Fix: Add Secure attribute to session cookie for HTTPS deployments

Co-authored-by: hsluoyz <3787410+hsluoyz@users.noreply.github.com>

.github/workflows/build.yml

@@ -1,6 +1,10 @@
 name: Build
 
-on: [ push, pull_request ]
+on:
+  push:
+    branches:
+      - master
+  pull_request:
 
 jobs:
 
@@ -20,7 +24,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v4
         with:
-          go-version: '^1.16.5'
+          go-version: '1.23'
           cache-dependency-path: ./go.mod
       - name: Tests
         run: |
@@ -40,6 +44,12 @@ jobs:
           cache-dependency-path: ./web/yarn.lock
       - run: yarn install && CI=false yarn run build
         working-directory: ./web
+      - name: Upload build artifacts
+        if: github.repository == 'casdoor/casdoor' && github.event_name == 'push'
+        uses: actions/upload-artifact@v4
+        with:
+          name: frontend-build-${{ github.run_id }}
+          path: ./web/build
 
   backend:
     name: Back-end
@@ -49,7 +59,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v4
         with:
-          go-version: '^1.16.5'
+          go-version: '1.23'
           cache-dependency-path: ./go.mod
       - run: go version
       - name: Build
@@ -65,7 +75,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v4
         with:
-          go-version: '^1.16.5'
+          go-version: '1.23'
           cache: false
 
       # gen a dummy config file
@@ -94,11 +104,28 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v4
         with:
-          go-version: '^1.16.5'
+          go-version: '1.23'
           cache-dependency-path: ./go.mod
       - name: start backend
-        run: nohup go run ./main.go &
+        run: nohup go run ./main.go > /tmp/backend.log 2>&1 &
         working-directory: ./
+      - name: Wait for backend to be ready
+        run: |
+          echo "Waiting for backend server to start on port 8000..."
+          for i in {1..60}; do
+            if curl -s http://localhost:8000 > /dev/null 2>&1; then
+              echo "Backend is ready!"
+              break
+            fi
+            if [ $i -eq 60 ]; then
+              echo "Backend failed to start within 60 seconds"
+              echo "Backend logs:"
+              cat /tmp/backend.log || echo "No backend logs available"
+              exit 1
+            fi
+            echo "Waiting... ($i/60)"
+            sleep 1
+          done
       - uses: actions/setup-node@v3
         with:
           node-version: 20
@@ -125,39 +152,95 @@ jobs:
           name: cypress-videos
           path: ./web/cypress/videos
 
-  release-and-push:
-    name: Release And Push
+  tag-release:
+    name: Create Tag
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
     if: github.repository == 'casdoor/casdoor' && github.event_name == 'push'
     needs: [ frontend, backend, linter, e2e ]
+    outputs:
+      new-release-published: ${{ steps.semantic.outputs.new_release_published }}
+      new-release-version: ${{ steps.semantic.outputs.new_release_version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Create Tag with Semantic Release
+        id: semantic
+        uses: cycjimmy/semantic-release-action@v4
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  github-release:
+    name: GitHub Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+    if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && needs.tag-release.outputs.new-release-published == 'true'
+    needs: [ tag-release ]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Free disk space
+        uses: jlumbroso/free-disk-space@v1.3.1
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
+      - name: Download frontend build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: frontend-build-${{ github.run_id }}
+          path: ./web/build
+
+      - name: Prepare Go caches
+        run: |
+          echo "GOMODCACHE=$RUNNER_TEMP/gomod" >> $GITHUB_ENV
+          echo "GOCACHE=$RUNNER_TEMP/gocache" >> $GITHUB_ENV
+          go clean -cache -modcache -testcache -fuzzcache
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: '~> v2'
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  docker-release:
+    name: Docker Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+    if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && needs.tag-release.outputs.new-release-published == 'true'
+    needs: [ tag-release ]
     steps:
       - name: Checkout
         uses: actions/checkout@v3
         with:
           fetch-depth: -1
-      - name: Setup Node.js
-        uses: actions/setup-node@v3
-        with:
-          node-version: 20
 
       - name: Fetch Previous version
         id: get-previous-tag
         uses: actions-ecosystem/action-get-latest-tag@v1.6.0
 
-      - name: Release
-        run: yarn global add semantic-release@17.4.4 && semantic-release
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Fetch Current version
-        id: get-current-tag
-        uses: actions-ecosystem/action-get-latest-tag@v1.6.0
-
       - name: Decide Should_Push Or Not
         id: should_push
         run: |
           old_version=${{steps.get-previous-tag.outputs.tag}}
-          new_version=${{steps.get-current-tag.outputs.tag }}
+          new_version=${{ needs.tag-release.outputs.new-release-version }}
 
           old_array=(${old_version//\./ })
           new_array=(${new_version//\./ })
@@ -196,7 +279,7 @@ jobs:
           target: STANDARD
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: casbin/casdoor:${{steps.get-current-tag.outputs.tag }},casbin/casdoor:latest
+          tags: casbin/casdoor:${{ needs.tag-release.outputs.new-release-version }},casbin/casdoor:latest
 
       - name: Push All In One Version to Docker Hub
         uses: docker/build-push-action@v3
@@ -206,7 +289,7 @@ jobs:
           target: ALLINONE
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: casbin/casdoor-all-in-one:${{steps.get-current-tag.outputs.tag }},casbin/casdoor-all-in-one:latest
+          tags: casbin/casdoor-all-in-one:${{ needs.tag-release.outputs.new-release-version }},casbin/casdoor-all-in-one:latest
 
