScopes, "en")
+	if err != nil {
+		return false, err
+	}
+
 	for _, providerItem := range application.Providers {
 		providerItem.Provider = nil
 	}

object/cert.go

@@ -17,6 +17,7 @@ package object
 import (
 	"fmt"
 
+	"github.com/casdoor/casdoor/certificate"
 	"github.com/casdoor/casdoor/util"
 	"github.com/xorm-io/core"
 )
@@ -33,6 +34,13 @@ type Cert struct {
 	BitSize         int    `json:"bitSize"`
 	ExpireInYears   int    `json:"expireInYears"`
 
+	ExpireTime       string `xorm:"varchar(100)" json:"expireTime"`
+	DomainExpireTime string `xorm:"varchar(100)" json:"domainExpireTime"`
+	Provider         string `xorm:"varchar(100)" json:"provider"`
+	Account          string `xorm:"varchar(100)" json:"account"`
+	AccessKey        string `xorm:"varchar(100)" json:"accessKey"`
+	AccessSecret     string `xorm:"varchar(100)" json:"accessSecret"`
+
 	Certificate string `xorm:"mediumtext" json:"certificate"`
 	PrivateKey  string `xorm:"mediumtext" json:"privateKey"`
 }
@@ -224,6 +232,20 @@ func (p *Cert) populateContent() error {
 		return nil
 	}
 
+	if p.Type == "SSL" {
+		if p.Certificate != "" {
+			expireTime, err := util.GetCertExpireTime(p.Certificate)
+			if err != nil {
+				return err
+			}
+
+			p.ExpireTime = expireTime
+		} else {
+			p.ExpireTime = ""
+		}
+		return nil
+	}
+
 	if len(p.CryptoAlgorithm) < 3 {
 		err := fmt.Errorf("populateContent() error, unsupported crypto algorithm: %s", p.CryptoAlgorithm)
 		return err
@@ -258,6 +280,42 @@ func (p *Cert) populateContent() error {
 	return nil
 }
 
+func RenewCert(cert *Cert) (bool, error) {
+	useProxy := false
+	if cert.Provider == "GoDaddy" {
+		useProxy = true
+	}
+
+	client, err := GetAcmeClient(useProxy)
+	if err != nil {
+		return false, err
+	}
+
+	var certStr, privateKey string
+	if cert.Provider == "Aliyun" {
+		certStr, privateKey, err = certificate.ObtainCertificateAli(client, cert.Name, cert.AccessKey, cert.AccessSecret)
+	} else if cert.Provider == "GoDaddy" {
+		certStr, privateKey, err = certificate.ObtainCertificateGoDaddy(client, cert.Name, cert.AccessKey, cert.AccessSecret)
+	} else {
+		return false, fmt.Errorf("unknown provider: %s", cert.Provider)
+	}
+
+	if err != nil {
+		return false, err
+	}
+
+	expireTime, err := util.GetCertExpireTime(certStr)
+	if err != nil {
+		return false, err
+	}
+
+	cert.ExpireTime = expireTime
+	cert.Certificate = certStr
+	cert.PrivateKey = privateKey
+
+	return UpdateCert(cert.GetId(), cert)
+}
+
 func getCertByApplication(application *Application) (*Cert, error) {
 	if application.Cert != "" {
 		return getCertByName(application.Cert)

object/cert_whois.go

@@ -0,0 +1,75 @@
+// Copyright 2023 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"strings"
+	"time"
+
+	"github.com/casdoor/casdoor/util"
+	"github.com/likexian/whois"
+	whoisparser "github.com/likexian/whois-parser"
+)
+
+func getDomainExpireTime(domainName string) (string, error) {
+	domainName, err := util.GetBaseDomain(domainName)
+	if err != nil {
+		return "", err
+	}
+
+	server := ""
+	if strings.HasSuffix(domainName, ".com") || strings.HasSuffix(domainName, ".net") {
+		server = "whois.verisign-grs.com"
+	} else if strings.HasSuffix(domainName, ".org") {
+		server = "whois.pir.org"
+	} else if strings.HasSuffix(domainName, ".io") {
+		server = "whois.nic.io"
+	} else if strings.HasSuffix(domainName, ".co") {
+		server = "whois.nic.co"
+	} else if strings.HasSuffix(domainName, ".cn") {
+		server = "whois.cnnic.cn"
+	} else if strings.HasSuffix(domainName, ".run") {
+		server = "whois.nic.run"
+	} else {
+		server = "grs-whois.hichina.com" // com, net, cc, tv
+	}
+
+	client := whois.NewClient()
+	//if server != "whois.cnnic.cn" && server != "grs-whois.hichina.com" {
+	//	dialer := proxy.GetProxyDialer()
+	//	if dialer != nil {
+	//		client.SetDialer(dialer)
+	//	}
+	//}
+
+	data, err := client.Whois(domainName, server)
+	if err != nil {
+		if !strings.HasSuffix(domainName, ".run") || data == "" {
+			return "", err
+		}
+	}
+
+	whoisInfo, err := whoisparser.Parse(data)
+	if err != nil {
+		return "", err
+	}
+
+	res := whoisInfo.Domain.ExpirationDateInTime.Local().Format(time.RFC3339)
+	return res, nil
+}
+
+func GetDomainExpireTime(domainName string) (string, error) {
+	return getDomainExpireTime(domainName)
+}

object/init.go

@@ -53,6 +53,8 @@ func getBuiltInAccountItems() []*AccountItem {
 		{Name: "ID", Visible: true, ViewRule: "Public", ModifyRule: "Immutable"},
 		{Name: "Name", Visible: true, ViewRule: "Public", ModifyRule: "Admin"},
 		{Name: "Display name", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
+		{Name: "First name", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
+		{Name: "Last name", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
 		{Name: "Avatar", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
 		{Name: "User type", Visible: true, ViewRule: "Public", ModifyRule: "Admin"},
 		{Name: "Password", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
@@ -67,6 +69,7 @@ func getBuiltInAccountItems() []*AccountItem {
 		{Name: "Title", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
 		{Name: "ID card type", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
 		{Name: "ID card", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
+		{Name: "ID card info", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
 		{Name: "Real name", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
 		{Name: "ID verification", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
 		{Name: "Homepage", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
@@ -87,18 +90,25 @@ func getBuiltInAccountItems() []*AccountItem {
 		{Name: "Signup application", Visible: true, ViewRule: "Public", ModifyRule: "Admin"},
 		{Name: "Register type", Visible: true, ViewRule: "Public", ModifyRule: "Admin"},
 		{Name: "Register source", Visible: true, ViewRule: "Public", ModifyRule: "Admin"},
+		{Name: "API key", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
 		{Name: "Roles", Visible: true, ViewRule: "Public", ModifyRule: "Immutable"},
 		{Name: "Permissions", Visible: true, ViewRule: "Public", ModifyRule: "Immutable"},
 		{Name: "Groups", Visible: true, ViewRule: "Public", ModifyRule: "Admin"},
+		{Name: "Consents", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
 		{Name: "3rd-party logins", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
 		{Name: "Properties", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Is admin", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Is forbidden", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Is deleted", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Multi-factor authentication", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
+		{Name: "MFA items", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
 		{Name: "WebAuthn credentials", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
+		{Name: "Last change password time", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Managed accounts", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
+		{Name: "Face ID", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
 		{Name: "MFA accounts", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
+		{Name: "Need update password", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
+		{Name: "IP whitelist", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
 	}
 }
 

object/organization.go

@@ -614,9 +614,9 @@ func UpdateOrganizationBalance(owner string, name string, balance float64, curre
 	var newBalance float64
 	if isOrgBalance {
 		newBalance = AddPrices(organization.OrgBalance, convertedBalance)
-		// Check organization balance credit limit
-		if newBalance < organization.BalanceCredit {
-			return fmt.Errorf(i18n.Translate(lang, "general:Insufficient balance: new organization balance %v would be below credit limit %v"), newBalance, organization.BalanceCredit)
+		// Check organization balance credit limit (BalanceCredit is an overdraft limit: balance can go down to -BalanceCredit)
+		if newBalance < -organization.BalanceCredit {
+			return fmt.Errorf(i18n.Translate(lang, "general:Insufficient balance: new organization balance %v would exceed the credit limit %v"), newBalance, organization.BalanceCredit)
 		}
 		organization.OrgBalance = newBalance
 		columns = []string{"org_balance"}

object/ormer.go

@@ -62,6 +62,12 @@ func InitFlag() {
 	configPath = *configPathPtr
 	exportData = *exportDataPtr
 	exportFilePath = *exportFilePathPtr
+
+	// Load beego config from the specified config path
+	err := web.LoadAppConfig("ini", configPath)
+	if err != nil {
+		panic(fmt.Sprintf("failed to load config from %s: %v", configPath, err))
+	}
 }
 
 func ShouldExportData() bool {

object/payment.go

@@ -33,6 +33,8 @@ type Payment struct {
 	// Product Info
 	Products            []string `xorm:"varchar(1000)" json:"products"`
 	ProductsDisplayName string   `xorm:"varchar(1000)" json:"productsDisplayName"`
+	ProductName         string   `xorm:"varchar(1000)" json:"productName"`
+	ProductDisplayName  string   `xorm:"varchar(1000)" json:"productDisplayName"`
 	Detail              string   `xorm:"varchar(255)" json:"detail"`
 	Currency            string   `xorm:"varchar(100)" json:"currency"`
 	Price               float64  `json:"price"`
@@ -303,7 +305,7 @@ func NotifyPayment(body []byte, owner string, paymentName string, lang string) (
 		order.Message = "Payment successful"
 		order.UpdateTime = util.GetCurrentTime()
 	} else if payment.State == pp.PaymentStateError {
-		order.State = "PaymentFailed"
+		order.State = "Failed"
 		order.Message = payment.Message
 		order.UpdateTime = util.GetCurrentTime()
 	} else if payment.State == pp.PaymentStateCanceled {

object/provider.go

@@ -564,7 +564,7 @@ func providerChangeTrigger(oldName string, newName string) error {
 	return session.Commit()
 }
 
-func FromProviderToIdpInfo(ctx *context.Context, provider *Provider) *idp.ProviderInfo {
+func FromProviderToIdpInfo(ctx *context.Context, provider *Provider) (*idp.ProviderInfo, error) {
 	providerInfo := &idp.ProviderInfo{
 		Type:          provider.Type,
 		SubType:       provider.SubType,
@@ -588,9 +588,19 @@ func FromProviderToIdpInfo(ctx *context.Context, provider *Provider) *idp.Provid
 		}
 	} else if provider.Type == "ADFS" || provider.Type == "AzureAD" || provider.Type == "AzureADB2C" || provider.Type == "Casdoor" || provider.Type == "Okta" {
 		providerInfo.HostUrl = provider.Domain
+	} else if provider.Type == "Alipay" && provider.Cert != "" {
+		// For Alipay with certificate mode, load private key from certificate
+		cert, err := GetCert(util.GetId(provider.Owner, provider.Cert))
+		if err != nil {
+			return nil, fmt.Errorf("failed to load certificate for Alipay provider %s: %w", provider.Name, err)
+		}
+		if cert == nil {
+			return nil, fmt.Errorf("certificate not found for Alipay provider %s", provider.Name)
+		}
+		providerInfo.ClientSecret = cert.PrivateKey
 	}
 
-	return providerInfo
+	return providerInfo, nil
 }
 
 func GetIdvProviderFromProvider(provider *Provider) idv.IdvProvider {

object/site_cert_account.go

@@ -0,0 +1,103 @@
+// Copyright 2023 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+
+	"github.com/casbin/lego/v4/acme"
+	"github.com/casbin/lego/v4/certcrypto"
+	"github.com/casbin/lego/v4/lego"
+	"github.com/casbin/lego/v4/registration"
+	"github.com/casdoor/casdoor/certificate"
+	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/proxy"
+)
+
+func getLegoClientAndAccount(email string, privateKey string, devMode bool, useProxy bool) (*lego.Client, *certificate.Account, error) {
+	eccKey, err := decodeEccKey(privateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	account := &certificate.Account{
+		Email: email,
+		Key:   eccKey,
+	}
+
+	config := lego.NewConfig(account)
+	if devMode {
+		config.CADirURL = lego.LEDirectoryStaging
+	} else {
+		config.CADirURL = lego.LEDirectoryProduction
+	}
+
+	config.Certificate.KeyType = certcrypto.RSA2048
+
+	if useProxy {
+		config.HTTPClient = proxy.ProxyHttpClient
+	} else {
+		config.HTTPClient = proxy.DefaultHttpClient
+	}
+
+	client, err := lego.NewClient(config)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return client, account, nil
+}
+
+func getAcmeClient(email string, privateKey string, devMode bool, useProxy bool) (*lego.Client, error) {
+	// Create a user. New accounts need an email and private key to start.
+	client, account, err := getLegoClientAndAccount(email, privateKey, devMode, useProxy)
+	if err != nil {
+		return nil, err
+	}
+
+	// try to obtain an account based on the private key
+	account.Registration, err = client.Registration.ResolveAccountByKey()
+	if err != nil {
+		acmeError, ok := err.(*acme.ProblemDetails)
+		if !ok {
+			return nil, err
+		}
+
+		if acmeError.Type != "urn:ietf:params:acme:error:accountDoesNotExist" {
+			return nil, err
+		}
+
+		// Failed to get account, so create an account based on the private key.
+		account.Registration, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return client, nil
+}
+
+func GetAcmeClient(useProxy bool) (*lego.Client, error) {
+	acmeEmail := conf.GetConfigString("acmeEmail")
+	acmePrivateKey := conf.GetConfigString("acmePrivateKey")
+	if acmeEmail == "" {
+		return nil, fmt.Errorf("acmeEmail should not be empty")
+	}
+	if acmePrivateKey == "" {
+		return nil, fmt.Errorf("acmePrivateKey should not be empty")
+	}
+
+	return getAcmeClient(acmeEmail, acmePrivateKey, false, useProxy)
+}

object/site_cert_ecc.go

@@ -0,0 +1,59 @@
+// Copyright 2023 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"strings"
+)
+
+// generateEccKey generates a public and private key pair.(NIST P-256)
+func generateEccKey() *ecdsa.PrivateKey {
+	privateKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	return privateKey
+}
+
+// encodeEccKey Return the input private key object as string type private key
+func encodeEccKey(privateKey *ecdsa.PrivateKey) string {
+	x509Encoded, err := x509.MarshalECPrivateKey(privateKey)
+	if err != nil {
+		panic(err)
+	}
+
+	pemEncoded := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: x509Encoded})
+	return string(pemEncoded)
+}
+
+// decodeEccKey Return the entered private key string as a private key object that can be used
+func decodeEccKey(pemEncoded string) (*ecdsa.PrivateKey, error) {
+	pemEncoded = strings.ReplaceAll(pemEncoded, "\\n", "\n")
+	block, _ := pem.Decode([]byte(pemEncoded))
+	if block == nil {
+		return nil, fmt.Errorf("decodeEccKey() error, block should not be nil")
+	}
+
+	x509Encoded := block.Bytes
+	privateKey, err := x509.ParseECPrivateKey(x509Encoded)
+	if err != nil {
+		return nil, err
+	}
+
+	return privateKey, nil
+}

object/sms.go

@@ -15,8 +15,10 @@
 package object
 
 import (
+	"strconv"
 	"strings"
 
+	"github.com/casdoor/casdoor/conf"
 	sender "github.com/casdoor/go-sms-sender"
 )
 
@@ -61,6 +63,13 @@ func SendSms(provider *Provider, content string, phoneNumbers ...string) error {
 		params["0"] = content
 	} else {
 		params["code"] = content
+		if provider.Type == "Alibaba Cloud PNVS SMS" {
+			timeoutInMinutes, err := conf.GetConfigInt64("verificationCodeTimeout")
+			if err != nil || timeoutInMinutes <= 0 {
+				timeoutInMinutes = 10
+			}
+			params["min"] = strconv.FormatInt(timeoutInMinutes, 10)
+		}
 	}
 
 	err = client.SendMessage(params, phoneNumbers...)

object/syncer_dingtalk.go

@@ -406,27 +406,61 @@ func (p *DingtalkSyncerProvider) getDingtalkUsers() ([]*OriginalUser, error) {
 	return originalUsers, nil
 }
 
+// getDingtalkUserFieldValue extracts a field value from DingtalkUser by field name
+func (p *DingtalkSyncerProvider) getDingtalkUserFieldValue(dingtalkUser *DingtalkUser, fieldName string) string {
+	switch fieldName {
+	case "userid":
+		return dingtalkUser.UserId
+	case "unionid":
+		return dingtalkUser.UnionId
+	case "name":
+		return dingtalkUser.Name
+	case "email":
+		return dingtalkUser.Email
+	case "mobile":
+		return dingtalkUser.Mobile
+	case "avatar":
+		return dingtalkUser.Avatar
+	case "title":
+		return dingtalkUser.Position
+	case "job_number":
+		return dingtalkUser.JobNumber
+	case "active":
+		// Invert the boolean because active=true means NOT forbidden
+		return util.BoolToString(!dingtalkUser.Active)
+	default:
+		return ""
+	}
+}
+
 // dingtalkUserToOriginalUser converts DingTalk user to Casdoor OriginalUser
 func (p *DingtalkSyncerProvider) dingtalkUserToOriginalUser(dingtalkUser *DingtalkUser) *OriginalUser {
-	// Use unionid as name to be consistent with OAuth provider
-	// Fallback to userId if unionid is not available
-	userName := dingtalkUser.UserId
-	if dingtalkUser.UnionId != "" {
-		userName = dingtalkUser.UnionId
+	user := &OriginalUser{
+		Address:    []string{},
+		Properties: map[string]string{},
+		Groups:     []string{},
+		DingTalk:   dingtalkUser.UserId, // Link DingTalk provider account
 	}
 
-	user := &OriginalUser{
-		Id:          dingtalkUser.UserId,
-		Name:        userName,
-		DisplayName: dingtalkUser.Name,
-		Email:       dingtalkUser.Email,
-		Phone:       dingtalkUser.Mobile,
-		Avatar:      dingtalkUser.Avatar,
-		Title:       dingtalkUser.Position,
-		Address:     []string{},
-		Properties:  map[string]string{},
-		Groups:      []string{},
-		DingTalk:    dingtalkUser.UserId, // Link DingTalk provider account
+	// Apply TableColumns mapping if configured
+	if len(p.Syncer.TableColumns) > 0 {
+		for _, tableColumn := range p.Syncer.TableColumns {
+			value := p.getDingtalkUserFieldValue(dingtalkUser, tableColumn.Name)
+			p.Syncer.setUserByKeyValue(user, tableColumn.CasdoorName, value)
+		}
+	} else {
+		// Fallback to default mapping for backward compatibility
+		user.Id = dingtalkUser.UserId
+		user.Name = dingtalkUser.UserId
+		if dingtalkUser.UnionId != "" {
+			user.Name = dingtalkUser.UnionId
+		}
+		user.DisplayName = dingtalkUser.Name
+		user.Email = dingtalkUser.Email
+		user.Phone = dingtalkUser.Mobile
+		user.Avatar = dingtalkUser.Avatar
+		user.Title = dingtalkUser.Position
+		user.IsForbidden = !dingtalkUser.Active
 	}
 
 	// Add department IDs to Groups field
@@ -434,9 +468,6 @@ func (p *DingtalkSyncerProvider) dingtalkUserToOriginalUser(dingtalkUser *Dingta
 		user.Groups = append(user.Groups, fmt.Sprintf("%d", deptId))
 	}
 
-	// Set IsForbidden based on active status (active=false means user is forbidden)
-	user.IsForbidden = !dingtalkUser.Active
-
 	// Set CreatedTime to current time if not set
 	if user.CreatedTime == "" {
 		user.CreatedTime = util.GetCurrentTime()

object/syncer_user.go

@@ -71,6 +71,19 @@ func (syncer *Syncer) updateUserForOriginalFields(user *User, key string) (bool,
 	columns := syncer.getCasdoorColumns()
 	columns = append(columns, "affiliation", "hash", "pre_hash")
 
+	// Skip password-related columns when the incoming user has no password data.
+	// API-based syncers (DingTalk, WeCom, Lark, etc.) do not provide passwords,
+	// so updating these columns would wipe out locally set passwords.
+	if user.Password == "" {
+		filtered := make([]string, 0, len(columns))
+		for _, col := range columns {
+			if col != "password" && col != "password_salt" && col != "password_type" {
+				filtered = append(filtered, col)
+			}
+		}
+		columns = filtered
+	}
+
 	// Add provider-specific field for API-based syncers to enable login binding
 	// This allows synced users to login via their provider accounts
 	switch syncer.Type {

object/token_jwt.go

@@ -660,6 +660,15 @@ func generateJwtToken(application *Application, user *User, provider string, sig
 	return tokenString, refreshTokenString, name, err
 }
 
+func ParseJwtTokenWithoutValidation(token string) (*jwt.Token, error) {
+	t, _, err := jwt.NewParser().ParseUnverified(token, &Claims{})
+	if err != nil {
+		return nil, err
+	}
+
+	return t, nil
+}
+
 func ParseJwtToken(token string, cert *Cert) (*Claims, error) {
 	t, err := jwt.ParseWithClaims(token, &Claims{}, func(token *jwt.Token) (interface{}, error) {
 		var (

object/token_oauth.go

@@ -19,6 +19,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"net/url"
+	"slices"
 	"strings"
 	"sync"
 	"time"
@@ -154,6 +155,10 @@ func CheckOAuthLogin(clientId string, responseType string, redirectUri string, s
 		return fmt.Sprintf(i18n.Translate(lang, "token:Redirect URI: %s doesn't exist in the allowed Redirect URI list"), redirectUri), application, nil
 	}
 
+	if !IsScopeValid(scope, application) {
+		return i18n.Translate(lang, "token:Invalid scope"), application, nil
+	}
+
 	// Mask application for /api/get-app-login
 	application.ClientSecret = ""
 	return "", application, nil
@@ -240,10 +245,33 @@ func GetOAuthCode(userId string, clientId string, provider string, signinMethod
 	}, nil
 }
 
-func GetOAuthToken(grantType string, clientId string, clientSecret string, code string, verifier string, scope string, nonce string, username string, password string, host string, refreshToken string, tag string, avatar string, lang string, subjectToken string, subjectTokenType string, audience string, resource string) (interface{}, error) {
-	application, err := GetApplicationByClientId(clientId)
-	if err != nil {
-		return nil, err
+func GetOAuthToken(grantType string, clientId string, clientSecret string, code string, verifier string, scope string, nonce string, username string, password string, host string, refreshToken string, tag string, avatar string, lang string, subjectToken string, subjectTokenType string, assertion string, clientAssertion string, clientAssertionType string, audience string, resource string) (interface{}, error) {
+	var (
+		application *Application
+		err         error
+		ok          bool
+	)
+
+	if clientAssertionType == "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" {
+		ok, application, err = ValidateClientAssertion(clientAssertion, host)
+		if err != nil {
+			return nil, err
+		}
+
+		if !ok || application == nil {
+			return &TokenError{
+				Error:            InvalidClient,
+				ErrorDescription: "client_assertion is invalid",
+			}, nil
+		}
+
+		clientSecret = application.ClientSecret
+		clientId = application.ClientId
+	} else {
+		application, err = GetApplicationByClientId(clientId)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	if application == nil {
@@ -273,12 +301,14 @@ func GetOAuthToken(grantType string, clientId string, clientSecret string, code
 		token, tokenError, err = GetClientCredentialsToken(application, clientSecret, scope, host)
 	case "token", "id_token": // Implicit Grant
 		token, tokenError, err = GetImplicitToken(application, username, scope, nonce, host)
+	case "urn:ietf:params:oauth:grant-type:jwt-bearer":
+		token, tokenError, err = GetJwtBearerToken(application, assertion, scope, nonce, host)
 	case "urn:ietf:params:oauth:grant-type:device_code":
 		token, tokenError, err = GetImplicitToken(application, username, scope, nonce, host)
 	case "urn:ietf:params:oauth:grant-type:token-exchange": // Token Exchange Grant (RFC 8693)
 		token, tokenError, err = GetTokenExchangeToken(application, clientSecret, subjectToken, subjectTokenType, audience, scope, host)
 	case "refresh_token":
-		refreshToken2, err := RefreshToken(grantType, refreshToken, scope, clientId, clientSecret, host)
+		refreshToken2, err := RefreshToken(application, grantType, refreshToken, scope, clientId, clientSecret, host)
 		if err != nil {
 			return nil, err
 		}
@@ -320,7 +350,7 @@ func GetOAuthToken(grantType string, clientId string, clientSecret string, code
 	return tokenWrapper, nil
 }
 
