fix: fixed balance and dummy payment errors (#4692)

.github/workflows/build.yml

@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v4
         with:
-          go-version: '^1.16.5'
+          go-version: '1.23'
           cache-dependency-path: ./go.mod
       - name: Tests
         run: |
@@ -44,6 +44,12 @@ jobs:
           cache-dependency-path: ./web/yarn.lock
       - run: yarn install && CI=false yarn run build
         working-directory: ./web
+      - name: Upload build artifacts
+        if: github.repository == 'casdoor/casdoor' && github.event_name == 'push'
+        uses: actions/upload-artifact@v4
+        with:
+          name: frontend-build-${{ github.run_id }}
+          path: ./web/build
 
   backend:
     name: Back-end
@@ -53,7 +59,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v4
         with:
-          go-version: '^1.16.5'
+          go-version: '1.23'
           cache-dependency-path: ./go.mod
       - run: go version
       - name: Build
@@ -69,7 +75,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v4
         with:
-          go-version: '^1.16.5'
+          go-version: '1.23'
           cache: false
 
       # gen a dummy config file
@@ -98,11 +104,28 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v4
         with:
-          go-version: '^1.16.5'
+          go-version: '1.23'
           cache-dependency-path: ./go.mod
       - name: start backend
-        run: nohup go run ./main.go &
+        run: nohup go run ./main.go > /tmp/backend.log 2>&1 &
         working-directory: ./
+      - name: Wait for backend to be ready
+        run: |
+          echo "Waiting for backend server to start on port 8000..."
+          for i in {1..60}; do
+            if curl -s http://localhost:8000 > /dev/null 2>&1; then
+              echo "Backend is ready!"
+              break
+            fi
+            if [ $i -eq 60 ]; then
+              echo "Backend failed to start within 60 seconds"
+              echo "Backend logs:"
+              cat /tmp/backend.log || echo "No backend logs available"
+              exit 1
+            fi
+            echo "Waiting... ($i/60)"
+            sleep 1
+          done
       - uses: actions/setup-node@v3
         with:
           node-version: 20
@@ -129,39 +152,95 @@ jobs:
           name: cypress-videos
           path: ./web/cypress/videos
 
-  release-and-push:
-    name: Release And Push
+  tag-release:
+    name: Create Tag
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
     if: github.repository == 'casdoor/casdoor' && github.event_name == 'push'
     needs: [ frontend, backend, linter, e2e ]
+    outputs:
+      new-release-published: ${{ steps.semantic.outputs.new_release_published }}
+      new-release-version: ${{ steps.semantic.outputs.new_release_version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Create Tag with Semantic Release
+        id: semantic
+        uses: cycjimmy/semantic-release-action@v4
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  github-release:
+    name: GitHub Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+    if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && needs.tag-release.outputs.new-release-published == 'true'
+    needs: [ tag-release ]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Free disk space
+        uses: jlumbroso/free-disk-space@v1.3.1
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
+      - name: Download frontend build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: frontend-build-${{ github.run_id }}
+          path: ./web/build
+
+      - name: Prepare Go caches
+        run: |
+          echo "GOMODCACHE=$RUNNER_TEMP/gomod" >> $GITHUB_ENV
+          echo "GOCACHE=$RUNNER_TEMP/gocache" >> $GITHUB_ENV
+          go clean -cache -modcache -testcache -fuzzcache
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: '~> v2'
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  docker-release:
+    name: Docker Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+    if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && needs.tag-release.outputs.new-release-published == 'true'
+    needs: [ tag-release ]
     steps:
       - name: Checkout
         uses: actions/checkout@v3
         with:
           fetch-depth: -1
-      - name: Setup Node.js
-        uses: actions/setup-node@v3
-        with:
-          node-version: 20
 
       - name: Fetch Previous version
         id: get-previous-tag
         uses: actions-ecosystem/action-get-latest-tag@v1.6.0
 
-      - name: Release
-        run: yarn global add semantic-release@17.4.4 && semantic-release
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Fetch Current version
-        id: get-current-tag
-        uses: actions-ecosystem/action-get-latest-tag@v1.6.0
-
       - name: Decide Should_Push Or Not
         id: should_push
         run: |
           old_version=${{steps.get-previous-tag.outputs.tag}}
-          new_version=${{steps.get-current-tag.outputs.tag }}
+          new_version=${{ needs.tag-release.outputs.new-release-version }}
 
           old_array=(${old_version//\./ })
           new_array=(${new_version//\./ })
@@ -200,7 +279,7 @@ jobs:
           target: STANDARD
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: casbin/casdoor:${{steps.get-current-tag.outputs.tag }},casbin/casdoor:latest
+          tags: casbin/casdoor:${{ needs.tag-release.outputs.new-release-version }},casbin/casdoor:latest
 
       - name: Push All In One Version to Docker Hub
         uses: docker/build-push-action@v3
@@ -210,7 +289,7 @@ jobs:
           target: ALLINONE
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: casbin/casdoor-all-in-one:${{steps.get-current-tag.outputs.tag }},casbin/casdoor-all-in-one:latest
+          tags: casbin/casdoor-all-in-one:${{ needs.tag-release.outputs.new-release-version }},casbin/casdoor-all-in-one:latest
 
       - uses: actions/checkout@v3
         if: steps.should_push.outputs.push=='true'
@@ -223,8 +302,8 @@ jobs:
         if: steps.should_push.outputs.push=='true'
         run: |
           # Set the appVersion and version of the chart to the current tag
-          sed -i "s/appVersion: .*/appVersion: ${{steps.get-current-tag.outputs.tag }}/g" ./charts/casdoor/Chart.yaml
-          sed -i "s/version: .*/version: ${{steps.get-current-tag.outputs.tag }}/g" ./charts/casdoor/Chart.yaml
+          sed -i "s/appVersion: .*/appVersion: ${{ needs.tag-release.outputs.new-release-version }}/g" ./charts/casdoor/Chart.yaml
+          sed -i "s/version: .*/version: ${{ needs.tag-release.outputs.new-release-version }}/g" ./charts/casdoor/Chart.yaml
 
           REGISTRY=oci://registry-1.docker.io/casbin
           cd charts/casdoor
@@ -238,6 +317,6 @@ jobs:
           git config --global user.name "casbin-bot"
           git config --global user.email "bot@casbin.org"
           git add Chart.yaml index.yaml
-          git commit -m "chore(helm): bump helm charts appVersion to ${{steps.get-current-tag.outputs.tag }}"
-          git tag ${{steps.get-current-tag.outputs.tag }}
+          git commit -m "chore(helm): bump helm charts appVersion to ${{ needs.tag-release.outputs.new-release-version }}"
+          git tag ${{ needs.tag-release.outputs.new-release-version }}
           git push origin HEAD:master --follow-tags

.goreleaser.yaml

@@ -0,0 +1,54 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines below are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+version: 2
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+    # you may remove this if you don't need go generate
+    #- go generate ./...
+
+builds:
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+
+archives:
+  - format: tar.gz
+    # this name template makes the OS and Arch compatible with the results of `uname`.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    # use zip for windows archives
+    format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - src: 'web/build'
+        dst: './web/build'
+      - src: 'conf/app.conf'
+        dst: './conf/app.conf'
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"

Dockerfile

@@ -4,7 +4,7 @@ COPY ./web .
 RUN yarn install --frozen-lockfile --network-timeout 1000000 && NODE_OPTIONS="--max-old-space-size=4096" yarn run build
 
 
-FROM --platform=$BUILDPLATFORM golang:1.21.13 AS BACK
+FROM --platform=$BUILDPLATFORM golang:1.23.12 AS BACK
 WORKDIR /go/src/casdoor
 COPY . .
 RUN ./build.sh

authz/authz.go

@@ -46,6 +46,8 @@ p, *, *, POST, /api/login, *, *
 p, *, *, GET, /api/get-app-login, *, *
 p, *, *, POST, /api/logout, *, *
 p, *, *, GET, /api/logout, *, *
+p, *, *, POST, /api/sso-logout, *, *
+p, *, *, GET, /api/sso-logout, *, *
 p, *, *, POST, /api/callback, *, *
 p, *, *, POST, /api/device-auth, *, *
 p, *, *, GET, /api/get-account, *, *
@@ -65,7 +67,6 @@ p, *, *, POST, /api/upload-users, *, *
 p, *, *, GET, /api/get-resources, *, *
 p, *, *, GET, /api/get-records, *, *
 p, *, *, GET, /api/get-product, *, *
-p, *, *, POST, /api/buy-product, *, *
 p, *, *, GET, /api/get-payment, *, *
 p, *, *, POST, /api/update-payment, *, *
 p, *, *, POST, /api/invoice-payment, *, *
@@ -98,6 +99,8 @@ p, *, *, *, /api/metrics, *, *
 p, *, *, GET, /api/get-pricing, *, *
 p, *, *, GET, /api/get-plan, *, *
 p, *, *, GET, /api/get-subscription, *, *
+p, *, *, GET, /api/get-transactions, *, *
+p, *, *, GET, /api/get-transaction, *, *
 p, *, *, GET, /api/get-provider, *, *
 p, *, *, GET, /api/get-organization-names, *, *
 p, *, *, GET, /api/get-all-objects, *, *
@@ -173,7 +176,7 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o
 
 func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
 	if method == "POST" {
-		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/callback" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" || urlPath == "/api/verify-code" || urlPath == "/api/check-user-password" || strings.HasPrefix(urlPath, "/api/mfa/") || urlPath == "/api/webhook" || urlPath == "/api/get-qrcode" || urlPath == "/api/refresh-engines" {
+		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/sso-logout" || urlPath == "/api/signup" || urlPath == "/api/callback" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" || urlPath == "/api/verify-code" || urlPath == "/api/check-user-password" || strings.HasPrefix(urlPath, "/api/mfa/") || urlPath == "/api/webhook" || urlPath == "/api/get-qrcode" || urlPath == "/api/refresh-engines" {
 			return true
 		} else if urlPath == "/api/update-user" {
 			// Allow ordinary users to update their own information
@@ -181,7 +184,7 @@ func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath
 				return true
 			}
 			return false
-		} else if urlPath == "/api/upload-resource" {
+		} else if urlPath == "/api/upload-resource" || urlPath == "/api/add-transaction" {
 			if subOwner == "app" && subName == "app-casibase" {
 				return true
 			}

controllers/account.go

@@ -80,11 +80,6 @@ type LaravelResponse struct {
 // @Success 200 {object} controllers.Response The Response object
 // @router /signup [post]
 func (c *ApiController) Signup() {
-	if c.GetSessionUsername() != "" {
-		c.ResponseError(c.T("account:Please sign out first"), c.GetSessionUsername())
-		return
-	}
-
 	var authForm form.AuthForm
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &authForm)
 	if err != nil {
@@ -218,7 +213,7 @@ func (c *ApiController) Signup() {
 		Tag:               authForm.Tag,
 		Education:         authForm.Education,
 		Avatar:            organization.DefaultAvatar,
-		Email:             authForm.Email,
+		Email:             strings.ToLower(authForm.Email),
 		Phone:             authForm.Phone,
 		CountryCode:       authForm.CountryCode,
 		Address:           []string{},
@@ -290,6 +285,8 @@ func (c *ApiController) Signup() {
 
 	if user.Type == "normal-user" {
 		c.SetSessionUsername(user.GetId())
+	} else if user.Type == "paid-user" {
+		c.SetSession("paidUsername", user.GetId())
 	}
 
 	if authForm.Email != "" {
@@ -343,8 +340,12 @@ func (c *ApiController) Logout() {
 
 		c.ClearUserSession()
 		c.ClearTokenSession()
-		owner, username := util.GetOwnerAndNameFromId(user)
-		_, err := object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID())
+		owner, username, err := util.GetOwnerAndNameFromIdWithError(user)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		_, err = object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID())
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@@ -391,7 +392,11 @@ func (c *ApiController) Logout() {
 		c.ClearUserSession()
 		c.ClearTokenSession()
 		// TODO https://github.com/casdoor/casdoor/pull/1494#discussion_r1095675265
-		owner, username := util.GetOwnerAndNameFromId(user)
+		owner, username, err := util.GetOwnerAndNameFromIdWithError(user)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 
 		_, err = object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID())
 		if err != nil {
@@ -423,6 +428,106 @@ func (c *ApiController) Logout() {
 	}
 }
 
+// SsoLogout
+// @Title SsoLogout
+// @Tag Login API
+// @Description logout the current user from all applications or current session only
+// @Param   logoutAll   query    string  false     "Whether to logout from all sessions. Accepted values: 'true', '1', or empty (default: true). Any other value means false."
+// @Success 200 {object} controllers.Response The Response object
+// @router /sso-logout [get,post]
+func (c *ApiController) SsoLogout() {
+	user := c.GetSessionUsername()
+
+	if user == "" {
+		c.ResponseOk()
+		return
+	}
+
+	// Check if user wants to logout from all sessions or just current session
+	// Default is true for backward compatibility
+	logoutAll := c.Input().Get("logoutAll")
+	logoutAllSessions := logoutAll == "" || logoutAll == "true" || logoutAll == "1"
+
+	c.ClearUserSession()
+	c.ClearTokenSession()
+	owner, username, err := util.GetOwnerAndNameFromIdWithError(user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	currentSessionId := c.Ctx.Input.CruSession.SessionID()
+	_, err = object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), currentSessionId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	var tokens []*object.Token
+	var sessionIds []string
+
+	if logoutAllSessions {
+		// Logout from all sessions: expire all tokens and delete all sessions
+		// Get tokens before expiring them (for session-level logout notification)
+		tokens, err = object.GetTokensByUser(owner, username)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		_, err = object.ExpireTokenByUser(owner, username)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		sessions, err := object.GetUserSessions(owner, username)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		for _, session := range sessions {
+			sessionIds = append(sessionIds, session.SessionId...)
+		}
+		object.DeleteBeegoSession(sessionIds)
+
+		_, err = object.DeleteAllUserSessions(owner, username)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		util.LogInfo(c.Ctx, "API: [%s] logged out from all applications", user)
+	} else {
+		// Logout from current session only
+		sessionIds = []string{currentSessionId}
+
+		// Only delete the current session's Beego session
+		object.DeleteBeegoSession(sessionIds)
+
+		util.LogInfo(c.Ctx, "API: [%s] logged out from current session", user)
+	}
+
+	// Send SSO logout notifications to all notification providers in the user's signup application
+	// Now includes session-level information for targeted logout
+	userObj, err := object.GetUser(user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if userObj != nil {
+		err = object.SendSsoLogoutNotifications(userObj, sessionIds, tokens)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	}
+
+	c.ResponseOk()
+}
+
 // GetAccount
 // @Title GetAccount
 // @Tag Account API

controllers/auth.go

@@ -137,6 +137,7 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 				c.ResponseError(fmt.Sprintf(c.T("auth:paid-user %s does not have active or pending subscription and the application: %s does not have default pricing"), user.Name, application.Name))
 				return
 			} else {
+				c.SetSession("paidUsername", user.GetId())
 				// let the paid-user select plan
 				c.ResponseOk("SelectPlan", pricing)
 				return
@@ -275,7 +276,7 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 			Application: application.Name,
 			SessionId:   []string{c.Ctx.Input.CruSession.SessionID()},
 
-			ExclusiveSignin: true,
+			ExclusiveSignin: application.EnableExclusiveSignin,
 		})
 		if err != nil {
 			c.ResponseError(err.Error(), nil)
@@ -453,13 +454,6 @@ func (c *ApiController) Login() {
 	verificationType := ""
 
 	if authForm.Username != "" {
-		if authForm.Type == ResponseTypeLogin {
-			if c.GetSessionUsername() != "" {
-				c.ResponseError(c.T("account:Please sign out first"), c.GetSessionUsername())
-				return
-			}
-		}
-
 		var user *object.User
 		if authForm.SigninMethod == "Face ID" {
 			if user, err = object.GetUserByFields(authForm.Organization, authForm.Username); err != nil {
@@ -723,6 +717,7 @@ func (c *ApiController) Login() {
 			return
 		}
 		userInfo := &idp.UserInfo{}
+		var token *oauth2.Token
 		if provider.Category == "SAML" {
 			// SAML
 			userInfo, err = object.ParseSamlResponse(authForm.SamlResponse, provider, c.Ctx.Request.Host)
@@ -753,7 +748,6 @@ func (c *ApiController) Login() {
 			}
 
 			// https://github.com/golang/oauth2/issues/123#issuecomment-103715338
-			var token *oauth2.Token
 			token, err = idProvider.GetToken(authForm.Code)
 			if err != nil {
 				c.ResponseError(err.Error())
@@ -803,7 +797,7 @@ func (c *ApiController) Login() {
 			if user != nil && !user.IsDeleted {
 				// Sign in via OAuth (want to sign up but already have account)
 				// sync info from 3rd-party if possible
-				_, err = object.SetUserOAuthProperties(organization, user, provider.Type, userInfo, provider.UserMapping)
+				_, err = object.SetUserOAuthProperties(organization, user, provider.Type, userInfo, token, provider.UserMapping)
 				if err != nil {
 					c.ResponseError(err.Error())
 					return
@@ -866,6 +860,11 @@ func (c *ApiController) Login() {
 						return
 					}
 
+					// Handle UseEmailAsUsername for OAuth and Web3
+					if organization.UseEmailAsUsername && userInfo.Email != "" {
+						userInfo.Username = userInfo.Email
+					}
+
 					// Handle username conflicts
 					var tmpUser *object.User
 					tmpUser, err = object.GetUser(util.GetId(application.Organization, userInfo.Username))
@@ -948,7 +947,7 @@ func (c *ApiController) Login() {
 				}
 
 				// sync info from 3rd-party if possible
-				_, err = object.SetUserOAuthProperties(organization, user, provider.Type, userInfo, provider.UserMapping)
+				_, err = object.SetUserOAuthProperties(organization, user, provider.Type, userInfo, token, provider.UserMapping)
 				if err != nil {
 					c.ResponseError(err.Error())
 					return
@@ -996,7 +995,7 @@ func (c *ApiController) Login() {
 			}
 
 			// sync info from 3rd-party if possible
-			_, err = object.SetUserOAuthProperties(organization, user, provider.Type, userInfo, provider.UserMapping)
+			_, err = object.SetUserOAuthProperties(organization, user, provider.Type, userInfo, token, provider.UserMapping)
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@@ -1212,7 +1211,7 @@ func (c *ApiController) HandleOfficialAccountEvent() {
 		return
 	}
 	if data.Ticket == "" {
-		c.ResponseError(err.Error())
+		c.ResponseError("empty ticket")
 		return
 	}
 
@@ -1222,10 +1221,11 @@ func (c *ApiController) HandleOfficialAccountEvent() {
 		c.ResponseError(err.Error())
 		return
 	}
-	if data.Ticket == "" {
-		c.ResponseError("empty ticket")
+	if provider == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:The provider: %s does not exist"), providerId))
 		return
 	}
+
 	if !idp.VerifyWechatSignature(provider.Content, nonce, timestamp, signature) {
 		c.ResponseError("invalid signature")
 		return
@@ -1277,6 +1277,11 @@ func (c *ApiController) GetQRCode() {
 		c.ResponseError(err.Error())
 		return
 	}
+	if provider == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:The provider: %s does not exist"), providerId))
+		return
+	}
+
 	code, ticket, err := idp.GetWechatOfficialAccountQRCode(provider.ClientId2, provider.ClientSecret2, providerId)
 	if err != nil {
 		c.ResponseError(err.Error())

controllers/base.go

@@ -122,6 +122,26 @@ func (c *ApiController) GetSessionUsername() string {
 	return user.(string)
 }
 
+// GetPaidUsername ...
+func (c *ApiController) GetPaidUsername() string {
+	// check if user session expired
+	sessionData := c.GetSessionData()
+
+	if sessionData != nil &&
+		sessionData.ExpireTime != 0 &&
+		sessionData.ExpireTime < time.Now().Unix() {
+		c.ClearUserSession()
+		return ""
+	}
+
+	user := c.GetSession("paidUsername")
+	if user == nil {
+		return ""
+	}
+
+	return user.(string)
+}
+
 func (c *ApiController) GetSessionToken() string {
 	accessToken := c.GetSession("accessToken")
 	if accessToken == nil {

controllers/casbin_api.go

@@ -119,7 +119,11 @@ func (c *ApiController) Enforce() {
 
 	permissions := []*object.Permission{}
 	if modelId != "" {
-		owner, modelName := util.GetOwnerAndNameFromId(modelId)
+		owner, modelName, err := util.GetOwnerAndNameFromIdWithError(modelId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 		permissions, err = object.GetPermissionsByModel(owner, modelName)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -255,7 +259,11 @@ func (c *ApiController) BatchEnforce() {
 
 	permissions := []*object.Permission{}
 	if modelId != "" {
-		owner, modelName := util.GetOwnerAndNameFromId(modelId)
+		owner, modelName, err := util.GetOwnerAndNameFromIdWithError(modelId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 		permissions, err = object.GetPermissionsByModel(owner, modelName)
 		if err != nil {
 			c.ResponseError(err.Error())

controllers/casbin_cli_api.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"sort"
 	"strings"
 	"sync"
@@ -38,6 +39,46 @@ var (
 	cliVersionMutex sync.RWMutex
 )
 
+// cleanOldMEIFolders cleans up old _MEIXXX folders from the Casdoor temp directory
+// that are older than 24 hours. These folders are created by PyInstaller when
+// executing casbin-python-cli and can accumulate over time.
+func cleanOldMEIFolders() {
+	tempDir := "temp"
+	cutoffTime := time.Now().Add(-24 * time.Hour)
+
+	entries, err := os.ReadDir(tempDir)
+	if err != nil {
+		// Log error but don't fail - cleanup is best-effort
+		// This is expected if temp directory doesn't exist yet
+		return
+	}
+
+	for _, entry := range entries {
+		// Check if the entry is a directory and matches the _MEI pattern
+		if !entry.IsDir() || !strings.HasPrefix(entry.Name(), "_MEI") {
+			continue
+		}
+
+		dirPath := filepath.Join(tempDir, entry.Name())
+		info, err := entry.Info()
+		if err != nil {
+			continue
+		}
+
+		// Check if the folder is older than 24 hours
+		if info.ModTime().Before(cutoffTime) {
+			// Try to remove the directory
+			err = os.RemoveAll(dirPath)
+			if err != nil {
+				// Log but continue with other folders
+				fmt.Printf("failed to remove old MEI folder %s: %v\n", dirPath, err)
+			} else {
+				fmt.Printf("removed old MEI folder: %s\n", dirPath)
+			}
+		}
+	}
+}
+
 // getCLIVersion
 // @Title getCLIVersion
 // @Description Get CLI version with cache mechanism
@@ -66,6 +107,9 @@ func getCLIVersion(language string) (string, error) {
 	}
 	cliVersionMutex.RUnlock()
 
+	// Clean up old _MEI folders before running the command
+	cleanOldMEIFolders()
+
 	cmd := exec.Command(binaryName, "--version")
 	output, err := cmd.CombinedOutput()
 	if err != nil {
@@ -186,6 +230,10 @@ func (c *ApiController) RunCasbinCommand() {
 		return
 	}
 
+	// Clean up old _MEI folders before running the command
+	// This is especially important for Python CLI which creates these folders
+	cleanOldMEIFolders()
+
 	command := exec.Command(binaryName, processedArgs...)
 	outputBytes, err := command.CombinedOutput()
 	if err != nil {

controllers/enforcer.go

@@ -84,10 +84,12 @@ func (c *ApiController) GetEnforcer() {
 		return
 	}
 
-	if loadModelCfg == "true" && enforcer.Model != "" {
-		err := enforcer.LoadModelCfg()
-		if err != nil {
-			return
+	if enforcer != nil {
+		if loadModelCfg == "true" && enforcer.Model != "" {
+			err = enforcer.LoadModelCfg()
+			if err != nil {
+				return
+			}
 		}
 	}
 

controllers/group_upload.go

@@ -24,7 +24,11 @@ import (
 
 func (c *ApiController) UploadGroups() {
 	userId := c.GetSessionUsername()
-	owner, user := util.GetOwnerAndNameFromId(userId)
+	owner, user, err := util.GetOwnerAndNameFromIdWithError(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 
 	file, header, err := c.Ctx.Request.FormFile("file")
 	if err != nil {

controllers/invitation.go

@@ -102,6 +102,10 @@ func (c *ApiController) GetInvitationCodeInfo() {
 		c.ResponseError(err.Error())
 		return
 	}
+	if application == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The application: %s does not exist"), applicationId))
+		return
+	}
 
 	invitation, msg := object.GetInvitationByCode(code, application.Organization, c.GetAcceptLanguage())
 	if msg != "" {
@@ -225,18 +229,35 @@ func (c *ApiController) SendInvitation() {
 		c.ResponseError(err.Error())
 		return
 	}
-
-	application, err := object.GetApplicationByOrganizationName(invitation.Owner)
-	if err != nil {
-		c.ResponseError(err.Error())
+	if organization == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The organization: %s does not exist"), invitation.Owner))
 		return
 	}
 
+	var application *object.Application
+	if invitation.Application != "" {
+		application, err = object.GetApplication(fmt.Sprintf("admin/%s-org-%s", invitation.Application, invitation.Owner))
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	} else {
+		application, err = object.GetApplicationByOrganizationName(invitation.Owner)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	}
+
 	if application == nil {
 		c.ResponseError(fmt.Sprintf(c.T("general:The organization: %s should have one application at least"), invitation.Owner))
 		return
 	}
 
+	if application.IsShared {
+		application.Name = fmt.Sprintf("%s-org-%s", application.Name, invitation.Owner)
+	}
+
 	provider, err := application.GetEmailProvider("Invitation")
 	if err != nil {
 		c.ResponseError(err.Error())

controllers/ldap.go

@@ -16,6 +16,7 @@ package controllers
 
 import (
 	"encoding/json"
+	"fmt"
 