       - uses: actions/checkout@v3
         if: steps.should_push.outputs.push=='true'
@@ -219,8 +302,8 @@ jobs:
         if: steps.should_push.outputs.push=='true'
         run: |
           # Set the appVersion and version of the chart to the current tag
-          sed -i "s/appVersion: .*/appVersion: ${{steps.get-current-tag.outputs.tag }}/g" ./charts/casdoor/Chart.yaml
-          sed -i "s/version: .*/version: ${{steps.get-current-tag.outputs.tag }}/g" ./charts/casdoor/Chart.yaml
+          sed -i "s/appVersion: .*/appVersion: ${{ needs.tag-release.outputs.new-release-version }}/g" ./charts/casdoor/Chart.yaml
+          sed -i "s/version: .*/version: ${{ needs.tag-release.outputs.new-release-version }}/g" ./charts/casdoor/Chart.yaml
 
           REGISTRY=oci://registry-1.docker.io/casbin
           cd charts/casdoor
@@ -234,6 +317,6 @@ jobs:
           git config --global user.name "casbin-bot"
           git config --global user.email "bot@casbin.org"
           git add Chart.yaml index.yaml
-          git commit -m "chore(helm): bump helm charts appVersion to ${{steps.get-current-tag.outputs.tag }}"
-          git tag ${{steps.get-current-tag.outputs.tag }}
+          git commit -m "chore(helm): bump helm charts appVersion to ${{ needs.tag-release.outputs.new-release-version }}"
+          git tag ${{ needs.tag-release.outputs.new-release-version }}
           git push origin HEAD:master --follow-tags

.gitignore

@@ -5,6 +5,7 @@
 *.so
 *.dylib
 *.swp
+server_*
 
 # Test binary, built with `go test -c`
 *.test

.goreleaser.yaml

@@ -0,0 +1,55 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines below are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+version: 2
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+    # you may remove this if you don't need go generate
+    #- go generate ./...
+    - go test -v -run TestGetVersionInfo ./util/system_test.go ./util/system.go ./util/variable.go
+
+builds:
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+
+archives:
+  - format: tar.gz
+    # this name template makes the OS and Arch compatible with the results of `uname`.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    # use zip for windows archives
+    format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - src: 'web/build'
+        dst: './web/build'
+      - src: 'conf/app.conf'
+        dst: './conf/app.conf'
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"

Dockerfile

@@ -1,14 +1,26 @@
-FROM --platform=$BUILDPLATFORM node:18.19.0 AS FRONT
+FROM --platform=$BUILDPLATFORM node:20.20.1 AS FRONT
 WORKDIR /web
+
+# Copy only dependency files first for better caching
+COPY ./web/package.json ./web/yarn.lock ./
+RUN yarn install --frozen-lockfile --network-timeout 1000000
+
+# Copy source files and build
 COPY ./web .
-RUN yarn install --frozen-lockfile --network-timeout 1000000 && NODE_OPTIONS="--max-old-space-size=4096" yarn run build
+RUN NODE_OPTIONS="--max-old-space-size=4096" yarn run build
 
-
-FROM --platform=$BUILDPLATFORM golang:1.21.13 AS BACK
+FROM --platform=$BUILDPLATFORM golang:1.24.13 AS BACK
 WORKDIR /go/src/casdoor
+
+# Copy only go.mod and go.sum first for dependency caching
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy source files
 COPY . .
+
+RUN go test -v -run TestGetVersionInfo ./util/system_test.go ./util/system.go ./util/variable.go
 RUN ./build.sh
-RUN go test -v -run TestGetVersionInfo ./util/system_test.go ./util/system.go > version_info.txt
 
 FROM alpine:latest AS STANDARD
 LABEL MAINTAINER="https://casdoor.org/"
@@ -34,35 +46,25 @@ WORKDIR /
 COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/server_${BUILDX_ARCH} ./server
 COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/swagger ./swagger
 COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/conf/app.conf ./conf/app.conf
-COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/version_info.txt ./go/src/casdoor/version_info.txt
 COPY --from=FRONT --chown=$USER:$USER /web/build ./web/build
 
 ENTRYPOINT ["/server"]
 
 
-FROM debian:latest AS db
-RUN apt update \
-    && apt install -y \
-        mariadb-server \
-        mariadb-client \
-    && rm -rf /var/lib/apt/lists/*
-
-
-FROM db AS ALLINONE
+FROM debian:latest AS ALLINONE
 LABEL MAINTAINER="https://casdoor.org/"
 ARG TARGETOS
 ARG TARGETARCH
 ENV BUILDX_ARCH="${TARGETOS:-linux}_${TARGETARCH:-amd64}"
 
 RUN apt update
-RUN apt install -y ca-certificates && update-ca-certificates
+RUN apt install -y ca-certificates lsof && update-ca-certificates
 
 WORKDIR /
 COPY --from=BACK /go/src/casdoor/server_${BUILDX_ARCH} ./server
 COPY --from=BACK /go/src/casdoor/swagger ./swagger
 COPY --from=BACK /go/src/casdoor/docker-entrypoint.sh /docker-entrypoint.sh
 COPY --from=BACK /go/src/casdoor/conf/app.conf ./conf/app.conf
-COPY --from=BACK /go/src/casdoor/version_info.txt ./go/src/casdoor/version_info.txt
 COPY --from=FRONT /web/build ./web/build
 
 ENTRYPOINT ["/bin/bash"]

README.md

@@ -1,5 +1,5 @@
 <h1 align="center" style="border-bottom: none;">📦⚡️ Casdoor</h1>
-<h3 align="center">An open-source UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA and RADIUS</h3>
+<h3 align="center">An open-source AI-first Identity and Access Management (IAM) /AI MCP gateway and auth server with web UI supporting MCP, A2A, OAuth 2.1, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD</h3>
 <p align="center">
   <a href="#badge">
     <img alt="semantic-release" src="https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg">
@@ -42,20 +42,6 @@
   </a>
 </p>
 