-func RefreshToken(grantType string, refreshToken string, scope string, clientId string, clientSecret string, host string) (interface{}, error) {
+func RefreshToken(application *Application, grantType string, refreshToken string, scope string, clientId string, clientSecret string, host string) (interface{}, error) {
 	// check parameters
 	if grantType != "refresh_token" {
 		return &TokenError{
@@ -328,16 +358,20 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId
 			ErrorDescription: "grant_type should be refresh_token",
 		}, nil
 	}
-	application, err := GetApplicationByClientId(clientId)
-	if err != nil {
-		return nil, err
-	}
 
+	var err error
 	if application == nil {
-		return &TokenError{
-			Error:            InvalidClient,
-			ErrorDescription: "client_id is invalid",
-		}, nil
+		application, err = GetApplicationByClientId(clientId)
+		if err != nil {
+			return nil, err
+		}
+
+		if application == nil {
+			return &TokenError{
+				Error:            InvalidClient,
+				ErrorDescription: "client_id is invalid",
+			}, nil
+		}
 	}
 
 	if clientSecret != "" && application.ClientSecret != clientSecret {
@@ -486,6 +520,28 @@ func IsGrantTypeValid(method string, grantTypes []string) bool {
 	return false
 }
 
+// IsScopeValid checks whether all space-separated scopes in the scope string
+// are defined in the application's Scopes list.
+// If the application has no defined scopes, every scope is considered valid
+// (backward-compatible behaviour).
+func IsScopeValid(scope string, application *Application) bool {
+	if len(application.Scopes) == 0 || scope == "" {
+		return true
+	}
+
+	allowed := make(map[string]bool, len(application.Scopes))
+	for _, s := range application.Scopes {
+		allowed[s.Name] = true
+	}
+
+	for _, s := range strings.Fields(scope) {
+		if !allowed[s] {
+			return false
+		}
+	}
+	return true
+}
+
 // createGuestUserToken creates a new guest user and returns a token for them
 func createGuestUserToken(application *Application, clientSecret string, verifier string) (*Token, *TokenError, error) {
 	// Verify client secret if provided
@@ -526,12 +582,19 @@ func createGuestUserToken(application *Application, clientSecret string, verifie
 		}, nil
 	}
 
+	// Generate a unique user ID within the confines of the application
+	newUserId, idErr := GenerateIdForNewUser(application)
+	if idErr != nil {
+		// If we fail to generate a unique user ID, we can fallback to a random ID
+		newUserId = util.GenerateId()
+	}
+
 	// Create the guest user
 	guestUser := &User{
 		Owner:             application.Organization,
 		Name:              guestUsername,
 		CreatedTime:       util.GetCurrentTime(),
-		Id:                util.GenerateId(),
+		Id:                newUserId,
 		Type:              "normal-user",
 		Password:          guestPassword,
 		Tag:               "guest-user",
@@ -715,6 +778,13 @@ func GetAuthorizationCodeToken(application *Application, clientSecret string, co
 // GetPasswordToken
 // Resource Owner Password Credentials flow
 func GetPasswordToken(application *Application, username string, password string, scope string, host string) (*Token, *TokenError, error) {
+	if !IsScopeValid(scope, application) {
+		return nil, &TokenError{
+			Error:            InvalidScope,
+			ErrorDescription: "the requested scope is invalid or not defined in the application",
+		}, nil
+	}
+
 	user, err := GetUserByFields(application.Organization, username)
 	if err != nil {
 		return nil, nil, err
@@ -796,6 +866,12 @@ func GetClientCredentialsToken(application *Application, clientSecret string, sc
 			ErrorDescription: "client_secret is invalid",
 		}, nil
 	}
+	if !IsScopeValid(scope, application) {
+		return nil, &TokenError{
+			Error:            InvalidScope,
+			ErrorDescription: "the requested scope is invalid or not defined in the application",
+		}, nil
+	}
 	nullUser := &User{
 		Owner: application.Owner,
 		Id:    application.GetId(),
@@ -835,6 +911,13 @@ func GetClientCredentialsToken(application *Application, clientSecret string, sc
 // GetImplicitToken
 // Implicit flow
 func GetImplicitToken(application *Application, username string, scope string, nonce string, host string) (*Token, *TokenError, error) {
+	if !IsScopeValid(scope, application) {
+		return nil, &TokenError{
+			Error:            InvalidScope,
+			ErrorDescription: "the requested scope is invalid or not defined in the application",
+		}, nil
+	}
+
 	user, err := GetUserByFields(application.Organization, username)
 	if err != nil {
 		return nil, nil, err
@@ -859,6 +942,84 @@ func GetImplicitToken(application *Application, username string, scope string, n
 	return token, nil, nil
 }
 
+// GetJwtBearerToken
+// RFC 7523
+func GetJwtBearerToken(application *Application, assertion string, scope string, nonce string, host string) (*Token, *TokenError, error) {
+	ok, claims, err := ValidateJwtAssertion(assertion, application, host)
+	if err != nil || !ok {
+		if err != nil {
+			return nil, &TokenError{
+				Error:            InvalidGrant,
+				ErrorDescription: err.Error(),
+			}, err
+		}
+
+		return nil, &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: fmt.Sprintf("assertion (JWT) is invalid for application: [%s]", application.GetId()),
+		}, nil
+	}
+
+	return GetImplicitToken(application, claims.Subject, scope, nonce, host)
+}
+
+func ValidateJwtAssertion(clientAssertion string, application *Application, host string) (bool, *Claims, error) {
+	_, originBackend := getOriginFromHost(host)
+
+	clientCert, err := getCert(application.Owner, application.ClientCert)
+	if err != nil {
+		return false, nil, err
+	}
+	if clientCert == nil {
+		return false, nil, fmt.Errorf("client certificate is not configured for application: [%s]", application.GetId())
+	}
+
+	claims, err := ParseJwtToken(clientAssertion, clientCert)
+	if err != nil {
+		return false, nil, err
+	}
+
+	if !slices.Contains(application.RedirectUris, claims.Issuer) {
+		return false, nil, nil
+	}
+
+	if !slices.Contains(claims.Audience, fmt.Sprintf("%s/api/login/oauth/access_token", originBackend)) {
+		return false, nil, nil
+	}
+
+	return true, claims, nil
+}
+
+func ValidateClientAssertion(clientAssertion string, host string) (bool, *Application, error) {
+	token, err := ParseJwtTokenWithoutValidation(clientAssertion)
+	if err != nil {
+		return false, nil, err
+	}
+
+	clientId, err := token.Claims.GetSubject()
+	if err != nil {
+		return false, nil, err
+	}
+
+	application, err := GetApplicationByClientId(clientId)
+	if err != nil {
+		return false, nil, err
+	}
+	if application == nil {
+		return false, nil, fmt.Errorf("application not found for client: [%s]", clientId)
+	}
+
+	ok, _, err := ValidateJwtAssertion(clientAssertion, application, host)
+	if err != nil {
+		return false, application, err
+	}
+	if !ok {
+		return false, application, nil
+	}
+
+	return true, application, nil
+}
+
 // GetTokenByUser
 // Implicit flow
 func GetTokenByUser(application *Application, user *User, scope string, nonce string, host string) (*Token, error) {
@@ -946,9 +1107,16 @@ func GetWechatMiniProgramToken(application *Application, code string, host strin
 			name = fmt.Sprintf("wechat-%s", openId)
 		}
 
+		// Generate a unique user ID within the confines of the application
+		newUserId, idErr := GenerateIdForNewUser(application)
+		if idErr != nil {
+			// If we fail to generate a unique user ID, we can fallback to a random ID
+			newUserId = util.GenerateId()
+		}
+
 		user = &User{
 			Owner:             application.Organization,
-			Id:                util.GenerateId(),
+			Id:                newUserId,
 			Name:              name,
 			Avatar:            avatar,
 			SignupApplication: application.Name,

object/transaction_validate.go

@@ -62,9 +62,9 @@ func validateOrganizationBalance(owner string, name string, balance float64, cur
 	var newBalance float64
 	if isOrgBalance {
 		newBalance = AddPrices(organization.OrgBalance, convertedBalance)
-		// Check organization balance credit limit
-		if newBalance < organization.BalanceCredit {
-			return fmt.Errorf(i18n.Translate(lang, "general:Insufficient balance: new organization balance %v would be below credit limit %v"), newBalance, organization.BalanceCredit)
+		// Check organization balance credit limit (BalanceCredit is an overdraft limit: balance can go down to -BalanceCredit)
+		if newBalance < -organization.BalanceCredit {
+			return fmt.Errorf(i18n.Translate(lang, "general:Insufficient balance: new organization balance %v would exceed the credit limit %v"), newBalance, organization.BalanceCredit)
 		}
 	} else {
 		// User balance is just a sum of all users' balances, no credit limit check here
@@ -120,9 +120,9 @@ func validateUserBalance(owner string, name string, balance float64, currency st
 		}
 	}
 
-	// Validate new balance against credit limit
-	if newBalance < balanceCredit {
-		return fmt.Errorf(i18n.Translate(lang, "general:Insufficient balance: new balance %v would be below credit limit %v"), newBalance, balanceCredit)
+	// Validate new balance against credit limit (BalanceCredit is an overdraft limit: balance can go down to -BalanceCredit)
+	if newBalance < -balanceCredit {
+		return fmt.Errorf(i18n.Translate(lang, "general:Insufficient balance: new balance %v would exceed the credit limit %v"), newBalance, balanceCredit)
 	}
 
 	// In validation mode, we don't actually update the balance

object/user.go

@@ -180,6 +180,7 @@ type User struct {
 	Spotify         string `xorm:"spotify varchar(100)" json:"spotify"`
 	Strava          string `xorm:"strava varchar(100)" json:"strava"`
 	Stripe          string `xorm:"stripe varchar(100)" json:"stripe"`
+	Telegram        string `xorm:"telegram varchar(100)" json:"telegram"`
 	TikTok          string `xorm:"tiktok varchar(100)" json:"tiktok"`
 	Tumblr          string `xorm:"tumblr varchar(100)" json:"tumblr"`
 	Twitch          string `xorm:"twitch varchar(100)" json:"twitch"`
@@ -241,6 +242,7 @@ type User struct {
 	MfaRememberDeadline string           `xorm:"varchar(100)" json:"mfaRememberDeadline"`
 	NeedUpdatePassword  bool             `json:"needUpdatePassword"`
 	IpWhitelist         string           `xorm:"varchar(200)" json:"ipWhitelist"`
+	ApplicationScopes   []ConsentRecord  `xorm:"mediumtext" json:"applicationScopes"`
 }
 
 type Userinfo struct {
@@ -860,17 +862,17 @@ func UpdateUser(id string, user *User, columns []string, isAdmin bool) (bool, er
 	if len(columns) == 0 {
 		columns = []string{
 			"owner", "display_name", "avatar", "first_name", "last_name",
-			"location", "address", "country_code", "region", "language", "affiliation", "title", "id_card_type", "id_card", "homepage", "bio", "tag", "language", "gender", "birthday", "education", "score", "karma", "ranking", "signup_application",
-			"is_admin", "is_forbidden", "is_deleted", "hash", "is_default_avatar", "properties", "webauthnCredentials", "managedAccounts", "face_ids", "mfaAccounts",
-			"signin_wrong_times", "last_change_password_time", "last_signin_wrong_time", "groups", "access_key", "access_secret", "mfa_phone_enabled", "mfa_email_enabled", "email_verified",
+			"location", "address", "addresses", "country_code", "region", "language", "affiliation", "title", "id_card_type", "id_card", "homepage", "bio", "tag", "language", "gender", "birthday", "education", "score", "karma", "ranking", "signup_application", "register_type", "register_source",
+			"is_admin", "is_forbidden", "is_deleted", "hash", "is_default_avatar", "properties", "webauthnCredentials", "mfa_items", "last_change_password_time", "managedAccounts", "face_ids", "mfaAccounts",
+			"signin_wrong_times", "last_signin_wrong_time", "groups", "access_key", "access_secret", "mfa_phone_enabled", "mfa_email_enabled", "email_verified",
 			"github", "google", "qq", "wechat", "facebook", "dingtalk", "weibo", "gitee", "linkedin", "wecom", "lark", "gitlab", "adfs",
 			"baidu", "alipay", "casdoor", "infoflow", "apple", "azuread", "azureadb2c", "slack", "steam", "bilibili", "okta", "douyin", "kwai", "line", "amazon",
 			"auth0", "battlenet", "bitbucket", "box", "cloudfoundry", "dailymotion", "deezer", "digitalocean", "discord", "dropbox",
 			"eveonline", "fitbit", "gitea", "heroku", "influxcloud", "instagram", "intercom", "kakao", "lastfm", "mailru", "meetup",
 			"microsoftonline", "naver", "nextcloud", "onedrive", "oura", "patreon", "paypal", "salesforce", "shopify", "soundcloud",
-			"spotify", "strava", "stripe", "type", "tiktok", "tumblr", "twitch", "twitter", "typetalk", "uber", "vk", "wepay", "xero", "yahoo",
-			"yammer", "yandex", "zoom", "custom", "need_update_password", "ip_whitelist", "mfa_items", "mfa_remember_deadline",
-			"cart",
+			"spotify", "strava", "stripe", "type", "telegram", "tiktok", "tumblr", "twitch", "twitter", "typetalk", "uber", "vk", "wepay", "xero", "yahoo",
+			"yammer", "yandex", "zoom", "custom", "need_update_password", "ip_whitelist", "mfa_remember_deadline",
+			"cart", "application_scopes",
 		}
 	}
 	if isAdmin {
@@ -954,6 +956,13 @@ func UpdateUserForAllFields(id string, user *User) (bool, error) {
 
 	user.UpdatedTime = util.GetCurrentTime()
 
+	if len(user.Groups) > 0 {
+		_, err = userEnforcer.UpdateGroupsForUser(user.GetId(), user.Groups)
+		if err != nil {
+			return false, err
+		}
+	}
+
 	affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(user)
 	if err != nil {
 		return false, err
@@ -1563,9 +1572,9 @@ func UpdateUserBalance(owner string, name string, balance float64, currency stri
 		}
 	}
 
-	// Validate new balance against credit limit
-	if newBalance < balanceCredit {
-		return fmt.Errorf(i18n.Translate(lang, "general:Insufficient balance: new balance %v would be below credit limit %v"), newBalance, balanceCredit)
+	// Validate new balance against credit limit (BalanceCredit is an overdraft limit: balance can go down to -BalanceCredit)
+	if newBalance < -balanceCredit {
+		return fmt.Errorf(i18n.Translate(lang, "general:Insufficient balance: new balance %v would exceed the credit limit %v"), newBalance, balanceCredit)
 	}
 
 	user.Balance = newBalance

object/user_scope.go

@@ -0,0 +1,119 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/casdoor/casdoor/i18n"
+)
+
+// ConsentRecord represents the data for OAuth consent API requests/responses
+type ConsentRecord struct {
+	// owner/name
+	Application   string   `json:"application"`
+	GrantedScopes []string `json:"grantedScopes"`
+}
+
+// ScopeDescription represents a human-readable description of an OAuth scope
+type ScopeDescription struct {
+	Scope       string `json:"scope"`
+	DisplayName string `json:"displayName"`
+	Description string `json:"description"`
+}
+
+// parseScopes converts a space-separated scope string to a slice
+func parseScopes(scopeStr string) []string {
+	if scopeStr == "" {
+		return []string{}
+	}
+	scopes := strings.Split(scopeStr, " ")
+	var result []string
+	for _, scope := range scopes {
+		trimmed := strings.TrimSpace(scope)
+		if trimmed != "" {
+			result = append(result, trimmed)
+		}
+	}
+	return result
+}
+
+// CheckConsentRequired checks if user consent is required for the OAuth flow
+func CheckConsentRequired(userObj *User, application *Application, scopeStr string) (bool, error) {
+	// Skip consent when no custom scopes are configured
+	if len(application.CustomScopes) == 0 {
+		return false, nil
+	}
+
+	// Once policy: check if consent already granted
+	requestedScopes := parseScopes(scopeStr)
+	appId := application.GetId()
+
+	// Filter requestedScopes to only include scopes defined in application.CustomScopes
+	customScopesMap := make(map[string]bool)
+	for _, customScope := range application.CustomScopes {
+		if customScope.Scope != "" {
+			customScopesMap[customScope.Scope] = true
+		}
+	}
+
+	validRequestedScopes := []string{}
+	for _, scope := range requestedScopes {
+		if customScopesMap[scope] {
+			validRequestedScopes = append(validRequestedScopes, scope)
+		}
+	}
+
+	// If no valid requested scopes, no consent required
+	if len(validRequestedScopes) == 0 {
+		return false, nil
+	}
+
+	for _, record := range userObj.ApplicationScopes {
+		if record.Application == appId {
+			// Check if grantedScopes contains all validRequestedScopes
+			grantedMap := make(map[string]bool)
+			for _, scope := range record.GrantedScopes {
+				grantedMap[scope] = true
+			}
+
+			allGranted := true
+			for _, scope := range validRequestedScopes {
+				if !grantedMap[scope] {
+					allGranted = false
+					break
+				}
+			}
+
+			if allGranted {
+				// Consent already granted for all valid requested scopes
+				return false, nil
+			}
+		}
+	}
+
+	// Consent required
+	return true, nil
+}
+
+func validateCustomScopes(customScopes []*ScopeDescription, lang string) error {
+	for _, scope := range customScopes {
+		if scope == nil || strings.TrimSpace(scope.Scope) == "" {
+			return fmt.Errorf("%s: custom scope name", i18n.Translate(lang, "general:Missing parameter"))
+		}
+	}
+	return nil
+}

pp/dummy.go

@@ -39,7 +39,7 @@ func (pp *DummyPaymentProvider) Pay(r *PayReq) (*PayResp, error) {
 	orderInfo := DummyOrderInfo{
 		Price:              r.Price,
 		Currency:           r.Currency,
-		ProductDisplayName: r.ProductDisplayName,
+		ProductDisplayName: "",
 	}
 	orderInfoBytes, err := json.Marshal(orderInfo)
 	if err != nil {

routers/router.go

@@ -132,6 +132,7 @@ func InitAPI() {
 	web.Router("/api/update-cert", &controllers.ApiController{}, "POST:UpdateCert")
 	web.Router("/api/add-cert", &controllers.ApiController{}, "POST:AddCert")
 	web.Router("/api/delete-cert", &controllers.ApiController{}, "POST:DeleteCert")
+	web.Router("/api/update-cert-domain-expire", &controllers.ApiController{}, "POST:UpdateCertDomainExpire")
 
 	web.Router("/api/get-roles", &controllers.ApiController{}, "GET:GetRoles")
 	web.Router("/api/get-role", &controllers.ApiController{}, "GET:GetRole")
@@ -319,6 +320,9 @@ func InitAPI() {
 	web.Router("/api/delete-mfa", &controllers.ApiController{}, "POST:DeleteMfa")
 	web.Router("/api/set-preferred-mfa", &controllers.ApiController{}, "POST:SetPreferredMfa")
 
+	web.Router("/api/grant-consent", &controllers.ApiController{}, "POST:GrantConsent")
+	web.Router("/api/revoke-consent", &controllers.ApiController{}, "POST:RevokeConsent")
+
 	web.Router("/.well-known/openid-configuration", &controllers.RootController{}, "GET:GetOidcDiscovery")
 	web.Router("/.well-known/:application/openid-configuration", &controllers.RootController{}, "GET:GetOidcDiscoveryByApplication")
 	web.Router("/.well-known/oauth-authorization-server", &controllers.RootController{}, "GET:GetOAuthServerMetadata")

routers/static_filter.go

@@ -89,6 +89,23 @@ func fastAutoSignin(ctx *context.Context) (string, error) {
 		return "", nil
 	}
 
+	user, err := object.GetUser(userId)
+	if err != nil {
+		return "", err
+	}
+	if user == nil {
+		return "", nil
+	}
+
+	consentRequired, err := object.CheckConsentRequired(user, application, scope)
+	if err != nil {
+		return "", err
+	}
+
+	if consentRequired {
+		return "", nil
+	}
+
 	code, err := object.GetOAuthCode(userId, clientId, "", "autoSignin", responseType, redirectUri, scope, state, nonce, codeChallenge, "", ctx.Request.Host, getAcceptLanguage(ctx))
 	if err != nil {
 		return "", err

util/cert.go

@@ -0,0 +1,50 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package util
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"time"
+
+	"golang.org/x/net/publicsuffix"
+)
+
+func GetCertExpireTime(s string) (string, error) {
+	block, _ := pem.Decode([]byte(s))
+	if block == nil {
+		return "", errors.New("getCertExpireTime() error, block should not be nil")
+	} else if block.Type != "CERTIFICATE" {
+		return "", fmt.Errorf("getCertExpireTime() error, block.Type should be \"CERTIFICATE\" instead of %s", block.Type)
+	}
+
+	certificate, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return "", err
+	}
+
+	t := certificate.NotAfter
+	return t.Local().Format(time.RFC3339), nil
+}
+
+func GetBaseDomain(domain string) (string, error) {
+	// abc.com -> abc.com
+	// abc.com.it -> abc.com.it
+	// subdomain.abc.io -> abc.io
+	// subdomain.abc.org.us -> abc.org.us
+	return publicsuffix.EffectiveTLDPlusOne(domain)
+}

util/network.go

@@ -16,8 +16,18 @@ package util
 
 import (
 	"net"
+	"os"
 )
 
+func GetHostname() string {
+	name, err := os.Hostname()
+	if err != nil {
+		panic(err)
+	}
+
+	return name
+}
+
 func IsInternetIp(ip string) bool {
 	ipStr, _, err := net.SplitHostPort(ip)
 	if err != nil {

web/src/AdapterEditPage.js

@@ -158,7 +158,7 @@ class AdapterEditPage extends React.Component {
             <React.Fragment>
               <Row style={{marginTop: "20px"}} >
                 <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-                  {Setting.getLabel(i18next.t("general:Type"), i18next.t("cert:Type - Tooltip"))} :
+                  {Setting.getLabel(i18next.t("general:Type"), i18next.t("general:Type - Tooltip"))} :
                 </Col>
                 <Col span={22} >
                   <Select virtual={false} disabled={Setting.builtInObject(this.state.adapter)} style={{width: "100%"}} value={this.state.adapter.type} onChange={(value => {

web/src/App.js

@@ -487,7 +487,7 @@ class App extends Component {
               : (
                 Conf.CustomFooter !== null ? Conf.CustomFooter : (
                   <React.Fragment>
-                  Powered by <a target="_blank" href="https://casdoor.org" rel="noreferrer"><img style={{paddingBottom: "3px"}} height={"20px"} alt={"Casdoor"} src={logo} /></a>
+                    Powered by <a target="_blank" href="https://casdoor.org" rel="noreferrer"><img style={{paddingBottom: "3px"}} height={"20px"} alt={"Casdoor"} src={logo} /></a>
                   </React.Fragment>
                 )
               )
@@ -539,15 +539,16 @@ class App extends Component {
 
   isEntryPages() {
     return window.location.pathname.startsWith("/signup") ||
-        window.location.pathname.startsWith("/login") ||
-        window.location.pathname.startsWith("/forget") ||
-        window.location.pathname.startsWith("/prompt") ||
-        window.location.pathname.startsWith("/result") ||
-        window.location.pathname.startsWith("/cas") ||
-        window.location.pathname.startsWith("/select-plan") ||
-        window.location.pathname.startsWith("/buy-plan") ||
-        window.location.pathname.startsWith("/qrcode") ||
-        window.location.pathname.startsWith("/captcha");
+      window.location.pathname.startsWith("/login") ||
+      window.location.pathname.startsWith("/forget") ||
+      window.location.pathname.startsWith("/prompt") ||
+      window.location.pathname.startsWith("/result") ||
+      window.location.pathname.startsWith("/cas") ||
+      window.location.pathname.startsWith("/select-plan") ||
+      window.location.pathname.startsWith("/buy-plan") ||
+      window.location.pathname.startsWith("/qrcode") ||
+      window.location.pathname.startsWith("/consent") ||
+      window.location.pathname.startsWith("/captcha");
   }
 
   onClick = ({key}) => {
@@ -656,7 +657,7 @@ class App extends Component {
                 menuVisible={this.state.menuVisible}
                 logo={this.state.logo}
                 onChangeTheme={this.setTheme}
-                onClick = {this.onClick}
+                onClick={this.onClick}
                 onfinish={() => {
                   this.setState({requiredEnableMfa: false});
                 }}

web/src/ApplicationEditPage.js

@@ -248,6 +248,33 @@ class ApplicationEditPage extends React.Component {
     return value;
   }
 