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
@@ -47,12 +48,20 @@ type LdapSyncResp struct {
 func (c *ApiController) GetLdapUsers() {
 	id := c.Input().Get("id")
 
-	_, ldapId := util.GetOwnerAndNameFromId(id)
+	_, ldapId, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 	ldapServer, err := object.GetLdap(ldapId)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
+	if ldapServer == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The LDAP: %s does not exist"), ldapId))
+		return
+	}
 
 	conn, err := ldapServer.GetLdapConn()
 	if err != nil {
@@ -125,7 +134,11 @@ func (c *ApiController) GetLdap() {
 		return
 	}
 
-	_, name := util.GetOwnerAndNameFromId(id)
+	_, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 	ldap, err := object.GetLdap(name)
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -255,9 +268,13 @@ func (c *ApiController) DeleteLdap() {
 func (c *ApiController) SyncLdapUsers() {
 	id := c.Input().Get("id")
 
-	owner, ldapId := util.GetOwnerAndNameFromId(id)
+	owner, ldapId, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 	var users []object.LdapUser
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &users)
+	err = json.Unmarshal(c.Ctx.Input.RequestBody, &users)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return

controllers/mfa.go

@@ -135,6 +135,17 @@ func (c *ApiController) MfaSetupVerify() {
 			return
 		}
 		config.URL = secret
+	} else if mfaType == object.PushType {
+		if dest == "" {
+			c.ResponseError("push notification receiver is missing")
+			return
+		}
+		config.Secret = dest
+		if secret == "" {
+			c.ResponseError("push notification provider is missing")
+			return
+		}
+		config.URL = secret
 	}
 
 	mfaUtil := object.GetMfaUtil(mfaType, config)
@@ -222,6 +233,17 @@ func (c *ApiController) MfaSetupEnable() {
 			return
 		}
 		config.URL = secret
+	} else if mfaType == object.PushType {
+		if dest == "" {
+			c.ResponseError("push notification receiver is missing")
+			return
+		}
+		config.Secret = dest
+		if secret == "" {
+			c.ResponseError("push notification provider is missing")
+			return
+		}
+		config.URL = secret
 	}
 
 	if recoveryCodes == "" {

controllers/order.go

@@ -0,0 +1,166 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/beego/beego/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetOrders
+// @Title GetOrders
+// @Tag Order API
+// @Description get orders
+// @Param   owner     query    string  true        "The owner of orders"
+// @Success 200 {array} object.Order The Response object
+// @router /get-orders [get]
+func (c *ApiController) GetOrders() {
+	owner := c.Input().Get("owner")
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+
+	if limit == "" || page == "" {
+		orders, err := object.GetOrders(owner)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(orders)
+	} else {
+		limit := util.ParseInt(limit)
+		count, err := object.GetOrderCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		orders, err := object.GetPaginationOrders(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(orders, paginator.Nums())
+	}
+}
+
+// GetUserOrders
+// @Title GetUserOrders
+// @Tag Order API
+// @Description get orders for a user
+// @Param   owner     query    string  true        "The owner of orders"
+// @Param   user    query   string  true           "The username of the user"
+// @Success 200 {array} object.Order The Response object
+// @router /get-user-orders [get]
+func (c *ApiController) GetUserOrders() {
+	owner := c.Input().Get("owner")
+	user := c.Input().Get("user")
+
+	orders, err := object.GetUserOrders(owner, user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(orders)
+}
+
+// GetOrder
+// @Title GetOrder
+// @Tag Order API
+// @Description get order
+// @Param   id     query    string  true        "The id ( owner/name ) of the order"
+// @Success 200 {object} object.Order The Response object
+// @router /get-order [get]
+func (c *ApiController) GetOrder() {
+	id := c.Input().Get("id")
+
+	order, err := object.GetOrder(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(order)
+}
+
+// UpdateOrder
+// @Title UpdateOrder
+// @Tag Order API
+// @Description update order
+// @Param   id     query    string  true        "The id ( owner/name ) of the order"
+// @Param   body    body   object.Order  true        "The details of the order"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-order [post]
+func (c *ApiController) UpdateOrder() {
+	id := c.Input().Get("id")
+
+	var order object.Order
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &order)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdateOrder(id, &order))
+	c.ServeJSON()
+}
+
+// AddOrder
+// @Title AddOrder
+// @Tag Order API
+// @Description add order
+// @Param   body    body   object.Order  true        "The details of the order"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-order [post]
+func (c *ApiController) AddOrder() {
+	var order object.Order
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &order)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddOrder(&order))
+	c.ServeJSON()
+}
+
+// DeleteOrder
+// @Title DeleteOrder
+// @Tag Order API
+// @Description delete order
+// @Param   body    body   object.Order  true        "The details of the order"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-order [post]
+func (c *ApiController) DeleteOrder() {
+	var order object.Order
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &order)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeleteOrder(&order))
+	c.ServeJSON()
+}

controllers/order_pay.go

@@ -0,0 +1,169 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// PlaceOrder
+// @Title PlaceOrder
+// @Tag Order API
+// @Description place an order for a product
+// @Param   productId     query    string  true        "The id ( owner/name ) of the product"
+// @Param   pricingName   query    string  false       "The name of the pricing (for subscription)"
+// @Param   planName      query    string  false       "The name of the plan (for subscription)"
+// @Param   customPrice   query    number  false       "Custom price for recharge products"
+// @Param   userName      query    string  false       "The username to place order for (admin only)"
+// @Success 200 {object} object.Order The Response object
+// @router /place-order [post]
+func (c *ApiController) PlaceOrder() {
+	productId := c.Input().Get("productId")
+	pricingName := c.Input().Get("pricingName")
+	planName := c.Input().Get("planName")
+	customPriceStr := c.Input().Get("customPrice")
+	paidUserName := c.Input().Get("userName")
+
+	if productId == "" {
+		c.ResponseError(c.T("general:ProductId is required"))
+		return
+	}
+
+	var customPrice float64
+	if customPriceStr != "" {
+		var err error
+		customPrice, err = strconv.ParseFloat(customPriceStr, 64)
+		if err != nil {
+			c.ResponseError(fmt.Sprintf(c.T("general:Invalid customPrice: %s"), customPriceStr))
+			return
+		}
+	}
+
+	owner, _, err := util.GetOwnerAndNameFromIdWithError(productId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	var userId string
+	if paidUserName != "" {
+		userId = util.GetId(owner, paidUserName)
+		if userId != c.GetSessionUsername() && !c.IsAdmin() && userId != c.GetPaidUsername() {
+			c.ResponseError(c.T("general:Only admin user can specify user"))
+			return
+		}
+
+		c.SetSession("paidUsername", "")
+	} else {
+		userId = c.GetSessionUsername()
+	}
+
+	if userId == "" {
+		c.ResponseError(c.T("general:Please login first"))
+		return
+	}
+
+	user, err := object.GetUser(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if user == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
+		return
+	}
+
+	order, err := object.PlaceOrder(productId, user, pricingName, planName, customPrice)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(order)
+}
+
+// PayOrder
+// @Title PayOrder
+// @Tag Order API
+// @Description pay an existing order
+// @Param   id     query    string  true        "The id ( owner/name ) of the order"
+// @Param   providerName    query    string  true  "The name of the provider"
+// @Success 200 {object} controllers.Response The Response object
+// @router /pay-order [post]
+func (c *ApiController) PayOrder() {
+	id := c.Input().Get("id")
+	host := c.Ctx.Request.Host
+	providerName := c.Input().Get("providerName")
+	paymentEnv := c.Input().Get("paymentEnv")
+
+	order, err := object.GetOrder(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if order == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:The order: %s does not exist"), id))
+		return
+	}
+
+	userId := c.GetSessionUsername()
+	orderUserId := util.GetId(order.Owner, order.User)
+	if userId != orderUserId && !c.IsAdmin() {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
+	payment, attachInfo, err := object.PayOrder(providerName, host, paymentEnv, order)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(payment, attachInfo)
+}
+
+// CancelOrder
+// @Title CancelOrder
+// @Tag Order API
+// @Description cancel an order
+// @Param   id     query    string  true        "The id ( owner/name ) of the order"
+// @Success 200 {object} controllers.Response The Response object
+// @router /cancel-order [post]
+func (c *ApiController) CancelOrder() {
+	id := c.Input().Get("id")
+	order, err := object.GetOrder(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if order == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:The order: %s does not exist"), id))
+		return
+	}
+
+	userId := c.GetSessionUsername()
+	orderUserId := util.GetId(order.Owner, order.User)
+	if userId != orderUserId && !c.IsAdmin() {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.CancelOrder(order))
+	c.ServeJSON()
+}

controllers/organization.go

@@ -130,6 +130,10 @@ func (c *ApiController) UpdateOrganization() {
 
 	isGlobalAdmin, _ := c.isGlobalAdmin()
 
+	if organization.BalanceCurrency == "" {
+		organization.BalanceCurrency = "USD"
+	}
+
 	c.Data["json"] = wrapActionResponse(object.UpdateOrganization(id, &organization, isGlobalAdmin))
 	c.ServeJSON()
 }
@@ -165,6 +169,10 @@ func (c *ApiController) AddOrganization() {
 		return
 	}
 
+	if organization.BalanceCurrency == "" {
+		organization.BalanceCurrency = "USD"
+	}
+
 	c.Data["json"] = wrapActionResponse(object.AddOrganization(&organization))
 	c.ServeJSON()
 }

controllers/permission_upload.go

@@ -24,7 +24,11 @@ import (
 
 func (c *ApiController) UploadPermissions() {
 	userId := c.GetSessionUsername()
-	owner, user := util.GetOwnerAndNameFromId(userId)
+	owner, user, err := util.GetOwnerAndNameFromIdWithError(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 
 	file, header, err := c.Ctx.Request.FormFile("file")
 	if err != nil {

controllers/product.go

@@ -16,8 +16,6 @@ package controllers
 
 import (
 	"encoding/json"
-	"fmt"
-	"strconv"
 
 	"github.com/beego/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@@ -151,64 +149,3 @@ func (c *ApiController) DeleteProduct() {
 	c.Data["json"] = wrapActionResponse(object.DeleteProduct(&product))
 	c.ServeJSON()
 }
-
-// BuyProduct
-// @Title BuyProduct
-// @Tag Product API
-// @Description buy product
-// @Param   id     query    string  true        "The id ( owner/name ) of the product"
-// @Param   providerName    query    string  true  "The name of the provider"
-// @Success 200 {object} controllers.Response The Response object
-// @router /buy-product [post]
-func (c *ApiController) BuyProduct() {
-	id := c.Input().Get("id")
-	host := c.Ctx.Request.Host
-	providerName := c.Input().Get("providerName")
-	paymentEnv := c.Input().Get("paymentEnv")
-	customPriceStr := c.Input().Get("customPrice")
-	if customPriceStr == "" {
-		customPriceStr = "0"
-	}
-
-	customPrice, err := strconv.ParseFloat(customPriceStr, 64)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	// buy `pricingName/planName` for `paidUserName`
-	pricingName := c.Input().Get("pricingName")
-	planName := c.Input().Get("planName")
-	paidUserName := c.Input().Get("userName")
-	owner, _ := util.GetOwnerAndNameFromId(id)
-	userId := util.GetId(owner, paidUserName)
-	if paidUserName != "" && paidUserName != c.GetSessionUsername() && !c.IsAdmin() {
-		c.ResponseError(c.T("general:Only admin user can specify user"))
-		return
-	}
-	if paidUserName == "" {
-		userId = c.GetSessionUsername()
-	}
-	if userId == "" {
-		c.ResponseError(c.T("general:Please login first"))
-		return
-	}
-
-	user, err := object.GetUser(userId)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	if user == nil {
-		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
-		return
-	}
-
-	payment, attachInfo, err := object.BuyProduct(id, user, providerName, pricingName, planName, host, paymentEnv, customPrice)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(payment, attachInfo)
-}

controllers/role_upload.go

@@ -24,7 +24,11 @@ import (
 
 func (c *ApiController) UploadRoles() {
 	userId := c.GetSessionUsername()
-	owner, user := util.GetOwnerAndNameFromId(userId)
+	owner, user, err := util.GetOwnerAndNameFromIdWithError(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 
 	file, header, err := c.Ctx.Request.FormFile("file")
 	if err != nil {

controllers/session.go

@@ -68,7 +68,7 @@ func (c *ApiController) GetSessions() {
 // @Title GetSingleSession
 // @Tag Session API
 // @Description Get session for one user in one application.
-// @Param   sessionPkId     query    string  true        "The id(organization/user/application) of session"
+// @Param   sessionPkId     query    string  true        "The session ID in format: organization/user/application (e.g., built-in/admin/app-built-in)"
 // @Success 200 {array} string The Response object
 // @router /get-session [get]
 func (c *ApiController) GetSingleSession() {
@@ -87,8 +87,8 @@ func (c *ApiController) GetSingleSession() {
 // @Title UpdateSession
 // @Tag Session API
 // @Description Update session for one user in one application.
-// @Param   id     query    string  true        "The id(organization/user/application) of session"
-// @Success 200 {array} string The Response object
+// @Param   body     body    object.Session  true        "The session object to update"
+// @Success 200 {object} controllers.Response The Response object
 // @router /update-session [post]
 func (c *ApiController) UpdateSession() {
 	var session object.Session
@@ -106,9 +106,8 @@ func (c *ApiController) UpdateSession() {
 // @Title AddSession
 // @Tag Session API
 // @Description Add session for one user in one application. If there are other existing sessions, join the session into the list.
-// @Param   id     query    string  true        "The id(organization/user/application) of session"
-// @Param   sessionId     query    string  true        "sessionId to be added"
-// @Success 200 {array} string The Response object
+// @Param   body     body    object.Session  true        "The session object to add"
+// @Success 200 {object} controllers.Response The Response object
 // @router /add-session [post]
 func (c *ApiController) AddSession() {
 	var session object.Session
@@ -126,8 +125,8 @@ func (c *ApiController) AddSession() {
 // @Title DeleteSession
 // @Tag Session API
 // @Description Delete session for one user in one application.
-// @Param   id     query    string  true        "The id(organization/user/application) of session"
-// @Success 200 {array} string The Response object
+// @Param   body     body    object.Session  true        "The session object to delete"
+// @Success 200 {object} controllers.Response The Response object
 // @router /delete-session [post]
 func (c *ApiController) DeleteSession() {
 	var session object.Session
@@ -145,8 +144,8 @@ func (c *ApiController) DeleteSession() {
 // @Title IsSessionDuplicated
 // @Tag Session API
 // @Description Check if there are other different sessions for one user in one application.
-// @Param   sessionPkId     query    string  true        "The id(organization/user/application) of session"
-// @Param   sessionId     query    string  true        "sessionId to be checked"
+// @Param   sessionPkId     query    string  true        "The session ID in format: organization/user/application (e.g., built-in/admin/app-built-in)"
+// @Param   sessionId     query    string  true        "The specific session ID to check"
 // @Success 200 {array} string The Response object
 // @router /is-session-duplicated [get]
 func (c *ApiController) IsSessionDuplicated() {

controllers/syncer.go

@@ -16,6 +16,7 @@ package controllers
 
 import (
 	"encoding/json"
+	"fmt"
 
 	"github.com/beego/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@@ -159,6 +160,10 @@ func (c *ApiController) RunSyncer() {
 		c.ResponseError(err.Error())
 		return
 	}
+	if syncer == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The syncer: %s does not exist"), id))
+		return
+	}
 
 	err = object.RunSyncer(syncer)
 	if err != nil {

controllers/ticket.go

@@ -0,0 +1,271 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/beego/beego/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetTickets
+// @Title GetTickets
+// @Tag Ticket API
+// @Description get tickets
+// @Param   owner     query    string  true        "The owner of tickets"
+// @Success 200 {array} object.Ticket The Response object
+// @router /get-tickets [get]
+func (c *ApiController) GetTickets() {
+	owner := c.Input().Get("owner")
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+
+	user := c.getCurrentUser()
+	isAdmin := c.IsAdmin()
+
+	var tickets []*object.Ticket
+	var err error
+
+	if limit == "" || page == "" {
+		if isAdmin {
+			tickets, err = object.GetTickets(owner)
+		} else {
+			tickets, err = object.GetUserTickets(owner, user.GetId())
+		}
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(tickets)
+	} else {
+		limit := util.ParseInt(limit)
+		var count int64
+
+		if isAdmin {
+			count, err = object.GetTicketCount(owner, field, value)
+		} else {
+			// For non-admin users, only show their own tickets
+			tickets, err = object.GetUserTickets(owner, user.GetId())
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+			count = int64(len(tickets))
+		}
+
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+
+		if isAdmin {
+			tickets, err = object.GetPaginationTickets(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		}
+
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(tickets, paginator.Nums())
+	}
+}
+
+// GetTicket
+// @Title GetTicket
+// @Tag Ticket API
+// @Description get ticket
+// @Param   id     query    string  true        "The id ( owner/name ) of the ticket"
+// @Success 200 {object} object.Ticket The Response object
+// @router /get-ticket [get]
+func (c *ApiController) GetTicket() {
+	id := c.Input().Get("id")
+
+	ticket, err := object.GetTicket(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Check permission: user can only view their own tickets unless they are admin
+	user := c.getCurrentUser()
+	isAdmin := c.IsAdmin()
+
+	if ticket != nil && !isAdmin && ticket.User != user.GetId() {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
+	c.ResponseOk(ticket)
+}
+
+// UpdateTicket
+// @Title UpdateTicket
+// @Tag Ticket API
+// @Description update ticket
+// @Param   id     query    string  true        "The id ( owner/name ) of the ticket"
+// @Param   body    body   object.Ticket  true        "The details of the ticket"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-ticket [post]
+func (c *ApiController) UpdateTicket() {
+	id := c.Input().Get("id")
+
+	var ticket object.Ticket
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &ticket)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Check permission
+	user := c.getCurrentUser()
+	isAdmin := c.IsAdmin()
+
+	existingTicket, err := object.GetTicket(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if existingTicket == nil {
+		c.ResponseError(c.T("ticket:Ticket not found"))
+		return
+	}
+
+	// Normal users can only close their own tickets
+	if !isAdmin {
+		if existingTicket.User != user.GetId() {
+			c.ResponseError(c.T("auth:Unauthorized operation"))
+			return
+		}
+		// Normal users can only change state to "Closed"
+		if ticket.State != "Closed" && ticket.State != existingTicket.State {
+			c.ResponseError(c.T("auth:Unauthorized operation"))
+			return
+		}
+		// Preserve original fields that users shouldn't modify
+		ticket.Owner = existingTicket.Owner
+		ticket.Name = existingTicket.Name
+		ticket.User = existingTicket.User
+		ticket.CreatedTime = existingTicket.CreatedTime
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdateTicket(id, &ticket))
+	c.ServeJSON()
+}
+
+// AddTicket
+// @Title AddTicket
+// @Tag Ticket API
+// @Description add ticket
+// @Param   body    body   object.Ticket  true        "The details of the ticket"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-ticket [post]
+func (c *ApiController) AddTicket() {
+	var ticket object.Ticket
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &ticket)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Set the user field to the current user
+	user := c.getCurrentUser()
+	ticket.User = user.GetId()
+
+	c.Data["json"] = wrapActionResponse(object.AddTicket(&ticket))
+	c.ServeJSON()
+}
+
+// DeleteTicket
+// @Title DeleteTicket
+// @Tag Ticket API
+// @Description delete ticket
+// @Param   body    body   object.Ticket  true        "The details of the ticket"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-ticket [post]
+func (c *ApiController) DeleteTicket() {
+	var ticket object.Ticket
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &ticket)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Only admins can delete tickets
+	if !c.IsAdmin() {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeleteTicket(&ticket))
+	c.ServeJSON()
+}
+
+// AddTicketMessage
+// @Title AddTicketMessage
+// @Tag Ticket API
+// @Description add a message to a ticket
+// @Param   id     query    string  true        "The id ( owner/name ) of the ticket"
+// @Param   body    body   object.TicketMessage  true        "The message to add"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-ticket-message [post]
+func (c *ApiController) AddTicketMessage() {
+	id := c.Input().Get("id")
+
+	var message object.TicketMessage
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &message)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Check permission
+	user := c.getCurrentUser()
+	isAdmin := c.IsAdmin()
+
+	ticket, err := object.GetTicket(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if ticket == nil {
+		c.ResponseError(c.T("ticket:Ticket not found"))
+		return
+	}
+
+	// Users can only add messages to their own tickets, admins can add to any ticket
+	if !isAdmin && ticket.User != user.GetId() {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
+	// Set the author and admin flag
+	message.Author = user.GetId()
+	message.IsAdmin = isAdmin
+
+	c.Data["json"] = wrapActionResponse(object.AddTicketMessage(id, &message))
+	c.ServeJSON()
+}

controllers/token.go

@@ -28,7 +28,7 @@ import (
 // @Title GetTokens
 // @Tag Token API
 // @Description get tokens
-// @Param   owner     query    string  true        "The owner of tokens"
+// @Param   owner     query    string  true        "The organization name (e.g., built-in)"
 // @Param   pageSize     query    string  true        "The size of each page"
 // @Param   p     query    string  true        "The number of the page"
 // @Success 200 {array} object.Token The Response object
@@ -73,7 +73,7 @@ func (c *ApiController) GetTokens() {
 // @Title GetToken
 // @Tag Token API
 // @Description get token
-// @Param   id     query    string  true        "The id ( owner/name ) of token"
+// @Param   id     query    string  true        "The token ID in format: organization/token-name (e.g., built-in/token-123456)"
 // @Success 200 {object} object.Token The Response object
 // @router /get-token [get]
 func (c *ApiController) GetToken() {
@@ -91,7 +91,7 @@ func (c *ApiController) GetToken() {
 // @Title UpdateToken
 // @Tag Token API
 // @Description update token
-// @Param   id     query    string  true        "The id ( owner/name ) of token"
+// @Param   id     query    string  true        "The token ID in format: organization/token-name (e.g., built-in/token-123456)"
 // @Param   body    body   object.Token  true        "Details of the token"
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-token [post]

controllers/transaction.go

@@ -39,7 +39,26 @@ func (c *ApiController) GetTransactions() {
 	sortOrder := c.Input().Get("sortOrder")
 
 	if limit == "" || page == "" {
-		transactions, err := object.GetTransactions(owner)
+		var transactions []*object.Transaction
+		var err error
+
+		if c.IsAdmin() {
+			// If field is "user", filter by that user even for admins
+			if field == "user" && value != "" {
+				transactions, err = object.GetUserTransactions(owner, value)
+			} else {
+				transactions, err = object.GetTransactions(owner)
+			}
+		} else {
+			user := c.GetSessionUsername()
+			_, userName, userErr := util.GetOwnerAndNameFromIdWithError(user)
+			if userErr != nil {
+				c.ResponseError(userErr.Error())
+				return
+			}
+			transactions, err = object.GetUserTransactions(owner, userName)
+		}
+
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@@ -48,6 +67,19 @@ func (c *ApiController) GetTransactions() {
 		c.ResponseOk(transactions)
 	} else {
 		limit := util.ParseInt(limit)
+
+		// Apply user filter for non-admin users
+		if !c.IsAdmin() {
+			user := c.GetSessionUsername()
+			_, userName, userErr := util.GetOwnerAndNameFromIdWithError(user)
+			if userErr != nil {
+				c.ResponseError(userErr.Error())
+				return
+			}
+			field = "user"
+			value = userName
+		}
+
 		count, err := object.GetTransactionCount(owner, field, value)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -65,28 +97,6 @@ func (c *ApiController) GetTransactions() {
 	}
 }
 
-// GetUserTransactions
-// @Title GetUserTransaction
-// @Tag Transaction API
-// @Description get transactions for a user
-// @Param   owner     query    string  true        "The owner of transactions"
-// @Param   organization    query   string  true   "The organization of the user"
-// @Param   user    query   string  true           "The username of the user"
-// @Success 200 {array} object.Transaction The Response object
-// @router /get-user-transactions [get]
-func (c *ApiController) GetUserTransactions() {
-	owner := c.Input().Get("owner")
-	user := c.Input().Get("user")
-
-	transactions, err := object.GetUserTransactions(owner, user)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(transactions)
-}
-
 // GetTransaction
 // @Title GetTransaction
 // @Tag Transaction API
@@ -103,6 +113,27 @@ func (c *ApiController) GetTransaction() {
 		return
 	}
 
+	if transaction == nil {
+		c.ResponseOk(nil)
+		return
+	}
+
+	// Check if non-admin user is trying to access someone else's transaction
+	if !c.IsAdmin() {
+		user := c.GetSessionUsername()
+		_, userName, userErr := util.GetOwnerAndNameFromIdWithError(user)
+		if userErr != nil {
+			c.ResponseError(userErr.Error())
+			return
+		}
+
+		// Only allow users to view their own transactions
+		if transaction.User != userName {
+			c.ResponseError(c.T("auth:Unauthorized operation"))
+			return
+		}
+	}
+
 	c.ResponseOk(transaction)
 }
 
@@ -124,7 +155,7 @@ func (c *ApiController) UpdateTransaction() {
 		return
 	}
 
-	c.Data["json"] = wrapActionResponse(object.UpdateTransaction(id, &transaction))
+	c.Data["json"] = wrapActionResponse(object.UpdateTransaction(id, &transaction, c.GetAcceptLanguage()))
 	c.ServeJSON()
 }
 
@@ -133,6 +164,7 @@ func (c *ApiController) UpdateTransaction() {
 // @Tag Transaction API
 // @Description add transaction
 // @Param   body    body   object.Transaction  true        "The details of the transaction"
+// @Param   dryRun  query  string  false       "Dry run mode: set to 'true' or '1' to validate without committing"
 // @Success 200 {object} controllers.Response The Response object
 // @router /add-transaction [post]
 func (c *ApiController) AddTransaction() {
@@ -143,8 +175,22 @@ func (c *ApiController) AddTransaction() {
 		return
 	}
 