-<p align="center">
-  <sup>Sponsored by</sup>
-  <br>
-  <a href="https://stytch.com/docs?utm_source=oss-sponsorship&utm_medium=paid_sponsorship&utm_campaign=casbin">
-    <picture>
-      <source media="(prefers-color-scheme: dark)" srcset="https://cdn.casbin.org/img/stytch-white.png">
-      <source media="(prefers-color-scheme: light)" srcset="https://cdn.casbin.org/img/stytch-charcoal.png">
-      <img src="https://cdn.casbin.org/img/stytch-charcoal.png" width="275">
-    </picture>
-  </a><br/>
-  <a href="https://stytch.com/docs?utm_source=oss-sponsorship&utm_medium=paid_sponsorship&utm_campaign=casbin"><b>Build auth with fraud prevention, faster.</b><br/> Try Stytch for API-first authentication, user & org management, multi-tenant SSO, MFA, device fingerprinting, and more.</a>
-  <br>
-</p>
-
 ## Online demo
 
 - Read-only site: https://door.casdoor.com (any modification operation will fail)

authz/authz.go

@@ -46,6 +46,8 @@ p, *, *, POST, /api/login, *, *
 p, *, *, GET, /api/get-app-login, *, *
 p, *, *, POST, /api/logout, *, *
 p, *, *, GET, /api/logout, *, *
+p, *, *, POST, /api/sso-logout, *, *
+p, *, *, GET, /api/sso-logout, *, *
 p, *, *, POST, /api/callback, *, *
 p, *, *, POST, /api/device-auth, *, *
 p, *, *, GET, /api/get-account, *, *
@@ -57,18 +59,26 @@ p, *, *, GET, /api/get-qrcode, *, *
 p, *, *, GET, /api/get-webhook-event, *, *
 p, *, *, GET, /api/get-captcha-status, *, *
 p, *, *, *, /api/login/oauth, *, *
+p, *, *, POST, /api/oauth/register, *, *
 p, *, *, GET, /api/get-application, *, *
 p, *, *, GET, /api/get-organization-applications, *, *
 p, *, *, GET, /api/get-user, *, *
 p, *, *, GET, /api/get-user-application, *, *
+p, *, *, POST, /api/upload-users, *, *
 p, *, *, GET, /api/get-resources, *, *
 p, *, *, GET, /api/get-records, *, *
 p, *, *, GET, /api/get-product, *, *
-p, *, *, POST, /api/buy-product, *, *
+p, *, *, GET, /api/get-products, *, *
+p, *, *, GET, /api/get-order, *, *
+p, *, *, GET, /api/get-orders, *, *
+p, *, *, GET, /api/get-user-orders, *, *
 p, *, *, GET, /api/get-payment, *, *
 p, *, *, POST, /api/update-payment, *, *
 p, *, *, POST, /api/invoice-payment, *, *
 p, *, *, POST, /api/notify-payment, *, *
+p, *, *, POST, /api/place-order, *, *
+p, *, *, POST, /api/cancel-order, *, *
+p, *, *, POST, /api/pay-order, *, *
 p, *, *, POST, /api/unlink, *, *
 p, *, *, POST, /api/set-password, *, *
 p, *, *, POST, /api/send-verification-code, *, *
@@ -80,6 +90,9 @@ p, *, *, POST, /api/upload-resource, *, *
 p, *, *, GET, /.well-known/openid-configuration, *, *
 p, *, *, GET, /.well-known/webfinger, *, *
 p, *, *, *, /.well-known/jwks, *, *
+p, *, *, GET, /.well-known/:application/openid-configuration, *, *
+p, *, *, GET, /.well-known/:application/webfinger, *, *
+p, *, *, *, /.well-known/:application/jwks, *, *
 p, *, *, GET, /api/get-saml-login, *, *
 p, *, *, POST, /api/acs, *, *
 p, *, *, GET, /api/saml/metadata, *, *
@@ -94,6 +107,8 @@ p, *, *, *, /api/metrics, *, *
 p, *, *, GET, /api/get-pricing, *, *
 p, *, *, GET, /api/get-plan, *, *
 p, *, *, GET, /api/get-subscription, *, *
+p, *, *, GET, /api/get-transactions, *, *
+p, *, *, GET, /api/get-transaction, *, *
 p, *, *, GET, /api/get-provider, *, *
 p, *, *, GET, /api/get-organization-names, *, *
 p, *, *, GET, /api/get-all-objects, *, *
@@ -103,6 +118,7 @@ p, *, *, GET, /api/run-casbin-command, *, *
 p, *, *, POST, /api/refresh-engines, *, *
 p, *, *, GET, /api/get-invitation-info, *, *
 p, *, *, GET, /api/faceid-signin-begin, *, *
+p, *, *, GET, /api/kerberos-login, *, *
 `
 
 		sa := stringadapter.NewAdapter(ruleText)
@@ -122,7 +138,15 @@ p, *, *, GET, /api/faceid-signin-begin, *, *
 	}
 }
 
-func IsAllowed(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
+func IsAllowed(subOwner string, subName string, method string, urlPath string, objOwner string, objName string, extraInfo map[string]interface{}) bool {
+	if urlPath == "/api/mcp" {
+		if detailPath, ok := extraInfo["detailPathUrl"].(string); ok {
+			if detailPath == "initialize" || detailPath == "notifications/initialized" || detailPath == "ping" || detailPath == "tools/list" {
+				return true
+			}
+		}
+	}
+
 	if conf.IsDemoMode() {
 		if !isAllowedInDemoMode(subOwner, subName, method, urlPath, objOwner, objName) {
 			return false
@@ -143,6 +167,10 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o
 			return false
 		}
 