+  trimCustomScopes(customScopes) {
+    if (!Array.isArray(customScopes)) {
+      return [];
+    }
+    return customScopes.map((item) => {
+      const scope = (item?.scope || "").trim();
+      const displayName = (item?.displayName || "").trim();
+      const description = (item?.description || "").trim();
+      return {
+        ...item,
+        scope: scope,
+        displayName: displayName,
+        description: description,
+      };
+    });
+  }
+
+  validateCustomScopes(customScopes) {
+    const trimmed = this.trimCustomScopes(customScopes);
+    for (const item of trimmed) {
+      if (!item || !item.scope || item.scope === "") {
+        return {ok: false, scopes: trimmed};
+      }
+    }
+    return {ok: true, scopes: trimmed};
+  }
+
   updateApplicationField(key, value) {
     value = this.parseApplicationField(key, value);
     const application = this.state.application;
@@ -506,157 +533,6 @@ class ApplicationEditPage extends React.Component {
       )}
       {this.state.activeMenuKey === "authentication" && (
         <React.Fragment>
-          <Row style={{marginTop: "10px"}} >
-            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-              {Setting.getLabel(i18next.t("provider:Client ID"), i18next.t("provider:Client ID - Tooltip"))} :
-            </Col>
-            <Col span={21} >
-              <Input value={this.state.application.clientId} onChange={e => {
-                this.updateApplicationField("clientId", e.target.value);
-              }} />
-            </Col>
-          </Row>
-          <Row style={{marginTop: "10px"}} >
-            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-              {Setting.getLabel(i18next.t("provider:Client secret"), i18next.t("provider:Client secret - Tooltip"))} :
-            </Col>
-            <Col span={21} >
-              <Input value={this.state.application.clientSecret} onChange={e => {
-                this.updateApplicationField("clientSecret", e.target.value);
-              }} />
-            </Col>
-          </Row>
-          <Row style={{marginTop: "20px"}} >
-            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-              {Setting.getLabel(i18next.t("application:Redirect URLs"), i18next.t("application:Redirect URLs - Tooltip"))} :
-            </Col>
-            <Col span={21} >
-              <UrlTable
-                title={i18next.t("application:Redirect URLs")}
-                table={this.state.application.redirectUris}
-                onUpdateTable={(value) => {this.updateApplicationField("redirectUris", value);}}
-              />
-            </Col>
-          </Row>
-          <Row style={{marginTop: "20px"}} >
-            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-              {Setting.getLabel(i18next.t("application:Forced redirect origin"), i18next.t("general:Forced redirect origin - Tooltip"))} :
-            </Col>
-            <Col span={21} >
-              <Input prefix={<LinkOutlined />} value={this.state.application.forcedRedirectOrigin} onChange={e => {
-                this.updateApplicationField("forcedRedirectOrigin", e.target.value);
-              }} />
-            </Col>
-          </Row>
-          <Row style={{marginTop: "20px"}} >
-            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-              {Setting.getLabel(i18next.t("application:Grant types"), i18next.t("application:Grant types - Tooltip"))} :
-            </Col>
-            <Col span={21} >
-              <Select virtual={false} mode="multiple" style={{width: "100%"}}
-                value={this.state.application.grantTypes}
-                onChange={(value => {
-                  this.updateApplicationField("grantTypes", value);
-                })} >
-                {
-                  [
-                    {id: "authorization_code", name: "Authorization Code"},
-                    {id: "password", name: "Password"},
-                    {id: "client_credentials", name: "Client Credentials"},
-                    {id: "token", name: "Token"},
-                    {id: "id_token", name: "ID Token"},
-                    {id: "refresh_token", name: "Refresh Token"},
-                    {id: "urn:ietf:params:oauth:grant-type:device_code", name: "Device Code"},
-                  ].map((item, index) => <Option key={index} value={item.id}>{item.name}</Option>)
-                }
-              </Select>
-            </Col>
-          </Row>
-          {
-            (this.state.application.category === "Agent") ? (
-              <Row style={{marginTop: "20px"}} >
-                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-                  {Setting.getLabel(i18next.t("general:Scopes"), i18next.t("general:Scopes - Tooltip"))} :
-                </Col>
-                <Col span={21} >
-                  <ScopeTable
-                    title={i18next.t("general:Scopes")}
-                    table={this.state.application.scopes}
-                    onUpdateTable={(value) => {this.updateApplicationField("scopes", value);}}
-                  />
-                </Col>
-              </Row>
-            ) : null
-          }
-          <Row style={{marginTop: "20px"}} >
-            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-              {Setting.getLabel(i18next.t("application:Token format"), i18next.t("application:Token format - Tooltip"))} :
-            </Col>
-            <Col span={21} >
-              <Select virtual={false} style={{width: "100%"}} value={this.state.application.tokenFormat} onChange={(value => {this.updateApplicationField("tokenFormat", value);})}
-                options={["JWT", "JWT-Empty", "JWT-Custom", "JWT-Standard"].map((item) => Setting.getOption(item, item))}
-              />
-            </Col>
-          </Row>
-          <Row style={{marginTop: "20px"}} >
-            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-              {Setting.getLabel(i18next.t("application:Token signing method"), i18next.t("application:Token signing method - Tooltip"))} :
-            </Col>
-            <Col span={21} >
-              <Select virtual={false} style={{width: "100%"}} value={this.state.application.tokenSigningMethod === "" ? "RS256" : this.state.application.tokenSigningMethod} onChange={(value => {this.updateApplicationField("tokenSigningMethod", value);})}
-                options={["RS256", "RS512", "ES256", "ES512", "ES384"].map((item) => Setting.getOption(item, item))}
-              />
-            </Col>
-          </Row>
-          <Row style={{marginTop: "20px"}} >
-            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-              {Setting.getLabel(i18next.t("application:Token fields"), i18next.t("application:Token fields - Tooltip"))} :
-            </Col>
-            <Col span={21} >
-              <Select virtual={false} disabled={this.state.application.tokenFormat !== "JWT-Custom"} mode="tags" showSearch style={{width: "100%"}} value={this.state.application.tokenFields} onChange={(value => {this.updateApplicationField("tokenFields", value);})}>
-                <Option key={"signinMethod"} value={"signinMethod"}>{"SigninMethod"}</Option>
-                <Option key={"provider"} value={"provider"}>{"Provider"}</Option>
-                {
-                  [...Setting.getUserCommonFields(), "permissionNames"].map((item, index) => <Option key={index} value={item}>{item}</Option>)
-                }
-              </Select>
-            </Col>
-          </Row>
-          {
-            this.state.application.tokenFormat === "JWT-Custom" ? (<Row style={{marginTop: "20px"}} >
-              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-                {Setting.getLabel(i18next.t("general:Token attributes"), i18next.t("general:Token attributes - Tooltip"))} :
-              </Col>
-              <Col span={22} >
-                <TokenAttributeTable
-                  title={i18next.t("general:Token attributes")}
-                  table={this.state.application.tokenAttributes}
-                  application={this.state.application}
-                  onUpdateTable={(value) => {this.updateApplicationField("tokenAttributes", value);}}
-                />
-              </Col>
-            </Row>) : null
-          }
-          <Row style={{marginTop: "20px"}} >
-            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-              {Setting.getLabel(i18next.t("application:Token expire"), i18next.t("application:Token expire - Tooltip"))} :
-            </Col>
-            <Col span={21} >
-              <InputNumber style={{width: "150px"}} value={this.state.application.expireInHours} min={0.01} step={1} precision={2} addonAfter="Hours" onChange={value => {
-                this.updateApplicationField("expireInHours", value);
-              }} />
-            </Col>
-          </Row>
-          <Row style={{marginTop: "20px"}} >
-            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-              {Setting.getLabel(i18next.t("application:Refresh token expire"), i18next.t("application:Refresh token expire - Tooltip"))} :
-            </Col>
-            <Col span={21} >
-              <InputNumber style={{width: "150px"}} value={this.state.application.refreshExpireInHours} min={0.01} step={1} precision={2} addonAfter="Hours" onChange={value => {
-                this.updateApplicationField("refreshExpireInHours", value);
-              }} />
-            </Col>
-          </Row>
           <Row style={{marginTop: "20px"}} >
             <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
               {Setting.getLabel(i18next.t("application:Cookie expire"), i18next.t("application:Cookie expire - Tooltip"))} :
@@ -807,7 +683,167 @@ class ApplicationEditPage extends React.Component {
               }} />
             </Col>
           </Row>
+        </React.Fragment>
+      )}
+      {this.state.activeMenuKey === "oidc-oauth" && (
+        <React.Fragment>
+          <Row style={{marginTop: "10px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("provider:Client ID"), i18next.t("provider:Client ID - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <Input value={this.state.application.clientId} onChange={e => {
+                this.updateApplicationField("clientId", e.target.value);
+              }} />
+            </Col>
+          </Row>
+          <Row style={{marginTop: "10px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("provider:Client secret"), i18next.t("provider:Client secret - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <Input value={this.state.application.clientSecret} onChange={e => {
+                this.updateApplicationField("clientSecret", e.target.value);
+              }} />
+            </Col>
+          </Row>
           <Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("application:Redirect URLs"), i18next.t("application:Redirect URLs - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <UrlTable
+                title={i18next.t("application:Redirect URLs")}
+                table={this.state.application.redirectUris}
+                onUpdateTable={(value) => {this.updateApplicationField("redirectUris", value);}}
+              />
+            </Col>
+          </Row>
+          <Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("application:Forced redirect origin"), i18next.t("general:Forced redirect origin - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <Input prefix={<LinkOutlined />} value={this.state.application.forcedRedirectOrigin} onChange={e => {
+                this.updateApplicationField("forcedRedirectOrigin", e.target.value);
+              }} />
+            </Col>
+          </Row>
+          <Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("application:Grant types"), i18next.t("application:Grant types - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <Select virtual={false} mode="multiple" style={{width: "100%"}}
+                value={this.state.application.grantTypes}
+                onChange={(value => {
+                  this.updateApplicationField("grantTypes", value);
+                })} >
+                {
+                  [
+                    {id: "authorization_code", name: "Authorization Code"},
+                    {id: "password", name: "Password"},
+                    {id: "client_credentials", name: "Client Credentials"},
+                    {id: "token", name: "Token"},
+                    {id: "id_token", name: "ID Token"},
+                    {id: "refresh_token", name: "Refresh Token"},
+                    {id: "urn:ietf:params:oauth:grant-type:device_code", name: "Device Code"},
+                    {id: "urn:ietf:params:oauth:grant-type:jwt-bearer", name: "JWT Bearer"},
+                  ].map((item, index) => <Option key={index} value={item.id}>{item.name}</Option>)
+                }
+              </Select>
+            </Col>
+          </Row>
+          {
+            (this.state.application.category === "Agent") ? (
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+                  {Setting.getLabel(i18next.t("general:Scopes"), i18next.t("general:Scopes - Tooltip"))} :
+                </Col>
+                <Col span={21} >
+                  <ScopeTable
+                    title={i18next.t("general:Scopes")}
+                    table={this.state.application.scopes}
+                    onUpdateTable={(value) => {this.updateApplicationField("scopes", value);}}
+                  />
+                </Col>
+              </Row>
+            ) : null
+          }
+          <Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("application:Token format"), i18next.t("application:Token format - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <Select virtual={false} style={{width: "100%"}} value={this.state.application.tokenFormat} onChange={(value => {this.updateApplicationField("tokenFormat", value);})}
+                options={["JWT", "JWT-Empty", "JWT-Custom", "JWT-Standard"].map((item) => Setting.getOption(item, item))}
+              />
+            </Col>
+          </Row>
+          <Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("application:Token signing method"), i18next.t("application:Token signing method - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <Select virtual={false} style={{width: "100%"}} value={this.state.application.tokenSigningMethod === "" ? "RS256" : this.state.application.tokenSigningMethod} onChange={(value => {this.updateApplicationField("tokenSigningMethod", value);})}
+                options={["RS256", "RS512", "ES256", "ES512", "ES384"].map((item) => Setting.getOption(item, item))}
+              />
+            </Col>
+          </Row>
+          <Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("application:Token fields"), i18next.t("application:Token fields - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <Select virtual={false} disabled={this.state.application.tokenFormat !== "JWT-Custom"} mode="tags" showSearch style={{width: "100%"}} value={this.state.application.tokenFields} onChange={(value => {this.updateApplicationField("tokenFields", value);})}>
+                <Option key={"signinMethod"} value={"signinMethod"}>{"SigninMethod"}</Option>
+                <Option key={"provider"} value={"provider"}>{"Provider"}</Option>
+                {
+                  [...Setting.getUserCommonFields(), "permissionNames"].map((item, index) => <Option key={index} value={item}>{item}</Option>)
+                }
+              </Select>
+            </Col>
+          </Row>
+          {
+            this.state.application.tokenFormat === "JWT-Custom" ? (<Row style={{marginTop: "20px"}} >
+              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                {Setting.getLabel(i18next.t("general:Token attributes"), i18next.t("general:Token attributes - Tooltip"))} :
+              </Col>
+              <Col span={22} >
+                <TokenAttributeTable
+                  title={i18next.t("general:Token attributes")}
+                  table={this.state.application.tokenAttributes}
+                  application={this.state.application}
+                  onUpdateTable={(value) => {this.updateApplicationField("tokenAttributes", value);}}
+                />
+              </Col>
+            </Row>) : null
+          }
+          <Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("application:Token expire"), i18next.t("application:Token expire - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <InputNumber style={{width: "150px"}} value={this.state.application.expireInHours} min={0.01} step={1} precision={2} addonAfter="Hours" onChange={value => {
+                this.updateApplicationField("expireInHours", value);
+              }} />
+            </Col>
+          </Row>
+          <Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("application:Refresh token expire"), i18next.t("application:Refresh token expire - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <InputNumber style={{width: "150px"}} value={this.state.application.refreshExpireInHours} min={0.01} step={1} precision={2} addonAfter="Hours" onChange={value => {
+                this.updateApplicationField("refreshExpireInHours", value);
+              }} />
+            </Col>
+          </Row>
+        </React.Fragment>
+      )}
+      {this.state.activeMenuKey === "saml" && (
+        <React.Fragment>
+          <Row style={{marginTop: "10px"}} >
             <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
               {Setting.getLabel(i18next.t("application:SAML reply URL"), i18next.t("application:Redirect URL (Assertion Consumer Service POST Binding URL) - Tooltip"))} :
             </Col>
@@ -1308,7 +1344,7 @@ class ApplicationEditPage extends React.Component {
         <React.Fragment>
           <Row style={{marginTop: "20px"}} >
             <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-              {Setting.getLabel(i18next.t("general:Cert"), i18next.t("general:Cert - Tooltip"))} :
+              {Setting.getLabel(i18next.t("application:Token cert"), i18next.t("application:Token cert - Tooltip"))} :
             </Col>
             <Col span={21} >
               <Select virtual={false} style={{width: "100%"}} value={this.state.application.cert} onChange={(value => {this.updateApplicationField("cert", value);})}>
@@ -1318,6 +1354,18 @@ class ApplicationEditPage extends React.Component {
               </Select>
             </Col>
           </Row>
+          <Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("application:Client cert"), i18next.t("application:Client cert - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <Select virtual={false} style={{width: "100%"}} value={this.state.application.clientCert} onChange={(value => {this.updateApplicationField("clientCert", value);})}>
+                {
+                  this.state.certs.map((cert, index) => <Option key={index} value={cert.name}>{cert.name}</Option>)
+                }
+              </Select>
+            </Col>
+          </Row>
           <Row style={{marginTop: "20px"}} >
             <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
               {Setting.getLabel(i18next.t("application:Failed signin limit"), i18next.t("application:Failed signin limit - Tooltip"))} :
@@ -1353,7 +1401,7 @@ class ApplicationEditPage extends React.Component {
               {Setting.getLabel(i18next.t("general:IP whitelist"), i18next.t("general:IP whitelist - Tooltip"))} :
             </Col>
             <Col span={21} >
-              <Input placeholder = {this.state.application.organizationObj?.ipWhitelist} value={this.state.application.ipWhitelist} onChange={e => {
+              <Input placeholder={this.state.application.organizationObj?.ipWhitelist} value={this.state.application.ipWhitelist} onChange={e => {
                 this.updateApplicationField("ipWhitelist", e.target.value);
               }} />
             </Col>
@@ -1373,6 +1421,68 @@ class ApplicationEditPage extends React.Component {
             </Col>
           </Row>
         </React.Fragment>
+      )}
+      {this.state.activeMenuKey === "reverse-proxy" && (
+        <React.Fragment>
+          <Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("provider:Domain"), i18next.t("provider:Domain - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <Input value={this.state.application.domain} placeholder="e.g., blog.example.com" onChange={e => {
+                this.updateApplicationField("domain", e.target.value);
+              }} />
+            </Col>
+          </Row>
+          <Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("application:Other domains"), i18next.t("application:Other domains - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <UrlTable
+                title={i18next.t("application:Other domains")}
+                table={this.state.application.otherDomains}
+                onUpdateTable={(value) => {this.updateApplicationField("otherDomains", value);}}
+              />
+            </Col>
+          </Row>
+          <Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("application:Upstream host"), i18next.t("application:Upstream host - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <Input value={this.state.application.upstreamHost} placeholder="e.g., localhost:8080 or 192.168.1.100:3000" onChange={e => {
+                this.updateApplicationField("upstreamHost", e.target.value);
+              }} />
+            </Col>
+          </Row>
+          <Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("provider:SSL mode"), i18next.t("provider:SSL mode - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <Select virtual={false} style={{width: "100%"}} value={this.state.application.sslMode} onChange={(value => {this.updateApplicationField("sslMode", value);})}>
+                <Option value="">{i18next.t("general:None")}</Option>
+                <Option value="HTTP">HTTP</Option>
+                <Option value="HTTPS and HTTP">HTTPS and HTTP</Option>
+                <Option value="HTTPS Only">HTTPS Only</Option>
+              </Select>
+            </Col>
+          </Row>
+          <Row style={{marginTop: "20px"}} >
+            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+              {Setting.getLabel(i18next.t("application:SSL cert"), i18next.t("application:SSL cert - Tooltip"))} :
+            </Col>
+            <Col span={21} >
+              <Select virtual={false} style={{width: "100%"}} value={this.state.application.sslCert} onChange={(value => {this.updateApplicationField("sslCert", value);})}>
+                <Option value="">{i18next.t("general:None")}</Option>
+                {
+                  this.state.certs.map((cert, index) => <Option key={index} value={cert.name}>{cert.name}</Option>)
+                }
+              </Select>
+            </Col>
+          </Row>
+        </React.Fragment>
       )}</>;
   }
 
@@ -1390,7 +1500,7 @@ class ApplicationEditPage extends React.Component {
         <Layout style={{background: "inherit", height: "100%", overflow: "auto"}}>
           {
             this.state.menuMode === "horizontal" || !this.state.menuMode ? (
-              <Header style={{background: "inherit", padding: "0px", position: "sticky", top: 0}}>
+              <Header style={{background: "inherit", padding: "0px", position: "sticky", top: 0, height: 38, minHeight: 38}}>
                 <div className="demo-logo" />
                 <Tabs
                   onChange={(key) => {
@@ -1399,12 +1509,16 @@ class ApplicationEditPage extends React.Component {
                   }}
                   type="card"
                   activeKey={this.state.activeMenuKey}
+                  tabBarStyle={{marginBottom: 0}}
                   items={[
                     {label: i18next.t("application:Basic"), key: "basic"},
                     {label: i18next.t("application:Authentication"), key: "authentication"},
+                    {label: "OIDC/OAuth", key: "oidc-oauth"},
+                    {label: "SAML", key: "saml"},
                     {label: i18next.t("application:Providers"), key: "providers"},
                     {label: i18next.t("application:UI Customization"), key: "ui-customization"},
                     {label: i18next.t("application:Security"), key: "security"},
+                    {label: i18next.t("application:Reverse Proxy"), key: "reverse-proxy"},
                   ]}
                 />
               </Header>
@@ -1425,9 +1539,12 @@ class ApplicationEditPage extends React.Component {
                   >
                     <Menu.Item key="basic">{i18next.t("application:Basic")}</Menu.Item>
                     <Menu.Item key="authentication">{i18next.t("application:Authentication")}</Menu.Item>
+                    <Menu.Item key="oidc-oauth">OIDC/OAuth</Menu.Item>
+                    <Menu.Item key="saml">SAML</Menu.Item>
                     <Menu.Item key="providers">{i18next.t("application:Providers")}</Menu.Item>
                     <Menu.Item key="ui-customization">{i18next.t("application:UI Customization")}</Menu.Item>
                     <Menu.Item key="security">{i18next.t("application:Security")}</Menu.Item>
+                    <Menu.Item key="reverse-proxy">{i18next.t("application:Reverse Proxy")}</Menu.Item>
                   </Menu>
                 </Sider>) : null
             }
@@ -1483,11 +1600,11 @@ class ApplicationEditPage extends React.Component {
               {
                 Setting.isPasswordEnabled(this.state.application) ? (
                   <div className="loginBackground" style={{backgroundImage: `url(${this.state.application?.formBackgroundUrl})`, overflow: "auto"}}>
-                    <SignupPage application={this.state.application} preview = "auto" />
+                    <SignupPage application={this.state.application} preview="auto" />
                   </div>
                 ) : (
                   <div className="loginBackground" style={{backgroundImage: `url(${this.state.application?.formBackgroundUrl})`, overflow: "auto"}}>
-                    <LoginPage type={"login"} mode={"signup"} application={this.state.application} preview = "auto" />
+                    <LoginPage type={"login"} mode={"signup"} application={this.state.application} preview="auto" />
                   </div>
                 )
               }
@@ -1513,7 +1630,7 @@ class ApplicationEditPage extends React.Component {
           }}>
             <div style={{position: "relative", width: previewWidth, border: "1px solid rgb(217,217,217)", boxShadow: "10px 10px 5px #888888", overflow: "auto"}}>
               <div className="loginBackground" style={{backgroundImage: `url(${this.state.application?.formBackgroundUrl})`, overflow: "auto"}}>
-                <LoginPage type={"login"} mode={"signin"} application={this.state.application} preview = "auto" />
+                <LoginPage type={"login"} mode={"signin"} application={this.state.application} preview="auto" />
               </div>
               <div style={{overflow: "auto", ...maskStyle}} />
             </div>
@@ -1557,6 +1674,12 @@ class ApplicationEditPage extends React.Component {
     const application = Setting.deepCopy(this.state.application);
     application.providers = application.providers?.filter(provider => this.state.providers.map(provider => provider.name).includes(provider.name));
     application.signinMethods = application.signinMethods?.filter(signinMethod => ["Password", "Verification code", "WebAuthn", "LDAP", "Face ID", "WeChat"].includes(signinMethod.name));
+    const customScopeValidation = this.validateCustomScopes(application.customScopes);
+    application.customScopes = customScopeValidation.scopes;
+    if (!customScopeValidation.ok) {
+      Setting.showMessage("error", `${i18next.t("general:Name")}: ${i18next.t("provider:This field is required")}`);
+      return;
+    }
 