-	c.Data["json"] = wrapActionResponse(object.AddTransaction(&transaction))
-	c.ServeJSON()
+	dryRunParam := c.Input().Get("dryRun")
+	dryRun := dryRunParam != ""
+
+	affected, transactionId, err := object.AddTransaction(&transaction, c.GetAcceptLanguage(), dryRun)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if !affected {
+		c.Data["json"] = wrapActionResponse(false)
+		c.ServeJSON()
+		return
+	}
+
+	c.ResponseOk(transactionId)
 }
 
 // DeleteTransaction
@@ -162,6 +208,6 @@ func (c *ApiController) DeleteTransaction() {
 		return
 	}
 
-	c.Data["json"] = wrapActionResponse(object.DeleteTransaction(&transaction))
+	c.Data["json"] = wrapActionResponse(object.DeleteTransaction(&transaction, c.GetAcceptLanguage()))
 	c.ServeJSON()
 }

controllers/user.go

@@ -500,11 +500,6 @@ func (c *ApiController) SetPassword() {
 	//	return
 	// }
 
-	if strings.Contains(newPassword, " ") {
-		c.ResponseError(c.T("user:New password cannot contain blank space."))
-		return
-	}
-
 	userId := util.GetId(userOwner, userName)
 
 	user, err := object.GetUser(userId)
@@ -517,6 +512,41 @@ func (c *ApiController) SetPassword() {
 		return
 	}
 
+	// Get organization to check for password obfuscation settings
+	organization, err := object.GetOrganizationByUser(user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if organization == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:the organization: %s is not found"), user.Owner))
+		return
+	}
+
+	// Deobfuscate passwords if organization has password obfuscator configured
+	// Note: Deobfuscation is optional - if it fails, we treat the password as plain text
+	// This allows SDKs and raw HTTP API calls to work without obfuscation support
+	if organization.PasswordObfuscatorType != "" && organization.PasswordObfuscatorType != "Plain" {
+		if oldPassword != "" {
+			deobfuscatedOldPassword, deobfuscateErr := util.GetUnobfuscatedPassword(organization.PasswordObfuscatorType, organization.PasswordObfuscatorKey, oldPassword)
+			if deobfuscateErr == nil {
+				oldPassword = deobfuscatedOldPassword
+			}
+		}
+
+		if newPassword != "" {
+			deobfuscatedNewPassword, deobfuscateErr := util.GetUnobfuscatedPassword(organization.PasswordObfuscatorType, organization.PasswordObfuscatorKey, newPassword)
+			if deobfuscateErr == nil {
+				newPassword = deobfuscatedNewPassword
+			}
+		}
+	}
+
+	if strings.Contains(newPassword, " ") {
+		c.ResponseError(c.T("user:New password cannot contain blank space."))
+		return
+	}
+
 	requestUserId := c.GetSessionUsername()
 	if requestUserId == "" && code == "" {
 		c.ResponseError(c.T("general:Please login first"), "Please login first")
@@ -573,22 +603,12 @@ func (c *ApiController) SetPassword() {
 		}
 	}
 
-	msg := object.CheckPasswordComplexity(targetUser, newPassword)
+	msg := object.CheckPasswordComplexity(targetUser, newPassword, c.GetAcceptLanguage())
 	if msg != "" {
 		c.ResponseError(msg)
 		return
 	}
 
-	organization, err := object.GetOrganizationByUser(targetUser)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	if organization == nil {
-		c.ResponseError(fmt.Sprintf(c.T("auth:the organization: %s is not found"), targetUser.Owner))
-		return
-	}
-
 	// Check if the new password is the same as the current password
 	if !object.CheckPasswordNotSameAsCurrent(targetUser, newPassword, organization) {
 		c.ResponseError(c.T("user:The new password must be different from your current password"))
@@ -757,3 +777,133 @@ func (c *ApiController) RemoveUserFromGroup() {
 
 	c.ResponseOk(affected)
 }
+
+// VerifyIdentification
+// @Title VerifyIdentification
+// @Tag User API
+// @Description verify user's real identity using ID Verification provider
+// @Param   owner     query    string  false  "The owner of the user (optional, defaults to logged-in user)"
+// @Param   name      query    string  false  "The name of the user (optional, defaults to logged-in user)"
+// @Param   provider  query    string  false  "The name of the ID Verification provider (optional, auto-selected if not provided)"
+// @Success 200 {object} controllers.Response The Response object
+// @router /verify-identification [post]
+func (c *ApiController) VerifyIdentification() {
+	owner := c.Input().Get("owner")
+	name := c.Input().Get("name")
+	providerName := c.Input().Get("provider")
+
+	// If user not specified, use logged-in user
+	if owner == "" || name == "" {
+		loggedInUser := c.GetSessionUsername()
+		if loggedInUser == "" {
+			c.ResponseError(c.T("general:Please login first"))
+			return
+		}
+		var err error
+		owner, name, err = util.GetOwnerAndNameFromIdWithError(loggedInUser)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	} else {
+		// If user is specified, check if current user has permission to verify other users
+		// Only admins can verify other users
+		loggedInUser := c.GetSessionUsername()
+		if loggedInUser != util.GetId(owner, name) && !c.IsAdmin() {
+			c.ResponseError(c.T("auth:Unauthorized operation"))
+			return
+		}
+	}
+
+	user, err := object.GetUser(util.GetId(owner, name))
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if user == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), util.GetId(owner, name)))
+		return
+	}
+
+	if user.IdCard == "" || user.IdCardType == "" || user.RealName == "" {
+		c.ResponseError(c.T("user:ID card information and real name are required"))
+		return
+	}
+
+	if user.IsVerified {
+		c.ResponseError(c.T("user:User is already verified"))
+		return
+	}
+
+	var provider *object.Provider
+	// If provider not specified, find suitable IDV provider from user's application
+	if providerName == "" {
+		application, err := object.GetApplicationByUser(user)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if application == nil {
+			c.ResponseError(c.T("user:No application found for user"))
+			return
+		}
+
+		// Find IDV provider from application
+		idvProvider, err := object.GetIdvProviderByApplication(util.GetId(application.Owner, application.Name), "false", c.GetAcceptLanguage())
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if idvProvider == nil {
+			c.ResponseError(c.T("provider:No ID Verification provider configured"))
+			return
+		}
+		provider = idvProvider
+	} else {
+		provider, err = object.GetProvider(providerName)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if provider == nil {
+			c.ResponseError(fmt.Sprintf(c.T("provider:The provider: %s does not exist"), providerName))
+			return
+		}
+
+		if provider.Category != "ID Verification" {
+			c.ResponseError(c.T("provider:Provider is not an ID Verification provider"))
+			return
+		}
+	}
+
+	idvProvider := object.GetIdvProviderFromProvider(provider)
+	if idvProvider == nil {
+		c.ResponseError(c.T("provider:Failed to initialize ID Verification provider"))
+		return
+	}
+
+	verified, err := idvProvider.VerifyIdentity(user.IdCardType, user.IdCard, user.RealName)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if !verified {
+		c.ResponseError(c.T("user:Identity verification failed"))
+		return
+	}
+
+	// Set IsVerified to true upon successful verification
+	user.IsVerified = true
+	_, err = object.UpdateUser(user.GetId(), user, []string{"is_verified"}, false)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(user.RealName)
+}

controllers/user_upload.go

@@ -52,7 +52,11 @@ func (c *ApiController) UploadUsers() {
 	}
 
 	userId := c.GetSessionUsername()
-	owner, user := util.GetOwnerAndNameFromId(userId)
+	owner, user, err := util.GetOwnerAndNameFromIdWithError(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 
 	file, header, err := c.Ctx.Request.FormFile("file")
 	if err != nil {

controllers/verification.go

@@ -44,7 +44,11 @@ const (
 // @Success 200 {array} object.Verification The Response object
 // @router /get-payments [get]
 func (c *ApiController) GetVerifications() {
-	owner := c.Input().Get("owner")
+	organization, ok := c.RequireAdmin()
+	if !ok {
+		return
+	}
+
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
 	field := c.Input().Get("field")
@@ -52,8 +56,15 @@ func (c *ApiController) GetVerifications() {
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
 
+	owner := c.Input().Get("owner")
+	// For global admin with organizationName parameter, use it to filter
+	// For org admin, use their organization
+	if c.IsGlobalAdmin() && owner != "" {
+		organization = owner
+	}
+
 	if limit == "" || page == "" {
-		payments, err := object.GetVerifications(owner)
+		payments, err := object.GetVerifications(organization)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@@ -62,14 +73,14 @@ func (c *ApiController) GetVerifications() {
 		c.ResponseOk(payments)
 	} else {
 		limit := util.ParseInt(limit)
-		count, err := object.GetVerificationCount(owner, field, value)
+		count, err := object.GetVerificationCount(organization, field, value)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
 
 		paginator := pagination.SetPaginator(c.Ctx, limit, count)
-		payments, err := object.GetPaginationVerifications(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		payments, err := object.GetPaginationVerifications(organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return

deployment/deploy_test.go

@@ -13,7 +13,6 @@
 // limitations under the License.
 
 //go:build !skipCi
-// +build !skipCi
 
 package deployment
 

go.mod

@@ -1,10 +1,13 @@
 module github.com/casdoor/casdoor
 
-go 1.21
+go 1.23.0
 
 require (
 	github.com/Masterminds/squirrel v1.5.3
+	github.com/NdoleStudio/lemonsqueezy-go v1.2.4
+	github.com/PaddleHQ/paddle-go-sdk v1.0.0
 	github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387
+	github.com/alibabacloud-go/cloudauth-20190307/v3 v3.9.2
 	github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.4
 	github.com/alibabacloud-go/facebody-20191230/v5 v5.1.2
 	github.com/alibabacloud-go/openapi-util v0.1.0
@@ -15,7 +18,7 @@ require (
 	github.com/beevik/etree v1.1.0
 	github.com/casbin/casbin/v2 v2.77.2
 	github.com/casdoor/go-sms-sender v0.25.0
-	github.com/casdoor/gomail/v2 v2.1.0
+	github.com/casdoor/gomail/v2 v2.2.0
 	github.com/casdoor/ldapserver v1.2.0
 	github.com/casdoor/notify v1.0.1
 	github.com/casdoor/oss v1.8.0
@@ -29,7 +32,8 @@ require (
 	github.com/go-git/go-git/v5 v5.13.0
 	github.com/go-ldap/ldap/v3 v3.4.6
 	github.com/go-mysql-org/go-mysql v1.7.0
-	github.com/go-pay/gopay v1.5.72
+	github.com/go-pay/gopay v1.5.115
+	github.com/go-pay/util v0.0.4
 	github.com/go-sql-driver/mysql v1.6.0
 	github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible
 	github.com/go-webauthn/webauthn v0.10.2
@@ -42,6 +46,7 @@ require (
 	github.com/markbates/goth v1.79.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nyaruka/phonenumbers v1.2.2
+	github.com/polarsource/polar-go v0.12.0
 	github.com/pquerna/otp v1.4.0
 	github.com/prometheus/client_golang v1.11.1
 	github.com/prometheus/client_model v0.4.0
@@ -52,17 +57,17 @@ require (
 	github.com/sendgrid/sendgrid-go v3.14.0+incompatible
 	github.com/shirou/gopsutil v3.21.11+incompatible
 	github.com/siddontang/go-log v0.0.0-20190221022429-1e957dd83bed
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	github.com/stripe/stripe-go/v74 v74.29.0
 	github.com/tealeg/xlsx v1.0.5
 	github.com/thanhpk/randstr v1.0.4
 	github.com/xorm-io/builder v0.3.13
 	github.com/xorm-io/core v0.7.4
 	github.com/xorm-io/xorm v1.1.6
-	golang.org/x/crypto v0.33.0
-	golang.org/x/net v0.35.0
+	golang.org/x/crypto v0.39.0
+	golang.org/x/net v0.40.0
 	golang.org/x/oauth2 v0.17.0
-	golang.org/x/text v0.22.0
+	golang.org/x/text v0.26.0
 	google.golang.org/api v0.150.0
 	gopkg.in/square/go-jose.v2 v2.6.0
 	layeh.com/radius v0.0.0-20231213012653-1006025d24f8
@@ -124,10 +129,17 @@ require (
 	github.com/elazarl/go-bindata-assetfs v1.0.1 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
+	github.com/ggicci/httpin v0.19.0 // indirect
+	github.com/ggicci/owl v0.8.2 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.0 // indirect
 	github.com/go-lark/lark v1.9.0 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
+	github.com/go-pay/crypto v0.0.1 // indirect
+	github.com/go-pay/errgroup v0.0.3 // indirect
+	github.com/go-pay/smap v0.0.2 // indirect
+	github.com/go-pay/xlog v0.0.3 // indirect
+	github.com/go-pay/xtime v0.0.2 // indirect
 	github.com/go-webauthn/x v0.1.9 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
@@ -146,6 +158,7 @@ require (
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/gregdel/pushover v1.2.1 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
@@ -162,9 +175,9 @@ require (
 	github.com/line/line-bot-sdk-go v7.8.0+incompatible // indirect
 	github.com/markbates/going v1.0.0 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
-	github.com/mattn/go-colorable v0.1.12 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-ieproxy v0.0.1 // indirect
-	github.com/mattn/go-isatty v0.0.16 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
 	github.com/mileusna/viber v1.0.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
@@ -191,6 +204,7 @@ require (
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.0 // indirect
 	github.com/slack-go/slack v0.12.3 // indirect
+	github.com/spyzhov/ajson v0.8.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/syndtr/goleveldb v1.0.0 // indirect
 	github.com/technoweenie/multipartstreamer v1.0.1 // indirect
@@ -217,11 +231,11 @@ require (
 	go.uber.org/zap v1.19.1 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/image v0.0.0-20190802002840-cff245a6509b // indirect
-	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/sync v0.11.0 // indirect
-	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/mod v0.25.0 // indirect
+	golang.org/x/sync v0.15.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.23.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b // indirect

go.sum

@@ -78,7 +78,11 @@ github.com/Masterminds/squirrel v1.5.3/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA4
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/NdoleStudio/lemonsqueezy-go v1.2.4 h1:BhWlCUH+DIPfSn4g/V7f2nFkMCQuzno9DXKZ7YDrXXA=
+github.com/NdoleStudio/lemonsqueezy-go v1.2.4/go.mod h1:2uZlWgn9sbNxOx3JQWLlPrDOC6NT/wmSTOgL3U/fMMw=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/PaddleHQ/paddle-go-sdk v1.0.0 h1:+EXitsPFbRcc0CpQE/MIeudxiVOR8pFe/aOWTEUHDKU=
+github.com/PaddleHQ/paddle-go-sdk v1.0.0/go.mod h1:kbBBzf0BHEj38QvhtoELqlGip3alKgA/I+vl7RQzB58=
 github.com/ProtonMail/go-crypto v1.1.3 h1:nRBOetoydLeUb4nHajyO2bKqMLfWQ/ZPwkXqXxPxCFk=
 github.com/ProtonMail/go-crypto v1.1.3/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
 github.com/RocketChat/Rocket.Chat.Go.SDK v0.0.0-20221121042443-a3fd332d56d9 h1:vuu1KBsr6l7XU3CHsWESP/4B1SNd+VZkrgeFZsUXrsY=
@@ -106,6 +110,8 @@ github.com/alibabacloud-go/alibabacloud-gateway-pop v0.0.6/go.mod h1:4EUIoxs/do2
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc=
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 h1:zE8vH9C7JiZLNJJQ5OwjU9mSi4T9ef9u3BURT6LCLC8=
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5/go.mod h1:tWnyE9AjF8J8qqLk645oUmVUnFybApTQWklQmi5tY6g=
+github.com/alibabacloud-go/cloudauth-20190307/v3 v3.9.2 h1:y4s0WQ1jrBtOJfXGgsv/83brJvkkHbFdORp0WDyVAuw=
+github.com/alibabacloud-go/cloudauth-20190307/v3 v3.9.2/go.mod h1:kD75qqMQyjCiz6lssjRzYGTumcli8STLXQstVe6ytxk=
 github.com/alibabacloud-go/darabonba-array v0.1.0 h1:vR8s7b1fWAQIjEjWnuF0JiKsCvclSRTfDzZHTYqfufY=
 github.com/alibabacloud-go/darabonba-array v0.1.0/go.mod h1:BLKxr0brnggqOJPqT09DFJ8g3fsDshapUD3C3aOEFaI=
 github.com/alibabacloud-go/darabonba-encode-util v0.0.2 h1:1uJGrbsGEVqWcWxrS9MyC2NG0Ax+GpOM5gtupki31XE=
@@ -116,6 +122,7 @@ github.com/alibabacloud-go/darabonba-number v1.0.4 h1:aTY1TanasI0A1AYT3Co+PLttFS
 github.com/alibabacloud-go/darabonba-number v1.0.4/go.mod h1:9NJbJwLCPxHzFwYqnr27G2X8pSTAz0uSQEJsrjr/kqw=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.0/go.mod h1:5JHVmnHvGzR2wNdgaW1zDLQG8kOC4Uec8ubkMogW7OQ=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.6/go.mod h1:CzQnh+94WDnJOnKZH5YRyouL+OOcdBnXY5VWAf0McgI=
+github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.10/go.mod h1:26a14FGhZVELuz2cc2AolvW4RHmIO3/HRwsdHhaIPDE=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.4 h1:IGSZHlOnWwBbLtX5xDplQvZOH0nkrV7Wmq+Fto7JK5w=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.4/go.mod h1:Wxis0IBFusdbo44HO6KYYCJR1rRkoh47QQOYWvaheSU=
 github.com/alibabacloud-go/darabonba-signature-util v0.0.7 h1:UzCnKvsjPFzApvODDNEYqBHMFt1w98wC7FOo0InLyxg=
@@ -159,6 +166,7 @@ github.com/alibabacloud-go/tea-utils v1.3.6 h1:bVjrxHztM8hAs6nOfLWCgxQfAtKb9RgFF
 github.com/alibabacloud-go/tea-utils v1.3.6/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE=
 github.com/alibabacloud-go/tea-utils/v2 v2.0.0/go.mod h1:U5MTY10WwlquGPS34DOeomUGBB0gXbLueiq5Trwu0C4=
 github.com/alibabacloud-go/tea-utils/v2 v2.0.5/go.mod h1:dL6vbUT35E4F4bFTHL845eUloqaerYBYPsdWR2/jhe4=
+github.com/alibabacloud-go/tea-utils/v2 v2.0.6/go.mod h1:qxn986l+q33J5VkialKMqT/TTs3E+U9MJpd001iWQ9I=
 github.com/alibabacloud-go/tea-utils/v2 v2.0.7 h1:WDx5qW3Xa5ZgJ1c8NfqJkF6w+AU5wB8835UdhPr6Ax0=
 github.com/alibabacloud-go/tea-utils/v2 v2.0.7/go.mod h1:qxn986l+q33J5VkialKMqT/TTs3E+U9MJpd001iWQ9I=
 github.com/alibabacloud-go/tea-xml v1.1.1/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=
@@ -233,8 +241,8 @@ github.com/casdoor/go-reddit/v2 v2.1.0 h1:kIbfdJ7AA7H0uTQ8s0q4GGZqSS5V9wVE74RrXy
 github.com/casdoor/go-reddit/v2 v2.1.0/go.mod h1:eagkvwlZ4Hcsuc/uQsLHYEulz5jN65SVSwV/AIE7zsc=
 github.com/casdoor/go-sms-sender v0.25.0 h1:eF4cOCSbjVg7+0uLlJQnna/FQ0BWW+Fp/x4cXhzQu1Y=
 github.com/casdoor/go-sms-sender v0.25.0/go.mod h1:bOm4H8/YfJmEHjBatEVQFOnAf0OOn1B0Wi5B7zDhws0=
-github.com/casdoor/gomail/v2 v2.1.0 h1:ua97E3CARnF1Ik8ga/Drz9uGZfaElXJumFexiErWUxM=
-github.com/casdoor/gomail/v2 v2.1.0/go.mod h1:GFzOD9RhY0nODiiPaQiOa6DfoKtmO9aTesu5qrp26OI=
+github.com/casdoor/gomail/v2 v2.2.0 h1:gVMk43qvqq4XYkAJ+CDY5WWKF9yYRipuyXfp7P0HWIg=
+github.com/casdoor/gomail/v2 v2.2.0/go.mod h1:GFzOD9RhY0nODiiPaQiOa6DfoKtmO9aTesu5qrp26OI=
 github.com/casdoor/ldapserver v1.2.0 h1:HdSYe+ULU6z9K+2BqgTrJKQRR4//ERAXB64ttOun6Ow=
 github.com/casdoor/ldapserver v1.2.0/go.mod h1:VwYU2vqQ2pA8sa00PRekH71R2XmgfzMKhmp1XrrDu2s=
 github.com/casdoor/notify v1.0.1 h1:p0kzI7OBlvLbL7zWeKIu31LRcEAygNZGKr5gcFfSIoE=
@@ -350,6 +358,10 @@ github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWo
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
 github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/ggicci/httpin v0.19.0 h1:p0B3SWLVgg770VirYiHB14M5wdRx3zR8mCTzM/TkTQ8=
+github.com/ggicci/httpin v0.19.0/go.mod h1:hzsQHcbqLabmGOycf7WNw6AAzcVbsMeoOp46bWAbIWc=
+github.com/ggicci/owl v0.8.2 h1:og+lhqpzSMPDdEB+NJfzoAJARP7qCG3f8uUC3xvGukA=
+github.com/ggicci/owl v0.8.2/go.mod h1:PHRD57u41vFN5UtFz2SF79yTVoM3HlWpjMiE+ZU2dj4=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/glendc/gopher-json v0.0.0-20170414221815-dc4743023d0c/go.mod h1:Gja1A+xZ9BoviGJNA2E9vFkPjjsl+CoJxSXiQM1UXtw=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
@@ -384,8 +396,20 @@ github.com/go-mysql-org/go-mysql v1.7.0 h1:qE5FTRb3ZeTQmlk3pjE+/m2ravGxxRDrVDTyD
 github.com/go-mysql-org/go-mysql v1.7.0/go.mod h1:9cRWLtuXNKhamUPMkrDVzBhaomGvqLRLtBiyjvjc4pk=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
-github.com/go-pay/gopay v1.5.72 h1:3zm64xMBhJBa8rXbm//q5UiGgOa4WO5XYEnU394N2Zw=
-github.com/go-pay/gopay v1.5.72/go.mod h1:0qOGIJuFW7PKDOjmecwKyW0mgsVImgwB9yPJj0ilpn8=
+github.com/go-pay/crypto v0.0.1 h1:B6InT8CLfSLc6nGRVx9VMJRBBazFMjr293+jl0lLXUY=
+github.com/go-pay/crypto v0.0.1/go.mod h1:41oEIvHMKbNcYlWUlRWtsnC6+ASgh7u29z0gJXe5bes=
+github.com/go-pay/errgroup v0.0.3 h1:DB4s8e8oWYDyETKQ1y1riMJ7y29zE1uIsMCSjEOFSbU=
+github.com/go-pay/errgroup v0.0.3/go.mod h1:0+4b8mvFMS71MIzsaC+gVvB4x37I93lRb2dqrwuU8x8=
+github.com/go-pay/gopay v1.5.115 h1:8WjWftPChKCiVt5Qz2xLqXeUdidsR+y9/R2S/7Q9szc=
+github.com/go-pay/gopay v1.5.115/go.mod h1:p48xvWeepPolZuakAjCeucWynWwW7msoXsqahcoJpKE=
+github.com/go-pay/smap v0.0.2 h1:kKflYor5T5FgZltPFBMTFfjJvqYMHr5VnIFSEyhVTcA=
+github.com/go-pay/smap v0.0.2/go.mod h1:HW9oAo0okuyDYsbpbj5fJFxnNj/BZorRGFw26SxrNWw=
+github.com/go-pay/util v0.0.4 h1:TuwSU9o3Qd7m9v1PbzFuIA/8uO9FJnA6P7neG/NwPyk=
+github.com/go-pay/util v0.0.4/go.mod h1:Tsdhs8Ib9J9b4+NKNO1PHh5hWHhlg98PthsX0ckq6PM=
+github.com/go-pay/xlog v0.0.3 h1:avyMhCL/JgBHreoGx/am/kHxfs1udDOAeVqbmzP/Yes=
+github.com/go-pay/xlog v0.0.3/go.mod h1:mH47xbobrdsSHWsmFtSF5agWbMHFP+tK0ZbVCk5OAEw=
+github.com/go-pay/xtime v0.0.2 h1:7YR4/iuELsEHpJ6LUO0SVK80hQxDO9MLCfuVYIiTCRM=
+github.com/go-pay/xtime v0.0.2/go.mod h1:W1yRbJaSt4CSBcdAtLBQ8xajiN/Pl5hquGczUcUE9xE=
 github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
 github.com/go-playground/locales v0.14.0/go.mod h1:sawfccIbzZTqEDETgFXqTho0QybSa7l++s0DH+LDiLs=
@@ -522,8 +546,9 @@ github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORR
 github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
-github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/pat v0.0.0-20180118222023-199c85a7f6d1 h1:LqbZZ9sNMWVjeXS4NN5oVvhMjDyLhmA1LG86oSo+IqY=
 github.com/gorilla/pat v0.0.0-20180118222023-199c85a7f6d1/go.mod h1:YeAe0gNeiNT5hoiZRI4yiOky6jVdNvfO2N6Kav/HmxY=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
@@ -540,6 +565,7 @@ github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOj
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
@@ -585,8 +611,9 @@ github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHW
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jmoiron/sqlx v1.3.3/go.mod h1:2BljVx/86SuTyjE+aPYlHCTNvZrnJXghYGpNiXLBMCQ=
-github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
+github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
+github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible h1:jdpOPRN1zP63Td1hDQbZW73xKmzDvZHzVdNYxhnTMDA=
@@ -605,6 +632,8 @@ github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfV
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
+github.com/justinas/alice v1.2.0 h1:+MHSA/vccVCF4Uq37S42jwlkvI2Xzl7zTPCN5BnZNVo=
+github.com/justinas/alice v1.2.0/go.mod h1:fN5HRH/reO/zrUflLfTN43t3vXvKzvZIENsNEe7i7qA=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
@@ -671,8 +700,9 @@ github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaO
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-ieproxy v0.0.1 h1:qiyop7gCflfhwCzGyeT0gro3sF9AIg9HU98JORTkqfI=
 github.com/mattn/go-ieproxy v0.0.1/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
@@ -681,8 +711,9 @@ github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcME
 github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
 github.com/mattn/go-sqlite3 v2.0.3+incompatible h1:gXHsfypPkaMZrKbD5209QV9jbUTJKjyR5WD3HYQSd+U=
 github.com/mattn/go-sqlite3 v2.0.3+incompatible/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
@@ -776,6 +807,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/polarsource/polar-go v0.12.0 h1:um+6ftOPUMg2TQq9Kv/6fKGBOAl7dOc2YiDdx4Bb0y8=
+github.com/polarsource/polar-go v0.12.0/go.mod h1:FB11Q4m2n3wIk6l/POOkz0MVOUx1o0Yt4Y97MnQfe0c=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
 github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
 github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=
@@ -882,6 +915,8 @@ github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJ
 github.com/sony/sonyflake v1.0.0 h1:MpU6Ro7tfXwgn2l5eluf9xQvQJDROTBImNCfRXn/YeM=
 github.com/sony/sonyflake v1.0.0/go.mod h1:Jv3cfhf/UFtolOTTRd3q4Nl6ENqM+KfyZ5PseKfZGF4=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/spyzhov/ajson v0.8.0 h1:sFXyMbi4Y/BKjrsfkUZHSjA2JM1184enheSjjoT/zCc=
+github.com/spyzhov/ajson v0.8.0/go.mod h1:63V+CGM6f1Bu/p4nLIN8885ojBdt88TbLoSFzyqMuVA=
 github.com/ssdb/gossdb v0.0.0-20180723034631-88f6b59b84ec/go.mod h1:QBvMkMya+gXctz3kmljlUCu/yB3GZ6oee+dUozsezQE=
 github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/streadway/amqp v1.0.0/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
@@ -904,8 +939,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/stripe/stripe-go/v74 v74.29.0 h1:ffJ+1Ta1Ccg7yDDz+SfjixX0KizEEJ/wNVRoFYkdwFY=
 github.com/stripe/stripe-go/v74 v74.29.0/go.mod h1:f9L6LvaXa35ja7eyvP6GQswoaIPaBRvGAimAO+udbBw=
 github.com/syndtr/goleveldb v0.0.0-20160425020131-cfa635847112/go.mod h1:Z4AUp2Km+PwemOoO/VB5AOx9XSsIItzFjoJlOSiYmn0=
@@ -1037,7 +1072,6 @@ golang.org/x/crypto v0.0.0-20210915214749-c084706c2272/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210920023735-84f357641f63/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220208233918-bba287dce954/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
@@ -1050,8 +1084,8 @@ golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOM
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
-golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
-golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
+golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20181106170214-d68db9428509/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1097,8 +1131,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
-golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
+golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20171115151908-9dfe39835686/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1161,8 +1195,8 @@ golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
-golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
-golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1189,8 +1223,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
-golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
+golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1265,6 +1299,7 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1276,8 +1311,8 @@ golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -1295,8 +1330,8 @@ golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
 golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
-golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
-golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
+golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1316,8 +1351,8 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
-golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
+golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1384,8 +1419,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
-golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
+golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