+		if user.IsGlobalAdmin() {
+			return true
+		}
+
 		if user.IsAdmin && (subOwner == objOwner || (objOwner == "admin")) {
 			return true
 		}
@@ -153,12 +181,19 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o
 		panic(err)
 	}
 
+	if !res {
+		res, err = object.CheckApiPermission(util.GetId(subOwner, subName), objOwner, urlPath, method)
+		if err != nil {
+			panic(err)
+		}
+	}
+
 	return res
 }
 
 func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
 	if method == "POST" {
-		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/callback" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" || urlPath == "/api/verify-code" || urlPath == "/api/check-user-password" || strings.HasPrefix(urlPath, "/api/mfa/") || urlPath == "/api/webhook" || urlPath == "/api/get-qrcode" || urlPath == "/api/refresh-engines" {
+		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/sso-logout" || urlPath == "/api/signup" || urlPath == "/api/callback" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" || urlPath == "/api/verify-code" || urlPath == "/api/check-user-password" || strings.HasPrefix(urlPath, "/api/mfa/") || urlPath == "/api/webhook" || urlPath == "/api/get-qrcode" || urlPath == "/api/refresh-engines" {
 			return true
 		} else if urlPath == "/api/update-user" {
 			// Allow ordinary users to update their own information
@@ -166,7 +201,7 @@ func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath
 				return true
 			}
 			return false
-		} else if urlPath == "/api/upload-resource" {
+		} else if urlPath == "/api/upload-resource" || urlPath == "/api/add-transaction" {
 			if subOwner == "app" && subName == "app-casibase" {
 				return true
 			}

certificate/account.go

@@ -0,0 +1,107 @@
+// Copyright 2021 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package certificate
+
+import (
+	"crypto"
+
+	"github.com/casbin/lego/v4/acme"
+	"github.com/casbin/lego/v4/certcrypto"
+	"github.com/casbin/lego/v4/lego"
+	"github.com/casbin/lego/v4/registration"
+	"github.com/casdoor/casdoor/proxy"
+)
+
+type Account struct {
+	Email        string
+	Registration *registration.Resource
+	Key          crypto.PrivateKey
+}
+
+/** Implementation of the registration.User interface **/
+
+// GetEmail returns the email address for the account.
+func (a *Account) GetEmail() string {
+	return a.Email
+}
+
+// GetPrivateKey returns the private RSA account key.
+func (a *Account) GetPrivateKey() crypto.PrivateKey {
+	return a.Key
+}
+
+// GetRegistration returns the server registration.
+func (a *Account) GetRegistration() *registration.Resource {
+	return a.Registration
+}
+
+func getLegoClientAndAccount(email string, privateKey string, devMode bool) (*lego.Client, *Account, error) {
+	key, err := decodeEccKey(privateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+	account := &Account{
+		Email: email,
+		Key:   key,
+	}
+
+	config := lego.NewConfig(account)
+	if devMode {
+		config.CADirURL = lego.LEDirectoryStaging
+	} else {
+		config.CADirURL = lego.LEDirectoryProduction
+	}
+
+	config.Certificate.KeyType = certcrypto.RSA2048
+	config.HTTPClient = proxy.ProxyHttpClient
+
+	client, err := lego.NewClient(config)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return client, account, err
+}
+
+// GetAcmeClient Incoming an email ,a privatekey and a Boolean value that controls the opening of the test environment
+// When this function is started for the first time, it will initialize the account-related configuration,
+// After initializing the configuration, It will try to obtain an account based on the private key,
+// if it fails, it will create an account based on the private key.
+// This account will be used during the running of the program
+func GetAcmeClient(email string, privateKey string, devMode bool) (*lego.Client, error) {
+	// Create a user. New accounts need an email and private key to start.
+	client, account, err := getLegoClientAndAccount(email, privateKey, devMode)
+
+	// try to obtain an account based on the private key
+	account.Registration, err = client.Registration.ResolveAccountByKey()
+	if err != nil {
+		acmeError, ok := err.(*acme.ProblemDetails)
+		if !ok {
+			return nil, err
+		}
+
+		if acmeError.Type != "urn:ietf:params:acme:error:accountDoesNotExist" {
+			return nil, acmeError
+		}
+
+		// Failed to get account, so create an account based on the private key.
+		account.Registration, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return client, nil
+}

certificate/account_test.go

@@ -0,0 +1,47 @@
+// Copyright 2021 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !skipCi
+// +build !skipCi
+
+package certificate
+
+import (
+	"testing"
+
+	"github.com/beego/beego/v2/server/web"
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/casdoor/util"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetClient(t *testing.T) {
+	err := web.LoadAppConfig("ini", "../conf/app.conf")
+	if err != nil {
+		panic(err)
+	}
+
+	proxy.InitHttpClient()
+
+	eccKey := util.ReadStringFromPath("acme_account.key")
+	println(eccKey)
+
+	client, err := GetAcmeClient("acme2@casbin.org", eccKey, false)
+	assert.Nil(t, err)
+	pem, key, err := ObtainCertificateAli(client, "casbin.com", accessKeyId, accessKeySecret)
+	assert.Nil(t, err)
+	println(pem)
+	println()
+	println(key)
+}

certificate/conf.go

@@ -0,0 +1,20 @@
+// Copyright 2021 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package certificate
+
+var (
+	accessKeyId     = ""
+	accessKeySecret = ""
+)