     ApplicationBackend.updateApplication("admin", this.state.applicationName, application)
       .then((res) => {

web/src/ApplicationListPage.js

@@ -190,19 +190,15 @@ class ApplicationListPage extends BaseListPage {
         sorter: true,
         ...this.getColumnSearchProps("category"),
         render: (text, record, index) => {
-          const category = text;
-          const tagColor = category === "Agent" ? "green" : "blue";
-          return (
-            <span style={{
-              padding: "4px 8px",
-              borderRadius: "4px",
-              backgroundColor: tagColor,
-              color: "white",
-              fontWeight: "500",
-            }}>
-              {category}
-            </span>
-          );
+          if (!text) {
+            text = "Default";
+          }
+
+          if (text === "Agent") {
+            return Setting.getTag("success", text);
+          } else {
+            return Setting.getTag("default", text);
+          }
         },
       },
       {

web/src/CertEditPage.js

@@ -81,6 +81,24 @@ class CertEditPage extends React.Component {
     value = this.parseCertField(key, value);
 
     const cert = this.state.cert;
+    const previousType = cert.type;
+    if (key === "type") {
+      if (value === "SSL") {
+        cert.cryptoAlgorithm = "RSA";
+        cert.certificate = "";
+        cert.privateKey = "";
+      } else if (previousType === "SSL" && value !== "SSL") {
+        // Clear SSL-specific sensitive and derived fields when leaving SSL type
+        cert.provider = "";
+        cert.account = "";
+        cert.accessKey = "";
+        cert.accessSecret = "";
+        cert.certificate = "";
+        cert.privateKey = "";
+        cert.expireTime = "";
+        cert.domainExpireTime = "";
+      }
+    }
     cert[key] = value;
     this.setState({
       cert: cert,
@@ -133,7 +151,7 @@ class CertEditPage extends React.Component {
         </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("provider:Scope"), i18next.t("cert:Scope - Tooltip"))} :
+            {Setting.getLabel(i18next.t("provider:Scope"), i18next.t("provider:Scope - Tooltip"))} :
           </Col>
           <Col span={22} >
             <Select virtual={false} style={{width: "100%"}} value={this.state.cert.scope} onChange={(value => {
@@ -149,7 +167,7 @@ class CertEditPage extends React.Component {
         </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("general:Type"), i18next.t("cert:Type - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Type"), i18next.t("general:Type - Tooltip"))} :
           </Col>
           <Col span={22} >
             <Select virtual={false} style={{width: "100%"}} value={this.state.cert.type} onChange={(value => {
@@ -157,6 +175,7 @@ class CertEditPage extends React.Component {
             })}>
               {
                 [
+                  {id: "SSL", name: "SSL"},
                   {id: "x509", name: "x509"},
                   {id: "Payment", name: "Payment"},
                 ].map((item, index) => <Option key={index} value={item.id}>{item.name}</Option>)
@@ -184,7 +203,10 @@ class CertEditPage extends React.Component {
               this.updateCertField("privateKey", "");
             })}>
               {
-                [
+                (this.state.cert.type === "SSL" ? [
+                  {id: "RSA", name: "RSA"},
+                  {id: "ECC", name: "ECC"},
+                ] : [
                   {id: "RS256", name: "RS256 (RSA + SHA256)"},
                   {id: "RS384", name: "RS384 (RSA + SHA384)"},
                   {id: "RS512", name: "RS512 (RSA + SHA512)"},
@@ -194,13 +216,13 @@ class CertEditPage extends React.Component {
                   {id: "PS256", name: "PS256 (RSASSA-PSS using SHA256 and MGF1 with SHA256)"},
                   {id: "PS384", name: "PS384 (RSASSA-PSS using SHA384 and MGF1 with SHA384)"},
                   {id: "PS512", name: "PS512 (RSASSA-PSS using SHA512 and MGF1 with SHA512)"},
-                ].map((item, index) => <Option key={index} value={item.id}>{item.name}</Option>)
+                ]).map((item, index) => <Option key={index} value={item.id}>{item.name}</Option>)
               }
             </Select>
           </Col>
         </Row>
         {
-          this.state.cert.cryptoAlgorithm.startsWith("ES") ? null : (
+          this.state.cert.cryptoAlgorithm.startsWith("ES") || this.state.cert.type === "SSL" ? null : (
             <Row style={{marginTop: "20px"}} >
               <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
                 {Setting.getLabel(i18next.t("cert:Bit size"), i18next.t("cert:Bit size - Tooltip"))} :
@@ -219,16 +241,91 @@ class CertEditPage extends React.Component {
             </Row>
           )
         }
-        <Row style={{marginTop: "20px"}} >
-          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("cert:Expire in years"), i18next.t("cert:Expire in years - Tooltip"))} :
-          </Col>
-          <Col span={22} >
-            <InputNumber value={this.state.cert.expireInYears} onChange={value => {
-              this.updateCertField("expireInYears", value);
-            }} />
-          </Col>
-        </Row>
+        {
+          this.state.cert.type === "SSL" ? null : (
+            <Row style={{marginTop: "20px"}} >
+              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                {Setting.getLabel(i18next.t("cert:Expire in years"), i18next.t("cert:Expire in years - Tooltip"))} :
+              </Col>
+              <Col span={22} >
+                <InputNumber value={this.state.cert.expireInYears} onChange={value => {
+                  this.updateCertField("expireInYears", value);
+                }} />
+              </Col>
+            </Row>
+          )
+        }
+        {
+          this.state.cert.type === "SSL" ? (
+            <React.Fragment>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={2}>
+                  {i18next.t("cert:Expire time")}:
+                </Col>
+                <Col span={22} >
+                  <Input disabled={true} value={Setting.getFormattedDate(this.state.cert.expireTime)} onChange={e => {
+                    this.updateCertField("expireTime", e.target.value);
+                  }} />
+                </Col>
+              </Row>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={2}>
+                  {i18next.t("cert:Domain expire")}:
+                </Col>
+                <Col span={22} >
+                  <Input disabled={true} value={Setting.getFormattedDate(this.state.cert.domainExpireTime)} onChange={e => {
+                    this.updateCertField("domainExpireTime", e.target.value);
+                  }} />
+                </Col>
+              </Row>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={2}>
+                  {i18next.t("cert:Provider")}:
+                </Col>
+                <Col span={22} >
+                  <Select virtual={false} style={{width: "100%"}} value={this.state.cert.provider} onChange={(value => {this.updateCertField("provider", value);})}>
+                    {
+                      [
+                        {id: "GoDaddy", name: "GoDaddy"},
+                        {id: "Aliyun", name: "Aliyun"},
+                      ].map((item, index) => <Option key={index} value={item.id}>{item.name}</Option>)
+                    }
+                  </Select>
+                </Col>
+              </Row>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={2}>
+                  {i18next.t("cert:Account")}:
+                </Col>
+                <Col span={22} >
+                  <Input value={this.state.cert.account} onChange={e => {
+                    this.updateCertField("account", e.target.value);
+                  }} />
+                </Col>
+              </Row>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={2}>
+                  {i18next.t("cert:Access key")}:
+                </Col>
+                <Col span={22} >
+                  <Input value={this.state.cert.accessKey} onChange={e => {
+                    this.updateCertField("accessKey", e.target.value);
+                  }} />
+                </Col>
+              </Row>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={2}>
+                  {i18next.t("cert:Access secret")}:
+                </Col>
+                <Col span={22} >
+                  <Input.Password value={this.state.cert.accessSecret} onChange={e => {
+                    this.updateCertField("accessSecret", e.target.value);
+                  }} />
+                </Col>
+              </Row>
+            </React.Fragment>
+          ) : null
+        }
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
             {Setting.getLabel(i18next.t("cert:Certificate"), i18next.t("cert:Certificate - Tooltip"))} :

web/src/CertListPage.js

@@ -88,6 +88,28 @@ class CertListPage extends BaseListPage {
       });
   }
 
+  refreshCert(i) {
+    const cert = this.state.data[i];
+    CertBackend.refreshDomainExpire(cert.owner, cert.name)
+      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", `Failed to refresh domain expire: ${res.msg}`);
+        } else {
+          Setting.showMessage("success", "Domain expire refreshed successfully");
+          this.fetch({
+            pagination: {
+              ...this.state.pagination,
+              current: this.state.pagination.current > 1 && this.state.data.length === 1 ? this.state.pagination.current - 1 : this.state.pagination.current,
+            },
+          });
+        }
+      }
+      )
+      .catch(error => {
+        Setting.showMessage("error", `Domain expire failed to refresh: ${error}`);
+      });
+  }
+
   renderTable(certs) {
     const columns = [
       {
@@ -194,6 +216,12 @@ class CertListPage extends BaseListPage {
         render: (text, record, index) => {
           return (
             <div>
+              {
+                record.type === "SSL" ? (
+                  <Button disabled={!Setting.isAdminUser(this.props.account) && (record.owner !== this.props.account.owner)} style={{margin: "10px 10px 10px 0"}} type="default" onClick={() => this.refreshCert(index)}>{i18next.t("general:Refresh")}
+                  </Button>
+                ) : null
+              }
               <Button disabled={!Setting.isAdminUser(this.props.account) && (record.owner !== this.props.account.owner)} style={{marginTop: "10px", marginBottom: "10px", marginRight: "10px"}} type="primary" onClick={() => this.props.history.push(`/certs/${record.owner}/${record.name}`)}>{i18next.t("general:Edit")}</Button>
               <PopconfirmModal
                 disabled={!Setting.isAdminUser(this.props.account) && (record.owner !== this.props.account.owner)}

web/src/EntryPage.js

@@ -26,6 +26,7 @@ import LoginPage from "./auth/LoginPage";
 import SelfForgetPage from "./auth/SelfForgetPage";
 import ForgetPage from "./auth/ForgetPage";
 import PromptPage from "./auth/PromptPage";
+import ConsentPage from "./auth/ConsentPage";
 import ResultPage from "./auth/ResultPage";
 import CasLogout from "./auth/CasLogout";
 import {authConfig} from "./auth/Auth";
@@ -125,6 +126,7 @@ class EntryPage extends React.Component {
             <Route exact path="/forget/:applicationName" render={(props) => <ForgetPage {...this.props} account={this.props.account} application={this.state.application} onUpdateApplication={onUpdateApplication} {...props} />} />
             <Route exact path="/prompt" render={(props) => this.renderLoginIfNotLoggedIn(<PromptPage {...this.props} application={this.state.application} onUpdateApplication={onUpdateApplication} {...props} />)} />
             <Route exact path="/prompt/:applicationName" render={(props) => this.renderLoginIfNotLoggedIn(<PromptPage {...this.props} application={this.state.application} onUpdateApplication={onUpdateApplication} {...props} />)} />
+            <Route exact path="/consent/:applicationName" render={(props) => this.renderLoginIfNotLoggedIn(<ConsentPage {...this.props} application={this.state.application} onUpdateApplication={onUpdateApplication} {...props} />)} />
             <Route exact path="/result" render={(props) => this.renderHomeIfLoggedIn(<ResultPage {...this.props} application={this.state.application} onUpdateApplication={onUpdateApplication} {...props} />)} />
             <Route exact path="/result/:applicationName" render={(props) => this.renderHomeIfLoggedIn(<ResultPage {...this.props} application={this.state.application} onUpdateApplication={onUpdateApplication} {...props} />)} />
             <Route exact path="/cas/:owner/:casApplicationName/logout" render={(props) => this.renderHomeIfLoggedIn(<CasLogout {...this.props} application={this.state.application} onUpdateApplication={onUpdateApplication} {...props} />)} />

web/src/FormEditPage.js

@@ -93,7 +93,7 @@ class FormEditPage extends React.Component {
         </Row>
         <Row style={{marginTop: "20px"}}>
           <Col style={{marginTop: "5px"}} span={Setting.isMobile() ? 22 : 2}>
-            {Setting.getLabel(i18next.t("general:Type"), i18next.t("cert:Type - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Type"), i18next.t("general:Type - Tooltip"))} :
           </Col>
           <Col span={22}>
             <Select

web/src/GroupEditPage.js

@@ -148,7 +148,7 @@ class GroupEditPage extends React.Component {
         </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("general:Type"), i18next.t("cert:Type - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Type"), i18next.t("general:Type - Tooltip"))} :
           </Col>
           <Col span={22} >
             <Select style={{width: "100%"}}

web/src/ManagementPage.js

@@ -193,12 +193,12 @@ function ManagementPage(props) {
           {
             renderAvatar()
           }
-                     
-                     
+           
+           
           {Setting.isMobile() ? null : Setting.getShortText(Setting.getNameAtLeast(props.account.displayName), 30)} &nbsp; <DownOutlined />
-                    &nbsp;
-                    &nbsp;
-                    &nbsp;
+          &nbsp;
+          &nbsp;
+          &nbsp;
         </div>
       </Dropdown>
     );
@@ -252,15 +252,15 @@ function ManagementPage(props) {
           {renderRightDropdown()}
           {renderWidgets()}
           {Setting.isAdminUser(props.account) && (props.uri.indexOf("/trees") === -1) &&
-                        <OrganizationSelect
-                          initValue={Setting.getOrganization()}
-                          withAll={true}
-                          className="org-select"
-                          style={{display: Setting.isMobile() ? "none" : "flex"}}
-                          onChange={(value) => {
-                            Setting.setOrganization(value);
-                          }}
-                        />
+            <OrganizationSelect
+              initValue={Setting.getOrganization()}
+              withAll={true}
+              className="org-select"
+              style={{display: Setting.isMobile() ? "none" : "flex"}}
+              onChange={(value) => {
+                Setting.setOrganization(value);
+              }}
+            />
           }
         </React.Fragment>
       );
@@ -287,9 +287,9 @@ function ManagementPage(props) {
 
     !Setting.isMobile() ? res.push({
       label:
-            <Link to="/">
-              <img className="logo" src={logo ?? props.logo} alt="logo" />
-            </Link>,
+        <Link to="/">
+          <img className="logo" src={logo ?? props.logo} alt="logo" />
+        </Link>,
       disabled: true, key: "logo",
       style: {
         padding: 0,

web/src/OrderListPage.js

@@ -236,6 +236,13 @@ class OrderListPage extends BaseListPage {
         width: "120px",
         sorter: true,
         ...this.getColumnSearchProps("state"),
+        render: (text, record, index) => {
+          return (
+            <Tooltip title={record.message || ""}>
+              <span>{text}</span>
+            </Tooltip>
+          );
+        },
       },
       {
         title: i18next.t("general:Action"),
@@ -248,7 +255,7 @@ class OrderListPage extends BaseListPage {
           return (
             <div style={{display: "flex", flexWrap: "wrap", gap: "8px"}}>
               <Button onClick={() => this.props.history.push(`/orders/${record.owner}/${record.name}/pay`)}>
-                {record.state === "Created" ? i18next.t("order:Pay") : i18next.t("general:Detail")}
+                {(record.state === "Created" || record.state === "Failed") ? i18next.t("order:Pay") : i18next.t("general:Detail")}
               </Button>
               <Button danger onClick={() => this.cancelOrder(record)} disabled={record.state !== "Created" || !isAdmin}>
                 {i18next.t("general:Cancel")}

web/src/OrderPayPage.js

@@ -272,7 +272,7 @@ class OrderPayPage extends React.Component {
     const updateTimeMap = {
       Paid: i18next.t("order:Payment time"),
       Canceled: i18next.t("order:Cancel time"),
-      PaymentFailed: i18next.t("order:Payment failed time"),
+      Failed: i18next.t("order:Payment failed time"),
       Timeout: i18next.t("order:Timeout time"),
     };
     const updateTimeLabel = updateTimeMap[state] || i18next.t("general:Updated time");

web/src/OrganizationListPage.js

@@ -57,6 +57,8 @@ class OrganizationListPage extends BaseListPage {
         {name: "ID", visible: true, viewRule: "Public", modifyRule: "Immutable"},
         {name: "Name", visible: true, viewRule: "Public", modifyRule: "Admin"},
         {name: "Display name", visible: true, viewRule: "Public", modifyRule: "Self"},
+        {name: "First name", visible: true, viewRule: "Public", modifyRule: "Self"},
+        {name: "Last name", visible: true, viewRule: "Public", modifyRule: "Self"},
         {name: "Avatar", visible: true, viewRule: "Public", modifyRule: "Self"},
         {name: "User type", visible: true, viewRule: "Public", modifyRule: "Admin"},
         {name: "Password", visible: true, viewRule: "Self", modifyRule: "Self"},
@@ -66,6 +68,7 @@ class OrganizationListPage extends BaseListPage {
         {name: "Country/Region", visible: true, viewRule: "Public", modifyRule: "Self"},
         {name: "Location", visible: true, viewRule: "Public", modifyRule: "Self"},
         {name: "Address", visible: true, viewRule: "Public", modifyRule: "Self"},
+        {name: "Addresses", visible: true, viewRule: "Public", modifyRule: "Self"},
         {name: "Affiliation", visible: true, viewRule: "Public", modifyRule: "Self"},
         {name: "Title", visible: true, viewRule: "Public", modifyRule: "Self"},
         {name: "ID card type", visible: true, viewRule: "Public", modifyRule: "Self"},
@@ -86,6 +89,8 @@ class OrganizationListPage extends BaseListPage {
         {name: "Balance", visible: true, viewRule: "Public", modifyRule: "Admin"},
         {name: "Balance credit", visible: true, viewRule: "Public", modifyRule: "Admin"},
         {name: "Balance currency", visible: true, viewRule: "Public", modifyRule: "Admin"},
+        {name: "Cart", visible: true, viewRule: "Self", modifyRule: "Self"},
+        {name: "Transactions", visible: true, viewRule: "Self", modifyRule: "Self"},
         {name: "Signup application", visible: true, viewRule: "Public", modifyRule: "Admin"},
         {name: "Register type", visible: true, viewRule: "Public", modifyRule: "Admin"},
         {name: "Register source", visible: true, viewRule: "Public", modifyRule: "Admin"},
@@ -93,16 +98,22 @@ class OrganizationListPage extends BaseListPage {
         {name: "Groups", visible: true, viewRule: "Public", modifyRule: "Admin"},
         {name: "Roles", visible: true, viewRule: "Public", modifyRule: "Immutable"},
         {name: "Permissions", visible: true, viewRule: "Public", modifyRule: "Immutable"},
+        {name: "Consents", visible: true, viewRule: "Self", modifyRule: "Self"},
         {name: "3rd-party logins", visible: true, viewRule: "Self", modifyRule: "Self"},
         {name: "Properties", visible: false, viewRule: "Admin", modifyRule: "Admin"},
         {name: "Is online", visible: true, viewRule: "Admin", modifyRule: "Admin"},
         {name: "Is admin", visible: true, viewRule: "Admin", modifyRule: "Admin"},
         {name: "Is forbidden", visible: true, viewRule: "Admin", modifyRule: "Admin"},
         {name: "Is deleted", visible: true, viewRule: "Admin", modifyRule: "Admin"},
-        {Name: "Multi-factor authentication", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
-        {Name: "WebAuthn credentials", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
-        {Name: "Managed accounts", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
-        {Name: "MFA accounts", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
+        {name: "Multi-factor authentication", visible: true, viewRule: "Self", modifyRule: "Self"},
+        {name: "MFA items", visible: true, viewRule: "Self", modifyRule: "Self"},
+        {name: "WebAuthn credentials", visible: true, viewRule: "Self", modifyRule: "Self"},
+        {name: "Last change password time", visible: true, viewRule: "Admin", modifyRule: "Admin"},
+        {name: "Managed accounts", visible: true, viewRule: "Self", modifyRule: "Self"},
+        {name: "Face ID", visible: true, viewRule: "Self", modifyRule: "Self"},
+        {name: "MFA accounts", visible: true, viewRule: "Self", modifyRule: "Self"},
+        {name: "Need update password", visible: true, viewRule: "Admin", modifyRule: "Admin"},
+        {name: "IP whitelist", visible: true, viewRule: "Admin", modifyRule: "Admin"},
       ],
     };
   }

web/src/PaymentEditPage.js

@@ -18,7 +18,6 @@ import {InfoCircleTwoTone} from "@ant-design/icons";
 import * as PaymentBackend from "./backend/PaymentBackend";
 import * as Setting from "./Setting";
 import i18next from "i18next";
-import * as ProductBackend from "./backend/ProductBackend";
 
 const {Option} = Select;
 
@@ -30,7 +29,6 @@ class PaymentEditPage extends React.Component {
       organizationName: props.organizationName !== undefined ? props.organizationName : props.match.params.organizationName,
       paymentName: props.match.params.paymentName,
       payment: null,
-      products: [],
       isModalVisible: false,
       isInvoiceLoading: false,
       mode: props.location.mode !== undefined ? props.location.mode : "edit",
@@ -39,7 +37,6 @@ class PaymentEditPage extends React.Component {
 
   UNSAFE_componentWillMount() {
     this.getPayment();
-    this.getProducts();
   }
 
   getPayment() {
@@ -58,19 +55,6 @@ class PaymentEditPage extends React.Component {
       });
   }
 
-  getProducts() {
-    ProductBackend.getProducts(this.state.organizationName)
-      .then((res) => {
-        if (res.status === "ok") {
-          this.setState({
-            products: res.data,
-          });
-        } else {
-          Setting.showMessage("error", `Failed to get products: ${res.msg}`);
-        }
-      });
-  }
-
   goToViewOrder() {
     const payment = this.state.payment;
     if (payment && payment.order) {
@@ -232,7 +216,7 @@ class PaymentEditPage extends React.Component {
         </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("general:Type"), i18next.t("cert:Type - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Type"), i18next.t("general:Type - Tooltip"))} :
           </Col>
           <Col span={22} >
             <Input disabled={true} value={this.state.payment.type} onChange={e => {
@@ -240,29 +224,6 @@ class PaymentEditPage extends React.Component {
             }} />
           </Col>
         </Row>
-        <Row style={{marginTop: "20px"}} >
-          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("general:Products"), i18next.t("payment:Products - Tooltip"))} :
-          </Col>
-          <Col span={22} >
-            <Select
-              mode="multiple"
-              style={{width: "100%"}}
-              value={this.state.payment?.products || []}
-              disabled={isViewMode}
-              allowClear
-              options={(this.state.products || [])
-                .map((p) => ({
-                  label: Setting.getLanguageText(p?.displayName) || p?.name,
-                  value: p?.name,
-                }))
-                .filter((o) => o.value)}
-              onChange={(value) => {
-                this.updatePaymentField("products", value);
-              }}
-            />
-          </Col>
-        </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
             {Setting.getLabel(i18next.t("order:Price"), i18next.t("plan:Price - Tooltip"))} :

web/src/PaymentListPage.js

@@ -14,7 +14,7 @@
 
 import React from "react";
 import {Link} from "react-router-dom";
-import {Button, List, Table, Tooltip} from "antd";
+import {Button, Col, List, Row, Table, Tooltip} from "antd";
 import moment from "moment";
 import * as Setting from "./Setting";
 import * as PaymentBackend from "./backend/PaymentBackend";
@@ -195,21 +195,31 @@ class PaymentListPage extends BaseListPage {
                   paddingBottom: 8,
                 }}
                 renderItem={(productInfo, i) => {
-                  const price = productInfo.price * (productInfo.quantity || 1);
+                  const price = productInfo.price || 0;
+                  const number = productInfo.quantity || 1;
                   const currency = record.currency || "USD";
+                  const productName = productInfo.displayName || productInfo.name;
                   return (
                     <List.Item>
-                      <div style={{display: "inline"}}>
-                        <Tooltip placement="topLeft" title={i18next.t("general:Edit")}>
-                          <Button style={{marginRight: "5px"}} icon={<EditOutlined />} size="small" onClick={() => Setting.goToLinkSoft(this, `/products/${record.owner}/${productInfo.name}`)} />
-                        </Tooltip>
-                        <Link to={`/products/${record.owner}/${productInfo.name}`}>
-                          {productInfo.displayName || productInfo.name}
-                        </Link>
-                        <span style={{marginLeft: "8px", color: "#666"}}>
-                          {Setting.getPriceDisplay(price, currency)}
-                        </span>
-                      </div>
+                      <Row style={{width: "100%"}} wrap={false} gutter={[12, 0]}>
+                        <Col flex="auto" style={{minWidth: 0}}>
+                          <div style={{display: "flex", alignItems: "center", minWidth: 0}}>
+                            <Tooltip placement="topLeft" title={i18next.t("general:Edit")}>
+                              <Button style={{marginRight: "5px"}} icon={<EditOutlined />} size="small" onClick={() => Setting.goToLinkSoft(this, `/products/${record.owner}/${productInfo.name}`)} />
+                            </Tooltip>
+                            <Tooltip placement="topLeft" title={productName}>
+                              <Link to={`/products/${record.owner}/${productInfo.name}`} style={{display: "inline-block", maxWidth: "100%", minWidth: 0, overflow: "hidden", textOverflow: "ellipsis", whiteSpace: "nowrap"}}>
+                                {productName}
+                              </Link>
+                            </Tooltip>
+                          </div>
+                        </Col>
+                        <Col flex="none" style={{whiteSpace: "nowrap"}}>
+                          <span style={{color: "#666"}}>
+                            {Setting.getCurrencySymbol(currency)}{price} ({Setting.getCurrencyText(currency)}) × {number}
+                          </span>
+                        </Col>
+                      </Row>
                     </List.Item>
                   );
                 }}

web/src/PermissionEditPage.js

@@ -309,7 +309,7 @@ class PermissionEditPage extends React.Component {
                 }
                 const data = res.data.map((role) => Setting.getOption(`${role.owner}/${role.name}`, `${role.owner}/${role.name}`));
                 if (args?.[1] === 1 && Array.isArray(res?.data)) {
-                  // res.data = [{owner: i18next.t("organization:All"), name: "*"}, ...res.data];
+                  // res.data = [{owner: i18next.t("general:All"), name: "*"}, ...res.data];
                   res.data = [
                     Setting.getOption(i18next.t("general:All"), "*"),
                     ...data,