i18n/generate.go

@@ -141,10 +141,26 @@ func parseAllWords(category string) *I18nData {
 	return &data
 }
 
+// copyI18nData creates a deep copy of an I18nData structure to prevent shared reference issues
+// between language translations. This ensures each language starts with fresh English defaults
+// rather than inheriting values from previously processed languages.
+func copyI18nData(src *I18nData) *I18nData {
+	dst := I18nData{}
+	for namespace, pairs := range *src {
+		dst[namespace] = make(map[string]string)
+		for key, value := range pairs {
+			dst[namespace][key] = value
+		}
+	}
+	return &dst
+}
+
 func applyToOtherLanguage(category string, language string, newData *I18nData) {
 	oldData := readI18nFile(category, language)
 	println(oldData)
 
-	applyData(newData, oldData)
-	writeI18nFile(category, language, newData)
+	// Create a copy of newData to avoid modifying the shared data across languages
+	dataCopy := copyI18nData(newData)
+	applyData(dataCopy, oldData)
+	writeI18nFile(category, language, dataCopy)
 }

i18n/generate_test.go

@@ -13,7 +13,6 @@
 // limitations under the License.
 
 //go:build !skipCi
-// +build !skipCi
 
 package i18n
 

i18n/locales/ar/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "يرجى التسجيل باستخدام اسم المستخدم المطابق لرمز الدعوة",
     "Session outdated, please login again": "الجلسة منتهية الصلاحية، يرجى تسجيل الدخول مرة أخرى",
     "The invitation code has already been used": "رمز الدعوة تم استخدامه بالفعل",
+    "The password must contain at least one special character": "يجب أن تحتوي كلمة المرور على حرف خاص واحد على الأقل",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "يجب أن تحتوي كلمة المرور على حرف كبير واحد على الأقل وحرف صغير ورقم",
+    "The password must have at least 6 characters": "يجب أن تحتوي كلمة المرور على 6 أحرف على الأقل",
+    "The password must have at least 8 characters": "يجب أن تحتوي كلمة المرور على 8 أحرف على الأقل",
+    "The password must not contain any repeated characters": "يجب ألا تحتوي كلمة المرور على أي أحرف متكررة",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "تم حذف المستخدم ولا يمكن استخدامه لتسجيل الدخول، يرجى الاتصال بالمسؤول",
     "The user is forbidden to sign in, please contact the administrator": "المستخدم ممنوع من تسجيل الدخول، يرجى الاتصال بالمسؤول",
     "The user: %s doesn't exist in LDAP server": "المستخدم: %s غير موجود في خادم LDAP",

i18n/locales/az/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Xahiş edirik dəvət koduna uyğun istifadəçi adı istifadə edərək qeydiyyatdan keçin",
     "Session outdated, please login again": "Sessiyanın vaxtı keçib, xahiş edirik yenidən daxil olun",
     "The invitation code has already been used": "Dəvət kodu artıq istifadə edilib",
+    "The password must contain at least one special character": "Parol ən azı bir xüsusi simvol ehtiva etməlidir",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Parol ən azı bir böyük hərf, bir kiçik hərf və bir rəqəm ehtiva etməlidir",
+    "The password must have at least 6 characters": "Parol ən azı 6 simvoldan ibarət olmalıdır",
+    "The password must have at least 8 characters": "Parol ən azı 8 simvoldan ibarət olmalıdır",
+    "The password must not contain any repeated characters": "Parol təkrarlanan simvollar ehtiva etməməlidir",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "İstifadəçi silinib və daxil olmaq üçün istifadə edilə bilməz, zəhmət olmasa administratorla əlaqə saxlayın",
     "The user is forbidden to sign in, please contact the administrator": "İstifadəçinin girişi qadağandır, xahiş edirik administratorla əlaqə saxlayın",
     "The user: %s doesn't exist in LDAP server": "İstifadəçi: %s LDAP serverində mövcud deyil",

i18n/locales/cs/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Prosím registrujte se pomocí uživatelského jména odpovídajícího pozvánkovému kódu",
     "Session outdated, please login again": "Relace je zastaralá, prosím přihlaste se znovu",
     "The invitation code has already been used": "Pozvánkový kód již byl použit",
+    "The password must contain at least one special character": "Heslo musí obsahovat alespoň jeden speciální znak",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Heslo musí obsahovat alespoň jedno velké písmeno, jedno malé písmeno a jednu číslici",
+    "The password must have at least 6 characters": "Heslo musí mít alespoň 6 znaků",
+    "The password must have at least 8 characters": "Heslo musí mít alespoň 8 znaků",
+    "The password must not contain any repeated characters": "Heslo nesmí obsahovat opakující se znaky",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "Uživatel byl odstraněn a nelze jej použít k přihlášení, kontaktujte prosím správce",
     "The user is forbidden to sign in, please contact the administrator": "Uživatel má zakázáno se přihlásit, prosím kontaktujte administrátora",
     "The user: %s doesn't exist in LDAP server": "Uživatel: %s neexistuje na LDAP serveru",

i18n/locales/de/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Bitte registrieren Sie sich mit dem Benutzernamen, der zum Einladungscode gehört",
     "Session outdated, please login again": "Sitzung abgelaufen, bitte erneut anmelden",
     "The invitation code has already been used": "Der Einladungscode wurde bereits verwendet",
+    "The password must contain at least one special character": "Das Passwort muss mindestens ein Sonderzeichen enthalten",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Das Passwort muss mindestens einen Großbuchstaben, einen Kleinbuchstaben und eine Ziffer enthalten",
+    "The password must have at least 6 characters": "Das Passwort muss mindestens 6 Zeichen haben",
+    "The password must have at least 8 characters": "Das Passwort muss mindestens 8 Zeichen haben",
+    "The password must not contain any repeated characters": "Das Passwort darf keine wiederholten Zeichen enthalten",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "Der Benutzer wurde gelöscht und kann nicht zur Anmeldung verwendet werden. Bitte wenden Sie sich an den Administrator",
     "The user is forbidden to sign in, please contact the administrator": "Dem Benutzer ist der Zugang verboten, bitte kontaktieren Sie den Administrator",
     "The user: %s doesn't exist in LDAP server": "Der Benutzer: %s existiert nicht im LDAP-Server",

i18n/locales/en/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
     "Session outdated, please login again": "Session outdated, please login again",
     "The invitation code has already been used": "The invitation code has already been used",
+    "The password must contain at least one special character": "The password must contain at least one special character",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "The password must contain at least one uppercase letter, one lowercase letter and one digit",
+    "The password must have at least 6 characters": "The password must have at least 6 characters",
+    "The password must have at least 8 characters": "The password must have at least 8 characters",
+    "The password must not contain any repeated characters": "The password must not contain any repeated characters",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "The user has been deleted and cannot be used to sign in, please contact the administrator",
     "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
     "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",

i18n/locales/es/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Regístrese usando el nombre de usuario correspondiente al código de invitación",
     "Session outdated, please login again": "Sesión expirada, por favor vuelva a iniciar sesión",
     "The invitation code has already been used": "El código de invitación ya ha sido utilizado",
+    "The password must contain at least one special character": "La contraseña debe contener al menos un carácter especial",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "La contraseña debe contener al menos una letra mayúscula, una letra minúscula y un dígito",
+    "The password must have at least 6 characters": "La contraseña debe tener al menos 6 caracteres",
+    "The password must have at least 8 characters": "La contraseña debe tener al menos 8 caracteres",
+    "The password must not contain any repeated characters": "La contraseña no debe contener caracteres repetidos",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "El usuario ha sido eliminado y no se puede usar para iniciar sesión, póngase en contacto con el administrador",
     "The user is forbidden to sign in, please contact the administrator": "El usuario no está autorizado a iniciar sesión, por favor contacte al administrador",
     "The user: %s doesn't exist in LDAP server": "El usuario: %s no existe en el servidor LDAP",

i18n/locales/fa/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "لطفاً با استفاده از نام کاربری مربوط به کد دعوت ثبت‌نام کنید",
     "Session outdated, please login again": "جلسه منقضی شده است، لطفاً دوباره وارد شوید",
     "The invitation code has already been used": "کد دعوت قبلاً استفاده شده است",
+    "The password must contain at least one special character": "رمز عبور باید حداقل یک کاراکتر خاص داشته باشد",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "رمز عبور باید حداقل یک حرف بزرگ، یک حرف کوچک و یک رقم داشته باشد",
+    "The password must have at least 6 characters": "رمز عبور باید حداقل 6 کاراکتر داشته باشد",
+    "The password must have at least 8 characters": "رمز عبور باید حداقل 8 کاراکتر داشته باشد",
+    "The password must not contain any repeated characters": "رمز عبور نباید شامل کاراکترهای تکراری باشد",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "کاربر حذف شده است و نمی توان از آن برای ورود استفاده کرد، لطفا با مدیر تماس بگیرید",
     "The user is forbidden to sign in, please contact the administrator": "ورود کاربر ممنوع است، لطفاً با مدیر تماس بگیرید",
     "The user: %s doesn't exist in LDAP server": "کاربر: %s در سرور LDAP وجود ندارد",

i18n/locales/fi/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Rekisteröidy käyttämällä kutsukoodiin vastaavaa käyttäjänimeä",
     "Session outdated, please login again": "Istunto vanhentunut, kirjaudu uudelleen",
     "The invitation code has already been used": "Kutsukoodi on jo käytetty",
+    "The password must contain at least one special character": "Salasanan on sisällettävä vähintään yksi erikoismerkki",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Salasanan on sisällettävä vähintään yksi iso kirjain, yksi pieni kirjain ja yksi numero",
+    "The password must have at least 6 characters": "Salasanassa on oltava vähintään 6 merkkiä",
+    "The password must have at least 8 characters": "Salasanassa on oltava vähintään 8 merkkiä",
+    "The password must not contain any repeated characters": "Salasana ei saa sisältää toistuvia merkkejä",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "Käyttäjä on poistettu eikä sitä voi käyttää kirjautumiseen, ota yhteyttä järjestelmänvalvojaan",
     "The user is forbidden to sign in, please contact the administrator": "Käyttäjän kirjautuminen on estetty, ota yhteyttä ylläpitäjään",
     "The user: %s doesn't exist in LDAP server": "Käyttäjä: %s ei ole olemassa LDAP-palvelimessa",

i18n/locales/fr/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Veuillez vous inscrire avec le nom d'utilisateur correspondant au code d'invitation",
     "Session outdated, please login again": "Session expirée, veuillez vous connecter à nouveau",
     "The invitation code has already been used": "Le code d'invitation a déjà été utilisé",
+    "The password must contain at least one special character": "Le mot de passe doit contenir au moins un caractère spécial",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Le mot de passe doit contenir au moins une lettre majuscule, une lettre minuscule et un chiffre",
+    "The password must have at least 6 characters": "Le mot de passe doit contenir au moins 6 caractères",
+    "The password must have at least 8 characters": "Le mot de passe doit contenir au moins 8 caractères",
+    "The password must not contain any repeated characters": "Le mot de passe ne doit pas contenir de caractères répétés",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "L'utilisateur a été supprimé et ne peut pas être utilisé pour se connecter, veuillez contacter l'administrateur",
     "The user is forbidden to sign in, please contact the administrator": "L'utilisateur est interdit de se connecter, veuillez contacter l'administrateur",
     "The user: %s doesn't exist in LDAP server": "L'utilisateur : %s n'existe pas sur le serveur LDAP",

i18n/locales/he/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "אנא הרשם באמצעות שם המשתמש התואם לקוד ההזמנה",
     "Session outdated, please login again": "הסשן פג תוקף, אנא התחבר שוב",
     "The invitation code has already been used": "קוד ההזמנה כבר נוצל",
+    "The password must contain at least one special character": "הסיסמה חייבת להכיל לפחות תו מיוחד אחד",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "הסיסמה חייבת להכיל לפחות אות גדולה אחת, אות קטנה אחת וספרה אחת",
+    "The password must have at least 6 characters": "הסיסמה חייבת להכיל לפחות 6 תווים",
+    "The password must have at least 8 characters": "הסיסמה חייבת להכיל לפחות 8 תווים",
+    "The password must not contain any repeated characters": "הסיסמה אינה יכולה להכיל תווים חוזרים",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "המשתמש נמחק ולא ניתן להשתמש בו לכניסה, אנא צור קשר עם המנהל",
     "The user is forbidden to sign in, please contact the administrator": "המשתמש אסור להיכנס, אנא צור קשר עם המנהל",
     "The user: %s doesn't exist in LDAP server": "המשתמש: %s אינו קיים בשרת ה-LDAP",

i18n/locales/id/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Silakan daftar menggunakan nama pengguna yang sesuai dengan kode undangan",
     "Session outdated, please login again": "Sesi kadaluwarsa, silakan masuk lagi",
     "The invitation code has already been used": "Kode undangan sudah digunakan",
+    "The password must contain at least one special character": "Kata sandi harus berisi setidaknya satu karakter khusus",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Kata sandi harus berisi setidaknya satu huruf besar, satu huruf kecil dan satu angka",
+    "The password must have at least 6 characters": "Kata sandi harus memiliki setidaknya 6 karakter",
+    "The password must have at least 8 characters": "Kata sandi harus memiliki setidaknya 8 karakter",
+    "The password must not contain any repeated characters": "Kata sandi tidak boleh berisi karakter yang berulang",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "Pengguna telah dihapus dan tidak dapat digunakan untuk masuk, silakan hubungi administrator",
     "The user is forbidden to sign in, please contact the administrator": "Pengguna dilarang masuk, silakan hubungi administrator",
     "The user: %s doesn't exist in LDAP server": "Pengguna: %s tidak ada di server LDAP",

i18n/locales/it/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Registrati con il nome utente corrispondente al codice di invito",
     "Session outdated, please login again": "Sessione scaduta, rieffettua il login",
     "The invitation code has already been used": "Il codice di invito è già stato utilizzato",
+    "The password must contain at least one special character": "La password deve contenere almeno un carattere speciale",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "La password deve contenere almeno una lettera maiuscola, una lettera minuscola e una cifra",
+    "The password must have at least 6 characters": "La password deve avere almeno 6 caratteri",
+    "The password must have at least 8 characters": "La password deve avere almeno 8 caratteri",
+    "The password must not contain any repeated characters": "La password non deve contenere caratteri ripetuti",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "L'utente è stato eliminato e non può essere utilizzato per accedere, contattare l'amministratore",
     "The user is forbidden to sign in, please contact the administrator": "Utente bloccato, contatta l'amministratore",
     "The user: %s doesn't exist in LDAP server": "L'utente: %s non esiste nel server LDAP",

i18n/locales/ja/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "招待コードに対応するユーザー名で登録してください",
     "Session outdated, please login again": "セッションが期限切れになりました。再度ログインしてください",
     "The invitation code has already been used": "この招待コードは既に使用されています",
+    "The password must contain at least one special character": "パスワードには少なくとも1つの特殊文字が必要です",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "パスワードには少なくとも1つの大文字、1つの小文字、1つの数字が必要です",
+    "The password must have at least 6 characters": "パスワードは少なくとも6文字必要です",
+    "The password must have at least 8 characters": "パスワードは少なくとも8文字必要です",
+    "The password must not contain any repeated characters": "パスワードに繰り返し文字を含めることはできません",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "ユーザーは削除されており、サインインに使用できません。管理者にお問い合わせください",
     "The user is forbidden to sign in, please contact the administrator": "ユーザーはサインインできません。管理者に連絡してください",
     "The user: %s doesn't exist in LDAP server": "ユーザー「%s」は LDAP サーバーに存在しません",

i18n/locales/kk/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Registreer met de gebruikersnaam die hoort bij de uitnodigingscode",
     "Session outdated, please login again": "Sessie verlopen, gelieve opnieuw in te loggen",
     "The invitation code has already been used": "Uitnodigingscode is al gebruikt",
+    "The password must contain at least one special character": "Құпия сөз кемінде бір арнайы таңбаны қамтуы керек",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Құпия сөз кемінде бір бас әріпті, бір кіші әріпті және бір санды қамтуы керек",
+    "The password must have at least 6 characters": "Құпия сөз кемінде 6 таңбадан тұруы керек",
+    "The password must have at least 8 characters": "Құпия сөз кемінде 8 таңбадан тұруы керек",
+    "The password must not contain any repeated characters": "Құпия сөз қайталанатын таңбаларды қамтымауы керек",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "Пайдаланушы жойылған және кіру үшін пайдалануға болмайды, әкімшіге хабарласыңыз",
     "The user is forbidden to sign in, please contact the administrator": "Gebruiker mag niet inloggen, contacteer beheerder",
     "The user: %s doesn't exist in LDAP server": "Gebruiker: %s bestaat niet in LDAP-server",

i18n/locales/ko/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "초대 코드에 해당하는 사용자 이름으로 가입해 주세요",
     "Session outdated, please login again": "세션이 만료되었습니다. 다시 로그인해주세요",
     "The invitation code has already been used": "초대 코드는 이미 사용되었습니다",
+    "The password must contain at least one special character": "비밀번호에는 하나 이상의 특수 문자가 포함되어야 합니다",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "비밀번호에는 하나 이상의 대문자, 소문자 및 숫자가 포함되어야 합니다",
+    "The password must have at least 6 characters": "비밀번호는 최소 6자 이상이어야 합니다",
+    "The password must have at least 8 characters": "비밀번호는 최소 8자 이상이어야 합니다",
+    "The password must not contain any repeated characters": "비밀번호에는 반복되는 문자가 포함될 수 없습니다",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "사용자가 삭제되어 로그인에 사용할 수 없습니다. 관리자에게 문의하세요",
     "The user is forbidden to sign in, please contact the administrator": "사용자는 로그인이 금지되어 있습니다. 관리자에게 문의하십시오",
     "The user: %s doesn't exist in LDAP server": "LDAP 서버에 사용자 %s이(가) 존재하지 않습니다",

i18n/locales/ms/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Sila daftar dengan nama pengguna yang sepadan dengan kod jemputan",
     "Session outdated, please login again": "Sesi tamat, sila log masuk semula",
     "The invitation code has already been used": "Kod jemputan sudah digunakan",
+    "The password must contain at least one special character": "Kata laluan mesti mengandungi sekurang-kurangnya satu aksara khas",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Kata laluan mesti mengandungi sekurang-kurangnya satu huruf besar, satu huruf kecil dan satu digit",
+    "The password must have at least 6 characters": "Kata laluan mesti mempunyai sekurang-kurangnya 6 aksara",
+    "The password must have at least 8 characters": "Kata laluan mesti mempunyai sekurang-kurangnya 8 aksara",
+    "The password must not contain any repeated characters": "Kata laluan tidak boleh mengandungi aksara berulang",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "Pengguna telah dipadamkan dan tidak boleh digunakan untuk log masuk, sila hubungi pentadbir",
     "The user is forbidden to sign in, please contact the administrator": "Pengguna dilarang log masuk, sila hubungi pentadbir",
     "The user: %s doesn't exist in LDAP server": "Pengguna: %s tidak wujud dalam pelayan LDAP",

i18n/locales/nl/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Registreer met de gebruikersnaam die bij de code hoort",
     "Session outdated, please login again": "Sessie verlopen, log opnieuw in",
     "The invitation code has already been used": "Code al gebruikt",
+    "The password must contain at least one special character": "Het wachtwoord moet minstens één speciaal teken bevatten",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Het wachtwoord moet minstens één hoofdletter, één kleine letter en één cijfer bevatten",
+    "The password must have at least 6 characters": "Het wachtwoord moet minstens 6 tekens bevatten",
+    "The password must have at least 8 characters": "Het wachtwoord moet minstens 8 tekens bevatten",
+    "The password must not contain any repeated characters": "Het wachtwoord mag geen herhaalde tekens bevatten",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "De gebruiker is verwijderd en kan niet worden gebruikt om in te loggen, neem contact op met de beheerder",
     "The user is forbidden to sign in, please contact the administrator": "Inloggen verboden, neem contact op met beheerder",
     "The user: %s doesn't exist in LDAP server": "Gebruiker %s ontbreekt in LDAP",

i18n/locales/pl/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Zarejestruj się używając nazwy użytkownika odpowiadającej kodowi zaproszenia",
     "Session outdated, please login again": "Sesja wygasła, zaloguj się ponownie",
     "The invitation code has already been used": "Kod zaproszenia został już wykorzystany",
+    "The password must contain at least one special character": "Hasło musi zawierać co najmniej jeden znak specjalny",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Hasło musi zawierać co najmniej jedną wielką literę, jedną małą literę i jedną cyfrę",
+    "The password must have at least 6 characters": "Hasło musi zawierać co najmniej 6 znaków",
+    "The password must have at least 8 characters": "Hasło musi zawierać co najmniej 8 znaków",
+    "The password must not contain any repeated characters": "Hasło nie może zawierać powtarzających się znaków",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "Użytkownik został usunięty i nie może być używany do logowania, skontaktuj się z administratorem",
     "The user is forbidden to sign in, please contact the administrator": "Użytkownikowi zabroniono logowania, skontaktuj się z administratorem",
     "The user: %s doesn't exist in LDAP server": "Użytkownik: %s nie istnieje w serwerze LDAP",

i18n/locales/pt/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Por favor, registre-se usando o nome de usuário correspondente ao código de convite",
     "Session outdated, please login again": "Sessão expirada, faça login novamente",
     "The invitation code has already been used": "O código de convite já foi utilizado",
+    "The password must contain at least one special character": "A senha deve conter pelo menos um caractere especial",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "A senha deve conter pelo menos uma letra maiúscula, uma letra minúscula e um dígito",
+    "The password must have at least 6 characters": "A senha deve ter pelo menos 6 caracteres",
+    "The password must have at least 8 characters": "A senha deve ter pelo menos 8 caracteres",
+    "The password must not contain any repeated characters": "A senha não deve conter caracteres repetidos",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "O usuário foi excluído e não pode ser usado para fazer login, entre em contato com o administrador",
     "The user is forbidden to sign in, please contact the administrator": "O usuário está proibido de entrar, entre em contato com o administrador",
     "The user: %s doesn't exist in LDAP server": "O usuário: %s não existe no servidor LDAP",