certificate/dns.go

@@ -0,0 +1,151 @@
+// Copyright 2021 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package certificate
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/casbin/lego/v4/certificate"
+	"github.com/casbin/lego/v4/challenge/dns01"
+	"github.com/casbin/lego/v4/cmd"
+	"github.com/casbin/lego/v4/lego"
+	"github.com/casbin/lego/v4/providers/dns/alidns"
+	"github.com/casbin/lego/v4/providers/dns/godaddy"
+)
+
+type AliConf struct {
+	Domains       []string // The domain names for which you want to apply for a certificate
+	AccessKey     string   // Aliyun account's AccessKey, if this is not empty, Secret is required.
+	Secret        string
+	RAMRole       string // Use Ramrole to control aliyun account
+	SecurityToken string // Optional
+	Path          string // The path to store cert file
+	Timeout       int    // Maximum waiting time for certificate application, in minutes
+}
+
+type GodaddyConf struct {
+	Domains   []string // The domain names for which you want to apply for a certificate
+	APIKey    string   // GoDaddy account's API Key
+	APISecret string
+	Path      string // The path to store cert file
+	Timeout   int    // Maximum waiting time for certificate application, in minutes
+}
+
+// getCert Verify domain ownership, then obtain a certificate, and finally store it locally.
+// Need to pass in an AliConf struct, some parameters are required, other parameters can be left blank
+func getAliCert(client *lego.Client, conf AliConf) (string, string, error) {
+	if conf.Timeout <= 0 {
+		conf.Timeout = 3
+	}
+
+	config := alidns.NewDefaultConfig()
+	config.PropagationTimeout = time.Duration(conf.Timeout) * time.Minute
+	config.APIKey = conf.AccessKey
+	config.SecretKey = conf.Secret
+	config.RAMRole = conf.RAMRole
+	config.SecurityToken = conf.SecurityToken
+
+	dnsProvider, err := alidns.NewDNSProvider(config)
+	if err != nil {
+		return "", "", err
+	}
+
+	// Choose a local DNS service provider to increase the authentication speed
+	servers := []string{"223.5.5.5:53"}
+	err = client.Challenge.SetDNS01Provider(dnsProvider, dns01.CondOption(len(servers) > 0, dns01.AddRecursiveNameservers(dns01.ParseNameservers(servers))), dns01.DisableCompletePropagationRequirement())
+	if err != nil {
+		return "", "", err
+	}
+
+	// Obtain the certificate
+	request := certificate.ObtainRequest{
+		Domains: conf.Domains,
+		Bundle:  true,
+	}
+	cert, err := client.Certificate.Obtain(request)
+	if err != nil {
+		return "", "", err
+	}
+
+	return string(cert.Certificate), string(cert.PrivateKey), nil
+}
+
+func getGoDaddyCert(client *lego.Client, conf GodaddyConf) (string, string, error) {
+	if conf.Timeout <= 0 {
+		conf.Timeout = 3
+	}
+
+	config := godaddy.NewDefaultConfig()
+	config.PropagationTimeout = time.Duration(conf.Timeout) * time.Minute
+	config.PollingInterval = time.Duration(conf.Timeout) * time.Minute / 9
+	config.APIKey = conf.APIKey
+	config.APISecret = conf.APISecret
+
+	dnsProvider, err := godaddy.NewDNSProvider(config)
+	if err != nil {
+		return "", "", err
+	}
+
+	// Choose a local DNS service provider to increase the authentication speed
+	servers := []string{"223.5.5.5:53"}
+	err = client.Challenge.SetDNS01Provider(dnsProvider, dns01.CondOption(len(servers) > 0, dns01.AddRecursiveNameservers(dns01.ParseNameservers(servers))), dns01.DisableCompletePropagationRequirement())
+	if err != nil {
+		return "", "", err
+	}
+
+	// Obtain the certificate
+	request := certificate.ObtainRequest{
+		Domains: conf.Domains,
+		Bundle:  true,
+	}
+	cert, err := client.Certificate.Obtain(request)
+	if err != nil {
+		return "", "", err
+	}
+
+	return string(cert.Certificate), string(cert.PrivateKey), nil
+}
+
+func ObtainCertificateAli(client *lego.Client, domain string, accessKey string, accessSecret string) (string, string, error) {
+	conf := AliConf{
+		Domains:       []string{fmt.Sprintf("*.%s", domain), domain},
+		AccessKey:     accessKey,
+		Secret:        accessSecret,
+		RAMRole:       "",
+		SecurityToken: "",
+		Path:          "",
+		Timeout:       3,
+	}
+	return getAliCert(client, conf)
+}
+
+func ObtainCertificateGoDaddy(client *lego.Client, domain string, accessKey string, accessSecret string) (string, string, error) {
+	conf := GodaddyConf{
+		Domains:   []string{fmt.Sprintf("*.%s", domain), domain},
+		APIKey:    accessKey,
+		APISecret: accessSecret,
+		Path:      "",
+		Timeout:   3,
+	}
+	return getGoDaddyCert(client, conf)
+}
+
+func SaveCert(path, filename string, cert *certificate.Resource) {
+	// Store the certificate file locally
+	certsStorage := cmd.NewCertificatesStorageLib(path, filename, true)
+	certsStorage.CreateRootFolder()
+	certsStorage.SaveResource(cert)
+}

certificate/ecc.go

@@ -0,0 +1,55 @@
+// Copyright 2021 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package certificate
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+)
+
+// generateEccKey generates a public and private key pair.(NIST P-256)
+func generateEccKey() (*ecdsa.PrivateKey, error) {
+	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+}
+
+// encodeEccKey Return the input private key object as string type private key
+func encodeEccKey(privateKey *ecdsa.PrivateKey) (string, error) {
+	x509Encoded, err := x509.MarshalECPrivateKey(privateKey)
+	if err != nil {
+		return "", err
+	}
+
+	pemEncoded := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: x509Encoded})
+	return string(pemEncoded), nil
+}
+
+// decodeEccKey Return the entered private key string as a private key object that can be used
+func decodeEccKey(pemEncoded string) (*ecdsa.PrivateKey, error) {
+	block, _ := pem.Decode([]byte(pemEncoded))
+	if block == nil {
+		return nil, fmt.Errorf("invalid PEM-encoded EC private key")
+	}
+	x509Encoded := block.Bytes
+	privateKey, err := x509.ParseECPrivateKey(x509Encoded)
+	if err != nil {
+		return nil, err
+	}
+
+	return privateKey, nil
+}