web/src/ProductEditPage.js

@@ -307,16 +307,6 @@ class ProductEditPage extends React.Component {
             </Select>
           </Col>
         </Row>
-        <Row style={{marginTop: "20px"}} >
-          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("product:Return URL"), i18next.t("product:Return URL - Tooltip"))} :
-          </Col>
-          <Col span={22} >
-            <Input prefix={<LinkOutlined />} value={this.state.product.returnUrl} disabled={isViewMode} onChange={e => {
-              this.updateProductField("returnUrl", e.target.value);
-            }} />
-          </Col>
-        </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
             {Setting.getLabel(i18next.t("product:Success URL"), i18next.t("product:Success URL - Tooltip"))} :

web/src/ProviderListPage.js

@@ -139,7 +139,7 @@ class ProviderListPage extends BaseListPage {
         ...this.getColumnSearchProps("displayName"),
       },
       {
-        title: i18next.t("provider:Category"),
+        title: i18next.t("general:Category"),
         dataIndex: "category",
         key: "category",
         filterMultiple: false,

web/src/RecordListPage.js

@@ -137,7 +137,7 @@ class RecordListPage extends BaseListPage {
         title: i18next.t("record:Status code"),
         dataIndex: "statusCode",
         key: "statusCode",
-        width: "120px",
+        width: "140px",
         sorter: true,
         ...this.getColumnSearchProps("statusCode"),
       },

web/src/Setting.js

@@ -182,6 +182,10 @@ export const OtherProviderInfo = {
       logo: `${StaticBaseUrl}/img/social_default.png`,
       url: "https://casdoor.org/docs/provider/email/overview",
     },
+    "Resend": {
+      logo: `${StaticBaseUrl}/img/email_resend.png`,
+      url: "https://resend.com/",
+    },
   },
   Storage: {
     "Local File System": {
@@ -457,8 +461,8 @@ export const UserFields = ["owner", "name", "password", "display_name", "id", "t
   "is_admin", "homepage", "birthday", "gender", "password_type", "password_salt", "external_id", "avatar", "first_name", "last_name",
   "avatar_type", "permanent_avatar", "email_verified", "region", "location", "address",
   "affiliation", "title", "id_card_type", "id_card", "real_name", "is_verified", "bio", "tag", "language",
-  "education", "score", "karma", "ranking", "balance", "currency", "is_default_avatar", "is_online",
-  "is_forbidden", "is_deleted", "signup_application", "hash", "pre_hash", "access_key", "access_secret", "access_token",
+  "education", "score", "karma", "ranking", "balance", "balance_credit", "balance_currency", "currency", "is_default_avatar", "is_online",
+  "is_forbidden", "is_deleted", "signup_application", "register_type", "register_source", "hash", "pre_hash", "access_key", "access_secret", "access_token",
   "created_ip", "last_signin_time", "last_signin_ip", "github", "google", "qq", "wechat", "facebook", "dingtalk",
   "weibo", "gitee", "linkedin", "wecom", "lark", "gitlab", "adfs", "baidu", "alipay", "casdoor", "infoflow", "apple",
   "azuread", "azureadb2c", "slack", "steam", "bilibili", "okta", "douyin", "kwai", "line", "amazon", "auth0",
@@ -469,7 +473,7 @@ export const UserFields = ["owner", "name", "password", "display_name", "id", "t
   "wepay", "xero", "yahoo", "yammer", "yandex", "zoom", "metamask", "web3onboard", "custom", "webauthnCredentials",
   "preferred_mfa_type", "recovery_codes", "totp_secret", "mfa_phone_enabled", "mfa_email_enabled", "invitation",
   "invitation_code", "face_ids", "ldap", "properties", "roles", "permissions", "groups", "last_change_password_time",
-  "last_signin_wrong_time", "signin_wrong_times", "managedAccounts", "mfaAccounts", "need_update_password",
+  "last_signin_wrong_time", "signin_wrong_times", "managedAccounts", "mfaAccounts", "mfaItems", "need_update_password",
   "created_time", "updated_time", "deleted_time",
   "ip_whitelist"];
 
@@ -500,6 +504,7 @@ export const GetTranslatedUserItems = () => {
     {name: "Country/Region", label: i18next.t("user:Country/Region")},
     {name: "Location", label: i18next.t("user:Location")},
     {name: "Address", label: i18next.t("user:Address")},
+    {name: "Addresses", label: i18next.t("user:Addresses")},
     {name: "Affiliation", label: i18next.t("user:Affiliation")},
     {name: "Title", label: i18next.t("general:Title")},
     {name: "ID card type", label: i18next.t("user:ID card type")},
@@ -523,6 +528,8 @@ export const GetTranslatedUserItems = () => {
     {name: "Karma", label: i18next.t("user:Karma")},
     {name: "Ranking", label: i18next.t("user:Ranking")},
     {name: "Signup application", label: i18next.t("general:Signup application")},
+    {name: "Register type", label: i18next.t("user:Register type")},
+    {name: "Register source", label: i18next.t("user:Register source")},
     {name: "API key", label: i18next.t("general:API key")},
     {name: "Groups", label: i18next.t("general:Groups")},
     {name: "Roles", label: i18next.t("general:Roles")},
@@ -537,6 +544,7 @@ export const GetTranslatedUserItems = () => {
     {name: "IP whitelist", label: i18next.t("general:IP whitelist")},
     {name: "Multi-factor authentication", label: i18next.t("mfa:Multi-factor authentication")},
     {name: "WebAuthn credentials", label: i18next.t("user:WebAuthn credentials")},
+    {name: "Last change password time", label: i18next.t("user:Last change password time")},
     {name: "Managed accounts", label: i18next.t("user:Managed accounts")},
     {name: "Face ID", label: i18next.t("login:Face ID")},
     {name: "MFA accounts", label: i18next.t("user:MFA accounts")},
@@ -554,6 +562,8 @@ export function getUserColumns() {
       transField = "Country/Region";
     } else if (field === "mfaAccounts") {
       transField = "MFA accounts";
+    } else if (field === "mfaItems") {
+      transField = "MFA items";
     } else if (field === "face_ids") {
       transField = "Face ID";
     } else if (field === "managedAccounts") {
@@ -1291,6 +1301,7 @@ export function getProviderTypeOptions(category) {
         {id: "Azure ACS", name: "Azure ACS"},
         {id: "SendGrid", name: "SendGrid"},
         {id: "Custom HTTP Email", name: "Custom HTTP Email"},
+        {id: "Resend", name: "Resend"},
       ]
     );
   } else if (category === "SMS") {
@@ -2267,7 +2278,7 @@ export function getFormTypeItems(formType) {
       {name: "owner", label: "general:Organization", visible: true, width: "150"},
       {name: "createdTime", label: "general:Created time", visible: true, width: "180"},
       {name: "displayName", label: "general:Display name", visible: true, width: "150"},
-      {name: "category", label: "provider:Category", visible: true, width: "110"},
+      {name: "category", label: "general:Category", visible: true, width: "110"},
       {name: "type", label: "general:Type", visible: true, width: "110"},
       {name: "clientId", label: "provider:Client ID", visible: true, width: "100"},
       {name: "providerUrl", label: "provider:Provider URL", visible: true, width: "150"},

web/src/SyncerEditPage.js

@@ -389,6 +389,13 @@ class SyncerEditPage extends React.Component {
           "isHashed": true,
           "values": [],
         },
+        {
+          "name": "unionid",
+          "type": "string",
+          "casdoorName": "Name",
+          "isHashed": true,
+          "values": [],
+        },
         {
           "name": "name",
           "type": "string",
@@ -424,13 +431,6 @@ class SyncerEditPage extends React.Component {
           "isHashed": true,
           "values": [],
         },
-        {
-          "name": "job_number",
-          "type": "string",
-          "casdoorName": "Name",
-          "isHashed": true,
-          "values": [],
-        },
         {
           "name": "active",
           "type": "boolean",
@@ -826,7 +826,7 @@ class SyncerEditPage extends React.Component {
         </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("general:Type"), i18next.t("cert:Type - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Type"), i18next.t("general:Type - Tooltip"))} :
           </Col>
           <Col span={22} >
             <Select virtual={false} style={{width: "100%"}} value={this.state.syncer.type} onChange={(value => {
@@ -878,7 +878,7 @@ class SyncerEditPage extends React.Component {
           this.state.syncer.databaseType !== "postgres" ? null : (
             <Row style={{marginTop: "20px"}} >
               <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-                {Setting.getLabel(i18next.t("syncer:SSL mode"), i18next.t("syncer:SSL mode - Tooltip"))} :
+                {Setting.getLabel(i18next.t("provider:SSL mode"), i18next.t("provider:SSL mode - Tooltip"))} :
               </Col>
               <Col span={22} >
                 <Select virtual={false} style={{width: "100%"}} value={this.state.syncer.sslMode} onChange={(value => {this.updateSyncerField("sslMode", value);})}>

web/src/TokenEditPage.js

@@ -158,7 +158,7 @@ class TokenEditPage extends React.Component {
         </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("provider:Scope"), i18next.t("cert:Scope - Tooltip"))}
+            {Setting.getLabel(i18next.t("provider:Scope"), i18next.t("provider:Scope - Tooltip"))}
           </Col>
           <Col span={22} >
             <Input value={this.state.token.scope} onChange={e => {

web/src/TransactionEditPage.js

@@ -261,7 +261,7 @@ class TransactionEditPage extends React.Component {
         </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("provider:Category"), i18next.t("provider:Category - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Category"), i18next.t("general:Category - Tooltip"))} :
           </Col>
           <Col span={22} >
             <Input disabled={true} value={this.state.transaction.category} />
@@ -269,7 +269,7 @@ class TransactionEditPage extends React.Component {
         </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("general:Type"), i18next.t("cert:Type - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Type"), i18next.t("general:Type - Tooltip"))} :
           </Col>
           <Col span={22} >
             <Input disabled={true} value={this.state.transaction.type} onChange={e => {

web/src/UserEditPage.js

@@ -50,6 +50,7 @@ import MfaTable from "./table/MfaTable";
 import TransactionTable from "./table/TransactionTable";
 import CartTable from "./table/CartTable";
 import * as TransactionBackend from "./backend/TransactionBackend";
+import ConsentTable from "./table/ConsentTable";
 import {Content, Header} from "antd/es/layout/layout";
 import Sider from "antd/es/layout/Sider";
 
@@ -73,6 +74,7 @@ class UserEditPage extends React.Component {
       idCardInfo: ["ID card front", "ID card back", "ID card with person"],
       openFaceRecognitionModal: false,
       transactions: [],
+      consents: [],
       activeMenuKey: window.location.hash?.slice(1) || "",
       menuMode: "Horizontal",
     };
@@ -110,6 +112,7 @@ class UserEditPage extends React.Component {
         this.setState({
           user: res.data,
           multiFactorAuths: res.data?.multiFactorAuths ?? [],
+          consents: res.data?.applicationScopes ?? [],
           loading: false,
         });
 
@@ -274,7 +277,7 @@ class UserEditPage extends React.Component {
 
     // Fallback to comparing by owner and name
     return (this.state.user.owner === this.props.account.owner &&
-            this.state.user.name === this.props.account.name);
+      this.state.user.name === this.props.account.name);
   }
 
   isSelfOrAdmin() {
@@ -609,13 +612,20 @@ class UserEditPage extends React.Component {
       );
     } else if (accountItem.name === "Addresses") {
       return (
-        <AddressTable
-          title={i18next.t("user:Addresses")}
-          table={this.state.user.addresses}
-          onUpdateTable={(value) => {
-            this.updateUserField("addresses", value);
-          }}
-        />
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("user:Addresses"), i18next.t("user:Addresses"))} :
+          </Col>
+          <Col span={22} >
+            <AddressTable
+              title={i18next.t("user:Addresses")}
+              table={this.state.user.addresses}
+              onUpdateTable={(value) => {
+                this.updateUserField("addresses", value);
+              }}
+            />
+          </Col>
+        </Row>
       );
     } else if (accountItem.name === "Affiliation") {
       return (
@@ -880,7 +890,7 @@ class UserEditPage extends React.Component {
             {Setting.getLabel(i18next.t("general:Transactions"), i18next.t("general:Transactions"))} :
           </Col>
           <Col span={22}>
-            <TransactionTable transactions={this.state.transactions} hideTag={true} />
+            <TransactionTable title={i18next.t("general:Transactions")} transactions={this.state.transactions} hideTag={true} />
           </Col>
         </Row>
       );
@@ -1122,6 +1132,21 @@ class UserEditPage extends React.Component {
           />
         </Col>
       </Row>);
+    } else if (accountItem.name === "Consents") {
+      return (
+        <Row style={{marginTop: "20px"}}>
+          <Col style={{marginTop: "5px"}} span={Setting.isMobile() ? 22 : 2}>
+            {Setting.getLabel(i18next.t("consent:Consents"), i18next.t("consent:Consents - Tooltip"))} :
+          </Col>
+          <Col span={22}>
+            <ConsentTable
+              title={i18next.t("consent:Consents")}
+              table={this.state.consents}
+              onUpdateTable={() => this.getUser()}
+            />
+          </Col>
+        </Row>
+      );
     } else if (accountItem.name === "Multi-factor authentication") {
       return (
         !this.isSelfOrAdmin() ? null : (
@@ -1130,15 +1155,21 @@ class UserEditPage extends React.Component {
               {Setting.getLabel(i18next.t("mfa:Multi-factor authentication"), i18next.t("mfa:Multi-factor authentication - Tooltip "))} :
             </Col>
             <Col span={22} >
-              <Card size="small" title={i18next.t("mfa:Multi-factor methods")}
-                extra={this.state.multiFactorAuths?.some(mfaProps => mfaProps.enabled) ?
-                  <PopconfirmModal
-                    text={i18next.t("general:Disable")}
-                    title={i18next.t("general:Sure to disable") + "?"}
-                    onConfirm={() => this.deleteMfa()}
-                  /> : null
-                }>
+              <Card size="small" title={
+                <div>
+                  {i18next.t("mfa:Multi-factor methods")}&nbsp;&nbsp;&nbsp;&nbsp;
+                  {this.state.multiFactorAuths?.some(mfaProps => mfaProps.enabled) ?
+                    <PopconfirmModal
+                      text={i18next.t("general:Disable")}
+                      title={i18next.t("general:Sure to disable") + "?"}
+                      onConfirm={() => this.deleteMfa()}
+                      size="small"
+                    /> : null
+                  }
+                </div>
+              }>
                 <List
+                  size="small"
                   rowKey="mfaType"
                   itemLayout="horizontal"
                   dataSource={this.state.multiFactorAuths}

web/src/auth/ConsentPage.js

@@ -0,0 +1,260 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import React from "react";
+import {Button, Card, List, Result, Space} from "antd";
+import {CheckOutlined, LockOutlined} from "@ant-design/icons";
+import * as ApplicationBackend from "../backend/ApplicationBackend";
+import * as ConsentBackend from "../backend/ConsentBackend";
+import * as Setting from "../Setting";
+import i18next from "i18next";
+import {withRouter} from "react-router-dom";
+import * as Util from "./Util";
+
+class ConsentPage extends React.Component {
+  constructor(props) {
+    super(props);
+    const params = new URLSearchParams(window.location.search);
+    this.state = {
+      applicationName: props.match?.params?.applicationName || params.get("application"),
+      scopeDescriptions: [],
+      granting: false,
+      oAuthParams: Util.getOAuthGetParameters(),
+    };
+  }
+
+  getApplicationObj() {
+    return this.props.application;
+  }
+
+  componentDidMount() {
+    this.getApplication();
+    this.loadScopeDescriptions();
+  }
+
+  componentDidUpdate(prevProps) {
+    if (this.props.application !== prevProps.application) {
+      this.loadScopeDescriptions();
+    }
+  }
+
+  getApplication() {
+    if (!this.state.applicationName) {
+      return;
+    }
+
+    ApplicationBackend.getApplication("admin", this.state.applicationName)
+      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
+
+        this.props.onUpdateApplication(res.data);
+      });
+  }
+
+  loadScopeDescriptions() {
+    const {oAuthParams} = this.state;
+    const application = this.getApplicationObj();
+    if (!oAuthParams?.scope || !application) {
+      return;
+    }
+    // Check if urlPar scope is within application scopes
+    const scopes = oAuthParams.scope.split(" ").map(s => s.trim()).filter(Boolean);
+    const customScopes = application.customScopes || [];
+    const customScopesMap = {};
+    customScopes.forEach(s => {
+      if (s?.scope) {
+        customScopesMap[s.scope] = s;
+      }
+    });
+
+    const scopeDescriptions = scopes
+      .map(scope => {
+        const item = customScopesMap[scope];
+        if (item) {
+          return {
+            ...item,
+            displayName: item.displayName || item.scope,
+          };
+        }
+        return {
+          scope: scope,
+          displayName: scope,
+          description: i18next.t("consent:This scope is not defined in the application"),
+        };
+      })
+      .filter(Boolean);
+
+    this.setState({
+      scopeDescriptions: scopeDescriptions,
+    });
+  }
+
+  handleGrant() {
+    const {oAuthParams, scopeDescriptions} = this.state;
+    const application = this.getApplicationObj();
+
+    this.setState({granting: true});
+
+    const consent = {
+      owner: application.owner,
+      application: application.owner + "/" + application.name,
+      grantedScopes: scopeDescriptions.map(s => s.scope),
+    };
+
+    ConsentBackend.grantConsent(consent, oAuthParams)
+      .then((res) => {
+        if (res.status === "ok") {
+          // res.data contains the authorization code
+          const code = res.data;
+          const concatChar = oAuthParams?.redirectUri?.includes("?") ? "&" : "?";
+          const redirectUrl = `${oAuthParams.redirectUri}${concatChar}code=${code}&state=${oAuthParams.state}`;
+          Setting.goToLink(redirectUrl);
+        } else {
+          Setting.showMessage("error", res.msg);
+          this.setState({granting: false});
+        }
+      });
+  }
+
+  handleDeny() {
+    const {oAuthParams} = this.state;
+    const concatChar = oAuthParams?.redirectUri?.includes("?") ? "&" : "?";
+    Setting.goToLink(`${oAuthParams.redirectUri}${concatChar}error=access_denied&error_description=User denied consent&state=${oAuthParams.state}`);
+  }
+
+  render() {
+    const application = this.getApplicationObj();
+
+    if (application === undefined) {
+      return null;
+    }
+
+    if (!application) {
+      return (
+        <Result
+          status="error"
+          title={i18next.t("general:Invalid application")}
+        />
+      );
+    }
+
+    const {scopeDescriptions, granting} = this.state;
+    const isScopeEmpty = scopeDescriptions.length === 0;
+
+    return (
+      <div className="login-content">
+        <div className={Setting.isDarkTheme(this.props.themeAlgorithm) ? "login-panel-dark" : "login-panel"}>
+          <div className="login-form">
+            <Card
+              style={{
+                padding: "32px",
+                width: 450,
+                borderRadius: "12px",
+                boxShadow: "0 10px 25px rgba(0, 0, 0, 0.05)",
+                border: "1px solid #f0f0f0",
+              }}
+            >
+              <div style={{textAlign: "center", marginBottom: 24}}>
+                {application.logo && (
+                  <div style={{marginBottom: 16}}>
+                    <img
+                      src={application.logo}
+                      alt={application.displayName || application.name}
+                      style={{height: 56, objectFit: "contain"}}
+                    />
+                  </div>
+                )}
+                <h2 style={{margin: 0, fontWeight: 600, fontSize: "24px"}}>
+                  {i18next.t("consent:Authorization Request")}
+                </h2>
+              </div>
+
+              <div style={{marginBottom: 32}}>
+                <p style={{fontSize: 15, color: "#666", textAlign: "center", lineHeight: "1.6"}}>
+                  <span style={{fontWeight: 600, color: "#000"}}>{application.displayName || application.name}</span>
+                  {" "}{i18next.t("consent:wants to access your account")}
+                </p>
+                {application.homepageUrl && (
+                  <div style={{textAlign: "center", marginTop: 4}}>
+                    <a href={application.homepageUrl} target="_blank" rel="noopener noreferrer" style={{fontSize: 13, color: "#1890ff"}}>
+                      {application.homepageUrl}
+                    </a>
+                  </div>
+                )}
+              </div>
+
+              <div style={{marginBottom: 32}}>
+                <div style={{fontSize: 14, color: "#8c8c8c", marginBottom: 16}}>
+                  <LockOutlined style={{marginRight: 8}} /> {i18next.t("consent:This application is requesting")}
+                </div>
+                <div style={{display: "flex", justifyContent: "center"}}>
+                  <List
+                    size="small"
+                    dataSource={scopeDescriptions}
+                    style={{width: "100%"}}
+                    renderItem={item => (
+                      <List.Item style={{borderBottom: "none", width: "100%"}}>
+                        <div style={{display: "inline-grid", gridTemplateColumns: "16px auto", columnGap: 8, alignItems: "start"}}>
+                          <CheckOutlined style={{color: "#52c41a", fontSize: "14px", marginTop: "4px", justifySelf: "center"}} />
+                          <div style={{fontWeight: 500, fontSize: "14px", lineHeight: "22px"}}>{item.displayName || item.scope}</div>
+                        </div>
+                        <div style={{fontSize: "12px", color: "#8c8c8c", marginTop: 2}}>{item.description}</div>
+                      </List.Item>
+                    )}
+                  />
+                </div>
+              </div>
+
+              <div style={{textAlign: "center", marginBottom: 24}}>
+                <Space size={16}>
+                  <Button
+                    type="primary"
+                    size="large"
+                    shape="round"
+                    onClick={() => this.handleGrant()}
+                    loading={granting}
+                    disabled={granting || isScopeEmpty}
+                    style={{minWidth: 120, height: 44, fontWeight: 500}}
+                  >
+                    {i18next.t("consent:Allow")}
+                  </Button>
+                  <Button
+                    size="large"
+                    shape="round"
+                    onClick={() => this.handleDeny()}
+                    disabled={granting || isScopeEmpty}
+                    style={{minWidth: 120, height: 44, fontWeight: 500}}
+                  >
+                    {i18next.t("consent:Deny")}
+                  </Button>
+                </Space>
+              </div>
+
+              <div style={{padding: "16px", backgroundColor: "#fafafa", borderRadius: "8px", border: "1px solid #f0f0f0"}}>
+                <p style={{margin: 0, fontSize: 12, color: "#8c8c8c", textAlign: "center", lineHeight: "1.5"}}>
+                  {i18next.t("consent:By clicking Allow, you allow this app to use your information")}
+                </p>
+              </div>
+            </Card>
+          </div>
+        </div>
+      </div>
+    );
+  }
+}
+
+export default withRouter(ConsentPage);

web/src/auth/LoginPage.js

@@ -216,7 +216,7 @@ class LoginPage extends React.Component {
             this.setState({
               msg: res.msg,
             });
-            return ;
+            return;
           }
           this.onUpdateApplication(res.data);
         });
@@ -369,6 +369,13 @@ class LoginPage extends React.Component {
       return;
     }
 
+    // Check if consent is required
+    if (resp.data?.required === true) {
+      // Consent required, redirect to consent page
+      Setting.goToLinkSoft(ths, `/consent/${application.name}?${window.location.search.substring(1)}`);
+      return;
+    }
+
     if (Setting.hasPromptPage(application)) {
       AuthBackend.getAccount()
         .then((res) => {
@@ -1141,9 +1148,11 @@ class LoginPage extends React.Component {
       visible={this.state.openCaptchaModal}
       noModal={noModal}
       onUpdateToken={(captchaType, captchaToken, clientSecret) => {
-        this.setState({captchaValues: {
-          captchaType, captchaToken, clientSecret,
-        }});
+        this.setState({
+          captchaValues: {
+            captchaType, captchaToken, clientSecret,
+          },
+        });
       }}
       onOk={(captchaType, captchaToken, clientSecret) => {
         const values = this.state.values;

web/src/auth/Provider.js

@@ -44,20 +44,15 @@ function generateCodeChallenge(verifier) {
 }
 
 function storeCodeVerifier(state, verifier) {
-  localStorage.setItem("pkce_verifier", `${state}#${verifier}`);
+  localStorage.setItem(`pkce_verifier_${state}`, verifier);
 }
 
 export function getCodeVerifier(state) {
-  const verifierStore = localStorage.getItem("pkce_verifier");
-  const [storedState, verifier] = verifierStore ? verifierStore.split("#") : [null, null];
-  if (storedState !== state) {
-    return null;
-  }
-  return verifier;
+  return localStorage.getItem(`pkce_verifier_${state}`);
 }
 
 export function clearCodeVerifier(state) {
-  localStorage.removeItem("pkce_verifier");
+  localStorage.removeItem(`pkce_verifier_${state}`);
 }
 
 const authInfo = {
@@ -407,24 +402,27 @@ export function getProviderUrl(provider) {
   }
 }
 