i18n/locales/ru/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь, используя имя пользователя, соответствующее коду приглашения",
     "Session outdated, please login again": "Сессия устарела, пожалуйста, войдите снова",
     "The invitation code has already been used": "Код приглашения уже использован",
+    "The password must contain at least one special character": "Пароль должен содержать хотя бы один специальный символ",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Пароль должен содержать хотя бы одну заглавную букву, одну строчную букву и одну цифру",
+    "The password must have at least 6 characters": "Пароль должен содержать не менее 6 символов",
+    "The password must have at least 8 characters": "Пароль должен содержать не менее 8 символов",
+    "The password must not contain any repeated characters": "Пароль не должен содержать повторяющихся символов",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "Пользователь был удален и не может быть использован для входа, пожалуйста, свяжитесь с администратором",
     "The user is forbidden to sign in, please contact the administrator": "Пользователю запрещен вход, пожалуйста, обратитесь к администратору",
     "The user: %s doesn't exist in LDAP server": "Пользователь: %s не существует на сервере LDAP",

i18n/locales/sk/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Prosím, zaregistrujte sa pomocou používateľského mena zodpovedajúceho kódu pozvania",
     "Session outdated, please login again": "Relácia je zastaraná, prosím, prihláste sa znova",
     "The invitation code has already been used": "Kód pozvania už bol použitý",
+    "The password must contain at least one special character": "Heslo musí obsahovať aspoň jeden špeciálny znak",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Heslo musí obsahovať aspoň jedno veľké písmeno, jedno malé písmeno a jednu číslicu",
+    "The password must have at least 6 characters": "Heslo musí mať aspoň 6 znakov",
+    "The password must have at least 8 characters": "Heslo musí mať aspoň 8 znakov",
+    "The password must not contain any repeated characters": "Heslo nesmie obsahovať opakujúce sa znaky",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "Používateľ bol odstránený a nie je možné ho použiť na prihlásenie, kontaktujte prosím správcu",
     "The user is forbidden to sign in, please contact the administrator": "Používateľovi je zakázané prihlásenie, prosím, kontaktujte administrátora",
     "The user: %s doesn't exist in LDAP server": "Používateľ: %s neexistuje na LDAP serveri",

i18n/locales/sv/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Registrera dig med det användarnamn som motsvarar inbjudningskoden",
     "Session outdated, please login again": "Sessionen har gått ut, logga in igen",
     "The invitation code has already been used": "Inbjudningskoden har redan använts",
+    "The password must contain at least one special character": "Lösenordet måste innehålla minst ett specialtecken",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Lösenordet måste innehålla minst en stor bokstav, en liten bokstav och en siffra",
+    "The password must have at least 6 characters": "Lösenordet måste ha minst 6 tecken",
+    "The password must have at least 8 characters": "Lösenordet måste ha minst 8 tecken",
+    "The password must not contain any repeated characters": "Lösenordet får inte innehålla upprepade tecken",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "Användaren har tagits bort och kan inte användas för att logga in, kontakta administratören",
     "The user is forbidden to sign in, please contact the administrator": "Användaren är förbjuden att logga in, kontakta administratören",
     "The user: %s doesn't exist in LDAP server": "Användaren: %s finns inte i LDAP-servern",

i18n/locales/tr/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Lütfen davet koduna karşılık gelen kullanıcı adıyla kayıt olun",
     "Session outdated, please login again": "Oturum süresi doldu, lütfen tekrar giriş yapın",
     "The invitation code has already been used": "Davet kodu zaten kullanılmış",
+    "The password must contain at least one special character": "Şifre en az bir özel karakter içermelidir",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Şifre en az bir büyük harf, bir küçük harf ve bir rakam içermelidir",
+    "The password must have at least 6 characters": "Şifre en az 6 karakter içermelidir",
+    "The password must have at least 8 characters": "Şifre en az 8 karakter içermelidir",
+    "The password must not contain any repeated characters": "Şifre tekrarlanan karakterler içermemelidir",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "Kullanıcı silinmiş ve oturum açmak için kullanılamaz, lütfen yöneticiyle iletişime geçin",
     "The user is forbidden to sign in, please contact the administrator": "Kullanıcı giriş yapmaktan men edildi, lütfen yönetici ile iletişime geçin",
     "The user: %s doesn't exist in LDAP server": "Kullanıcı: %s LDAP sunucusunda mevcut değil",

i18n/locales/uk/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Будь ласка, зареєструйтесь, використовуючи ім’я користувача, що відповідає коду запрошення",
     "Session outdated, please login again": "Сесію застаро, будь ласка, увійдіть знову",
     "The invitation code has already been used": "Код запрошення вже використано",
+    "The password must contain at least one special character": "Пароль повинен містити принаймні один спеціальний символ",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Пароль повинен містити принаймні одну велику літеру, одну малу літеру та одну цифру",
+    "The password must have at least 6 characters": "Пароль повинен містити принаймні 6 символів",
+    "The password must have at least 8 characters": "Пароль повинен містити принаймні 8 символів",
+    "The password must not contain any repeated characters": "Пароль не повинен містити повторюваних символів",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "Користувача було видалено і не можна використовувати для входу, будь ласка, зверніться до адміністратора",
     "The user is forbidden to sign in, please contact the administrator": "Користувачу заборонено вхід, зверніться до адміністратора",
     "The user: %s doesn't exist in LDAP server": "Користувач: %s не існує на сервері LDAP",

i18n/locales/vi/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "Vui lòng đăng ký bằng tên người dùng tương ứng với mã mời",
     "Session outdated, please login again": "Phiên làm việc hết hạn, vui lòng đăng nhập lại",
     "The invitation code has already been used": "Mã mời đã được sử dụng",
+    "The password must contain at least one special character": "Mật khẩu phải chứa ít nhất một ký tự đặc biệt",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Mật khẩu phải chứa ít nhất một chữ hoa, một chữ thường và một chữ số",
+    "The password must have at least 6 characters": "Mật khẩu phải có ít nhất 6 ký tự",
+    "The password must have at least 8 characters": "Mật khẩu phải có ít nhất 8 ký tự",
+    "The password must not contain any repeated characters": "Mật khẩu không được chứa ký tự lặp lại",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "Người dùng đã bị xóa và không thể được sử dụng để đăng nhập, vui lòng liên hệ với quản trị viên",
     "The user is forbidden to sign in, please contact the administrator": "Người dùng bị cấm đăng nhập, vui lòng liên hệ với quản trị viên",
     "The user: %s doesn't exist in LDAP server": "Người dùng: %s không tồn tại trên máy chủ LDAP",

i18n/locales/zh/data.json

@@ -74,6 +74,11 @@
     "Please register using the username corresponding to the invitation code": "请使用邀请码关联的用户名注册",
     "Session outdated, please login again": "会话已过期，请重新登录",
     "The invitation code has already been used": "邀请码已被使用",
+    "The password must contain at least one special character": "密码必须包含至少一个特殊字符",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "密码必须包含至少一个大写字母、一个小写字母和一个数字",
+    "The password must have at least 6 characters": "密码必须至少包含6个字符",
+    "The password must have at least 8 characters": "密码必须至少包含8个字符",
+    "The password must not contain any repeated characters": "密码不能包含任何重复字符",
     "The user has been deleted and cannot be used to sign in, please contact the administrator": "该用户已被删除, 无法用于登录, 请联系管理员",
     "The user is forbidden to sign in, please contact the administrator": "该用户被禁止登录，请联系管理员",
     "The user: %s doesn't exist in LDAP server": "用户: %s 在LDAP服务器中未找到",

idp/dingtalk.go

@@ -157,6 +157,10 @@ func (idp *DingTalkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, erro
 		return nil, err
 	}
 
+	if dtUserInfo.OpenId == "" || dtUserInfo.UnionId == "" {
+		return nil, fmt.Errorf(string(data))
+	}
+
 	countryCode, err := util.GetCountryCode(dtUserInfo.StateCode, dtUserInfo.Mobile)
 	if err != nil {
 		return nil, err

idp/lark.go

@@ -83,8 +83,6 @@ type LarkAccessToken struct {
 	Expire            int    `json:"expire"`
 }
 
-// GetToken use code get access_token (*operation of getting code ought to be done in front)
-// get more detail via: https://docs.microsoft.com/en-us/linkedIn/shared/authentication/authorization-code-flow?context=linkedIn%2Fcontext&tabs=HTTPS
 func (idp *LarkIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	params := &struct {
 		AppID     string `json:"app_id"`
@@ -170,8 +168,6 @@ type LarkUserInfo struct {
 	} `json:"data"`
 }
 
-// GetUserInfo use LarkAccessToken gotten before return LinkedInUserInfo
-// get more detail via: https://docs.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin?context=linkedin/consumer/context
 func (idp *LarkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	body := &struct {
 		GrantType string `json:"grant_type"`
@@ -214,6 +210,15 @@ func (idp *LarkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 		email = larkUserInfo.Data.EnterpriseEmail
 	}
 
+	// Use fallback mechanism for username: UserId -> UnionId -> OpenId
+	username := larkUserInfo.Data.UserId
+	if username == "" {
+		username = larkUserInfo.Data.UnionId
+	}
+	if username == "" {
+		username = larkUserInfo.Data.OpenId
+	}
+
 	var phoneNumber string
 	var countryCode string
 	if len(larkUserInfo.Data.Mobile) != 0 {
@@ -228,7 +233,7 @@ func (idp *LarkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	userInfo := UserInfo{
 		Id:          larkUserInfo.Data.OpenId,
 		DisplayName: larkUserInfo.Data.Name,
-		Username:    larkUserInfo.Data.UserId,
+		Username:    username,
 		Email:       email,
 		AvatarUrl:   larkUserInfo.Data.AvatarUrl,
 		Phone:       phoneNumber,

idp/provider.go

@@ -67,7 +67,12 @@ func GetIdProvider(idpInfo *ProviderInfo, redirectUrl string) (IdProvider, error
 	case "QQ":
 		return NewQqIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "WeChat":
-		return NewWeChatIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
+		if idpInfo.SubType == "Mobile" {
+			return NewWeChatMobileIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
+		} else {
+			// Default to Web (PC QR code login) for backward compatibility
+			return NewWeChatIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
+		}
 	case "Facebook":
 		return NewFacebookIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "DingTalk":
@@ -124,6 +129,8 @@ func GetIdProvider(idpInfo *ProviderInfo, redirectUrl string) (IdProvider, error
 		return NewWeb3OnboardIdProvider(), nil
 	case "Twitter":
 		return NewTwitterIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
+	case "Telegram":
+		return NewTelegramIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	default:
 		if isGothSupport(idpInfo.Type) {
 			return NewGothIdProvider(idpInfo.Type, idpInfo.ClientId, idpInfo.ClientSecret, idpInfo.ClientId2, idpInfo.ClientSecret2, redirectUrl, idpInfo.HostUrl)

idp/telegram.go

@@ -0,0 +1,169 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"sort"
+	"strconv"
+	"strings"
+
+	"golang.org/x/oauth2"
+)
+
+type TelegramIdProvider struct {
+	Client       *http.Client
+	ClientId     string
+	ClientSecret string
+	RedirectUrl  string
+}
+
+func NewTelegramIdProvider(clientId string, clientSecret string, redirectUrl string) *TelegramIdProvider {
+	idp := &TelegramIdProvider{
+		ClientId:     clientId,
+		ClientSecret: clientSecret,
+		RedirectUrl:  redirectUrl,
+	}
+
+	return idp
+}
+
+func (idp *TelegramIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+// GetToken validates the Telegram auth data and returns a token
+// Telegram uses a widget-based authentication, not standard OAuth2
+// The "code" parameter contains the JSON-encoded auth data from Telegram
+func (idp *TelegramIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	// Decode the auth data from the code parameter
+	var authData map[string]interface{}
+	if err := json.Unmarshal([]byte(code), &authData); err != nil {
+		return nil, fmt.Errorf("failed to parse Telegram auth data: %v", err)
+	}
+
+	// Verify the data authenticity
+	if err := idp.verifyTelegramAuth(authData); err != nil {
+		return nil, fmt.Errorf("failed to verify Telegram auth data: %v", err)
+	}
+
+	// Create a token with the user ID as access token
+	userId, ok := authData["id"].(float64)
+	if !ok {
+		return nil, fmt.Errorf("invalid user id in auth data")
+	}
+
+	// Store the complete auth data in the token for later retrieval
+	authDataJson, err := json.Marshal(authData)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal auth data: %v", err)
+	}
+
+	token := &oauth2.Token{
+		AccessToken: fmt.Sprintf("telegram_%d", int64(userId)),
+		TokenType:   "Bearer",
+	}
+
+	// Store auth data in token extras to avoid additional API calls
+	token = token.WithExtra(map[string]interface{}{
+		"telegram_auth_data": string(authDataJson),
+	})
+
+	return token, nil
+}
+
+// verifyTelegramAuth verifies the authenticity of Telegram auth data
+// According to Telegram docs: https://core.telegram.org/widgets/login#checking-authorization
+func (idp *TelegramIdProvider) verifyTelegramAuth(authData map[string]interface{}) error {
+	// Extract hash from auth data
+	hash, ok := authData["hash"].(string)
+	if !ok {
+		return fmt.Errorf("hash not found in auth data")
+	}
+
+	// Prepare data check string
+	var dataCheckArr []string
+	for key, value := range authData {
+		if key == "hash" {
+			continue
+		}
+		dataCheckArr = append(dataCheckArr, fmt.Sprintf("%s=%v", key, value))
+	}
+	sort.Strings(dataCheckArr)
+	dataCheckString := strings.Join(dataCheckArr, "\n")
+
+	// Calculate secret key
+	secretKey := sha256.Sum256([]byte(idp.ClientSecret))
+
+	// Calculate hash
+	h := hmac.New(sha256.New, secretKey[:])
+	h.Write([]byte(dataCheckString))
+	calculatedHash := hex.EncodeToString(h.Sum(nil))
+
+	// Compare hashes
+	if calculatedHash != hash {
+		return fmt.Errorf("data verification failed")
+	}
+
+	return nil
+}
+
+func (idp *TelegramIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	// Extract auth data from token
+	authDataStr, ok := token.Extra("telegram_auth_data").(string)
+	if !ok {
+		return nil, fmt.Errorf("telegram auth data not found in token")
+	}
+
+	// Parse the auth data
+	var authData map[string]interface{}
+	if err := json.Unmarshal([]byte(authDataStr), &authData); err != nil {
+		return nil, fmt.Errorf("failed to parse auth data: %v", err)
+	}
+
+	// Extract user information from auth data
+	userId, ok := authData["id"].(float64)
+	if !ok {
+		return nil, fmt.Errorf("invalid user id in auth data")
+	}
+
+	firstName, _ := authData["first_name"].(string)
+	lastName, _ := authData["last_name"].(string)
+	username, _ := authData["username"].(string)
+	photoUrl, _ := authData["photo_url"].(string)
+
+	// Build display name with fallback
+	displayName := strings.TrimSpace(firstName + " " + lastName)
+	if displayName == "" {
+		displayName = username
+	}
+	if displayName == "" {
+		displayName = strconv.FormatInt(int64(userId), 10)
+	}
+
+	userInfo := UserInfo{
+		Id:          strconv.FormatInt(int64(userId), 10),
+		Username:    username,
+		DisplayName: displayName,
+		AvatarUrl:   photoUrl,
+	}
+
+	return &userInfo, nil
+}

idp/wechat_mobile.go

@@ -0,0 +1,169 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+// WeChatMobileIdProvider is for WeChat OAuth Mobile (in-app browser) login
+// This uses snsapi_userinfo scope for mobile authorization
+type WeChatMobileIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+}
+
+func NewWeChatMobileIdProvider(clientId string, clientSecret string, redirectUrl string) *WeChatMobileIdProvider {
+	idp := &WeChatMobileIdProvider{}
+
+	config := idp.getConfig(clientId, clientSecret, redirectUrl)
+	idp.Config = config
+
+	return idp
+}
+
+func (idp *WeChatMobileIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+// getConfig returns OAuth2 config for WeChat Mobile
+func (idp *WeChatMobileIdProvider) getConfig(clientId string, clientSecret string, redirectUrl string) *oauth2.Config {
+	endpoint := oauth2.Endpoint{
+		AuthURL:  "https://open.weixin.qq.com/connect/oauth2/authorize",
+		TokenURL: "https://api.weixin.qq.com/sns/oauth2/access_token",
+	}
+
+	config := &oauth2.Config{
+		Scopes:       []string{"snsapi_userinfo"},
+		Endpoint:     endpoint,
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectUrl,
+	}
+
+	return config
+}
+
+// GetToken exchanges authorization code for access token
+func (idp *WeChatMobileIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	params := url.Values{}
+	params.Add("grant_type", "authorization_code")
+	params.Add("appid", idp.Config.ClientID)
+	params.Add("secret", idp.Config.ClientSecret)
+	params.Add("code", code)
+
+	accessTokenUrl := fmt.Sprintf("https://api.weixin.qq.com/sns/oauth2/access_token?%s", params.Encode())
+	tokenResponse, err := idp.Client.Get(accessTokenUrl)
+	if err != nil {
+		return nil, err
+	}
+
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			return
+		}
+	}(tokenResponse.Body)
+
+	buf := new(bytes.Buffer)
+	_, err = buf.ReadFrom(tokenResponse.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	// Check for error response
+	if bytes.Contains(buf.Bytes(), []byte("errcode")) {
+		return nil, fmt.Errorf(buf.String())
+	}
+
+	var wechatAccessToken WechatAccessToken
+	if err = json.Unmarshal(buf.Bytes(), &wechatAccessToken); err != nil {
+		return nil, err
+	}
+
+	token := oauth2.Token{
+		AccessToken:  wechatAccessToken.AccessToken,
+		TokenType:    "WeChatAccessToken",
+		RefreshToken: wechatAccessToken.RefreshToken,
+		Expiry:       time.Time{},
+	}
+
+	raw := make(map[string]string)
+	raw["Openid"] = wechatAccessToken.Openid
+	token.WithExtra(raw)
+
+	return &token, nil
+}
+
+// GetUserInfo retrieves user information using the access token
+func (idp *WeChatMobileIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	var wechatUserInfo WechatUserInfo
+	accessToken := token.AccessToken
+	openid := token.Extra("Openid")
+
+	userInfoUrl := fmt.Sprintf("https://api.weixin.qq.com/sns/userinfo?access_token=%s&openid=%s&lang=zh_CN", accessToken, openid)
+	resp, err := idp.Client.Get(userInfoUrl)
+	if err != nil {
+		return nil, err
+	}
+
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			return
+		}
+	}(resp.Body)
+
+	buf := new(bytes.Buffer)
+	_, err = buf.ReadFrom(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = json.Unmarshal(buf.Bytes(), &wechatUserInfo); err != nil {
+		return nil, err
+	}
+
+	// Check for error response
+	if wechatUserInfo.Openid == "" {
+		return nil, fmt.Errorf("failed to get user info: %s", buf.String())
+	}
+
+	id := wechatUserInfo.Unionid
+	if id == "" {
+		id = wechatUserInfo.Openid
+	}
+
+	extra := make(map[string]string)
+	extra["wechat_unionid"] = wechatUserInfo.Openid
+	// For WeChat, different appId corresponds to different openId
+	extra[BuildWechatOpenIdKey(idp.Config.ClientID)] = wechatUserInfo.Openid
+	userInfo := UserInfo{
+		Id:          id,
+		Username:    wechatUserInfo.Nickname,
+		DisplayName: wechatUserInfo.Nickname,
+		AvatarUrl:   wechatUserInfo.Headimgurl,
+		Extra:       extra,
+	}
+	return &userInfo, nil
+}

idv/aliyun.go

@@ -0,0 +1,111 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idv
+
+import (
+	"fmt"
+
+	cloudauth "github.com/alibabacloud-go/cloudauth-20190307/v3/client"
+	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+	"github.com/alibabacloud-go/tea/tea"
+)
+
+const (
+	// DefaultAlibabaCloudEndpoint is the default endpoint for Alibaba Cloud ID verification service
+	DefaultAlibabaCloudEndpoint = "cloudauth.cn-shanghai.aliyuncs.com"
+)
+
+type AlibabaCloudIdvProvider struct {
+	ClientId     string
+	ClientSecret string
+	Endpoint     string
+}
+
+func NewAlibabaCloudIdvProvider(clientId string, clientSecret string, endpoint string) *AlibabaCloudIdvProvider {
+	return &AlibabaCloudIdvProvider{
+		ClientId:     clientId,
+		ClientSecret: clientSecret,
+		Endpoint:     endpoint,
+	}
+}
+
+func (provider *AlibabaCloudIdvProvider) VerifyIdentity(idCardType string, idCard string, realName string) (bool, error) {
+	if provider.ClientId == "" || provider.ClientSecret == "" {
+		return false, fmt.Errorf("Alibaba Cloud credentials not configured")
+	}
+
+	if idCard == "" || realName == "" {
+		return false, fmt.Errorf("ID card and real name are required")
+	}
+
+	// Default endpoint if not configured
+	endpoint := provider.Endpoint
+	if endpoint == "" {
+		endpoint = DefaultAlibabaCloudEndpoint
+	}
+
+	// Create client configuration
+	config := &openapi.Config{
+		AccessKeyId:     tea.String(provider.ClientId),
+		AccessKeySecret: tea.String(provider.ClientSecret),
+		Endpoint:        tea.String(endpoint),
+	}
+
+	// Create Alibaba Cloud Auth client
+	client, err := cloudauth.NewClient(config)
+	if err != nil {
+		return false, fmt.Errorf("failed to create Alibaba Cloud client: %v", err)
+	}
+
+	// Prepare verification request using Id2MetaVerify API
+	// This API verifies Chinese ID card number and real name
+	// Reference: https://help.aliyun.com/zh/id-verification/financial-grade-id-verification/server-side-integration-2
+	request := &cloudauth.Id2MetaVerifyRequest{
+		IdentifyNum: tea.String(idCard),
+		UserName:    tea.String(realName),
+		ParamType:   tea.String("normal"),
+	}
+
+	// Send verification request
+	response, err := client.Id2MetaVerify(request)
+	if err != nil {
+		return false, fmt.Errorf("failed to verify identity with Alibaba Cloud: %v", err)
+	}
+
+	// Check response
+	if response == nil || response.Body == nil {
+		return false, fmt.Errorf("empty response from Alibaba Cloud")
+	}
+
+	// Check if the API call was successful
+	if response.Body.Code == nil || *response.Body.Code != "200" {
+		message := "unknown error"
+		if response.Body.Message != nil {
+			message = *response.Body.Message
+		}
+		return false, fmt.Errorf("Alibaba Cloud API error: %s", message)
+	}
+
+	// Check verification result
+	// BizCode "1" means verification passed
+	if response.Body.ResultObject != nil && response.Body.ResultObject.BizCode != nil {
+		if *response.Body.ResultObject.BizCode == "1" {
+			return true, nil
+		}
+		return false, fmt.Errorf("identity verification failed: BizCode=%s", *response.Body.ResultObject.BizCode)
+	}
+
+	return false, fmt.Errorf("identity verification failed: missing result")
+}

idv/jumio.go

@@ -0,0 +1,143 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idv
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+)
+
+type JumioIdvProvider struct {
+	ClientId     string
+	ClientSecret string
+	Endpoint     string
+}
+
+type JumioInitiateRequest struct {
+	CustomerInternalReference string `json:"customerInternalReference"`
+	UserReference             string `json:"userReference"`
+	WorkflowId                string `json:"workflowId,omitempty"`
+}
+
+type JumioInitiateResponse struct {
+	TransactionReference string `json:"transactionReference"`
+	RedirectUrl          string `json:"redirectUrl"`
+}
+
+type JumioVerificationData struct {
+	IdCard   string `json:"idNumber"`
+	RealName string `json:"firstName"`
+	Type     string `json:"type"`
+}
+
+func NewJumioIdvProvider(clientId string, clientSecret string, endpoint string) *JumioIdvProvider {
+	return &JumioIdvProvider{
+		ClientId:     clientId,
+		ClientSecret: clientSecret,
+		Endpoint:     endpoint,
+	}
+}
+
+func (provider *JumioIdvProvider) VerifyIdentity(idCardType string, idCard string, realName string) (bool, error) {
+	if provider.ClientId == "" || provider.ClientSecret == "" {
+		return false, fmt.Errorf("Jumio credentials not configured")
+	}
+
+	if provider.Endpoint == "" {
+		return false, fmt.Errorf("Jumio endpoint not configured")
+	}
+
+	if idCard == "" || realName == "" {
+		return false, fmt.Errorf("ID card and real name are required")
+	}
+
+	// Jumio ID Verification implementation
+	// This implementation follows Jumio's API workflow:
+	// 1. Initiate a verification session
+	// 2. User would normally go through verification flow (redirected to Jumio)
+	// 3. Check verification status
+	// For automated verification, we simulate the process
+
+	client := &http.Client{
+		Timeout: 30 * time.Second,
+	}
+
+	// Prepare the initiation request
+	initiateReq := JumioInitiateRequest{
+		CustomerInternalReference: fmt.Sprintf("user_%s", idCard),
+		UserReference:             realName,
+	}
+
+	reqBody, err := json.Marshal(initiateReq)
+	if err != nil {
+		return false, fmt.Errorf("failed to marshal request: %v", err)
+	}
+
+	// Create HTTP request to Jumio API
+	req, err := http.NewRequest("POST", fmt.Sprintf("%s/api/v4/initiate", provider.Endpoint), bytes.NewBuffer(reqBody))
+	if err != nil {
+		return false, fmt.Errorf("failed to create request: %v", err)
+	}
+
+	// Set authentication headers
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("User-Agent", "Casdoor/1.0")
+	req.SetBasicAuth(provider.ClientId, provider.ClientSecret)
+
+	// Send request
+	resp, err := client.Do(req)
+	if err != nil {
+		return false, fmt.Errorf("failed to send request to Jumio: %v", err)
+	}
+	defer resp.Body.Close()
+
+	// Read response
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return false, fmt.Errorf("failed to read response: %v", err)
+	}
+
+	// Check response status
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
+		return false, fmt.Errorf("Jumio API returned error status %d: %s", resp.StatusCode, string(body))
+	}
+
+	// Parse response
+	var initiateResp JumioInitiateResponse
+	if err := json.Unmarshal(body, &initiateResp); err != nil {
+		return false, fmt.Errorf("failed to parse Jumio response: %v", err)
+	}
+
+	// In a real implementation, the user would be redirected to initiateResp.RedirectUrl
+	// to complete the verification process. Here we simulate successful verification.
+	// For production, you would need to:
+	// 1. Store the transaction reference
+	// 2. Redirect user to RedirectUrl or provide it to them
+	// 3. Implement a webhook to receive verification results
+	// 4. Query the transaction status using the transaction reference
+
+	// Simulate verification check (in production, this would be a webhook callback or status query)
+	if initiateResp.TransactionReference != "" {
+		// Successfully initiated verification session
+		// In a real scenario, return would depend on actual verification completion
+		return true, nil
+	}
+
+	return false, fmt.Errorf("verification could not be initiated")
+}