certificate/ecc_test.go

@@ -0,0 +1,34 @@
+// Copyright 2021 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !skipCi
+// +build !skipCi
+
+package certificate
+
+import (
+	"testing"
+
+	"github.com/casdoor/casdoor/util"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGenerateEccKey(t *testing.T) {
+	eccKey, err := generateEccKey()
+	assert.Nil(t, err)
+	eccKeyStr, err := encodeEccKey(eccKey)
+	assert.Nil(t, err)
+	println(eccKeyStr)
+	util.WriteStringToPath(eccKeyStr, "acme_account.key")
+}

conf/app.conf

@@ -23,6 +23,7 @@ isDemoMode = false
 batchSize = 100
 enableErrorMask = false
 enableGzip = true
+cookieSecure = false
 inactiveTimeoutMinutes =
 ldapServerPort = 389
 ldapsCertId = ""

conf/conf.go

@@ -15,21 +15,25 @@
 package conf
 
 import (
+	_ "embed"
 	"fmt"
 	"os"
 	"runtime"
 	"strconv"
 	"strings"
 
-	"github.com/beego/beego"
+	"github.com/beego/beego/v2/server/web"
 )
 
+//go:embed waf.conf
+var WafConf string
+
 func init() {
 	// this array contains the beego configuration items that may be modified via env
 	presetConfigItems := []string{"httpport", "appname"}
 	for _, key := range presetConfigItems {
 		if value, ok := os.LookupEnv(key); ok {
-			err := beego.AppConfig.Set(key, value)
+			err := web.AppConfig.Set(key, value)
 			if err != nil {
 				panic(err)
 			}
@@ -42,12 +46,13 @@ func GetConfigString(key string) string {
 		return value
 	}
 
-	res := beego.AppConfig.String(key)
+	res, _ := web.AppConfig.String(key)
 	if res == "" {
 		if key == "staticBaseUrl" {
 			res = "https://cdn.casbin.org"
 		} else if key == "logConfig" {
-			res = fmt.Sprintf("{\"filename\": \"logs/%s.log\", \"maxdays\":99999, \"perm\":\"0770\"}", beego.AppConfig.String("appname"))
+			appname, _ := web.AppConfig.String("appname")
+			res = fmt.Sprintf("{\"filename\": \"logs/%s.log\", \"maxdays\":99999, \"perm\":\"0770\"}", appname)
 		}
 	}
 

conf/conf_quota.go

@@ -17,7 +17,7 @@ package conf
 import (
 	"encoding/json"
 
-	"github.com/beego/beego"
+	"github.com/beego/beego/v2/server/web"
 )
 
 type Quota struct {
@@ -34,7 +34,7 @@ func init() {
 }
 
 func initQuota() {
-	res := beego.AppConfig.String("quota")
+	res, _ := web.AppConfig.String("quota")
 	if res != "" {
 		err := json.Unmarshal([]byte(res), quota)
 		if err != nil {

conf/conf_test.go

@@ -18,7 +18,7 @@ import (
 	"os"
 	"testing"
 
-	"github.com/beego/beego"
+	"github.com/beego/beego/v2/server/web"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -38,7 +38,7 @@ func TestGetConfString(t *testing.T) {
 	os.Setenv("appname", "casbin")
 	os.Setenv("key", "value")
 
-	err := beego.LoadAppConfig("ini", "app.conf")
+	err := web.LoadAppConfig("ini", "app.conf")
 	assert.Nil(t, err)
 
 	for _, scenery := range scenarios {
@@ -62,7 +62,7 @@ func TestGetConfInt(t *testing.T) {
 	// do some set up job
 	os.Setenv("httpport", "8001")
 
-	err := beego.LoadAppConfig("ini", "app.conf")
+	err := web.LoadAppConfig("ini", "app.conf")
 	assert.Nil(t, err)
 
 	for _, scenery := range scenarios {
@@ -83,7 +83,7 @@ func TestGetConfBool(t *testing.T) {
 		{"Should be return false", "copyrequestbody", true},
 	}
 
-	err := beego.LoadAppConfig("ini", "app.conf")
+	err := web.LoadAppConfig("ini", "app.conf")
 	assert.Nil(t, err)
 	for _, scenery := range scenarios {
 		t.Run(scenery.description, func(t *testing.T) {
@@ -102,7 +102,7 @@ func TestGetConfigQuota(t *testing.T) {
 		{"default", &Quota{-1, -1, -1, -1}},
 	}
 
-	err := beego.LoadAppConfig("ini", "app.conf")
+	err := web.LoadAppConfig("ini", "app.conf")
 	assert.Nil(t, err)
 	for _, scenery := range scenarios {
 		quota := GetConfigQuota()
@@ -118,7 +118,7 @@ func TestGetConfigLogs(t *testing.T) {
 		{"Default log config", `{"adapter":"file", "filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}`},
 	}
 