-export function getProviderLogoWidget(provider) {
+export function getProviderLogoWidget(provider, options = {}) {
   if (provider === undefined) {
     return null;
   }
 
   const url = getProviderUrl(provider);
-  if (url !== "") {
+  const disableLink = options.disableLink === true;
+  const imgEl = <img width={36} height={36} src={Setting.getProviderLogoURL(provider)} alt={provider.displayName} />;
+
+  if (url !== "" && !disableLink) {
     return (
       <Tooltip title={provider.type}>
         <a target="_blank" rel="noreferrer" href={getProviderUrl(provider)}>
-          <img width={36} height={36} src={Setting.getProviderLogoURL(provider)} alt={provider.displayName} />
+          {imgEl}
         </a>
       </Tooltip>
     );
   } else {
     return (
       <Tooltip title={provider.type}>
-        <img width={36} height={36} src={Setting.getProviderLogoURL(provider)} alt={provider.displayName} />
+        {imgEl}
       </Tooltip>
     );
   }

web/src/auth/SignupPage.js

@@ -293,8 +293,17 @@ class SignupPage extends React.Component {
             return;
           }
 
+          // Check if consent is required
+          if (oAuthParams && res.data && typeof res.data === "object" && res.data.required === true) {
+            // Consent required, redirect to consent page
+            Setting.goToLink(`/consent/${application.name}?${window.location.search.substring(1)}`);
+            return;
+          }
+
           // the user's id will be returned by `signup()`, if user signup by phone, the `username` in `values` is undefined.
-          values.username = res.data.split("/")[1];
+          if (typeof res.data === "string") {
+            values.username = res.data.split("/")[1];
+          }
           if (Setting.hasPromptPage(application) && (!values.plan || !values.pricing)) {
             AuthBackend.getAccount("")
               .then((res) => {

web/src/auth/Util.js

@@ -130,7 +130,7 @@ export function getOAuthGetParameters(params) {
   }
 
   let state = getRefinedValue(queries.get("state"));
-  if (state.startsWith("/auth/oauth2/login.php?wantsurl=")) {
+  if (state.startsWith("/auth/oauth2/login.php?wantsurl")) {
     // state contains URL param encoding for Moodle, URLSearchParams automatically decoded it, so here encode it again
     state = encodeURIComponent(state);
   }
@@ -213,17 +213,19 @@ export async function WechatOfficialAccountModal(application, provider, method)
       }
 
       const t1 = setInterval(await getEvent, 1000, application, provider, res.data2, method);
-      {Modal.info({
-        title: i18next.t("provider:Please use WeChat to scan the QR code and follow the official account for sign in"),
-        content: (
-          <div style={{marginRight: "34px"}}>
-            <QRCode style={{padding: "20px", margin: "auto"}} bordered={false} value={res.data} size={230} />
-          </div>
-        ),
-        onOk() {
-          window.clearInterval(t1);
-        },
-      });}
+      {
+        Modal.info({
+          title: i18next.t("provider:Please use WeChat to scan the QR code and follow the official account for sign in"),
+          content: (
+            <div style={{marginRight: "34px"}}>
+              <QRCode style={{padding: "20px", margin: "auto"}} bordered={false} value={res.data} size={230} />
+            </div>
+          ),
+          onOk() {
+            window.clearInterval(t1);
+          },
+        });
+      }
     }
   );
 }

web/src/backend/CertBackend.js

@@ -79,3 +79,10 @@ export function deleteCert(cert) {
     },
   }).then(res => res.json());
 }
+
+export function refreshDomainExpire(owner, name) {
+  return fetch(`${Setting.ServerUrl}/api/update-cert-domain-expire?id=${owner}/${encodeURIComponent(name)}`, {
+    method: "POST",
+    credentials: "include",
+  }).then(res => res.json());
+}

web/src/backend/ConsentBackend.js

@@ -0,0 +1,50 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import * as Setting from "../Setting";
+
+export function grantConsent(consent, oAuthParams) {
+  const request = {
+    ...consent,
+    clientId: oAuthParams.clientId,
+    provider: "",
+    signinMethod: "",
+    responseType: oAuthParams.responseType || "code",
+    redirectUri: oAuthParams.redirectUri,
+    scope: oAuthParams.scope,
+    state: oAuthParams.state,
+    nonce: oAuthParams.nonce || "",
+    challenge: oAuthParams.codeChallenge || "",
+    resource: "",
+  };
+  return fetch(`${Setting.ServerUrl}/api/grant-consent`, {
+    method: "POST",
+    credentials: "include",
+    body: JSON.stringify(request),
+    headers: {
+      "Accept-Language": Setting.getAcceptLanguage(),
+    },
+  }).then(res => res.json());
+}
+
+export function revokeConsent(consent) {
+  return fetch(`${Setting.ServerUrl}/api/revoke-consent`, {
+    method: "POST",
+    credentials: "include",
+    body: JSON.stringify(consent),
+    headers: {
+      "Accept-Language": Setting.getAcceptLanguage(),
+    },
+  }).then(res => res.json());
+}

web/src/basic/Dashboard.js

@@ -158,7 +158,7 @@ const Dashboard = (props) => {
         i18next.t("general:Adapters"),
         i18next.t("general:Enforcers"),
       ], top: "10%"},
-      grid: {left: "3%", right: "4%", bottom: "0", top: "25%", containLabel: true},
+      grid: {left: "3%", right: "4%", bottom: "0", top: "30%", containLabel: true},
       xAxis: {type: "category", boundaryGap: false, data: dateArray},
       yAxis: {type: "value"},
       series: [

web/src/common/select/RegionSelect.js

@@ -23,24 +23,24 @@ class RegionSelect extends React.Component {
     super(props);
     this.state = {
       classes: props,
-      value: "",
     };
   }
 
   onChange(e) {
     this.props.onChange(e);
-    this.setState({value: e});
   }
 
   render() {
+    const value = this.props.value !== undefined && this.props.value !== "" ? this.props.value : (this.props.defaultValue !== undefined && this.props.defaultValue !== "" ? this.props.defaultValue : undefined);
     return (
       <Select virtual={false}
+        size={this.props.size}
         showSearch
         optionFilterProp="label"
         style={{width: "100%"}}
-        defaultValue={this.props.defaultValue || undefined}
+        value={value}
         placeholder="Please select country/region"
-        onChange={(value => {this.onChange(value);})}
+        onChange={(val) => {this.onChange(val);}}
         filterOption={(input, option) => (option?.label ?? "").toLowerCase().includes(input.toLowerCase())}
         filterSort={(optionA, optionB) =>
           (optionA?.label ?? "").toLowerCase().localeCompare((optionB?.label ?? "").toLowerCase())

web/src/locales/de/data.json

@@ -70,6 +70,7 @@
     "Enable signin session - Tooltip": "Ob Casdoor eine Sitzung aufrechterhält, nachdem man sich von der Anwendung aus bei Casdoor angemeldet hat",
     "Enable signup": "Registrierung aktivieren",
     "Enable signup - Tooltip": "Ob Benutzern erlaubt werden soll, ein neues Konto zu registrieren",
+    "Existing Field": "Existing Field",
     "Failed signin frozen time": "Sperrzeit bei fehlgeschlagenem Login",
     "Failed signin frozen time - Tooltip": "Zeit, für die das Konto nach fehlgeschlagenen Anmeldeversuchen gesperrt wird",
     "Failed signin limit": "Limit für fehlgeschlagene Logins",
@@ -151,6 +152,7 @@
     "Signup items - Tooltip": "Elemente für Benutzer, die beim Registrieren neuer Konten ausgefüllt werden müssen - Hinweis",
     "Single Choice": "Einfachauswahl",
     "Small icon": "Kleines Symbol",
+    "Static Value": "Static Value",
     "String": "String",
     "Tags - Tooltip": "Nur Benutzer mit einem Tag, das in den Anwendungstags aufgeführt ist, können sich anmelden",
     "The application does not allow to sign up new account": "Die Anwendung erlaubt es nicht, ein neues Konto zu registrieren",
@@ -184,9 +186,7 @@
     "Expire in years - Tooltip": "Gültigkeitsdauer des Zertifikats in Jahren",
     "New Cert": "Neues Zertifikat",
     "Private key": "Private-Key",
-    "Private key - Tooltip": "Privater Schlüssel, der zum öffentlichen Schlüsselzertifikat gehört",
-    "Scope - Tooltip": "Nutzungsszenarien des Zertifikats",
-    "Type - Tooltip": "Art des Zertifikats"
+    "Private key - Tooltip": "Privater Schlüssel, der zum öffentlichen Schlüsselzertifikat gehört"
   },
   "code": {
     "Code you received": "Der Code, den Sie erhalten haben",
@@ -275,6 +275,7 @@
     "Applications that require authentication": "Anwendungen, die eine Authentifizierung erfordern",
     "Apps": "Anwendungen",
     "Authorization": "Autorisierung",
+    "Auto": "Auto",
     "Avatar": "Profilbild",
     "Avatar - Tooltip": "Öffentliches Avatarbild für den Benutzer",
     "Back": "Zurück",
@@ -283,6 +284,8 @@
     "Cancel": "Abbrechen",
     "Captcha": "Captcha",
     "Cart": "Warenkorb",
+    "Category": "Category",
+    "Category - Tooltip": "Category - Tooltip",
     "Cert": "Zertifikat",
     "Cert - Tooltip": "Das Public-Key-Zertifikat, das vom Client-SDK, das mit dieser Anwendung korrespondiert, verifiziert werden muss",
     "Certs": "Zertifikate",
@@ -476,6 +479,8 @@
     "SSH type - Tooltip": "Der Authentifizierungstyp für SSH-Verbindungen",
     "Save": "Speichern",
     "Save & Exit": "Speichern und verlassen",
+    "Scopes": "Scopes",
+    "Scopes - Tooltip": "Scopes - Tooltip",
     "Search": "Suchen",
     "Send": "Senden",
     "Session ID": "Session-ID",
@@ -530,6 +535,7 @@
     "Transactions": "Transaktionen",
     "True": "Wahr",
     "Type": "Typ",
+    "Type - Tooltip": "Type - Tooltip",
     "URL": "URL",
     "URL - Tooltip": "URL-Link",
     "Unknown application name": "Unbekannter Anwendungsname",
@@ -867,6 +873,8 @@
   },
   "plan": {
     "Edit Plan": "Plan bearbeiten",
+    "Is exclusive": "Is exclusive",
+    "Is exclusive - Tooltip": "Is exclusive - Tooltip",
     "New Plan": "Neuer Plan",
     "Period": "Zeitraum",
     "Period - Tooltip": "Zeitraum",
@@ -897,6 +905,7 @@
     "Amount": "Betrag",
     "Buy": "Kaufen",
     "Buy Product": "Produkt kaufen",
+    "Cart contains invalid products, please delete them before placing an order": "Cart contains invalid products, please delete them before placing an order",
     "Custom amount available": "Benutzerdefinierter Betrag verfügbar",
     "Custom price should be greater than zero": "Benutzerdefinierter Preis muss größer als null sein",
     "Detail - Tooltip": "Detail des Produkts",
@@ -909,9 +918,11 @@
     "Image": "Bild",
     "Image - Tooltip": "Bild des Produkts",
     "Information": "Information",
+    "Invalid product": "Invalid product",
     "Is recharge": "Ist Aufladung",
     "Is recharge - Tooltip": "Ob das Produkt zum Aufladen des Guthabens dient",
     "New Product": "Neues Produkt",
+    "No recharge options available": "No recharge options available",
     "Order created successfully": "Bestellung erfolgreich erstellt",
     "PayPal": "PayPal",
     "Payment cancelled": "Zahlung storniert",
@@ -924,12 +935,12 @@
     "Please select at least one payment provider": "Bitte wählen Sie mindestens einen Zahlungsanbieter aus",
     "Processing payment...": "Zahlung wird verarbeitet...",
     "Product list cannot be empty": "Produktliste darf nicht leer sein",
+    "Product not found or invalid": "Product not found or invalid",
     "Quantity": "Menge",
     "Quantity - Tooltip": "Menge des Produkts",
     "Recharge options": "Aufladeoptionen",
     "Recharge options - Tooltip": "Aufladeoptionen - Tooltip",
-    "Return URL": "Rückkeht-URL",
-    "Return URL - Tooltip": "URL für die Rückkehr nach einem erfolgreichen Kauf",
+    "Recharge products need to go to the product detail page to set custom amount": "Recharge products need to go to the product detail page to set custom amount",
     "SKU": "SKU",
     "Select amount": "Betrag auswählen",
     "Sold": "Verkauft",
@@ -972,8 +983,6 @@
     "Can signin": "Kann sich einloggen",
     "Can signup": "Kann sich registrieren",
     "Can unlink": "Entlinken möglich",
-    "Category": "Kategorie",
-    "Category - Tooltip": "Kennung zur Kategorisierung und Gruppierung von Elementen oder Inhalten, erleichtert Filterung und Verwaltung",
     "Channel No.": "Kanal Nr.",
     "Channel No. - Tooltip": "Eindeutige Nummer zur Identifizierung eines Kommunikations- oder Datenübertragungskanals, verwendet zur Unterscheidung verschiedener Übertragungswege",
     "Chat ID": "Chat-ID",
@@ -990,8 +999,6 @@
     "Content - Tooltip": "Spezifische Informationen oder Daten in Nachrichten, Benachrichtigungen oder Dokumenten",
     "DB test": "DB-Test",
     "DB test - Tooltip": "DB-Test - Tooltip",
-    "Disable SSL": "SSL deaktivieren",
-    "Disable SSL - Tooltip": "Ob die Deaktivierung des SSL-Protokolls bei der Kommunikation mit dem STMP-Server erfolgen soll",
     "Domain": "Domäne",
     "Domain - Tooltip": "Benutzerdefinierte Domain für Objektspeicher",
     "Edit Provider": "Provider bearbeiten",
@@ -1074,9 +1081,12 @@
     "SP ACS URL": "SP-ACS-URL",
     "SP ACS URL - Tooltip": "SP ACS URL",
     "SP Entity ID": "SP-Entitäts-ID",
+    "SSL mode": "SSL mode",
+    "SSL mode - Tooltip": "SSL mode - Tooltip",
     "Scene": "Szene",
     "Scene - Tooltip": "Spezifisches Geschäftsszenario, in dem die Funktion oder Operation angewendet wird, verwendet zur Anpassung der logischen Verarbeitung für verschiedene Szenarien",
     "Scope": "Umfang",
+    "Scope - Tooltip": "Scope - Tooltip",
     "Secret access key": "Secret-Access-Key",
     "Secret access key - Tooltip": "Privater Schlüssel, der mit dem Zugriffsschlüssel gepaart ist, verwendet zum Signieren sensibler Operationen zur Verbesserung der Zugriffssicherheit",
     "Secret key": "Secret-Key",
@@ -1238,6 +1248,9 @@
   },
   "syncer": {
     "API Token / Password": "API Token / Password",
+    "AWS Access Key ID": "AWS Access Key ID",
+    "AWS Region": "AWS Region",
+    "AWS Secret Access Key": "AWS Secret Access Key",
     "Admin Email": "Admin-E-Mail",
     "Affiliation table": "Zuordnungstabelle",
     "Affiliation table - Tooltip": "Datenbanktabellenname der Arbeitseinheit",
@@ -1269,8 +1282,6 @@
     "SSH password": "SSH-Passwort",
     "SSH port": "SSH-Port",
     "SSH user": "SSH-Benutzer",
-    "SSL mode": "SSL-Modus",
-    "SSL mode - Tooltip": "SSL-Modus",
     "Service account key": "Service-Account-Schlüssel",
     "Sync interval": "Synchronisierungsintervall",
     "Sync interval - Tooltip": "Einheit in Sekunden",

web/src/locales/en/data.json

@@ -70,6 +70,7 @@
     "Enable signin session - Tooltip": "Whether Casdoor maintains a session after logging into Casdoor from the application",
     "Enable signup": "Enable signup",
     "Enable signup - Tooltip": "Whether to allow users to register a new account",
+    "Existing Field": "Existing Field",
     "Failed signin frozen time": "Failed signin frozen time",
     "Failed signin frozen time - Tooltip": "Waiting time after exceeding the number of failed login attempts. Users can only log in again after the waiting time expires. Default value is 15 minutes. The set value must be a positive integer",
     "Failed signin limit": "Failed signin limit",
@@ -151,6 +152,7 @@
     "Signup items - Tooltip": "Items for users to fill in when registering new accounts",
     "Single Choice": "Single Choice",
     "Small icon": "Small icon",
+    "Static Value": "Static Value",
     "String": "String",
     "Tags - Tooltip": "Only users with the tag that is listed in the application tags can login",
     "The application does not allow to sign up new account": "The application does not allow to sign up new account",
@@ -184,9 +186,7 @@
     "Expire in years - Tooltip": "Validity period of the certificate, in years",
     "New Cert": "New Cert",
     "Private key": "Private key",
-    "Private key - Tooltip": "Private key corresponding to the public key certificate",
-    "Scope - Tooltip": "Usage scenarios of the certificate",
-    "Type - Tooltip": "Type of certificate"
+    "Private key - Tooltip": "Private key corresponding to the public key certificate"
   },
   "code": {
     "Code you received": "Code you received",
@@ -275,6 +275,7 @@
     "Applications that require authentication": "Applications that require authentication",
     "Apps": "Apps",
     "Authorization": "Authorization",
+    "Auto": "Auto",
     "Avatar": "Avatar",
     "Avatar - Tooltip": "Public avatar image for the user",
     "Back": "Back",
@@ -283,6 +284,8 @@
     "Cancel": "Cancel",
     "Captcha": "Captcha",
     "Cart": "Cart",
+    "Category": "Category",
+    "Category - Tooltip": "Category - Tooltip",
     "Cert": "Cert",
     "Cert - Tooltip": "The public key certificate that needs to be verified by the client SDK corresponding to this application",
     "Certs": "Certs",
@@ -476,6 +479,8 @@
     "SSH type - Tooltip": "The auth type of SSH connection",
     "Save": "Save",
     "Save & Exit": "Save & Exit",
+    "Scopes": "Scopes",
+    "Scopes - Tooltip": "Scopes - Tooltip",
     "Search": "Search",
     "Send": "Send",
     "Session ID": "Session ID",
@@ -530,6 +535,7 @@
     "Transactions": "Transactions",
     "True": "True",
     "Type": "Type",
+    "Type - Tooltip": "Type - Tooltip",
     "URL": "URL",
     "URL - Tooltip": "URL link",
     "Unknown application name": "Unknown application name",
@@ -867,6 +873,8 @@
   },
   "plan": {
     "Edit Plan": "Edit Plan",
+    "Is exclusive": "Is exclusive",
+    "Is exclusive - Tooltip": "Is exclusive - Tooltip",
     "New Plan": "New Plan",
     "Period": "Period",
     "Period - Tooltip": "Period for the plan",
@@ -897,6 +905,7 @@
     "Amount": "Amount",
     "Buy": "Buy",
     "Buy Product": "Buy Product",
+    "Cart contains invalid products, please delete them before placing an order": "Cart contains invalid products, please delete them before placing an order",
     "Custom amount available": "Custom amount available",
     "Custom price should be greater than zero": "Custom price should be greater than zero",
     "Detail - Tooltip": "Detail of product",
@@ -909,9 +918,11 @@
     "Image": "Image",
     "Image - Tooltip": "Image of product",
     "Information": "Information",
+    "Invalid product": "Invalid product",
     "Is recharge": "Is recharge",
     "Is recharge - Tooltip": "Whether the current product is to recharge balance",
     "New Product": "New Product",
+    "No recharge options available": "No recharge options available",
     "Order created successfully": "Order created successfully",
     "PayPal": "PayPal",
     "Payment cancelled": "Payment cancelled",
@@ -924,12 +935,12 @@
     "Please select at least one payment provider": "Please select at least one payment provider",
     "Processing payment...": "Processing payment...",
     "Product list cannot be empty": "Product list cannot be empty",
+    "Product not found or invalid": "Product not found or invalid",
     "Quantity": "Quantity",
     "Quantity - Tooltip": "Quantity of product",
     "Recharge options": "Recharge options",
     "Recharge options - Tooltip": "Preset recharge amounts",
-    "Return URL": "Return URL",
-    "Return URL - Tooltip": "URL to return to after successful purchase",
+    "Recharge products need to go to the product detail page to set custom amount": "Recharge products need to go to the product detail page to set custom amount",
     "SKU": "SKU",
     "Select amount": "Select amount",
     "Sold": "Sold",
@@ -972,8 +983,6 @@
     "Can signin": "Can signin",
     "Can signup": "Can signup",
     "Can unlink": "Can unlink",
-    "Category": "Category",
-    "Category - Tooltip": "Identifier for categorizing and grouping items or content, facilitating filtering and management",
     "Channel No.": "Channel No.",
     "Channel No. - Tooltip": "Unique number identifying a communication or data transmission channel, used to distinguish different transmission paths",
     "Chat ID": "Chat ID",
@@ -990,8 +999,6 @@
     "Content - Tooltip": "Specific information or data contained in messages, notifications, or documents",
     "DB test": "DB test",
     "DB test - Tooltip": "DB test - Tooltip",
-    "Disable SSL": "Disable SSL",
-    "Disable SSL - Tooltip": "Whether to disable SSL protocol when communicating with STMP server",
     "Domain": "Domain",
     "Domain - Tooltip": "Custom domain for object storage",
     "Edit Provider": "Edit Provider",
@@ -1074,9 +1081,12 @@
     "SP ACS URL": "SP ACS URL",
     "SP ACS URL - Tooltip": "SP ACS URL",
     "SP Entity ID": "SP Entity ID",
+    "SSL mode": "SSL mode",
+    "SSL mode - Tooltip": "SSL mode - Tooltip",
     "Scene": "Scene",
     "Scene - Tooltip": "Specific business scenario where the function or operation applies, used to adapt logic processing for different scenarios",
     "Scope": "Scope",
+    "Scope - Tooltip": "Scope - Tooltip",
     "Secret access key": "Secret access key",
     "Secret access key - Tooltip": "Private key paired with the access key, used for signing sensitive operations to enhance access security",
     "Secret key": "Secret key",
@@ -1238,6 +1248,9 @@
   },
   "syncer": {
     "API Token / Password": "API Token / Password",
+    "AWS Access Key ID": "AWS Access Key ID",
+    "AWS Region": "AWS Region",
+    "AWS Secret Access Key": "AWS Secret Access Key",
     "Admin Email": "Admin Email",
     "Affiliation table": "Affiliation table",
     "Affiliation table - Tooltip": "Database table name of the work unit",
@@ -1269,8 +1282,6 @@
     "SSH password": "SSH password",
     "SSH port": "SSH port",
     "SSH user": "SSH user",
-    "SSL mode": "SSL mode",
-    "SSL mode - Tooltip": "The SSL mode used when connecting to the database",
     "Service account key": "Service account key",
     "Sync interval": "Sync interval",
     "Sync interval - Tooltip": "Unit in seconds",