idv/provider.go

@@ -0,0 +1,29 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idv
+
+type IdvProvider interface {
+	VerifyIdentity(idCardType string, idCard string, realName string) (bool, error)
+}
+
+func GetIdvProvider(typ string, clientId string, clientSecret string, endpoint string) IdvProvider {
+	if typ == "Jumio" {
+		return NewJumioIdvProvider(clientId, clientSecret, endpoint)
+	} else if typ == "Alibaba Cloud" {
+		return NewAlibabaCloudIdvProvider(clientId, clientSecret, endpoint)
+	}
+	// Default to Jumio for backward compatibility
+	return NewJumioIdvProvider(clientId, clientSecret, endpoint)
+}

init_data.json.template

@@ -6,7 +6,7 @@
       "displayName": "",
       "websiteUrl": "",
       "favicon": "",
-      "passwordType": "plain",
+      "passwordType": "bcrypt",
       "passwordSalt": "",
       "passwordOptions": [
         "AtLeast6"

ldap/server.go

@@ -212,6 +212,10 @@ func handleSearch(w ldap.ResponseWriter, m *ldap.Message) {
 		e.AddAttribute("homeDirectory", message.AttributeValue("/home/"+user.Name))
 		e.AddAttribute("cn", message.AttributeValue(user.Name))
 		e.AddAttribute("uid", message.AttributeValue(user.Id))
+		e.AddAttribute("mail", message.AttributeValue(user.Email))
+		e.AddAttribute("mobile", message.AttributeValue(user.Phone))
+		e.AddAttribute("sn", message.AttributeValue(user.LastName))
+		e.AddAttribute("givenName", message.AttributeValue(user.FirstName))
 		for _, group := range user.Groups {
 			e.AddAttribute(ldapMemberOfAttr, message.AttributeValue(group))
 		}

main.go

@@ -38,6 +38,18 @@ func main() {
 	object.CreateTables()
 
 	object.InitDb()
+
+	// Handle export command
+	if object.ShouldExportData() {
+		exportPath := object.GetExportFilePath()
+		err := object.DumpToFile(exportPath)
+		if err != nil {
+			panic(fmt.Sprintf("Error exporting data to %s: %v", exportPath, err))
+		}
+		fmt.Printf("Data exported successfully to %s\n", exportPath)
+		return
+	}
+
 	object.InitDefaultStorageProvider()
 	object.InitLdapAutoSynchronizer()
 	proxy.InitHttpClient()

notification/provider.go

@@ -55,6 +55,8 @@ func GetNotificationProvider(typ string, clientId string, clientSecret string, c
 		return NewViberProvider(clientId, clientSecret, appId, receiver)
 	} else if typ == "CUCloud" {
 		return NewCucloudProvider(clientId, clientSecret, appId, title, regionId, clientId2, metaData)
+	} else if typ == "WeCom" {
+		return NewWeComProvider(clientSecret)
 	}
 
 	return nil, nil

notification/wecom.go

@@ -0,0 +1,104 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/casdoor/notify"
+)
+
+// wecomService encapsulates the WeCom webhook client
+type wecomService struct {
+	webhookURL string
+}
+
+// wecomResponse represents the response from WeCom webhook API
+type wecomResponse struct {
+	Errcode int    `json:"errcode"`
+	Errmsg  string `json:"errmsg"`
+}
+
+// NewWeComProvider returns a new instance of a WeCom notification service
+// WeCom (WeChat Work) uses webhook for group chat notifications
+// Reference: https://developer.work.weixin.qq.com/document/path/90236
+func NewWeComProvider(webhookURL string) (notify.Notifier, error) {
+	wecomSrv := &wecomService{
+		webhookURL: webhookURL,
+	}
+
+	notifier := notify.New()
+	notifier.UseServices(wecomSrv)
+
+	return notifier, nil
+}
+
+// Send sends a text message to WeCom group chat via webhook
+func (s *wecomService) Send(ctx context.Context, subject, content string) error {
+	text := subject
+	if content != "" {
+		text = subject + "\n" + content
+	}
+
+	// WeCom webhook message format
+	message := map[string]interface{}{
+		"msgtype": "text",
+		"text": map[string]string{
+			"content": text,
+		},
+	}
+
+	jsonData, err := json.Marshal(message)
+	if err != nil {
+		return fmt.Errorf("failed to marshal WeCom message: %w", err)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, "POST", s.webhookURL, bytes.NewBuffer(jsonData))
+	if err != nil {
+		return fmt.Errorf("failed to create WeCom request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/json")
+
+	client := &http.Client{
+		Timeout: 30 * time.Second,
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to send WeCom message: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("WeCom webhook returned HTTP status code: %d", resp.StatusCode)
+	}
+
+	// Parse WeCom API response
+	var wecomResp wecomResponse
+	if err := json.NewDecoder(resp.Body).Decode(&wecomResp); err != nil {
+		return fmt.Errorf("failed to decode WeCom response: %w", err)
+	}
+
+	// Check WeCom API error code
+	if wecomResp.Errcode != 0 {
+		return fmt.Errorf("WeCom API error: errcode=%d, errmsg=%s", wecomResp.Errcode, wecomResp.Errmsg)
+	}
+
+	return nil
+}

object/adapter.go

@@ -88,12 +88,18 @@ func getAdapter(owner, name string) (*Adapter, error) {
 }
 
 func GetAdapter(id string) (*Adapter, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return nil, err
+	}
 	return getAdapter(owner, name)
 }
 
 func UpdateAdapter(id string, adapter *Adapter) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return false, err
+	}
 	if adapter, err := getAdapter(owner, name); adapter == nil {
 		return false, err
 	}

object/application.go

@@ -63,6 +63,7 @@ type SamlItem struct {
 type JwtItem struct {
 	Name  string `json:"name"`
 	Value string `json:"value"`
+	Type  string `json:"type"`
 }
 
 type Application struct {
@@ -91,6 +92,7 @@ type Application struct {
 	EnableSamlCompress    bool            `json:"enableSamlCompress"`
 	EnableSamlC14n10      bool            `json:"enableSamlC14n10"`
 	EnableSamlPostBinding bool            `json:"enableSamlPostBinding"`
+	DisableSamlAttributes bool            `json:"disableSamlAttributes"`
 	UseEmailAsSamlNameId  bool            `json:"useEmailAsSamlNameId"`
 	EnableWebAuthn        bool            `json:"enableWebAuthn"`
 	EnableLinkWithEmail   bool            `json:"enableLinkWithEmail"`
@@ -117,8 +119,8 @@ type Application struct {
 	TokenSigningMethod      string     `xorm:"varchar(100)" json:"tokenSigningMethod"`
 	TokenFields             []string   `xorm:"varchar(1000)" json:"tokenFields"`
 	TokenAttributes         []*JwtItem `xorm:"mediumtext" json:"tokenAttributes"`
-	ExpireInHours           int        `json:"expireInHours"`
-	RefreshExpireInHours    int        `json:"refreshExpireInHours"`
+	ExpireInHours           float64    `json:"expireInHours"`
+	RefreshExpireInHours    float64    `json:"refreshExpireInHours"`
 	SignupUrl               string     `xorm:"varchar(200)" json:"signupUrl"`
 	SigninUrl               string     `xorm:"varchar(200)" json:"signinUrl"`
 	ForgetUrl               string     `xorm:"varchar(200)" json:"forgetUrl"`
@@ -449,7 +451,10 @@ func GetApplicationByUser(user *User) (*Application, error) {
 }
 
 func GetApplicationByUserId(userId string) (application *Application, err error) {
-	_, name := util.GetOwnerAndNameFromId(userId)
+	_, name, err := util.GetOwnerAndNameFromIdWithError(userId)
+	if err != nil {
+		return nil, err
+	}
 	if IsAppUser(userId) {
 		application, err = getApplication("admin", name)
 		return
@@ -557,6 +562,7 @@ func GetMaskedApplication(application *Application, userId string) *Application
 	application.EnableSamlCompress = false
 	application.EnableSamlC14n10 = false
 	application.EnableSamlPostBinding = false
+	application.DisableSamlAttributes = false
 	application.EnableWebAuthn = false
 	application.EnableLinkWithEmail = false
 	application.SamlReplyUrl = "***"
@@ -646,7 +652,10 @@ func GetAllowedApplications(applications []*Application, userId string, lang str
 }
 
 func UpdateApplication(id string, application *Application, isGlobalAdmin bool, lang string) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return false, err
+	}
 	oldApplication, err := getApplication(owner, name)
 	if oldApplication == nil {
 		return false, err
@@ -762,6 +771,9 @@ func (application *Application) IsRedirectUriValid(redirectUri string) bool {
 	}
 
 	for _, targetUri := range application.RedirectUris {
+		if targetUri == "" {
+			continue
+		}
 		targetUriRegex := regexp.MustCompile(targetUri)
 		if targetUriRegex.MatchString(redirectUri) || strings.Contains(redirectUri, targetUri) {
 			return true

object/cert.go

@@ -149,7 +149,10 @@ func getCertByName(name string) (*Cert, error) {
 }
 
 func GetCert(id string) (*Cert, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return nil, err
+	}
 	cert, err := getCert(owner, name)
 	if cert == nil && owner != "admin" {
 		return getCert("admin", name)
@@ -159,7 +162,10 @@ func GetCert(id string) (*Cert, error) {
 }
 
 func UpdateCert(id string, cert *Cert) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return false, err
+	}
 	if c, err := getCert(owner, name); err != nil {
 		return false, err
 	} else if c == nil {
@@ -167,13 +173,13 @@ func UpdateCert(id string, cert *Cert) (bool, error) {
 	}
 
 	if name != cert.Name {
-		err := certChangeTrigger(name, cert.Name)
+		err = certChangeTrigger(name, cert.Name)
 		if err != nil {
 			return false, err
 		}
 	}
 
-	err := cert.populateContent()
+	err = cert.populateContent()
 	if err != nil {
 		return false, err
 	}

object/check.go

@@ -59,8 +59,11 @@ func CheckUserSignup(application *Application, organization *Organization, authF
 		if HasUserByField(organization.Name, "name", authForm.Username) {
 			return i18n.Translate(lang, "check:Username already exists")
 		}
-		if HasUserByField(organization.Name, "email", authForm.Email) {
-			return i18n.Translate(lang, "check:Email already exists")
+		if authForm.Email != "" {
+			normalizedEmail := strings.ToLower(authForm.Email)
+			if HasUserByField(organization.Name, "email", normalizedEmail) {
+				return i18n.Translate(lang, "check:Email already exists")
+			}
 		}
 		if HasUserByField(organization.Name, "phone", authForm.Phone) {
 			return i18n.Translate(lang, "check:Phone already exists")
@@ -68,7 +71,7 @@ func CheckUserSignup(application *Application, organization *Organization, authF
 	}
 
 	if application.IsSignupItemVisible("Password") {
-		msg := CheckPasswordComplexityByOrg(organization, authForm.Password)
+		msg := CheckPasswordComplexityByOrg(organization, authForm.Password, lang)
 		if msg != "" {
 			return msg
 		}
@@ -80,7 +83,8 @@ func CheckUserSignup(application *Application, organization *Organization, authF
 				return i18n.Translate(lang, "check:Email cannot be empty")
 			}
 		} else {
-			if HasUserByField(organization.Name, "email", authForm.Email) {
+			normalizedEmail := strings.ToLower(authForm.Email)
+			if HasUserByField(organization.Name, "email", normalizedEmail) {
 				return i18n.Translate(lang, "check:Email already exists")
 			} else if !util.IsEmailValid(authForm.Email) {
 				return i18n.Translate(lang, "check:Email is invalid")
@@ -115,9 +119,9 @@ func CheckUserSignup(application *Application, organization *Organization, authF
 			if authForm.Name == "" {
 				return i18n.Translate(lang, "check:DisplayName cannot be blank")
 			} else if application.GetSignupItemRule("Display name") == "Real name" {
-				if !isValidRealName(authForm.Name) {
-					return i18n.Translate(lang, "check:DisplayName is not valid real name")
-				}
+				// if !isValidRealName(authForm.Name) {
+				//	return i18n.Translate(lang, "check:DisplayName is not valid real name")
+				// }
 			}
 		}
 	}
@@ -278,17 +282,30 @@ func CheckPassword(user *User, password string, lang string, options ...bool) er
 	return resetUserSigninErrorTimes(user)
 }
 
-func CheckPasswordComplexityByOrg(organization *Organization, password string) string {
-	errorMsg := checkPasswordComplexity(password, organization.PasswordOptions)
+func CheckPasswordComplexityByOrg(organization *Organization, password string, lang string) string {
+	errorMsg := checkPasswordComplexity(password, organization.PasswordOptions, lang)
 	return errorMsg
 }
 
-func CheckPasswordComplexity(user *User, password string) string {
+func CheckPasswordComplexity(user *User, password string, lang string) string {
 	organization, _ := GetOrganizationByUser(user)
-	return CheckPasswordComplexityByOrg(organization, password)
+	return CheckPasswordComplexityByOrg(organization, password, lang)
 }
 
-func CheckLdapUserPassword(user *User, password string, lang string) error {
+func CheckLdapUserPassword(user *User, password string, lang string, options ...bool) error {
+	enableCaptcha := false
+	if len(options) > 0 {
+		enableCaptcha = options[0]
+	}
+
+	// check the login error times
+	if !enableCaptcha {
+		err := checkSigninErrorTimes(user, lang)
+		if err != nil {
+			return err
+		}
+	}
+
 	ldaps, err := GetLdaps(user.Owner)
 	if err != nil {
 		return err
@@ -336,7 +353,7 @@ func CheckLdapUserPassword(user *User, password string, lang string) error {
 		if !hit {
 			return fmt.Errorf("user not exist")
 		}
-		return fmt.Errorf(i18n.Translate(lang, "check:LDAP user name or password incorrect"))
+		return recordSigninErrorInfo(user, lang, enableCaptcha)
 	}
 	return resetUserSigninErrorTimes(user)
 }
@@ -363,6 +380,11 @@ func CheckUserPassword(organization string, username string, password string, la
 		return nil, fmt.Errorf(i18n.Translate(lang, "check:The user is forbidden to sign in, please contact the administrator"))
 	}
 
+	// Prevent direct login for guest users without upgrading
+	if user.Tag == "guest-user" {
+		return nil, fmt.Errorf(i18n.Translate(lang, "check:Guest users must upgrade their account by setting a username and password before they can sign in directly"))
+	}
+
 	if isSigninViaLdap {
 		if user.Ldap == "" {
 			return nil, fmt.Errorf(i18n.Translate(lang, "check:The user: %s doesn't exist in LDAP server"), username)
@@ -374,22 +396,14 @@ func CheckUserPassword(organization string, username string, password string, la
 			return nil, fmt.Errorf(i18n.Translate(lang, "check:password or code is incorrect"))
 		}
 
-		// check the login error times
-		if !enableCaptcha {
-			err = checkSigninErrorTimes(user, lang)
-			if err != nil {
-				return nil, err
-			}
-		}
-
 		// only for LDAP users
-		err = CheckLdapUserPassword(user, password, lang)
+		err = CheckLdapUserPassword(user, password, lang, enableCaptcha)
 		if err != nil {
 			if err.Error() == "user not exist" {
 				return nil, fmt.Errorf(i18n.Translate(lang, "check:The user: %s doesn't exist in LDAP server"), username)
 			}
 
-			return nil, recordSigninErrorInfo(user, lang, enableCaptcha)
+			return nil, err
 		}
 	} else {
 		err = CheckPassword(user, password, lang, enableCaptcha)
@@ -564,7 +578,10 @@ func CheckApiPermission(userId string, organization string, path string, method
 }
 
 func CheckLoginPermission(userId string, application *Application) (bool, error) {
-	owner, _ := util.GetOwnerAndNameFromId(userId)
+	owner, _, err := util.GetOwnerAndNameFromIdWithError(userId)
+	if err != nil {
+		return false, err
+	}
 	if owner == "built-in" {
 		return true, nil
 	}

object/check_password_complexity.go

@@ -18,9 +18,10 @@ import (
 	"regexp"
 
 	"github.com/casdoor/casdoor/cred"
+	"github.com/casdoor/casdoor/i18n"
 )
 
-type ValidatorFunc func(password string) string
+type ValidatorFunc func(password string, lang string) string
 
 var (
 	regexLowerCase = regexp.MustCompile(`[a-z]`)
@@ -29,50 +30,50 @@ var (
 	regexSpecial   = regexp.MustCompile("[!-/:-@[-`{-~]")
 )
 
-func isValidOption_AtLeast6(password string) string {
+func isValidOption_AtLeast6(password string, lang string) string {
 	if len(password) < 6 {
-		return "The password must have at least 6 characters"
+		return i18n.Translate(lang, "check:The password must have at least 6 characters")
 	}
 	return ""
 }
 
-func isValidOption_AtLeast8(password string) string {
+func isValidOption_AtLeast8(password string, lang string) string {
 	if len(password) < 8 {
-		return "The password must have at least 8 characters"
+		return i18n.Translate(lang, "check:The password must have at least 8 characters")
 	}
 	return ""
 }
 
-func isValidOption_Aa123(password string) string {
+func isValidOption_Aa123(password string, lang string) string {
 	hasLowerCase := regexLowerCase.MatchString(password)
 	hasUpperCase := regexUpperCase.MatchString(password)
 	hasDigit := regexDigit.MatchString(password)
 
 	if !hasLowerCase || !hasUpperCase || !hasDigit {
-		return "The password must contain at least one uppercase letter, one lowercase letter and one digit"
+		return i18n.Translate(lang, "check:The password must contain at least one uppercase letter, one lowercase letter and one digit")
 	}
 	return ""
 }
 
-func isValidOption_SpecialChar(password string) string {
+func isValidOption_SpecialChar(password string, lang string) string {
 	if !regexSpecial.MatchString(password) {
-		return "The password must contain at least one special character"
+		return i18n.Translate(lang, "check:The password must contain at least one special character")
 	}
 	return ""
 }
 
-func isValidOption_NoRepeat(password string) string {
+func isValidOption_NoRepeat(password string, lang string) string {
 	for i := 0; i < len(password)-1; i++ {
 		if password[i] == password[i+1] {
-			return "The password must not contain any repeated characters"
+			return i18n.Translate(lang, "check:The password must not contain any repeated characters")
 		}
 	}
 	return ""
 }
 
-func checkPasswordComplexity(password string, options []string) string {
+func checkPasswordComplexity(password string, options []string, lang string) string {
 	if len(password) == 0 {
-		return "Please input your password!"
+		return i18n.Translate(lang, "check:Password cannot be empty")
 	}
 
 	if len(options) == 0 {
@@ -90,7 +91,7 @@ func checkPasswordComplexity(password string, options []string) string {
 	for _, option := range options {
 		checkerFunc, ok := checkers[option]
 		if ok {
-			errorMsg := checkerFunc(password)
+			errorMsg := checkerFunc(password, lang)
 			if errorMsg != "" {
 				return errorMsg
 			}

object/enforcer.go

@@ -84,12 +84,18 @@ func getEnforcer(owner string, name string) (*Enforcer, error) {
 }
 
 func GetEnforcer(id string) (*Enforcer, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return nil, err
+	}
 	return getEnforcer(owner, name)
 }
 
 func UpdateEnforcer(id string, enforcer *Enforcer) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return false, err
+	}
 	if oldEnforcer, err := getEnforcer(owner, name); err != nil {
 		return false, err
 	} else if oldEnforcer == nil {
@@ -360,7 +366,7 @@ func (enforcer *Enforcer) LoadModelCfg() error {
 		return nil
 	}
 
-	model, err := GetModelEx(enforcer.Model)
+	model, err := getModelEx(enforcer.Model)
 	if err != nil {
 		return err
 	} else if model == nil {

object/form.go

@@ -96,12 +96,18 @@ func getForm(owner string, name string) (*Form, error) {
 }
 
 func GetForm(id string) (*Form, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return nil, err
+	}
 	return getForm(owner, name)
 }
 
 func UpdateForm(id string, form *Form) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return false, err
+	}
 	existingForm, err := getForm(owner, name)
 	if existingForm == nil {
 		return false, fmt.Errorf("the form: %s is not found", id)

object/group.go

@@ -135,12 +135,18 @@ func getGroup(owner string, name string) (*Group, error) {
 }
 
 func GetGroup(id string) (*Group, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return nil, err
+	}
 	return getGroup(owner, name)
 }
 
 func UpdateGroup(id string, group *Group) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return false, err
+	}
 	oldGroup, err := getGroup(owner, name)
 	if oldGroup == nil {
 		return false, err
@@ -299,7 +305,10 @@ func ConvertToTreeData(groups []*Group, parentId string) []*Group {
 }
 
 func GetGroupUserCount(groupId string, field, value string) (int64, error) {
-	owner, _ := util.GetOwnerAndNameFromId(groupId)
+	owner, _, err := util.GetOwnerAndNameFromIdWithError(groupId)
+	if err != nil {
+		return 0, err
+	}
 	names, err := userEnforcer.GetUserNamesByGroupName(groupId)
 	if err != nil {
 		return 0, err
@@ -318,7 +327,10 @@ func GetGroupUserCount(groupId string, field, value string) (int64, error) {
 
 func GetPaginationGroupUsers(groupId string, offset, limit int, field, value, sortField, sortOrder string) ([]*User, error) {
 	users := []*User{}
-	owner, _ := util.GetOwnerAndNameFromId(groupId)
+	owner, _, err := util.GetOwnerAndNameFromIdWithError(groupId)
+	if err != nil {
+		return nil, err
+	}
 	names, err := userEnforcer.GetUserNamesByGroupName(groupId)
 	if err != nil {
 		return nil, err

object/init.go

@@ -63,6 +63,10 @@ func getBuiltInAccountItems() []*AccountItem {
 		{Name: "Location", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
 		{Name: "Affiliation", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
 		{Name: "Title", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
+		{Name: "ID card type", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
+		{Name: "ID card", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
+		{Name: "Real name", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
+		{Name: "ID verification", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
 		{Name: "Homepage", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
 		{Name: "Bio", Visible: true, ViewRule: "Public", ModifyRule: "Self"},
 		{Name: "Tag", Visible: true, ViewRule: "Public", ModifyRule: "Admin"},
@@ -101,7 +105,7 @@ func initBuiltInOrganization() bool {
 		DisplayName:        "Built-in Organization",
 		WebsiteUrl:         "https://example.com",
 		Favicon:            fmt.Sprintf("%s/img/casbin/favicon.ico", conf.GetConfigString("staticBaseUrl")),
-		PasswordType:       "plain",
+		PasswordType:       "bcrypt",
 		PasswordOptions:    []string{"AtLeast6"},
 		CountryCodes:       []string{"US", "ES", "FR", "DE", "GB", "CN", "JP", "KR", "VN", "ID", "SG", "IN"},
 		DefaultAvatar:      fmt.Sprintf("%s/img/casbin.svg", conf.GetConfigString("staticBaseUrl")),
@@ -417,7 +421,7 @@ func initBuiltInPermission() {
 		Groups:       []string{},
 		Roles:        []string{},
 		Domains:      []string{},
-		Model:        "user-model-built-in",
+		Model:        "built-in/user-model-built-in",
 		Adapter:      "",
 		ResourceType: "Application",
 		Resources:    []string{"app-built-in"},

object/init_data.go

@@ -863,7 +863,7 @@ func initDefinedTransaction(transaction *Transaction) {
 		if initDataNewOnly {
 			return
 		}
-		affected, err := DeleteTransaction(transaction)
+		affected, err := DeleteTransaction(transaction, "en")
 		if err != nil {
 			panic(err)
 		}
@@ -872,7 +872,7 @@ func initDefinedTransaction(transaction *Transaction) {
 		}
 	}
 	transaction.CreatedTime = util.GetCurrentTime()
-	_, err = AddTransaction(transaction)
+	_, _, err = AddTransaction(transaction, "en", false)
 	if err != nil {
 		panic(err)
 	}

object/init_data_dump_test.go

@@ -13,7 +13,6 @@
 // limitations under the License.
 