-	err := beego.LoadAppConfig("ini", "app.conf")
+	err := web.LoadAppConfig("ini", "app.conf")
 	assert.Nil(t, err)
 	for _, scenery := range scenarios {
 		quota := GetConfigString("logConfig")

conf/waf.conf

@@ -0,0 +1,246 @@
+# -- Rule engine initialization ----------------------------------------------
+
+# Enable Coraza, attaching it to every transaction. Use detection
+# only to start with, because that minimises the chances of post-installation
+# disruption.
+#
+SecRuleEngine DetectionOnly
+
+
+# -- Request body handling ---------------------------------------------------
+
+# Allow Coraza to access request bodies. If you don't, Coraza
+# won't be able to see any POST parameters, which opens a large security
+# hole for attackers to exploit.
+#
+SecRequestBodyAccess On
+
+# Enable XML request body parser.
+# Initiate XML Processor in case of xml content-type
+#
+SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
+     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+
+# Enable JSON request body parser.
+# Initiate JSON Processor in case of JSON content-type; change accordingly
+# if your application does not use 'application/json'
+#
+SecRule REQUEST_HEADERS:Content-Type "^application/json" \
+     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+
+# Sample rule to enable JSON request body parser for more subtypes.
+# Uncomment or adapt this rule if you want to engage the JSON
+# Processor for "+json" subtypes
+#
+#SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
+#     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+
+# Maximum request body size we will accept for buffering. If you support
+# file uploads then the value given on the first line has to be as large
+# as the largest file you are willing to accept. The second value refers
+# to the size of data, with files excluded. You want to keep that value as
+# low as practical.
+#
+SecRequestBodyLimit 13107200
+
+SecRequestBodyInMemoryLimit 131072
+
+# SecRequestBodyNoFilesLimit is currently not supported by Coraza
+# SecRequestBodyNoFilesLimit 131072
+
+# What to do if the request body size is above our configured limit.
+# Keep in mind that this setting will automatically be set to ProcessPartial
+# when SecRuleEngine is set to DetectionOnly mode in order to minimize
+# disruptions when initially deploying Coraza.
+#
+SecRequestBodyLimitAction Reject
+
+# Verify that we've correctly processed the request body.
+# As a rule of thumb, when failing to process a request body
+# you should reject the request (when deployed in blocking mode)
+# or log a high-severity alert (when deployed in detection-only mode).
+#
+SecRule REQBODY_ERROR "!@eq 0" \
+"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+
+# By default be strict with what we accept in the multipart/form-data
+# request body. If the rule below proves to be too strict for your
+# environment consider changing it to detection-only. You are encouraged
+# _not_ to remove it altogether.
+#
+SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+"id:'200003',phase:2,t:none,log,deny,status:400, \
+msg:'Multipart request body failed strict validation: \
+PE %{REQBODY_PROCESSOR_ERROR}, \
+BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+DB %{MULTIPART_DATA_BEFORE}, \
+DA %{MULTIPART_DATA_AFTER}, \
+HF %{MULTIPART_HEADER_FOLDING}, \
+LF %{MULTIPART_LF_LINE}, \
+SM %{MULTIPART_MISSING_SEMICOLON}, \
+IQ %{MULTIPART_INVALID_QUOTING}, \
+IP %{MULTIPART_INVALID_PART}, \
+IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+# Did we see anything that might be a boundary?
+#
+# Here is a short description about the Coraza Multipart parser: the
+# parser returns with value 0, if all "boundary-like" line matches with
+# the boundary string which given in MIME header. In any other cases it returns
+# with different value, eg. 1 or 2.
+#
+# The RFC 1341 descript the multipart content-type and its syntax must contains
+# only three mandatory lines (above the content):
+# * Content-Type: multipart/mixed; boundary=BOUNDARY_STRING
+# * --BOUNDARY_STRING
+# * --BOUNDARY_STRING--
+#
+# First line indicates, that this is a multipart content, second shows that
+# here starts a part of the multipart content, third shows the end of content.
+#
+# If there are any other lines, which starts with "--", then it should be
+# another boundary id - or not.
+#
+# After 3.0.3, there are two kinds of types of boundary errors: strict and permissive.
+#
+# If multipart content contains the three necessary lines with correct order, but
+# there are one or more lines with "--", then parser returns with value 2 (non-zero).
+#
+# If some of the necessary lines (usually the start or end) misses, or the order
+# is wrong, then parser returns with value 1 (also a non-zero).
+#
+# You can choose, which one is what you need. The example below contains the
+# 'strict' mode, which means if there are any lines with start of "--", then
+# Coraza blocked the content. But the next, commented example contains
+# the 'permissive' mode, then you check only if the necessary lines exists in
+# correct order. Whit this, you can enable to upload PEM files (eg "----BEGIN.."),
+# or other text files, which contains eg. HTTP headers.
+#
+# The difference is only the operator - in strict mode (first) the content blocked
+# in case of any non-zero value. In permissive mode (second, commented) the
+# content blocked only if the value is explicit 1. If it 0 or 2, the content will
+# allowed.
+#
+
+#
+# See #1747 and #1924 for further information on the possible values for
+# MULTIPART_UNMATCHED_BOUNDARY.
+#
+SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
+    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+# Some internal errors will set flags in TX and we will need to look for these.
+# All of these are prefixed with "MSC_".  The following flags currently exist:
+#
+# COR_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
+#
+SecRule TX:/^COR_/ "!@streq 0" \
+        "id:'200005',phase:2,t:none,deny,msg:'Coraza internal error flagged: %{MATCHED_VAR_NAME}'"
+
+
+# -- Response body handling --------------------------------------------------
+
+# Allow Coraza to access response bodies. 
+# You should have this directive enabled in order to identify errors
+# and data leakage issues.
+# 
+# Do keep in mind that enabling this directive does increases both
+# memory consumption and response latency.
+#
+SecResponseBodyAccess On
+
+# Which response MIME types do you want to inspect? You should adjust the
+# configuration below to catch documents but avoid static files
+# (e.g., images and archives).
+#
+SecResponseBodyMimeType text/plain text/html text/xml
+
+# Buffer response bodies of up to 512 KB in length.
+SecResponseBodyLimit 524288
+
+# What happens when we encounter a response body larger than the configured
+# limit? By default, we process what we have and let the rest through.
+# That's somewhat less secure, but does not break any legitimate pages.
+#
+SecResponseBodyLimitAction ProcessPartial
+
+
+# -- Filesystem configuration ------------------------------------------------
+
+# The location where Coraza will keep its persistent data.  This default setting 
+# is chosen due to all systems have /tmp available however, it
+# too should be updated to a place that other users can't access.
+#
+SecDataDir /tmp/
+
+
+# -- File uploads handling configuration -------------------------------------
+
+# The location where Coraza stores intercepted uploaded files. This
+# location must be private to Coraza. You don't want other users on
+# the server to access the files, do you?
+#
+#SecUploadDir /opt/coraza/var/upload/
+
+# By default, only keep the files that were determined to be unusual
+# in some way (by an external inspection script). For this to work you
+# will also need at least one file inspection rule.
+#
+#SecUploadKeepFiles RelevantOnly
+
+# Uploaded files are by default created with permissions that do not allow
+# any other user to access them. You may need to relax that if you want to
+# interface Coraza to an external program (e.g., an anti-virus).
+#
+#SecUploadFileMode 0600
+
+
+# -- Debug log configuration -------------------------------------------------
+
+# Default debug log path
+# Debug levels:
+# 0:   No logging (least verbose)
+# 1:   Error
+# 2:   Warn
+# 3:   Info
+# 4-8: Debug
+# 9:   Trace (most verbose)
+# Most logging has not been implemented because it will be replaced with
+# advanced rule profiling options
+#SecDebugLog /opt/coraza/var/log/debug.log
+#SecDebugLogLevel 3
+
+
+# -- Audit log configuration -------------------------------------------------
+
+# Log the transactions that are marked by a rule, as well as those that
+# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
+# level response status codes).
+#
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$"
+
+# Log everything we know about a transaction.
+SecAuditLogParts ABIJDEFHZ
+
+# Use a single file for logging. This is much easier to look at, but
+# assumes that you will use the audit log only occasionally.
+#
+SecAuditLogType Serial
+
+
+# -- Miscellaneous -----------------------------------------------------------
+
+# Use the most commonly used application/x-www-form-urlencoded parameter
+# separator. There's probably only one application somewhere that uses
+# something else so don't expect to change this value.
+#
+SecArgumentSeparator &
+
+# Settle on version 0 (zero) cookies, as that is what most applications
+# use. Using an incorrect cookie version may open your installation to
+# evasion attacks (against the rules that examine named cookies).
+#
+SecCookieFormat 0