web/src/locales/es/data.json

@@ -70,6 +70,7 @@
     "Enable signin session - Tooltip": "Si Casdoor mantiene una sesión después de iniciar sesión en Casdoor desde la aplicación",
     "Enable signup": "Habilitar registro",
     "Enable signup - Tooltip": "Ya sea permitir que los usuarios registren una nueva cuenta",
+    "Existing Field": "Existing Field",
     "Failed signin frozen time": "Tiempo de congelación tras inicio fallido",
     "Failed signin frozen time - Tooltip": "Tiempo durante el cual la cuenta está congelada después de intentos fallidos de inicio de sesión",
     "Failed signin limit": "Límite de intentos fallidos de inicio",
@@ -134,7 +135,6 @@
     "SAML metadata": "Metadatos de SAML",
     "SAML metadata - Tooltip": "Los metadatos del protocolo SAML - Sugerencia",
     "SAML reply URL": "URL de respuesta SAML",
-    "SAML reply URL - Tooltip": "Personalizar el código HTML del panel lateral de la página de inicio de sesión - Sugerencia",
     "Security": "Seguridad",
     "Select": "Seleccionar",
     "Side panel HTML": "Panel lateral HTML",
@@ -152,6 +152,7 @@
     "Signup items - Tooltip": "Elementos para que los usuarios completen al registrar nuevas cuentas - Sugerencia",
     "Single Choice": "Opción única",
     "Small icon": "Icono pequeño",
+    "Static Value": "Static Value",
     "String": "Cadena",
     "Tags - Tooltip": "Solo los usuarios con la etiqueta que esté listada en las etiquetas de la aplicación pueden iniciar sesión - Sugerencia",
     "The application does not allow to sign up new account": "La aplicación no permite registrarse una cuenta nueva",
@@ -185,9 +186,7 @@
     "Expire in years - Tooltip": "Período de validez del certificado, en años",
     "New Cert": "Nuevo certificado",
     "Private key": "Clave privada",
-    "Private key - Tooltip": "Clave privada correspondiente al certificado de clave pública",
-    "Scope - Tooltip": "Escenarios de uso del certificado",
-    "Type - Tooltip": "Tipo de certificado"
+    "Private key - Tooltip": "Clave privada correspondiente al certificado de clave pública"
   },
   "code": {
     "Code you received": "Código que recibió",
@@ -276,6 +275,7 @@
     "Applications that require authentication": "Aplicaciones que requieren autenticación",
     "Apps": "Aplicaciones",
     "Authorization": "Autorización",
+    "Auto": "Auto",
     "Avatar": "Avatar",
     "Avatar - Tooltip": "Imagen de avatar pública para el usuario",
     "Back": "Atrás",
@@ -284,6 +284,8 @@
     "Cancel": "Cancelar",
     "Captcha": "Captcha",
     "Cart": "Carrito",
+    "Category": "Category",
+    "Category - Tooltip": "Category - Tooltip",
     "Cert": "Certificado",
     "Cert - Tooltip": "El certificado de clave pública que necesita ser verificado por el SDK del cliente correspondiente a esta aplicación",
     "Certs": "Certificaciones",
@@ -477,6 +479,8 @@
     "SSH type - Tooltip": "El tipo de autenticación de conexión SSH",
     "Save": "Guardar",
     "Save & Exit": "Guardar y salir",
+    "Scopes": "Scopes",
+    "Scopes - Tooltip": "Scopes - Tooltip",
     "Search": "Buscar",
     "Send": "Enviar",
     "Session ID": "ID de sesión",
@@ -531,6 +535,7 @@
     "Transactions": "Transacciones",
     "True": "Verdadero",
     "Type": "Tipo",
+    "Type - Tooltip": "Type - Tooltip",
     "URL": "URL",
     "URL - Tooltip": "Enlace de URL",
     "Unknown application name": "Nombre de aplicación desconocido",
@@ -868,6 +873,8 @@
   },
   "plan": {
     "Edit Plan": "Editar plan",
+    "Is exclusive": "Is exclusive",
+    "Is exclusive - Tooltip": "Is exclusive - Tooltip",
     "New Plan": "Nuevo plan",
     "Period": "Período",
     "Period - Tooltip": "Período",
@@ -898,6 +905,7 @@
     "Amount": "Importe",
     "Buy": "Comprar",
     "Buy Product": "Comprar producto",
+    "Cart contains invalid products, please delete them before placing an order": "Cart contains invalid products, please delete them before placing an order",
     "Custom amount available": "Importe personalizado disponible",
     "Custom price should be greater than zero": "El precio personalizado debe ser mayor que cero",
     "Detail - Tooltip": "Detalle del producto",
@@ -910,9 +918,11 @@
     "Image": "Imagen",
     "Image - Tooltip": "Imagen del producto",
     "Information": "Información",
+    "Invalid product": "Invalid product",
     "Is recharge": "Es recarga",
     "Is recharge - Tooltip": "Indica si el producto actual es para recargar saldo",
     "New Product": "Nuevo producto",
+    "No recharge options available": "No recharge options available",
     "Order created successfully": "Pedido creado con éxito",
     "PayPal": "PayPal",
     "Payment cancelled": "Pago cancelado",
@@ -925,12 +935,12 @@
     "Please select at least one payment provider": "Por favor, selecciona al menos un proveedor de pago",
     "Processing payment...": "Procesando el pago...",
     "Product list cannot be empty": "La lista de productos no puede estar vacía",
+    "Product not found or invalid": "Product not found or invalid",
     "Quantity": "Cantidad",
     "Quantity - Tooltip": "Cantidad de producto",
     "Recharge options": "Opciones de recarga",
     "Recharge options - Tooltip": "Opciones de recarga - Tooltip",
-    "Return URL": "URL de retorno",
-    "Return URL - Tooltip": "URL para regresar después de una compra exitosa",
+    "Recharge products need to go to the product detail page to set custom amount": "Recharge products need to go to the product detail page to set custom amount",
     "SKU": "SKU",
     "Select amount": "Seleccionar importe",
     "Sold": "Vendido",
@@ -973,8 +983,6 @@
     "Can signin": "¿Puedes iniciar sesión?",
     "Can signup": "Puede registrarse",
     "Can unlink": "Desvincular",
-    "Category": "Categoría",
-    "Category - Tooltip": "Identificador para categorizar y agrupar elementos o contenido, facilitando el filtrado y la gestión",
     "Channel No.": "Canal No.",
     "Channel No. - Tooltip": "Número único que identifica un canal de comunicación o transmisión de datos, utilizado para distinguir diferentes rutas de transmisión",
     "Chat ID": "ID de chat",
@@ -991,8 +999,6 @@
     "Content - Tooltip": "Contenido - Información adicional",
     "DB test": "Prueba de BD",
     "DB test - Tooltip": "Prueba de BD - Tooltip",
-    "Disable SSL": "Desactivar SSL",
-    "Disable SSL - Tooltip": "¿Hay que desactivar el protocolo SSL al comunicarse con el servidor STMP?",
     "Domain": "Dominio",
     "Domain - Tooltip": "Dominio personalizado para almacenamiento de objetos",
     "Edit Provider": "Editar proveedor",
@@ -1075,9 +1081,12 @@
     "SP ACS URL": "URL de ACS de SP",
     "SP ACS URL - Tooltip": "URL del ACS de SP",
     "SP Entity ID": "ID de entidad SP",
+    "SSL mode": "SSL mode",
+    "SSL mode - Tooltip": "SSL mode - Tooltip",
     "Scene": "Escena",
     "Scene - Tooltip": "Escena",
     "Scope": "Alcance",
+    "Scope - Tooltip": "Scope - Tooltip",
     "Secret access key": "Clave de acceso secreta",
     "Secret access key - Tooltip": "Clave de acceso secreta",
     "Secret key": "Clave secreta",
@@ -1239,6 +1248,9 @@
   },
   "syncer": {
     "API Token / Password": "Token API / Contraseña",
+    "AWS Access Key ID": "AWS Access Key ID",
+    "AWS Region": "AWS Region",
+    "AWS Secret Access Key": "AWS Secret Access Key",
     "Admin Email": "Correo del administrador",
     "Affiliation table": "Tabla de afiliación",
     "Affiliation table - Tooltip": "Nombre de la tabla de base de datos de la unidad de trabajo",
@@ -1270,8 +1282,6 @@
     "SSH password": "Contraseña SSH",
     "SSH port": "Puerto SSH",
     "SSH user": "Usuario SSH",
-    "SSL mode": "Modo SSL",
-    "SSL mode - Tooltip": "Modo SSL",
     "Service account key": "Clave de la cuenta de servicio",
     "Sync interval": "Intervalo de sincronización",
     "Sync interval - Tooltip": "Unidad en segundos",

web/src/locales/fr/data.json

@@ -70,6 +70,7 @@
     "Enable signin session - Tooltip": "Conserver une session après la connexion à Casdoor à partir de l'application",
     "Enable signup": "Activer l'inscription",
     "Enable signup - Tooltip": "Autoriser la création de nouveaux comptes",
+    "Existing Field": "Existing Field",
     "Failed signin frozen time": "Temps de blocage après échec de connexion",
     "Failed signin frozen time - Tooltip": "Durée pendant laquelle le compte est gelé après des tentatives de connexion échouées",
     "Failed signin limit": "Limite d'échecs de connexion",
@@ -151,6 +152,7 @@
     "Signup items - Tooltip": "Éléments à remplir par les utilisateurs lors de la création de nouveaux comptes - Info-bulle",
     "Single Choice": "Choix unique",
     "Small icon": "Petite icône",
+    "Static Value": "Static Value",
     "String": "String",
     "Tags - Tooltip": "Seuls les utilisateurs avec le tag listé dans les tags de l'application peuvent se connecter - Info-bulle",
     "The application does not allow to sign up new account": "L'application ne permet pas de créer un nouveau compte",
@@ -184,9 +186,7 @@
     "Expire in years - Tooltip": "Période de validité du certificat, en années",
     "New Cert": "Nouveau Certificat",
     "Private key": "Clé privée",
-    "Private key - Tooltip": "Clé privée correspondant au certificat de la clé publique",
-    "Scope - Tooltip": "Scénarios d'utilisation du certificat",
-    "Type - Tooltip": "Type de certificat"
+    "Private key - Tooltip": "Clé privée correspondant au certificat de la clé publique"
   },
   "code": {
     "Code you received": "Le code que vous avez reçu",
@@ -275,6 +275,7 @@
     "Applications that require authentication": "Applications qui nécessitent une authentification",
     "Apps": "Applications",
     "Authorization": "Autorisation",
+    "Auto": "Auto",
     "Avatar": "Avatar",
     "Avatar - Tooltip": "Image d'avatar publique pour le compte",
     "Back": "Retour",
@@ -283,6 +284,8 @@
     "Cancel": "Annuler",
     "Captcha": "Captcha",
     "Cart": "Panier",
+    "Category": "Category",
+    "Category - Tooltip": "Category - Tooltip",
     "Cert": "Certificat",
     "Cert - Tooltip": "La clé publique du certificat qui doit être vérifiée par le kit de développement client correspondant à cette application",
     "Certs": "Certificats",
@@ -476,6 +479,8 @@
     "SSH type - Tooltip": "Type d'authentification de connexion SSH",
     "Save": "Enregistrer",
     "Save & Exit": "Enregistrer et quitter",
+    "Scopes": "Scopes",
+    "Scopes - Tooltip": "Scopes - Tooltip",
     "Search": "Rechercher",
     "Send": "Envoyer",
     "Session ID": "Identifiant de session",
@@ -530,6 +535,7 @@
     "Transactions": "Transactions",
     "True": "Vrai",
     "Type": "Type",
+    "Type - Tooltip": "Type - Tooltip",
     "URL": "URL",
     "URL - Tooltip": "Lien de l'URL",
     "Unknown application name": "Nom d'application inconnu",
@@ -867,6 +873,8 @@
   },
   "plan": {
     "Edit Plan": "Modifier le plan",
+    "Is exclusive": "Is exclusive",
+    "Is exclusive - Tooltip": "Is exclusive - Tooltip",
     "New Plan": "Nouveau plan",
     "Period": "Période",
     "Period - Tooltip": "Période",
@@ -897,6 +905,7 @@
     "Amount": "Montant",
     "Buy": "Acheter",
     "Buy Product": "Acheter un produit",
+    "Cart contains invalid products, please delete them before placing an order": "Cart contains invalid products, please delete them before placing an order",
     "Custom amount available": "Montant personnalisé disponible",
     "Custom price should be greater than zero": "Le prix personnalisé doit être supérieur à zéro",
     "Detail - Tooltip": "Détail du produit - Infobulle",
@@ -909,9 +918,11 @@
     "Image": "Image",
     "Image - Tooltip": "Image du produit",
     "Information": "Informations",
+    "Invalid product": "Invalid product",
     "Is recharge": "Est un rechargement",
     "Is recharge - Tooltip": "Indique si le produit actuel permet de recharger le solde",
     "New Product": "Nouveau produit",
+    "No recharge options available": "No recharge options available",
     "Order created successfully": "Commande créée avec succès",
     "PayPal": "PayPal",
     "Payment cancelled": "Paiement annulé",
@@ -924,12 +935,12 @@
     "Please select at least one payment provider": "Veuillez sélectionner au moins un fournisseur de paiement",
     "Processing payment...": "Traitement du paiement...",
     "Product list cannot be empty": "La liste des produits ne peut pas être vide",
+    "Product not found or invalid": "Product not found or invalid",
     "Quantity": "Quantité",
     "Quantity - Tooltip": "Quantité du produit",
     "Recharge options": "Options de recharge",
     "Recharge options - Tooltip": "Recharge options - Tooltip",
-    "Return URL": "URL de retour",
-    "Return URL - Tooltip": "URL de retour après l'achat réussi",
+    "Recharge products need to go to the product detail page to set custom amount": "Recharge products need to go to the product detail page to set custom amount",
     "SKU": "SKU",
     "Select amount": "Sélectionner un montant",
     "Sold": "Vendu",
@@ -972,8 +983,6 @@
     "Can signin": "Pouvez-vous vous connecter?",
     "Can signup": "Peut s'inscrire",
     "Can unlink": "Peut annuler le lien",
-    "Category": "Catégorie",
-    "Category - Tooltip": "Sélectionnez une catégorie",
     "Channel No.": "chaîne n°",
     "Channel No. - Tooltip": "Canal N°",
     "Chat ID": "ID de chat",
@@ -990,8 +999,6 @@
     "Content - Tooltip": "Contenu - Infobulle",
     "DB test": "Test BD",
     "DB test - Tooltip": "Test BD - Infobulle",
-    "Disable SSL": "Désactiver SSL",
-    "Disable SSL - Tooltip": "Désactiver le protocole SSL lors de la communication avec le serveur STMP",
     "Domain": "Domaine",
     "Domain - Tooltip": "Domaine personnalisé pour le stockage d'objets",
     "Edit Provider": "Modifier le fournisseur",
@@ -1074,9 +1081,12 @@
     "SP ACS URL": "URL du SP ACS",
     "SP ACS URL - Tooltip": "URL de l'ACS du fournisseur de service",
     "SP Entity ID": "Identifiant d'entité SP",
+    "SSL mode": "SSL mode",
+    "SSL mode - Tooltip": "SSL mode - Tooltip",
     "Scene": "Scène",
     "Scene - Tooltip": "Scène",
     "Scope": "Portée",
+    "Scope - Tooltip": "Scope - Tooltip",
     "Secret access key": "Clé d'accès secrète",
     "Secret access key - Tooltip": "Clé d'accès secrète",
     "Secret key": "Clé secrète",
@@ -1238,6 +1248,9 @@
   },
   "syncer": {
     "API Token / Password": "Jeton API / Mot de passe",
+    "AWS Access Key ID": "AWS Access Key ID",
+    "AWS Region": "AWS Region",
+    "AWS Secret Access Key": "AWS Secret Access Key",
     "Admin Email": "E-mail admin",
     "Affiliation table": "Table d'affiliation",
     "Affiliation table - Tooltip": "Nom de la table de la base de données de l'unité de travail",
@@ -1269,8 +1282,6 @@
     "SSH password": "Mot de passe SSH",
     "SSH port": "Port SSH",
     "SSH user": "Utilisateur SSH",
-    "SSL mode": "Mode SSL",
-    "SSL mode - Tooltip": "Mode SSL",
     "Service account key": "Clé du compte de service",
     "Sync interval": "Intervalle de synchronisation",
     "Sync interval - Tooltip": "Unité en secondes",

web/src/locales/ja/data.json

@@ -70,6 +70,7 @@
     "Enable signin session - Tooltip": "アプリケーションから Casdoor にログイン後、Casdoor がセッションを維持しているかどうか",
     "Enable signup": "サインアップを有効にする",
     "Enable signup - Tooltip": "新しいアカウントの登録をユーザーに許可するかどうか",
+    "Existing Field": "Existing Field",
     "Failed signin frozen time": "サインイン失敗時の凍結時間",
     "Failed signin frozen time - Tooltip": "サインイン失敗後にアカウントが凍結される時間",
     "Failed signin limit": "サインイン失敗回数制限",
@@ -117,7 +118,6 @@
     "Please input your organization!": "あなたの組織を入力してください！",
     "Please select a HTML file": "HTMLファイルを選択してください",
     "Pop up": "ポップアップ",
-    "Pop up - Tooltip": "ポップアップ - ヒント",
     "Providers": "プロバイダー",
     "Random": "ランダム",
     "Real name": "本名",
@@ -135,7 +135,6 @@
     "SAML metadata": "SAMLメタデータ",
     "SAML metadata - Tooltip": "SAMLプロトコルのメタデータ - ヒント",
     "SAML reply URL": "SAMLリプライURL",
-    "SAML reply URL - Tooltip": "SAMLリプライURL - ヒント",
     "Security": "セキュリティ",
     "Select": "選択",
     "Side panel HTML": "サイドパネルのHTML",
@@ -153,6 +152,7 @@
     "Signup items - Tooltip": "新しいアカウントを登録する際にユーザーが入力するアイテム",
     "Single Choice": "単一選択",
     "Small icon": "小さいアイコン",
+    "Static Value": "Static Value",
     "String": "文字列",
     "Tags - Tooltip": "アプリケーションタグに含まれるタグを持つユーザーのみログイン可能です",
     "The application does not allow to sign up new account": "アプリケーションでは新しいアカウントの登録ができません",
@@ -186,9 +186,7 @@
     "Expire in years - Tooltip": "証明書の有効期間、年数で",
     "New Cert": "新しい証明書",
     "Private key": "プライベートキー",
-    "Private key - Tooltip": "公開鍵証明書に対応する秘密鍵",
-    "Scope - Tooltip": "証明書の使用シナリオ",
-    "Type - Tooltip": "証明書の種類"
+    "Private key - Tooltip": "公開鍵証明書に対応する秘密鍵"
   },
   "code": {
     "Code you received": "受け取ったコード",
@@ -277,6 +275,7 @@
     "Applications that require authentication": "認証が必要なアプリケーション",
     "Apps": "アプリ",
     "Authorization": "認可",
+    "Auto": "Auto",
     "Avatar": "アバター",
     "Avatar - Tooltip": "ユーザーのパブリックアバター画像",
     "Back": "戻る",
@@ -285,6 +284,8 @@
     "Cancel": "キャンセルします",
     "Captcha": "キャプチャ",
     "Cart": "カート",
+    "Category": "Category",
+    "Category - Tooltip": "Category - Tooltip",
     "Cert": "証明書",
     "Cert - Tooltip": "このアプリケーションに対応するクライアントSDKによって検証する必要がある公開鍵証明書",
     "Certs": "証明書",
@@ -478,6 +479,8 @@
     "SSH type - Tooltip": "SSH接続の認証タイプ",
     "Save": "保存",
     "Save & Exit": "保存して終了",
+    "Scopes": "Scopes",
+    "Scopes - Tooltip": "Scopes - Tooltip",
     "Search": "検索",
     "Send": "送信",
     "Session ID": "セッションID",
@@ -532,6 +535,7 @@
     "Transactions": "取引",
     "True": "真",
     "Type": "タイプ",
+    "Type - Tooltip": "Type - Tooltip",
     "URL": "URL",
     "URL - Tooltip": "URLリンク",
     "Unknown application name": "不明なアプリケーション名",
@@ -869,6 +873,8 @@
   },
   "plan": {
     "Edit Plan": "プランを編集",
+    "Is exclusive": "Is exclusive",
+    "Is exclusive - Tooltip": "Is exclusive - Tooltip",
     "New Plan": "新しいプラン",
     "Period": "期間",
     "Period - Tooltip": "期間",
@@ -899,6 +905,7 @@
     "Amount": "金額",
     "Buy": "購入",
     "Buy Product": "製品を購入する",
+    "Cart contains invalid products, please delete them before placing an order": "Cart contains invalid products, please delete them before placing an order",
     "Custom amount available": "任意金額を利用可能",
     "Custom price should be greater than zero": "カスタム価格は0より大きくする必要があります",
     "Detail - Tooltip": "製品の詳細",
@@ -911,9 +918,11 @@
     "Image": "画像",
     "Image - Tooltip": "製品のイメージ",
     "Information": "情報",
+    "Invalid product": "Invalid product",
     "Is recharge": "チャージ用か",
     "Is recharge - Tooltip": "現在の製品が残高をチャージするためかどうか",
     "New Product": "新製品",
+    "No recharge options available": "No recharge options available",
     "Order created successfully": "注文が正常に作成されました",
     "PayPal": "ペイパル",
     "Payment cancelled": "支払いキャンセル",
@@ -926,12 +935,12 @@
     "Please select at least one payment provider": "少なくとも1つの支払いプロバイダーを選択してください",
     "Processing payment...": "支払い処理中...",
     "Product list cannot be empty": "商品リストを空にできません",
+    "Product not found or invalid": "Product not found or invalid",
     "Quantity": "量",
     "Quantity - Tooltip": "製品の量",
     "Recharge options": "チャージオプション",
     "Recharge options - Tooltip": "チャージオプション - ツールチップ",
-    "Return URL": "戻りURL",
-    "Return URL - Tooltip": "成功した購入後に戻るURL",
+    "Recharge products need to go to the product detail page to set custom amount": "Recharge products need to go to the product detail page to set custom amount",
     "SKU": "SKU",
     "Select amount": "金額を選択",
     "Sold": "売れました",
@@ -974,8 +983,6 @@
     "Can signin": "サインインできますか？",
     "Can signup": "サインアップできますか？",
     "Can unlink": "アンリンクすることができます",
-    "Category": "カテゴリー",
-    "Category - Tooltip": "カテゴリーを選択してください",
     "Channel No.": "チャンネル番号",
     "Channel No. - Tooltip": "チャンネル番号",
     "Chat ID": "チャットID",
@@ -992,8 +999,6 @@
     "Content - Tooltip": "コンテンツ - ツールチップ",
     "DB test": "DBテスト",
     "DB test - Tooltip": "DBテスト - ツールチップ",
-    "Disable SSL": "SSLを無効にする",
-    "Disable SSL - Tooltip": "SMTPサーバーと通信する場合にSSLプロトコルを無効にするかどうか",
     "Domain": "ドメイン",
     "Domain - Tooltip": "オブジェクトストレージのカスタムドメイン",
     "Edit Provider": "編集プロバイダー",
@@ -1076,9 +1081,12 @@
     "SP ACS URL": "SP ACS URL",
     "SP ACS URL - Tooltip": "SP ACS URL - ツールチップ",
     "SP Entity ID": "SPエンティティID",
+    "SSL mode": "SSL mode",
+    "SSL mode - Tooltip": "SSL mode - Tooltip",
     "Scene": "シーン",
     "Scene - Tooltip": "シーン",
     "Scope": "範囲",
+    "Scope - Tooltip": "Scope - Tooltip",
     "Secret access key": "秘密のアクセスキー",
     "Secret access key - Tooltip": "秘密のアクセスキー",
     "Secret key": "秘密鍵",
@@ -1240,6 +1248,9 @@
   },
   "syncer": {
     "API Token / Password": "APIトークン / パスワード",
+    "AWS Access Key ID": "AWS Access Key ID",
+    "AWS Region": "AWS Region",
+    "AWS Secret Access Key": "AWS Secret Access Key",
     "Admin Email": "管理者メール",
     "Affiliation table": "所属テーブル",
     "Affiliation table - Tooltip": "作業単位のデータベーステーブル名",
@@ -1271,8 +1282,6 @@
     "SSH password": "SSHパスワード",
     "SSH port": "SSHポート",
     "SSH user": "SSHユーザー",
-    "SSL mode": "SSLモード",
-    "SSL mode - Tooltip": "SSLモード",
     "Service account key": "サービスアカウントキー",
     "Sync interval": "同期の間隔",
     "Sync interval - Tooltip": "単位は秒です",