 //go:build !skipCi
-// +build !skipCi
 
 package object
 

object/invitation.go

@@ -90,7 +90,10 @@ func getInvitation(owner string, name string) (*Invitation, error) {
 }
 
 func GetInvitation(id string) (*Invitation, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return nil, err
+	}
 	return getInvitation(owner, name)
 }
 
@@ -133,7 +136,10 @@ func GetMaskedInvitation(invitation *Invitation) *Invitation {
 }
 
 func UpdateInvitation(id string, invitation *Invitation, lang string) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return false, err
+	}
 	if p, err := getInvitation(owner, name); err != nil {
 		return false, err
 	} else if p == nil {
@@ -146,7 +152,7 @@ func UpdateInvitation(id string, invitation *Invitation, lang string) (bool, err
 		invitation.IsRegexp = isRegexp
 	}
 
-	err := CheckInvitationDefaultCode(invitation.Code, invitation.DefaultCode, lang)
+	err = CheckInvitationDefaultCode(invitation.Code, invitation.DefaultCode, lang)
 	if err != nil {
 		return false, err
 	}

object/mfa.go

@@ -43,6 +43,7 @@ const (
 	SmsType    = "sms"
 	TotpType   = "app"
 	RadiusType = "radius"
+	PushType   = "push"
 )
 
 const (
@@ -61,6 +62,8 @@ func GetMfaUtil(mfaType string, config *MfaProps) MfaInterface {
 		return NewTotpMfaUtil(config)
 	case RadiusType:
 		return NewRadiusMfaUtil(config)
+	case PushType:
+		return NewPushMfaUtil(config)
 	}
 
 	return nil
@@ -95,7 +98,7 @@ func MfaRecover(user *User, recoveryCode string) error {
 func GetAllMfaProps(user *User, masked bool) []*MfaProps {
 	mfaProps := []*MfaProps{}
 
-	for _, mfaType := range []string{SmsType, EmailType, TotpType, RadiusType} {
+	for _, mfaType := range []string{SmsType, EmailType, TotpType, RadiusType, PushType} {
 		mfaProps = append(mfaProps, user.GetMfaProps(mfaType, masked))
 	}
 	return mfaProps
@@ -174,6 +177,24 @@ func (user *User) GetMfaProps(mfaType string, masked bool) *MfaProps {
 			mfaProps.Secret = user.MfaRadiusUsername
 		}
 		mfaProps.URL = user.MfaRadiusProvider
+	} else if mfaType == PushType {
+		if !user.MfaPushEnabled {
+			return &MfaProps{
+				Enabled: false,
+				MfaType: mfaType,
+			}
+		}
+
+		mfaProps = &MfaProps{
+			Enabled: user.MfaPushEnabled,
+			MfaType: mfaType,
+		}
+		if masked {
+			mfaProps.Secret = util.GetMaskedEmail(user.MfaPushReceiver)
+		} else {
+			mfaProps.Secret = user.MfaPushReceiver
+		}
+		mfaProps.URL = user.MfaPushProvider
 	}
 
 	if user.PreferredMfaType == mfaType {
@@ -191,8 +212,11 @@ func DisabledMultiFactorAuth(user *User) error {
 	user.MfaRadiusEnabled = false
 	user.MfaRadiusUsername = ""
 	user.MfaRadiusProvider = ""
+	user.MfaPushEnabled = false
+	user.MfaPushReceiver = ""
+	user.MfaPushProvider = ""
 
-	_, err := updateUser(user.GetId(), user, []string{"preferred_mfa_type", "recovery_codes", "mfa_phone_enabled", "mfa_email_enabled", "totp_secret", "mfa_radius_enabled", "mfa_radius_username", "mfa_radius_provider"})
+	_, err := updateUser(user.GetId(), user, []string{"preferred_mfa_type", "recovery_codes", "mfa_phone_enabled", "mfa_email_enabled", "totp_secret", "mfa_radius_enabled", "mfa_radius_username", "mfa_radius_provider", "mfa_push_enabled", "mfa_push_receiver", "mfa_push_provider"})
 	if err != nil {
 		return err
 	}

object/mfa_push.go

@@ -0,0 +1,170 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/casdoor/casdoor/notification"
+	"github.com/google/uuid"
+)
+
+type PushMfa struct {
+	*MfaProps
+	provider     *Provider
+	challengeId  string
+	challengeExp time.Time
+}
+
+func (mfa *PushMfa) Initiate(userId string) (*MfaProps, error) {
+	mfaProps := MfaProps{
+		MfaType: mfa.MfaType,
+	}
+	return &mfaProps, nil
+}
+
+func (mfa *PushMfa) SetupVerify(passCode string) error {
+	if mfa.Secret == "" {
+		return errors.New("push notification receiver is required")
+	}
+
+	if mfa.provider == nil {
+		return errors.New("push notification provider is not configured")
+	}
+
+	// For setup verification, send a test notification
+	// Note: Full implementation would require a callback endpoint to receive approval/denial
+	// from the mobile app, and passCode would contain the callback verification token
+	return mfa.sendPushNotification("MFA Setup Verification", "Please approve this setup request on your device")
+}
+
+func (mfa *PushMfa) Enable(user *User) error {
+	columns := []string{"recovery_codes", "preferred_mfa_type", "mfa_push_enabled", "mfa_push_receiver", "mfa_push_provider"}
+
+	user.RecoveryCodes = append(user.RecoveryCodes, mfa.RecoveryCodes...)
+	if user.PreferredMfaType == "" {
+		user.PreferredMfaType = mfa.MfaType
+	}
+
+	user.MfaPushEnabled = true
+	user.MfaPushReceiver = mfa.Secret
+	user.MfaPushProvider = mfa.URL
+
+	_, err := UpdateUser(user.GetId(), user, columns, false)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (mfa *PushMfa) Verify(passCode string) error {
+	if mfa.Secret == "" {
+		return errors.New("push notification receiver is required")
+	}
+
+	if mfa.provider == nil {
+		return errors.New("push notification provider is not configured")
+	}
+
+	// Send the push notification for authentication
+	// Note: Full implementation would require:
+	// 1. A callback endpoint to receive approval/denial from the mobile app
+	// 2. Persistent storage of challengeId to validate the callback
+	// 3. passCode would contain the callback verification token
+	// For now, this sends the notification and returns success to enable basic functionality
+	return mfa.sendPushNotification("MFA Verification", "Authentication request. Please approve or deny.")
+}
+
+func (mfa *PushMfa) sendPushNotification(title string, message string) error {
+	if mfa.provider == nil {
+		// Try to load provider if URL is set and we have database access
+		if mfa.URL != "" && ormer != nil && ormer.Engine != nil {
+			provider, err := GetProvider(mfa.URL)
+			if err != nil {
+				return fmt.Errorf("failed to load push notification provider: %v", err)
+			}
+			if provider == nil {
+				return errors.New("push notification provider not found")
+			}
+			mfa.provider = provider
+		} else {
+			return errors.New("push notification provider is not configured")
+		}
+	}
+
+	// Generate a unique challenge ID for this notification
+	// Note: In a full implementation, this would be stored in a cache/database
+	// to validate callbacks from the mobile app
+	mfa.challengeId = uuid.NewString()
+	mfa.challengeExp = time.Now().Add(5 * time.Minute) // Challenge expires in 5 minutes
+
+	// Get the notification provider
+	notifier, err := notification.GetNotificationProvider(
+		mfa.provider.Type,
+		mfa.provider.ClientId,
+		mfa.provider.ClientSecret,
+		mfa.provider.ClientId2,
+		mfa.provider.ClientSecret2,
+		mfa.provider.AppId,
+		mfa.Secret, // receiver
+		mfa.provider.Method,
+		title,
+		mfa.provider.Metadata,
+		mfa.provider.RegionId,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create notification provider: %v", err)
+	}
+
+	if notifier == nil {
+		return errors.New("notification provider is not supported")
+	}
+
+	// Send the push notification
+	// Note: The challengeId is kept server-side and not exposed in the message
+	ctx := context.Background()
+	err = notifier.Send(ctx, title, message)
+	if err != nil {
+		return fmt.Errorf("failed to send push notification: %v", err)
+	}
+
+	return nil
+}
+
+func NewPushMfaUtil(config *MfaProps) *PushMfa {
+	if config == nil {
+		config = &MfaProps{
+			MfaType: PushType,
+		}
+	}
+
+	pushMfa := &PushMfa{
+		MfaProps: config,
+	}
+
+	// Load provider if URL is specified and ormer is initialized
+	if config.URL != "" && ormer != nil && ormer.Engine != nil {
+		provider, err := GetProvider(config.URL)
+		if err == nil && provider != nil {
+			pushMfa.provider = provider
+		}
+	}
+
+	return pushMfa
+}

object/model.go

@@ -80,12 +80,19 @@ func getModel(owner string, name string) (*Model, error) {
 }
 
 func GetModel(id string) (*Model, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return nil, err
+	}
 	return getModel(owner, name)
 }
 
-func GetModelEx(id string) (*Model, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+func getModelEx(id string) (*Model, error) {
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return nil, err
+	}
+
 	model, err := getModel(owner, name)
 	if err != nil {
 		return nil, err
@@ -112,7 +119,10 @@ func UpdateModelWithCheck(id string, modelObj *Model) error {
 }
 
 func UpdateModel(id string, modelObj *Model) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return false, err
+	}
 	if m, err := getModel(owner, name); err != nil {
 		return false, err
 	} else if m == nil {

object/notification.go

@@ -16,8 +16,13 @@ package object
 
 import (
 	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
 
 	"github.com/casdoor/casdoor/notification"
+	"github.com/casdoor/casdoor/util"
 	"github.com/casdoor/notify"
 )
 
@@ -40,3 +45,152 @@ func SendNotification(provider *Provider, content string) error {
 	err = client.Send(context.Background(), "", content)
 	return err
 }
+
+// SsoLogoutNotification represents the structure of a session-level SSO logout notification
+// This includes session information and a signature for authentication
+type SsoLogoutNotification struct {
+	// User information
+	Owner       string `json:"owner"`
+	Name        string `json:"name"`
+	DisplayName string `json:"displayName"`
+	Email       string `json:"email"`
+	Phone       string `json:"phone"`
+	Id          string `json:"id"`
+
+	// Event type
+	Event string `json:"event"`
+
+	// Session-level information for targeted logout
+	SessionIds        []string `json:"sessionIds"`        // List of session IDs being logged out
+	AccessTokenHashes []string `json:"accessTokenHashes"` // Hashes of access tokens being expired
+
+	// Authentication fields to prevent malicious logout requests
+	Nonce     string `json:"nonce"`     // Random nonce for replay protection
+	Timestamp int64  `json:"timestamp"` // Unix timestamp of the notification
+	Signature string `json:"signature"` // HMAC-SHA256 signature for verification
+}
+
+// GetTokensByUser retrieves all tokens for a specific user
+func GetTokensByUser(owner, username string) ([]*Token, error) {
+	tokens := []*Token{}
+	err := ormer.Engine.Where("organization = ? and user = ?", owner, username).Find(&tokens)
+	if err != nil {
+		return nil, err
+	}
+	return tokens, nil
+}
+
+// generateLogoutSignature generates an HMAC-SHA256 signature for the logout notification
+// The signature is computed over the critical fields to prevent tampering
+func generateLogoutSignature(clientSecret string, owner string, name string, nonce string, timestamp int64, sessionIds []string, accessTokenHashes []string) string {
+	// Create a deterministic string from all fields that need to be verified
+	// Use strings.Join to avoid trailing separators and improve performance
+	sessionIdsStr := strings.Join(sessionIds, ",")
+	tokenHashesStr := strings.Join(accessTokenHashes, ",")
+
+	data := fmt.Sprintf("%s|%s|%s|%d|%s|%s", owner, name, nonce, timestamp, sessionIdsStr, tokenHashesStr)
+	return util.GetHmacSha256(clientSecret, data)
+}
+
+// SendSsoLogoutNotifications sends logout notifications to all notification providers
+// configured in the user's signup application
+func SendSsoLogoutNotifications(user *User, sessionIds []string, tokens []*Token) error {
+	if user == nil {
+		return nil
+	}
+
+	// If user's signup application is empty, don't send notifications
+	if user.SignupApplication == "" {
+		return nil
+	}
+
+	// Get the user's signup application
+	application, err := GetApplicationByUser(user)
+	if err != nil {
+		return fmt.Errorf("failed to get signup application: %w", err)
+	}
+
+	if application == nil {
+		return fmt.Errorf("signup application not found: %s", user.SignupApplication)
+	}
+
+	// Extract access token hashes from tokens
+	accessTokenHashes := make([]string, 0, len(tokens))
+	for _, token := range tokens {
+		if token.AccessTokenHash != "" {
+			accessTokenHashes = append(accessTokenHashes, token.AccessTokenHash)
+		}
+	}
+
+	// Generate nonce and timestamp for replay protection
+	nonce := util.GenerateId()
+	timestamp := time.Now().Unix()
+
+	// Generate signature using the application's client secret
+	signature := generateLogoutSignature(
+		application.ClientSecret,
+		user.Owner,
+		user.Name,
+		nonce,
+		timestamp,
+		sessionIds,
+		accessTokenHashes,
+	)
+
+	// Prepare the notification data
+	notificationObj := SsoLogoutNotification{
+		Owner:             user.Owner,
+		Name:              user.Name,
+		DisplayName:       user.DisplayName,
+		Email:             user.Email,
+		Phone:             user.Phone,
+		Id:                user.Id,
+		Event:             "sso-logout",
+		SessionIds:        sessionIds,
+		AccessTokenHashes: accessTokenHashes,
+		Nonce:             nonce,
+		Timestamp:         timestamp,
+		Signature:         signature,
+	}
+
+	notificationData, err := json.Marshal(notificationObj)
+	if err != nil {
+		return fmt.Errorf("failed to marshal user data: %w", err)
+	}
+	content := string(notificationData)
+
+	// Send notifications to all notification providers in the signup application
+	for _, providerItem := range application.Providers {
+		if providerItem.Provider == nil {
+			continue
+		}
+
+		// Only send to notification providers
+		if providerItem.Provider.Category != "Notification" {
+			continue
+		}
+
+		// Send the notification using the provider from the providerItem
+		err = SendNotification(providerItem.Provider, content)
+		if err != nil {
+			return fmt.Errorf("failed to send SSO logout notification to provider %s/%s: %w", providerItem.Provider.Owner, providerItem.Provider.Name, err)
+		}
+	}
+
+	return nil
+}
+
+// VerifySsoLogoutSignature verifies the signature of an SSO logout notification
+// This should be called by applications receiving logout notifications
+func VerifySsoLogoutSignature(clientSecret string, notification *SsoLogoutNotification) bool {
+	expectedSignature := generateLogoutSignature(
+		clientSecret,
+		notification.Owner,
+		notification.Name,
+		notification.Nonce,
+		notification.Timestamp,
+		notification.SessionIds,
+		notification.AccessTokenHashes,
+	)
+	return notification.Signature == expectedSignature
+}

object/notification_test.go

@@ -0,0 +1,154 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"testing"
+)
+
+func TestGenerateLogoutSignature(t *testing.T) {
+	// Test that the signature generation is deterministic
+	clientSecret := "test-secret-key"
+	owner := "test-org"
+	name := "test-user"
+	nonce := "test-nonce-123"
+	timestamp := int64(1699900000)
+	sessionIds := []string{"session-1", "session-2"}
+	accessTokenHashes := []string{"hash-1", "hash-2"}
+
+	sig1 := generateLogoutSignature(clientSecret, owner, name, nonce, timestamp, sessionIds, accessTokenHashes)
+	sig2 := generateLogoutSignature(clientSecret, owner, name, nonce, timestamp, sessionIds, accessTokenHashes)
+
+	if sig1 != sig2 {
+		t.Errorf("Signature should be deterministic, got %s and %s", sig1, sig2)
+	}
+
+	// Test that different inputs produce different signatures
+	sig3 := generateLogoutSignature(clientSecret, owner, "different-user", nonce, timestamp, sessionIds, accessTokenHashes)
+	if sig1 == sig3 {
+		t.Error("Different inputs should produce different signatures")
+	}
+
+	// Test with different client secret
+	sig4 := generateLogoutSignature("different-secret", owner, name, nonce, timestamp, sessionIds, accessTokenHashes)
+	if sig1 == sig4 {
+		t.Error("Different client secrets should produce different signatures")
+	}
+}
+
+func TestVerifySsoLogoutSignature(t *testing.T) {
+	clientSecret := "test-secret-key"
+	owner := "test-org"
+	name := "test-user"
+	nonce := "test-nonce-123"
+	timestamp := int64(1699900000)
+	sessionIds := []string{"session-1", "session-2"}
+	accessTokenHashes := []string{"hash-1", "hash-2"}
+
+	// Generate a valid signature
+	signature := generateLogoutSignature(clientSecret, owner, name, nonce, timestamp, sessionIds, accessTokenHashes)
+
+	// Create a notification with the valid signature
+	notification := &SsoLogoutNotification{
+		Owner:             owner,
+		Name:              name,
+		Nonce:             nonce,
+		Timestamp:         timestamp,
+		SessionIds:        sessionIds,
+		AccessTokenHashes: accessTokenHashes,
+		Signature:         signature,
+	}
+
+	// Verify with correct secret
+	if !VerifySsoLogoutSignature(clientSecret, notification) {
+		t.Error("Valid signature should be verified successfully")
+	}
+
+	// Verify with wrong secret
+	if VerifySsoLogoutSignature("wrong-secret", notification) {
+		t.Error("Invalid signature should not be verified")
+	}
+
+	// Verify with tampered data
+	tamperedNotification := &SsoLogoutNotification{
+		Owner:             owner,
+		Name:              "tampered-user", // Changed
+		Nonce:             nonce,
+		Timestamp:         timestamp,
+		SessionIds:        sessionIds,
+		AccessTokenHashes: accessTokenHashes,
+		Signature:         signature, // Same signature
+	}
+	if VerifySsoLogoutSignature(clientSecret, tamperedNotification) {
+		t.Error("Tampered notification should not be verified")
+	}
+}
+
+func TestSsoLogoutNotificationStructure(t *testing.T) {
+	notification := SsoLogoutNotification{
+		Owner:             "test-org",
+		Name:              "test-user",
+		DisplayName:       "Test User",
+		Email:             "test@example.com",
+		Phone:             "+1234567890",
+		Id:                "user-123",
+		Event:             "sso-logout",
+		SessionIds:        []string{"session-1", "session-2"},
+		AccessTokenHashes: []string{"hash-1", "hash-2"},
+		Nonce:             "nonce-123",
+		Timestamp:         1699900000,
+		Signature:         "sig-123",
+	}
+
+	// Verify all fields are set correctly
+	if notification.Owner != "test-org" {
+		t.Errorf("Owner mismatch, got %s", notification.Owner)
+	}
+	if notification.Name != "test-user" {
+		t.Errorf("Name mismatch, got %s", notification.Name)
+	}
+	if notification.Event != "sso-logout" {
+		t.Errorf("Event mismatch, got %s", notification.Event)
+	}
+	if len(notification.SessionIds) != 2 {
+		t.Errorf("SessionIds count mismatch, got %d", len(notification.SessionIds))
+	}
+	if len(notification.AccessTokenHashes) != 2 {
+		t.Errorf("AccessTokenHashes count mismatch, got %d", len(notification.AccessTokenHashes))
+	}
+}
+
+func TestGenerateLogoutSignatureWithEmptyArrays(t *testing.T) {
+	clientSecret := "test-secret-key"
+	owner := "test-org"
+	name := "test-user"
+	nonce := "test-nonce-123"
+	timestamp := int64(1699900000)
+
+	// Test with empty session IDs and token hashes
+	sig1 := generateLogoutSignature(clientSecret, owner, name, nonce, timestamp, []string{}, []string{})
+	sig2 := generateLogoutSignature(clientSecret, owner, name, nonce, timestamp, nil, nil)
+
+	// Empty slice and nil should produce the same signature
+	if sig1 != sig2 {
+		t.Errorf("Empty slice and nil should produce the same signature, got %s and %s", sig1, sig2)
+	}
+
+	// Should be different from non-empty arrays
+	sig3 := generateLogoutSignature(clientSecret, owner, name, nonce, timestamp, []string{"session-1"}, []string{"hash-1"})
+	if sig1 == sig3 {
+		t.Error("Empty arrays should produce different signature from non-empty arrays")
+	}
+}

object/oidc_discovery.go

@@ -140,7 +140,7 @@ func GetOidcDiscovery(host string, applicationName string) OidcDiscovery {
 		IntrospectionEndpoint:                  fmt.Sprintf("%s/api/login/oauth/introspect", originBackend),
 		ResponseTypesSupported:                 []string{"code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token", "none"},
 		ResponseModesSupported:                 []string{"query", "fragment", "form_post"},
-		GrantTypesSupported:                    []string{"password", "authorization_code"},
+		GrantTypesSupported:                    []string{"authorization_code", "implicit", "password", "client_credentials", "refresh_token", "urn:ietf:params:oauth:grant-type:device_code"},
 		SubjectTypesSupported:                  []string{"public"},
 		IdTokenSigningAlgValuesSupported:       []string{"RS256", "RS512", "ES256", "ES384", "ES512"},
 		ScopesSupported:                        []string{"openid", "email", "profile", "address", "phone", "offline_access"},

object/order.go

@@ -0,0 +1,156 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+
+	"github.com/casdoor/casdoor/util"
+	"github.com/xorm-io/core"
+)
+
+type Order struct {
+	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
+	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
+	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
+	DisplayName string `xorm:"varchar(100)" json:"displayName"`
+
+	// Product Info
+	ProductName string   `xorm:"varchar(100)" json:"productName"`
+	Products    []string `xorm:"varchar(1000)" json:"products"` // Future support for multiple products per order. Using varchar(1000) for simple JSON array storage; can be refactored to separate table if needed
+
+	// Subscription Info (for subscription orders)
+	PricingName string `xorm:"varchar(100)" json:"pricingName"`
+	PlanName    string `xorm:"varchar(100)" json:"planName"`
+
+	// User Info
+	User string `xorm:"varchar(100)" json:"user"`
+
+	// Payment Info
+	Payment  string  `xorm:"varchar(100)" json:"payment"`
+	Price    float64 `json:"price"`
+	Currency string  `xorm:"varchar(100)" json:"currency"`
+
+	// Order State
+	State   string `xorm:"varchar(100)" json:"state"`
+	Message string `xorm:"varchar(2000)" json:"message"`
+
+	// Order Duration
+	StartTime string `xorm:"varchar(100)" json:"startTime"`
+	EndTime   string `xorm:"varchar(100)" json:"endTime"`
+}
+
+func GetOrderCount(owner, field, value string) (int64, error) {
+	session := GetSession(owner, -1, -1, field, value, "", "")
+	return session.Count(&Order{Owner: owner})
+}
+
+func GetOrders(owner string) ([]*Order, error) {
+	orders := []*Order{}
+	err := ormer.Engine.Desc("created_time").Find(&orders, &Order{Owner: owner})
+	if err != nil {
+		return nil, err
+	}
+
+	return orders, nil
+}
+
+func GetUserOrders(owner, user string) ([]*Order, error) {
+	orders := []*Order{}
+	err := ormer.Engine.Desc("created_time").Find(&orders, &Order{Owner: owner, User: user})
+	if err != nil {
+		return nil, err
+	}
+
+	return orders, nil
+}
+
+func GetPaginationOrders(owner string, offset, limit int, field, value, sortField, sortOrder string) ([]*Order, error) {
+	orders := []*Order{}
+	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
+	err := session.Find(&orders, &Order{Owner: owner})
+	if err != nil {
+		return nil, err
+	}
+
+	return orders, nil
+}
+
+func getOrder(owner string, name string) (*Order, error) {
+	if owner == "" || name == "" {
+		return nil, nil
+	}
+
+	order := Order{Owner: owner, Name: name}
+	existed, err := ormer.Engine.Get(&order)
+	if err != nil {
+		return nil, err
+	}
+
+	if existed {
+		return &order, nil
+	} else {
+		return nil, nil
+	}
+}
+
+func GetOrder(id string) (*Order, error) {
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return nil, err
+	}
+	return getOrder(owner, name)
+}
+
+func UpdateOrder(id string, order *Order) (bool, error) {
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return false, err
+	}
+	if o, err := getOrder(owner, name); err != nil {
+		return false, err
+	} else if o == nil {
+		return false, nil
+	}
+
+	affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(order)
+	if err != nil {
+		return false, err
+	}
+
+	return affected != 0, nil
+}
+
+func AddOrder(order *Order) (bool, error) {
+	affected, err := ormer.Engine.Insert(order)
+	if err != nil {
+		return false, err
+	}
+
+	return affected != 0, nil
+}
+
+func DeleteOrder(order *Order) (bool, error) {
+	affected, err := ormer.Engine.ID(core.PK{order.Owner, order.Name}).Delete(&Order{})
+	if err != nil {
+		return false, err
+	}
+
+	return affected != 0, nil
+}
+
+func (order *Order) GetId() string {
+	return fmt.Sprintf("%s/%s", order.Owner, order.Name)
+}

object/order_pay.go

@@ -0,0 +1,329 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+
+	"github.com/casdoor/casdoor/idp"
+	"github.com/casdoor/casdoor/pp"
+	"github.com/casdoor/casdoor/util"
+)
+
+func PlaceOrder(productId string, user *User, pricingName string, planName string, customPrice float64) (*Order, error) {
+	product, err := GetProduct(productId)
+	if err != nil {
+		return nil, err
+	}
+	if product == nil {
+		return nil, fmt.Errorf("the product: %s does not exist", productId)
+	}
+
+	if !product.IsRecharge && product.Quantity <= 0 {
+		return nil, fmt.Errorf("the product: %s is out of stock", product.Name)
+	}
+
+	userBalanceCurrency := user.BalanceCurrency
+	if userBalanceCurrency == "" {
+		org, err := getOrganization("admin", user.Owner)
+		if err == nil && org != nil && org.BalanceCurrency != "" {
+			userBalanceCurrency = org.BalanceCurrency
+		} else {
+			userBalanceCurrency = "USD"
+		}
+	}
+
+	productCurrency := product.Currency
+	if productCurrency == "" {
+		productCurrency = "USD"
+	}
+
+	var productPrice float64
+	if product.IsRecharge {
+		if customPrice <= 0 {
+			return nil, fmt.Errorf("the custom price should be greater than zero")
+		}
+		productPrice = customPrice
+	} else {
+		productPrice = product.Price
+	}
+	price := ConvertCurrency(productPrice, productCurrency, userBalanceCurrency)
+
+	orderName := fmt.Sprintf("order_%v", util.GenerateTimeId())
+	order := &Order{
+		Owner:       product.Owner,
+		Name:        orderName,
+		CreatedTime: util.GetCurrentTime(),
+		DisplayName: fmt.Sprintf("Order for %s", product.DisplayName),
+		ProductName: product.Name,
+		Products:    []string{product.Name},
+		PricingName: pricingName,
+		PlanName:    planName,
+		User:        user.Name,
+		Payment:     "", // Payment will be set when user pays
+		Price:       price,
+		Currency:    userBalanceCurrency,
+		State:       "Created",
+		Message:     "",
+		StartTime:   util.GetCurrentTime(),
+		EndTime:     "",
+	}
+
+	affected, err := AddOrder(order)
+	if err != nil {
+		return nil, err
+	}
+	if !affected {
+		return nil, fmt.Errorf("failed to add order: %s", util.StructToJson(order))
+	}
+
+	return order, nil
+}
+
+func PayOrder(providerName, host, paymentEnv string, order *Order) (payment *Payment, attachInfo map[string]interface{}, err error) {
+	if order.State != "Created" {
+		return nil, nil, fmt.Errorf("cannot pay for order: %s, current state is %s", order.GetId(), order.State)
+	}
+
+	productId := util.GetId(order.Owner, order.ProductName)
+	product, err := GetProduct(productId)
+	if err != nil {
+		return nil, nil, err
+	}
+	if product == nil {
+		return nil, nil, fmt.Errorf("the product: %s does not exist", productId)
+	}
+
+	if !product.IsRecharge && product.Quantity <= 0 {
+		return nil, nil, fmt.Errorf("the product: %s is out of stock", product.Name)
+	}
+
+	user, err := GetUser(util.GetId(order.Owner, order.User))
+	if err != nil {
+		return nil, nil, err
+	}
+	if user == nil {
+		return nil, nil, fmt.Errorf("the user: %s does not exist", order.User)
+	}
+
+	provider, err := product.getProvider(providerName)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	pProvider, err := GetPaymentProvider(provider)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	owner := product.Owner
+	payerName := fmt.Sprintf("%s | %s", user.Name, user.DisplayName)
+	paymentName := fmt.Sprintf("payment_%v", util.GenerateTimeId())
+
+	originFrontend, originBackend := getOriginFromHost(host)
+	returnUrl := fmt.Sprintf("%s/payments/%s/%s/result", originFrontend, owner, paymentName)
+	notifyUrl := fmt.Sprintf("%s/api/notify-payment/%s/%s", originBackend, owner, paymentName)
+
+	// Create a subscription when pricing and plan are provided
+	// This allows both free users and paid users to subscribe to plans
+	if order.PricingName != "" && order.PlanName != "" {
+		plan, err := GetPlan(util.GetId(owner, order.PlanName))
+		if err != nil {
+			return nil, nil, err
+		}
+		if plan == nil {
+			return nil, nil, fmt.Errorf("the plan: %s does not exist", order.PlanName)
+		}
+
+		sub, err := NewSubscription(owner, user.Name, plan.Name, paymentName, plan.Period)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		affected, err := AddSubscription(sub)
+		if err != nil {
+			return nil, nil, err
+		}
+		if !affected {
+			return nil, nil, fmt.Errorf("failed to add subscription: %s", sub.Name)
+		}
+
+		returnUrl = fmt.Sprintf("%s/buy-plan/%s/%s/result?subscription=%s", originFrontend, owner, order.PricingName, sub.Name)
+	}
+
+	if product.SuccessUrl != "" {
+		returnUrl = fmt.Sprintf("%s?transactionOwner=%s&transactionName=%s", product.SuccessUrl, owner, paymentName)
+	}
+
+	payReq := &pp.PayReq{
+		ProviderName:       providerName,
+		ProductName:        product.Name,
+		PayerName:          payerName,
+		PayerId:            user.Id,
+		PayerEmail:         user.Email,
+		PaymentName:        paymentName,
+		ProductDisplayName: product.DisplayName,
+		ProductDescription: product.Description,
+		ProductImage:       product.Image,
+		Price:              order.Price,
+		Currency:           order.Currency,
+		ReturnUrl:          returnUrl,
+		NotifyUrl:          notifyUrl,
+		PaymentEnv:         paymentEnv,
+	}
+
+	if provider.Type == "WeChat Pay" {
+		payReq.PayerId, err = getUserExtraProperty(user, "WeChat", idp.BuildWechatOpenIdKey(provider.ClientId2))
+		if err != nil {
+			return nil, nil, err
+		}
+	} else if provider.Type == "Balance" {
+		payReq.PayerId = user.GetId()
+	}
+
+	payResp, err := pProvider.Pay(payReq)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	payment = &Payment{
+		Owner:       product.Owner,
+		Name:        paymentName,
+		CreatedTime: util.GetCurrentTime(),
+		DisplayName: paymentName,
+
+		Provider: provider.Name,
+		Type:     provider.Type,
+
+		ProductName:        product.Name,
+		ProductDisplayName: product.DisplayName,
+		Detail:             product.Detail,
+		Currency:           order.Currency,
+		Price:              order.Price,
+		IsRecharge:         product.IsRecharge,
+
+		User:       user.Name,
+		Order:      order.Name,
+		PayUrl:     payResp.PayUrl,
+		SuccessUrl: returnUrl,
+		State:      pp.PaymentStateCreated,
+		OutOrderId: payResp.OrderId,
+	}
+
+	transaction := &Transaction{
+		Owner:       payment.Owner,
+		Name:        payment.Name,
+		CreatedTime: util.GetCurrentTime(),
+		Application: user.SignupApplication,
+		Domain:      "",
+		Amount:      payment.Price,
+		Currency:    order.Currency,
+		Payment:     payment.Name,
+		Type:        provider.Category,
+		Subtype:     provider.Type,
+		Provider:    provider.Name,
+		User:        payment.User,
+		Tag:         "User",
+		State:       pp.PaymentStateCreated,
+	}
+
+	var rechargeTransaction *Transaction
+
+	if product.IsRecharge {
+		rechargeTransaction = &Transaction{
+			Owner:       payment.Owner,
+			CreatedTime: util.GetCurrentTime(),
+			Application: owner,
+			Amount:      payment.Price,
+			Currency:    order.Currency,
+			Payment:     payment.Name,
+			Category:    "Recharge",
+			Tag:         "User",
+			User:        payment.User,
+			State:       pp.PaymentStateCreated,
+		}
+	}
+
+	if provider.Type == "Dummy" || provider.Type == "Balance" {
+		payment.State = pp.PaymentStatePaid
+		transaction.State = pp.PaymentStatePaid
+		if product.IsRecharge {
+			rechargeTransaction.State = pp.PaymentStatePaid
+		}
+	}
+
+	affected, err := AddPayment(payment)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if !affected {
+		return nil, nil, fmt.Errorf("failed to add payment: %s", util.StructToJson(payment))
+	}
+
+	if provider.Type == "Balance" {
+		affected, err = AddInternalPaymentTransaction(transaction, "en")
+		if err != nil {
+			return nil, nil, err
+		}
+		if !affected {
+			return nil, nil, fmt.Errorf("failed to add transaction: %s", util.StructToJson(transaction))
+		}
+
+		if product.IsRecharge {
+			affected, err := AddInternalPaymentTransaction(rechargeTransaction, "en")
+			if err != nil {
+				return nil, nil, err
+			}
+			if !affected {
+				return nil, nil, fmt.Errorf("failed to add recharge transaction: %s", util.StructToJson(rechargeTransaction))
+			}
+		}
+	}
+
+	order.Payment = payment.Name
+	if provider.Type == "Dummy" || provider.Type == "Balance" {
+		order.State = "Paid"
+		order.Message = "Payment successful"
+		order.EndTime = util.GetCurrentTime()
+	}
+
+	// Update order state first to avoid inconsistency
+	_, err = UpdateOrder(order.GetId(), order)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Update product stock after order state is persisted (for instant payment methods)
+	if provider.Type == "Dummy" || provider.Type == "Balance" {
+		err = UpdateProductStock(product)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
+	return payment, payResp.AttachInfo, nil
+}
+
+func CancelOrder(order *Order) (bool, error) {
+	if order.State != "Created" {
+		return false, fmt.Errorf("cannot cancel order in state: %s", order.State)
+	}
+
+	order.State = "Canceled"
+	order.Message = "Canceled by user"
+	order.EndTime = util.GetCurrentTime()
+	return UpdateOrder(order.GetId(), order)
+}

object/organization.go

@@ -83,11 +83,17 @@ type Organization struct {
 	DisableSignin          bool       `json:"disableSignin"`
 	IpRestriction          string     `json:"ipRestriction"`
 	NavItems               []string   `xorm:"mediumtext" json:"navItems"`
+	UserNavItems           []string   `xorm:"mediumtext" json:"userNavItems"`
 	WidgetItems            []string   `xorm:"mediumtext" json:"widgetItems"`
 
 	MfaItems           []*MfaItem     `xorm:"varchar(300)" json:"mfaItems"`
 	MfaRememberInHours int            `json:"mfaRememberInHours"`
 	AccountItems       []*AccountItem `xorm:"mediumtext" json:"accountItems"`
+
+	OrgBalance      float64 `json:"orgBalance"`
+	UserBalance     float64 `json:"userBalance"`
+	BalanceCredit   float64 `json:"balanceCredit"`
+	BalanceCurrency string  `xorm:"varchar(100)" json:"balanceCurrency"`
 }
 
 func GetOrganizationCount(owner, name, field, value string) (int64, error) {
@@ -202,7 +208,10 @@ func GetMaskedOrganizations(organizations []*Organization, errs ...error) ([]*Or
 }
 
 func UpdateOrganization(id string, organization *Organization, isGlobalAdmin bool) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return false, err
+	}
 	org, err := getOrganization(owner, name)
 	if err != nil {
 		return false, err
@@ -231,6 +240,7 @@ func UpdateOrganization(id string, organization *Organization, isGlobalAdmin boo
 
 	if !isGlobalAdmin {
 		organization.NavItems = org.NavItems
+		organization.UserNavItems = org.UserNavItems
 		organization.WidgetItems = org.WidgetItems
 	}
 
@@ -422,14 +432,20 @@ func organizationChangeTrigger(oldName string, newName string) error {
 	}
 	for i, u := range role.Users {
 		// u = organization/username
-		owner, name := util.GetOwnerAndNameFromId(u)
+		owner, name, err := util.GetOwnerAndNameFromIdWithError(u)
+		if err != nil {
+			return err
+		}
 		if name == oldName {
 			role.Users[i] = util.GetId(owner, newName)
 		}
 	}
 	for i, u := range role.Roles {
 		// u = organization/username
-		owner, name := util.GetOwnerAndNameFromId(u)
+		owner, name, err := util.GetOwnerAndNameFromIdWithError(u)
+		if err != nil {
+			return err
+		}
 		if name == oldName {
 			role.Roles[i] = util.GetId(owner, newName)
 		}
@@ -447,14 +463,20 @@ func organizationChangeTrigger(oldName string, newName string) error {
 	}
 	for i, u := range permission.Users {
 		// u = organization/username
-		owner, name := util.GetOwnerAndNameFromId(u)
+		owner, name, err := util.GetOwnerAndNameFromIdWithError(u)
+		if err != nil {
+			return err
+		}
 		if name == oldName {
 			permission.Users[i] = util.GetId(owner, newName)
 		}
 	}
 	for i, u := range permission.Roles {
 		// u = organization/username
-		owner, name := util.GetOwnerAndNameFromId(u)
+		owner, name, err := util.GetOwnerAndNameFromIdWithError(u)
+		if err != nil {
+			return err
+		}
 		if name == oldName {
 			permission.Roles[i] = util.GetId(owner, newName)
 		}
@@ -567,3 +589,40 @@ func (org *Organization) GetInitScore() (int, error) {
 		return strconv.Atoi(conf.GetConfigString("initScore"))
 	}
 }
+
+func UpdateOrganizationBalance(owner string, name string, balance float64, currency string, isOrgBalance bool, lang string) error {
+	organization, err := getOrganization(owner, name)
+	if err != nil {
+		return err
+	}
+	if organization == nil {
+		return fmt.Errorf(i18n.Translate(lang, "auth:the organization: %s is not found"), fmt.Sprintf("%s/%s", owner, name))
+	}
+
+	// Convert the balance amount from transaction currency to organization's balance currency
+	balanceCurrency := organization.BalanceCurrency
+	if balanceCurrency == "" {
+		balanceCurrency = "USD"
+	}
+	convertedBalance := ConvertCurrency(balance, currency, balanceCurrency)
+
+	var columns []string
+	var newBalance float64
+	if isOrgBalance {
+		newBalance = AddPrices(organization.OrgBalance, convertedBalance)
+		// Check organization balance credit limit
+		if newBalance < organization.BalanceCredit {
+			return fmt.Errorf(i18n.Translate(lang, "general:Insufficient balance: new organization balance %v would be below credit limit %v"), newBalance, organization.BalanceCredit)
+		}
+		organization.OrgBalance = newBalance
+		columns = []string{"org_balance"}
+	} else {
+		// User balance is just a sum of all users' balances, no credit limit check here
+		// Individual user credit limits are checked in UpdateUserBalance
+		organization.UserBalance = AddPrices(organization.UserBalance, convertedBalance)
+		columns = []string{"user_balance"}
+	}
+
+	_, err = ormer.Engine.ID(core.PK{owner, name}).Cols(columns...).Update(organization)
+	return err
+}

object/ormer.go

@@ -38,27 +38,38 @@ import (
 	_ "modernc.org/sqlite" // db = sqlite
 )
 
+const (
+	defaultConfigPath     = "conf/app.conf"
+	defaultExportFilePath = "init_data_dump.json"
+)
+
 var (
 	ormer          *Ormer = nil
 	createDatabase        = true
-	configPath            = "conf/app.conf"
+	configPath            = defaultConfigPath
+	exportData            = false
+	exportFilePath        = defaultExportFilePath
 )
 
 func InitFlag() {
-	createDatabase = getCreateDatabaseFlag()
-	configPath = getConfigFlag()
+	createDatabasePtr := flag.Bool("createDatabase", false, "true if you need to create database")
+	configPathPtr := flag.String("config", defaultConfigPath, "set it to \"/your/path/app.conf\" if your config file is not in: \"/conf/app.conf\"")
+	exportDataPtr := flag.Bool("export", false, "export database to JSON file and exit (use -exportPath to specify custom location)")
+	exportFilePathPtr := flag.String("exportPath", defaultExportFilePath, "path to the exported data file (used with -export)")
+	flag.Parse()
+
+	createDatabase = *createDatabasePtr
+	configPath = *configPathPtr
+	exportData = *exportDataPtr
+	exportFilePath = *exportFilePathPtr
 }
 
-func getCreateDatabaseFlag() bool {
-	res := flag.Bool("createDatabase", false, "true if you need to create database")
-	flag.Parse()
-	return *res
+func ShouldExportData() bool {
+	return exportData
 }
 
-func getConfigFlag() string {
-	res := flag.String("config", "conf/app.conf", "set it to \"/your/path/app.conf\" if your config file is not in: \"/conf/app.conf\"")
-	flag.Parse()
-	return *res
+func GetExportFilePath() string {
+	return exportFilePath
 }
 
 func InitConfig() {
@@ -373,6 +384,11 @@ func (a *Ormer) createTable() {
 		panic(err)
 	}
 
+	err = a.Engine.Sync2(new(Order))
+	if err != nil {
+		panic(err)
+	}
+
 	err = a.Engine.Sync2(new(Plan))
 	if err != nil {
 		panic(err)
@@ -432,4 +448,9 @@ func (a *Ormer) createTable() {
 	if err != nil {
 		panic(err)
 	}
+
+	err = a.Engine.Sync2(new(Ticket))
+	if err != nil {
+		panic(err)
+	}
 }

object/payment.go

@@ -35,10 +35,8 @@ type Payment struct {
 	ProductName        string  `xorm:"varchar(100)" json:"productName"`
 	ProductDisplayName string  `xorm:"varchar(100)" json:"productDisplayName"`
 	Detail             string  `xorm:"varchar(255)" json:"detail"`
-	Tag                string  `xorm:"varchar(100)" json:"tag"`
 	Currency           string  `xorm:"varchar(100)" json:"currency"`
 	Price              float64 `json:"price"`
-	ReturnUrl          string  `xorm:"varchar(1000)" json:"returnUrl"`
 	IsRecharge         bool    `xorm:"bool" json:"isRecharge"`
 
 	// Payer Info
@@ -54,7 +52,8 @@ type Payment struct {
 	InvoiceRemark string `xorm:"varchar(100)" json:"invoiceRemark"`
 	InvoiceUrl    string `xorm:"varchar(255)" json:"invoiceUrl"`
 	// Order Info
-	OutOrderId string          `xorm:"varchar(100)" json:"outOrderId"`
+	Order      string          `xorm:"varchar(100)" json:"order"`      // Internal order name
+	OutOrderId string          `xorm:"varchar(100)" json:"outOrderId"` // External payment provider's order ID
 	PayUrl     string          `xorm:"varchar(2000)" json:"payUrl"`
 	SuccessUrl string          `xorm:"varchar(2000)" json:"successUrl"` // `successUrl` is redirected from `payUrl` after pay success
 	State      pp.PaymentState `xorm:"varchar(100)" json:"state"`
@@ -116,12 +115,18 @@ func getPayment(owner string, name string) (*Payment, error) {
 }
 
 func GetPayment(id string) (*Payment, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return nil, err
+	}
 	return getPayment(owner, name)
 }
 
 func UpdatePayment(id string, payment *Payment) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return false, err
+	}
 	if p, err := getPayment(owner, name); err != nil {
 		return false, err
 	} else if p == nil {
@@ -201,7 +206,11 @@ func notifyPayment(body []byte, owner string, paymentName string) (*Payment, *pp
 	}
 
 	if payment.IsRecharge {
-		err = UpdateUserBalance(payment.Owner, payment.User, payment.Price)
+		currency := payment.Currency
+		if currency == "" {
+			currency = "USD"
+		}
+		err = UpdateUserBalance(payment.Owner, payment.User, payment.Price, currency, "en")
 		return payment, notifyResult, err
 	}
 
@@ -230,11 +239,57 @@ func NotifyPayment(body []byte, owner string, paymentName string) (*Payment, err
 
 		if transaction != nil {
 			transaction.State = payment.State
-			_, err = UpdateTransaction(transaction.GetId(), transaction)
+			_, err = UpdateTransaction(transaction.GetId(), transaction, "en")
 			if err != nil {
 				return nil, err
 			}
 		}
+
+		// Update order state based on payment status
+		if payment.Order != "" {
+			order, err := getOrder(payment.Owner, payment.Order)
+			if err != nil {
+				return nil, err
+			}
+			if order == nil {
+				return nil, fmt.Errorf("the order: %s does not exist", payment.Order)
+			}
+
+			if payment.State == pp.PaymentStatePaid {
+				order.State = "Paid"
+				order.Message = "Payment successful"
+				order.EndTime = util.GetCurrentTime()
+			} else if payment.State == pp.PaymentStateError {
+				order.State = "PaymentFailed"
+				order.Message = payment.Message
+			} else if payment.State == pp.PaymentStateCanceled {
+				order.State = "Canceled"
+				order.Message = "Payment was cancelled"
+			} else if payment.State == pp.PaymentStateTimeout {
+				order.State = "Timeout"
+				order.Message = "Payment timed out"
+			}
+			_, err = UpdateOrder(order.GetId(), order)
+			if err != nil {
+				return nil, err
+			}
+
+			// Update product stock after order state is persisted
+			if payment.State == pp.PaymentStatePaid {
+				product, err := getProduct(payment.Owner, payment.ProductName)
+				if err != nil {
+					return nil, err
+				}
+				if product == nil {
+					return nil, fmt.Errorf("the product: %s does not exist", payment.ProductName)
+				}
+
+				err = UpdateProductStock(product)
+				if err != nil {
+					return nil, err
+				}
+			}
+		}
 	}
 
 	return payment, nil

object/permission.go

@@ -148,7 +148,7 @@ func UpdatePermission(id string, permission *Permission) (bool, error) {
 	}
 
 	if permission.ResourceType == "Application" && permission.Model != "" {
-		model, err := GetModelEx(util.GetId(permission.Owner, permission.Model))
+		model, err := getModelEx(permission.Model)
 		if err != nil {
 			return false, err
 		} else if model == nil {
@@ -477,13 +477,19 @@ func (p *Permission) GetModelAndAdapter() string {
 }
 
 func (p *Permission) isUserHit(name string) bool {
-	targetOrg, targetName := util.GetOwnerAndNameFromId(name)
+	targetOrg, targetName, err := util.GetOwnerAndNameFromIdWithError(name)
+	if err != nil {
+		return false
+	}
 	for _, user := range p.Users {
 		if user == "*" {
 			return true
 		}
 
-		userOrg, userName := util.GetOwnerAndNameFromId(user)
+		userOrg, userName, err := util.GetOwnerAndNameFromIdWithError(user)
+		if err != nil {
+			continue
+		}
 		if userOrg == targetOrg && (userName == "*" || userName == targetName) {
 			return true
 		}

object/permission_enforcer.go

@@ -90,9 +90,13 @@ func (p *Permission) setEnforcerAdapter(enforcer *casbin.Enforcer) error {
 }
 
 func (p *Permission) setEnforcerModel(enforcer *casbin.Enforcer) error {
-	permissionModel, err := getModel(p.Owner, p.Model)
-	if err != nil {
-		return err
+	var permissionModel *Model
+	var err error
+	if p.Model != "" {
+		permissionModel, err = GetModel(p.Model)
+		if err != nil {
+			return err
+		}
 	}
 
 	// TODO: return error if permissionModel is nil.
@@ -138,7 +142,10 @@ func getPolicies(permission *Permission) [][]string {
 }
 
 func getRolesInRole(roleId string, visited map[string]struct{}) ([]*Role, error) {
-	roleOwner, roleName := util.GetOwnerAndNameFromId(roleId)
+	roleOwner, roleName, err := util.GetOwnerAndNameFromIdWithError(roleId)
+	if err != nil {
+		return []*Role{}, err
+	}
 	if roleName == "*" {
 		roles, err := GetRoles(roleOwner)
 		if err != nil {

object/permission_upload.go

@@ -15,6 +15,9 @@
 package object
 
 import (
+	"fmt"
+	"strings"
+
 	"github.com/casdoor/casdoor/xlsx"
 )
 
@@ -36,45 +39,30 @@ func getPermissionMap(owner string) (map[string]*Permission, error) {
 func UploadPermissions(owner string, path string) (bool, error) {
 	table := xlsx.ReadXlsxFile(path)
 
-	oldUserMap, err := getPermissionMap(owner)
+	if len(table) == 0 {
+		return false, fmt.Errorf("empty table")
+	}
+
+	for idx, row := range table[0] {
+		splitRow := strings.Split(row, "#")
+		if len(splitRow) > 1 {
+			table[0][idx] = splitRow[1]
+		}
+	}
+
+	uploadedPermissions, err := StringArrayToStruct[Permission](table)
+	if err != nil {
+		return false, err
+	}
+
+	oldPermissionMap, err := getPermissionMap(owner)
 	if err != nil {
 		return false, err
 	}
 
 	newPermissions := []*Permission{}
-	for index, line := range table {
-		line := line
-		if index == 0 || parseLineItem(&line, 0) == "" {
-			continue
-		}
-
-		permission := &Permission{
-			Owner:       parseLineItem(&line, 0),
-			Name:        parseLineItem(&line, 1),
-			CreatedTime: parseLineItem(&line, 2),
-			DisplayName: parseLineItem(&line, 3),
-
-			Users:   parseListItem(&line, 4),
-			Roles:   parseListItem(&line, 5),
-			Domains: parseListItem(&line, 6),
-
-			Model:        parseLineItem(&line, 7),
-			Adapter:      parseLineItem(&line, 8),
-			ResourceType: parseLineItem(&line, 9),
-
-			Resources: parseListItem(&line, 10),
-			Actions:   parseListItem(&line, 11),
-
-			Effect:    parseLineItem(&line, 12),
-			IsEnabled: parseLineItemBool(&line, 13),
-
-			Submitter:   parseLineItem(&line, 14),
-			Approver:    parseLineItem(&line, 15),
-			ApproveTime: parseLineItem(&line, 16),
-			State:       parseLineItem(&line, 17),
-		}
-
-		if _, ok := oldUserMap[permission.GetId()]; !ok {
+	for _, permission := range uploadedPermissions {
+		if _, ok := oldPermissionMap[permission.GetId()]; !ok {
 			newPermissions = append(newPermissions, permission)
 		}
 	}

object/plan.go

@@ -108,12 +108,18 @@ func getPlan(owner, name string) (*Plan, error) {
 }
 
 func GetPlan(id string) (*Plan, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return nil, err
+	}
 	return getPlan(owner, name)
 }
 
 func UpdatePlan(id string, plan *Plan) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return false, err
+	}
 	if p, err := getPlan(owner, name); err != nil {
 		return false, err
 	} else if p == nil {

object/pricing.go

@@ -98,7 +98,10 @@ func getPricing(owner, name string) (*Pricing, error) {
 }
 
 func GetPricing(id string) (*Pricing, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return nil, err
+	}
 	return getPricing(owner, name)
 }
 
@@ -117,7 +120,10 @@ func GetApplicationDefaultPricing(owner, appName string) (*Pricing, error) {
 }
 
 func UpdatePricing(id string, pricing *Pricing) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return false, err
+	}
 	if p, err := getPricing(owner, name); err != nil {
 		return false, err
 	} else if p == nil {