web/src/locales/pl/data.json

@@ -70,6 +70,7 @@
     "Enable signin session - Tooltip": "Czy Casdoor utrzymuje sesję po zalogowaniu do Casdoor z poziomu aplikacji",
     "Enable signup": "Włącz rejestrację",
     "Enable signup - Tooltip": "Czy zezwolić użytkownikom na rejestrację nowych kont",
+    "Existing Field": "Existing Field",
     "Failed signin frozen time": "Czas blokady po nieudanym logowaniu",
     "Failed signin frozen time - Tooltip": "Czas w którym konto jest zablokowane po nieudanych próbach logowania - Podpowiedź",
     "Failed signin limit": "Limit nieudanych logowań",
@@ -151,6 +152,7 @@
     "Signup items - Tooltip": "Elementy, które użytkownicy muszą wypełnić podczas rejestracji nowych kont",
     "Single Choice": "Jednokrotny wybór",
     "Small icon": "Mała ikona",
+    "Static Value": "Static Value",
     "String": "Ciąg",
     "Tags - Tooltip": "Tylko użytkownicy z tagiem wymienionym w tagach aplikacji mogą się zalogować",
     "The application does not allow to sign up new account": "Aplikacja nie zezwala na rejestrację nowego konta",
@@ -184,9 +186,7 @@
     "Expire in years - Tooltip": "Okres ważności certyfikatu, w latach",
     "New Cert": "Nowy certyfikat",
     "Private key": "Klucz prywatny",
-    "Private key - Tooltip": "Klucz prywatny odpowiadający certyfikatowi klucza publicznego",
-    "Scope - Tooltip": "Scenariusze użycia certyfikatu",
-    "Type - Tooltip": "Typ certyfikatu"
+    "Private key - Tooltip": "Klucz prywatny odpowiadający certyfikatowi klucza publicznego"
   },
   "code": {
     "Code you received": "Kod, który otrzymałeś",
@@ -275,6 +275,7 @@
     "Applications that require authentication": "Aplikacje wymagające uwierzytelniania",
     "Apps": "Aplikacje",
     "Authorization": "Autoryzacja",
+    "Auto": "Auto",
     "Avatar": "Awatar",
     "Avatar - Tooltip": "Publiczny obraz awatara użytkownika",
     "Back": "Wstecz",
@@ -283,6 +284,8 @@
     "Cancel": "Anuluj",
     "Captcha": "Captcha",
     "Cart": "Koszyk",
+    "Category": "Category",
+    "Category - Tooltip": "Category - Tooltip",
     "Cert": "Certyfikat",
     "Cert - Tooltip": "Certyfikat klucza publicznego, który musi być zweryfikowany przez odpowiednią aplikację SDK po stronie klienta",
     "Certs": "Certyfikaty",
@@ -476,6 +479,8 @@
     "SSH type - Tooltip": "Typ uwierzytelniania połączenia SSH",
     "Save": "Zapisz",
     "Save & Exit": "Zapisz i wyjdź",
+    "Scopes": "Scopes",
+    "Scopes - Tooltip": "Scopes - Tooltip",
     "Search": "Szukaj",
     "Send": "Wyślij",
     "Session ID": "ID sesji",
@@ -530,6 +535,7 @@
     "Transactions": "Transakcje",
     "True": "Prawda",
     "Type": "Typ",
+    "Type - Tooltip": "Type - Tooltip",
     "URL": "URL",
     "URL - Tooltip": "Link URL",
     "Unknown application name": "Nieznana nazwa aplikacji",
@@ -867,6 +873,8 @@
   },
   "plan": {
     "Edit Plan": "Edytuj plan",
+    "Is exclusive": "Is exclusive",
+    "Is exclusive - Tooltip": "Is exclusive - Tooltip",
     "New Plan": "Nowy plan",
     "Period": "Okres",
     "Period - Tooltip": "Okres",
@@ -897,6 +905,7 @@
     "Amount": "Kwota",
     "Buy": "Kup",
     "Buy Product": "Kup produkt",
+    "Cart contains invalid products, please delete them before placing an order": "Cart contains invalid products, please delete them before placing an order",
     "Custom amount available": "Dostępna kwota niestandardowa",
     "Custom price should be greater than zero": "Cena niestandardowa musi być większa od zera",
     "Detail - Tooltip": "Szczegóły produktu",
@@ -909,9 +918,11 @@
     "Image": "Obrazek",
     "Image - Tooltip": "Obrazek produktu",
     "Information": "Informacje",
+    "Invalid product": "Invalid product",
     "Is recharge": "Jest doładowaniem",
     "Is recharge - Tooltip": "Czy bieżący produkt służy do doładowania salda",
     "New Product": "Nowy produkt",
+    "No recharge options available": "No recharge options available",
     "Order created successfully": "Zamówienie utworzone pomyślnie",
     "PayPal": "PayPal",
     "Payment cancelled": "Płatność anulowana",
@@ -924,12 +935,12 @@
     "Please select at least one payment provider": "Wybierz co najmniej jednego dostawcę płatności",
     "Processing payment...": "Przetwarzanie płatności...",
     "Product list cannot be empty": "Lista produktów nie może być pusta",
+    "Product not found or invalid": "Product not found or invalid",
     "Quantity": "Ilość",
     "Quantity - Tooltip": "Ilość produktu",
     "Recharge options": "Opcje doładowania",
     "Recharge options - Tooltip": "Opcje doładowania - Podpowiedź",
-    "Return URL": "Adres powrotu",
-    "Return URL - Tooltip": "Adres do powrotu po udanym zakupie",
+    "Recharge products need to go to the product detail page to set custom amount": "Recharge products need to go to the product detail page to set custom amount",
     "SKU": "SKU",
     "Select amount": "Wybierz kwotę",
     "Sold": "Sprzedano",
@@ -972,8 +983,10 @@
     "Can signin": "Można się zalogować",
     "Can signup": "Można się zarejestrować",
     "Can unlink": "Można odłączyć",
-    "Category": "Kategoria",
-    "Category - Tooltip": "Wybierz kategorię",
+    "Channel No.": "Channel No.",
+    "Channel No. - Tooltip": "Channel No. - Tooltip",
+    "Chat ID": "Chat ID",
+    "Chat ID - Tooltip": "Chat ID - Tooltip",
     "Client ID": "ID klienta",
     "Client ID - Tooltip": "ID klienta",
     "Client ID 2": "ID klienta 2",
@@ -986,6 +999,37 @@
     "Content - Tooltip": "Treść",
     "DB test": "Test bazy danych",
     "DB test - Tooltip": "Test bazy danych",
+    "Domain": "Domain",
+    "Domain - Tooltip": "Domain - Tooltip",
+    "Edit Provider": "Edit Provider",
+    "Email content": "Email content",
+    "Email content - Tooltip": "Email content - Tooltip",
+    "Email regex": "Email regex",
+    "Email regex - Tooltip": "Email regex - Tooltip",
+    "Email title": "Email title",
+    "Email title - Tooltip": "Email title - Tooltip",
+    "Enable PKCE": "Enable PKCE",
+    "Enable PKCE - Tooltip": "Enable PKCE - Tooltip",
+    "Enable proxy": "Enable proxy",
+    "Enable proxy - Tooltip": "Enable proxy - Tooltip",
+    "Endpoint": "Endpoint",
+    "Endpoint (Intranet)": "Endpoint (Intranet)",
+    "Endpoint - Tooltip": "Endpoint - Tooltip",
+    "Follow-up action": "Follow-up action",
+    "Follow-up action - Tooltip": "Follow-up action - Tooltip",
+    "From address": "From address",
+    "From address - Tooltip": "From address - Tooltip",
+    "From name": "From name",
+    "From name - Tooltip": "From name - Tooltip",
+    "Get phone number": "Get phone number",
+    "Get phone number - Tooltip": "Get phone number - Tooltip",
+    "HTTP body mapping": "HTTP body mapping",
+    "HTTP body mapping - Tooltip": "HTTP body mapping - Tooltip",
+    "HTTP header": "HTTP header",
+    "HTTP header - Tooltip": "HTTP header - Tooltip",
+    "Host": "Host",
+    "Host - Tooltip": "Host - Tooltip",
+    "IdP": "IdP",
     "IdP certificate": "Certyfikat IdP",
     "Internal": "Wewnętrzny",
     "Issuer URL": "Adres URL wystawcy",
@@ -1037,9 +1081,12 @@
     "SP ACS URL": "Adres URL SP ACS",
     "SP ACS URL - Tooltip": "Adres URL SP ACS",
     "SP Entity ID": "ID jednostki SP",
+    "SSL mode": "SSL mode",
+    "SSL mode - Tooltip": "SSL mode - Tooltip",
     "Scene": "Scena",
     "Scene - Tooltip": "Scena",
     "Scope": "Zakres",
+    "Scope - Tooltip": "Scope - Tooltip",
     "Secret access key": "Tajny klucz dostępu",
     "Secret access key - Tooltip": "Tajny klucz dostępu",
     "Secret key": "Tajny klucz",
@@ -1201,6 +1248,9 @@
   },
   "syncer": {
     "API Token / Password": "API Token / Password",
+    "AWS Access Key ID": "AWS Access Key ID",
+    "AWS Region": "AWS Region",
+    "AWS Secret Access Key": "AWS Secret Access Key",
     "Admin Email": "Admin Email",
     "Affiliation table": "Tabela przynależności",
     "Affiliation table - Tooltip": "Nazwa tabeli bazy danych jednostki pracy",
@@ -1232,8 +1282,6 @@
     "SSH password": "Hasło SSH",
     "SSH port": "Port SSH",
     "SSH user": "Użytkownik SSH",
-    "SSL mode": "Tryb SSL",
-    "SSL mode - Tooltip": "Tryb SSL - etykietka",
     "Service account key": "Klucz konta usługi",
     "Sync interval": "Interwał synchronizacji",
     "Sync interval - Tooltip": "Jednostka w sekundach",

web/src/locales/pt/data.json

@@ -70,6 +70,7 @@
     "Enable signin session - Tooltip": "Se o Casdoor mantém uma sessão depois de fazer login no Casdoor a partir da aplicação",
     "Enable signup": "Ativar registro",
     "Enable signup - Tooltip": "Se permite que os usuários registrem uma nova conta",
+    "Existing Field": "Existing Field",
     "Failed signin frozen time": "Tempo de bloqueio após falha de login",
     "Failed signin frozen time - Tooltip": "Tempo em que a conta fica congelada após tentativas de login falhadas",
     "Failed signin limit": "Limite de tentativas de login falhadas",
@@ -151,6 +152,7 @@
     "Signup items - Tooltip": "Itens para os usuários preencherem ao fazer login - Dica",
     "Single Choice": "Escolha única",
     "Small icon": "Ícone pequeno",
+    "Static Value": "Static Value",
     "String": "String",
     "Tags - Tooltip": "Apenas usuários com a tag listada nas tags da aplicação podem fazer login - Dica",
     "The application does not allow to sign up new account": "A aplicação não permite o registro de novas contas",
@@ -184,9 +186,7 @@
     "Expire in years - Tooltip": "Período de validade do certificado, em anos",
     "New Cert": "Novo Certificado",
     "Private key": "Chave privada",
-    "Private key - Tooltip": "Chave privada correspondente ao certificado de chave pública",
-    "Scope - Tooltip": "Cenários de uso do certificado",
-    "Type - Tooltip": "Tipo de certificado"
+    "Private key - Tooltip": "Chave privada correspondente ao certificado de chave pública"
   },
   "code": {
     "Code you received": "Código que você recebeu",
@@ -275,6 +275,7 @@
     "Applications that require authentication": "Aplicações que requerem autenticação",
     "Apps": "Aplicativos",
     "Authorization": "Autorização",
+    "Auto": "Auto",
     "Avatar": "Avatar",
     "Avatar - Tooltip": "Imagem de avatar pública do usuário",
     "Back": "Voltar",
@@ -283,6 +284,8 @@
     "Cancel": "Cancelar",
     "Captcha": "Captcha",
     "Cart": "Carrinho",
+    "Category": "Category",
+    "Category - Tooltip": "Category - Tooltip",
     "Cert": "Certificado",
     "Cert - Tooltip": "O certificado da chave pública que precisa ser verificado pelo SDK do cliente correspondente a esta aplicação",
     "Certs": "Certificados",
@@ -476,6 +479,8 @@
     "SSH type - Tooltip": "Tipo de autenticação para conexão SSH",
     "Save": "Salvar",
     "Save & Exit": "Salvar e Sair",
+    "Scopes": "Scopes",
+    "Scopes - Tooltip": "Scopes - Tooltip",
     "Search": "Buscar",
     "Send": "Enviar",
     "Session ID": "ID da sessão",
@@ -530,6 +535,7 @@
     "Transactions": "Transações",
     "True": "Verdadeiro",
     "Type": "Tipo",
+    "Type - Tooltip": "Type - Tooltip",
     "URL": "URL",
     "URL - Tooltip": "Link da URL",
     "Unknown application name": "Nome de aplicação desconhecido",
@@ -867,6 +873,8 @@
   },
   "plan": {
     "Edit Plan": "Editar Plano",
+    "Is exclusive": "Is exclusive",
+    "Is exclusive - Tooltip": "Is exclusive - Tooltip",
     "New Plan": "Novo Plano",
     "Period": "Período",
     "Period - Tooltip": "Período",
@@ -897,6 +905,7 @@
     "Amount": "Valor",
     "Buy": "Comprar",
     "Buy Product": "Comprar Produto",
+    "Cart contains invalid products, please delete them before placing an order": "Cart contains invalid products, please delete them before placing an order",
     "Custom amount available": "Valor personalizado disponível",
     "Custom price should be greater than zero": "O preço personalizado deve ser maior que zero",
     "Detail - Tooltip": "Detalhes do produto",
@@ -909,9 +918,11 @@
     "Image": "Imagem",
     "Image - Tooltip": "Imagem do produto",
     "Information": "Informações",
+    "Invalid product": "Invalid product",
     "Is recharge": "É recarga",
     "Is recharge - Tooltip": "Se o produto atual é para recarregar saldo",
     "New Product": "Novo Produto",
+    "No recharge options available": "No recharge options available",
     "Order created successfully": "Pedido criado com sucesso",
     "PayPal": "PayPal",
     "Payment cancelled": "Pagamento cancelado",
@@ -924,12 +935,12 @@
     "Please select at least one payment provider": "Por favor, selecione pelo menos um provedor de pagamento",
     "Processing payment...": "Processando pagamento...",
     "Product list cannot be empty": "A lista de produtos não pode estar vazia",
+    "Product not found or invalid": "Product not found or invalid",
     "Quantity": "Quantidade",
     "Quantity - Tooltip": "Quantidade do produto",
     "Recharge options": "Opções de recarga",
     "Recharge options - Tooltip": "Dica: opções de recarga",
-    "Return URL": "URL de Retorno",
-    "Return URL - Tooltip": "URL para retornar após a compra bem-sucedida",
+    "Recharge products need to go to the product detail page to set custom amount": "Recharge products need to go to the product detail page to set custom amount",
     "SKU": "SKU",
     "Select amount": "Selecionar valor",
     "Sold": "Vendido",
@@ -972,8 +983,6 @@
     "Can signin": "Pode fazer login",
     "Can signup": "Pode se inscrever",
     "Can unlink": "Pode desvincular",
-    "Category": "Categoria",
-    "Category - Tooltip": "Selecione uma categoria",
     "Channel No.": "Número do canal",
     "Channel No. - Tooltip": "Número do canal",
     "Chat ID": "ID do chat",
@@ -990,8 +999,6 @@
     "Content - Tooltip": "Dica: conteúdo",
     "DB test": "Teste do banco de dados",
     "DB test - Tooltip": "Dica: teste do banco de dados",
-    "Disable SSL": "Desabilitar SSL",
-    "Disable SSL - Tooltip": "Se deve desabilitar o protocolo SSL ao comunicar com o servidor SMTP",
     "Domain": "Domínio",
     "Domain - Tooltip": "Domínio personalizado para armazenamento de objetos",
     "Edit Provider": "Editar Provedor",
@@ -1074,9 +1081,12 @@
     "SP ACS URL": "URL SP ACS",
     "SP ACS URL - Tooltip": "URL SP ACS",
     "SP Entity ID": "ID da Entidade SP",
+    "SSL mode": "SSL mode",
+    "SSL mode - Tooltip": "SSL mode - Tooltip",
     "Scene": "Cenário",
     "Scene - Tooltip": "Cenário",
     "Scope": "Escopo",
+    "Scope - Tooltip": "Scope - Tooltip",
     "Secret access key": "Chave de acesso secreta",
     "Secret access key - Tooltip": "Chave de acesso secreta",
     "Secret key": "Chave secreta",
@@ -1238,6 +1248,9 @@
   },
   "syncer": {
     "API Token / Password": "Token de API / Senha",
+    "AWS Access Key ID": "AWS Access Key ID",
+    "AWS Region": "AWS Region",
+    "AWS Secret Access Key": "AWS Secret Access Key",
     "Admin Email": "E-mail do administrador",
     "Affiliation table": "Tabela de Afiliação",
     "Affiliation table - Tooltip": "Nome da tabela no banco de dados da unidade de trabalho",
@@ -1269,8 +1282,6 @@
     "SSH password": "Senha SSH",
     "SSH port": "Porta SSH",
     "SSH user": "Usuário SSH",
-    "SSL mode": "Modo SSL",
-    "SSL mode - Tooltip": "Dica: modo SSL",
     "Service account key": "Chave da conta de serviço",
     "Sync interval": "Intervalo de sincronização",
     "Sync interval - Tooltip": "Unidade em segundos",

web/src/locales/tr/data.json

@@ -70,6 +70,7 @@
     "Enable signin session - Tooltip": "Uygulamadan Casdoor'a giriş yaptıktan sonra Casdoor'un bir oturum sürdürüp sürdürmeyeceği",
     "Enable signup": "Kayıtı Etkinleştir",
     "Enable signup - Tooltip": "Kullanıcıların yeni bir hesap kaydetmesine izin verilip verilmeyeceği",
+    "Existing Field": "Existing Field",
     "Failed signin frozen time": "Başarısız giriş dondurma süresi",
     "Failed signin frozen time - Tooltip": "Başarısız giriş denemelerinden sonra hesabın dondurulduğu süre",
     "Failed signin limit": "Başarısız giriş limiti",
@@ -151,6 +152,7 @@
     "Signup items - Tooltip": "Kullanıcıların yeni hesaplar kaydederken doldurması gereken öğeler - İpucu",
     "Single Choice": "Tek Seçim",
     "Small icon": "Küçük simge",
+    "Static Value": "Static Value",
     "String": "Dize",
     "Tags - Tooltip": "Yalnızca uygulama etiketlerinde listelenen etikete sahip kullanıcılar giriş yapabilir - İpucu",
     "The application does not allow to sign up new account": "Uygulama yeni hesap kaydetmeyi izin vermemektedir",
@@ -184,9 +186,7 @@
     "Expire in years - Tooltip": "Sertifikanın geçerlilik süresi, yıllarda",
     "New Cert": "Yeni Sertifika",
     "Private key": "Özel anahtar",
-    "Private key - Tooltip": "Genel anahtar sertifikasına karşılık gelen özel anahtar",
-    "Scope - Tooltip": "Sertifikanın kullanım senaryoları",
-    "Type - Tooltip": "Sertifika türü"
+    "Private key - Tooltip": "Genel anahtar sertifikasına karşılık gelen özel anahtar"
   },
   "code": {
     "Code you received": "Aldığınız kod",
@@ -275,6 +275,7 @@
     "Applications that require authentication": "Kimlik doğrulaması gerektiren uygulamalar",
     "Apps": "Uygulamalar",
     "Authorization": "Yetkilendirme",
+    "Auto": "Auto",
     "Avatar": "Avatar",
     "Avatar - Tooltip": "Kullanıcı için genel avatar resmi",
     "Back": "Geri",
@@ -283,6 +284,8 @@
     "Cancel": "Vazgeç",
     "Captcha": "Captcha",
     "Cart": "Sepet",
+    "Category": "Category",
+    "Category - Tooltip": "Category - Tooltip",
     "Cert": "Sertifika",
     "Cert - Tooltip": "Bu uygulamaya karşılık gelen istemci SDK tarafından doğrulanması gereken genel anahtar sertifikası",
     "Certs": "Sertifikalar",
@@ -476,6 +479,8 @@
     "SSH type - Tooltip": "SSH bağlantısının kimlik doğrulama türü",
     "Save": "Kaydet",
     "Save & Exit": "Kaydet ve Çık",
+    "Scopes": "Scopes",
+    "Scopes - Tooltip": "Scopes - Tooltip",
     "Search": "Ara",
     "Send": "Gönder",
     "Session ID": "Oturum ID",
@@ -530,6 +535,7 @@
     "Transactions": "İşlemler",
     "True": "Doğru",
     "Type": "Tür",
+    "Type - Tooltip": "Type - Tooltip",
     "URL": "URL",
     "URL - Tooltip": "URL bağlantısı",
     "Unknown application name": "Bilinmeyen uygulama adı",
@@ -867,6 +873,8 @@
   },
   "plan": {
     "Edit Plan": "Planı Düzenle",
+    "Is exclusive": "Is exclusive",
+    "Is exclusive - Tooltip": "Is exclusive - Tooltip",
     "New Plan": "Yeni Plan",
     "Period": "Dönem",
     "Period - Tooltip": "Dönem",
@@ -897,6 +905,7 @@
     "Amount": "Tutar",
     "Buy": "Satın Al",
     "Buy Product": "Ürün Satın Al",
+    "Cart contains invalid products, please delete them before placing an order": "Cart contains invalid products, please delete them before placing an order",
     "Custom amount available": "Özel tutar kullanılabilir",
     "Custom price should be greater than zero": "Özel fiyat sıfırdan büyük olmalıdır",
     "Detail - Tooltip": "Ürün detayı",
@@ -909,9 +918,11 @@
     "Image": "Resim",
     "Image - Tooltip": "Ürün resmi",
     "Information": "Bilgi",
+    "Invalid product": "Invalid product",
     "Is recharge": "Yeniden yükleme mi",
     "Is recharge - Tooltip": "Mevcut ürün bakiye yeniden yüklemesi ise",
     "New Product": "Yeni Ürün",
+    "No recharge options available": "No recharge options available",
     "Order created successfully": "Sipariş başarıyla oluşturuldu",
     "PayPal": "PayPal",
     "Payment cancelled": "Ödeme iptal edildi",
@@ -924,12 +935,12 @@
     "Please select at least one payment provider": "Lütfen en az bir ödeme sağlayıcısı seçin",
     "Processing payment...": "Ödeme işleniyor...",
     "Product list cannot be empty": "Ürün listesi boş olamaz",
+    "Product not found or invalid": "Product not found or invalid",
     "Quantity": "Miktar",
     "Quantity - Tooltip": "Ürün miktarı",
     "Recharge options": "Yeniden yükleme seçenekleri",
     "Recharge options - Tooltip": "Yeniden yükleme seçenekleri - Araç ipucu",
-    "Return URL": "Dönüş URL'si",
-    "Return URL - Tooltip": "Satın alımdan sonra dönülecek URL",
+    "Recharge products need to go to the product detail page to set custom amount": "Recharge products need to go to the product detail page to set custom amount",
     "SKU": "SKU",
     "Select amount": "Tutar seç",
     "Sold": "Satılmış",
@@ -972,8 +983,6 @@
     "Can signin": "Giriş yapabilir",
     "Can signup": "Kayıt yapabilir",
     "Can unlink": "Bağlantıyı kesebilir",
-    "Category": "Kategori",
-    "Category - Tooltip": "Bir kategori seçin",
     "Channel No.": "Kanal Numarası",
     "Channel No. - Tooltip": "Kanal Numarası",
     "Chat ID": "Sohbet Kimliği",
@@ -990,8 +999,6 @@
     "Content - Tooltip": "İçerik - Araç ipucu",
     "DB test": "Veritabanı testi",
     "DB test - Tooltip": "Veritabanı testi - Araç ipucu",
-    "Disable SSL": "SSL'yi Devre Dışı Bırak",
-    "Disable SSL - Tooltip": "STMP sunucusu ile iletişim kurarken SSL protokolünü devre dışı bırakıp bırakmayacağı",
     "Domain": "Alan adı",
     "Domain - Tooltip": "Nesne depolama için özel alan adı",
     "Edit Provider": "Sağlayıcıyı Düzenle",
@@ -1074,9 +1081,12 @@
     "SP ACS URL": "SP ACS URL'si",
     "SP ACS URL - Tooltip": "SP ACS URL'si",
     "SP Entity ID": "SP Varlık ID'si",
+    "SSL mode": "SSL mode",
+    "SSL mode - Tooltip": "SSL mode - Tooltip",
     "Scene": "Senaryo",
     "Scene - Tooltip": "Senaryo",
     "Scope": "Kapsam",
+    "Scope - Tooltip": "Scope - Tooltip",
     "Secret access key": "Gizli erişim anahtarı",
     "Secret access key - Tooltip": "Gizli erişim anahtarı",
     "Secret key": "Gizli anahtar",
@@ -1238,6 +1248,9 @@
   },
   "syncer": {
     "API Token / Password": "API Token / Password",
+    "AWS Access Key ID": "AWS Access Key ID",
+    "AWS Region": "AWS Region",
+    "AWS Secret Access Key": "AWS Secret Access Key",
     "Admin Email": "Admin Email",
     "Affiliation table": "İlişki tablosu",
     "Affiliation table - Tooltip": "Çalışma biriminin veritabanı tablo adı",
@@ -1269,8 +1282,6 @@
     "SSH password": "SSH şifresi",
     "SSH port": "SSH portu",
     "SSH user": "SSH kullanıcısı",
-    "SSL mode": "SSL modu",
-    "SSL mode - Tooltip": "SSL modu - İpucu",
     "Service account key": "Service account key",
     "Sync interval": "Senkronizasyon aralığı",
     "Sync interval - Tooltip": "Birimi saniye cinsinden",