controllers/account.go

@@ -15,6 +15,7 @@
 package controllers
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -80,11 +81,6 @@ type LaravelResponse struct {
 // @Success 200 {object} controllers.Response The Response object
 // @router /signup [post]
 func (c *ApiController) Signup() {
-	if c.GetSessionUsername() != "" {
-		c.ResponseError(c.T("account:Please sign out first"), c.GetSessionUsername())
-		return
-	}
-
 	var authForm form.AuthForm
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &authForm)
 	if err != nil {
@@ -197,7 +193,7 @@ func (c *ApiController) Signup() {
 
 	userType := "normal-user"
 	if authForm.Plan != "" && authForm.Pricing != "" {
-		err = object.CheckPricingAndPlan(authForm.Organization, authForm.Pricing, authForm.Plan)
+		err = object.CheckPricingAndPlan(authForm.Organization, authForm.Pricing, authForm.Plan, c.GetAcceptLanguage())
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@@ -218,7 +214,7 @@ func (c *ApiController) Signup() {
 		Tag:               authForm.Tag,
 		Education:         authForm.Education,
 		Avatar:            organization.DefaultAvatar,
-		Email:             authForm.Email,
+		Email:             strings.ToLower(authForm.Email),
 		Phone:             authForm.Phone,
 		CountryCode:       authForm.CountryCode,
 		Address:           []string{},
@@ -235,6 +231,8 @@ func (c *ApiController) Signup() {
 		Invitation:        invitationName,
 		InvitationCode:    authForm.InvitationCode,
 		EmailVerified:     userEmailVerified,
+		RegisterType:      "Application Signup",
+		RegisterSource:    fmt.Sprintf("%s/%s", authForm.Organization, application.Name),
 	}
 
 	if len(organization.Tags) > 0 {
@@ -288,6 +286,8 @@ func (c *ApiController) Signup() {
 
 	if user.Type == "normal-user" {
 		c.SetSessionUsername(user.GetId())
+	} else if user.Type == "paid-user" {
+		c.SetSession("paidUsername", user.GetId())
 	}
 
 	if authForm.Email != "" {
@@ -312,6 +312,40 @@ func (c *ApiController) Signup() {
 	userId := user.GetId()
 	util.LogInfo(c.Ctx, "API: [%s] is signed up as new user", userId)
 
+	// Check if this is an OAuth flow and automatically generate code
+	clientId := c.Ctx.Input.Query("clientId")
+	responseType := c.Ctx.Input.Query("responseType")
+	redirectUri := c.Ctx.Input.Query("redirectUri")
+	scope := c.Ctx.Input.Query("scope")
+	state := c.Ctx.Input.Query("state")
+	nonce := c.Ctx.Input.Query("nonce")
+	codeChallenge := c.Ctx.Input.Query("code_challenge")
+
+	// If OAuth parameters are present, generate OAuth code and return it
+	if clientId != "" && responseType == ResponseTypeCode {
+		consentRequired, err := object.CheckConsentRequired(user, application, scope)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if consentRequired {
+			c.ResponseOk(map[string]bool{"required": true})
+			return
+		}
+
+		code, err := object.GetOAuthCode(userId, clientId, "", "password", responseType, redirectUri, scope, state, nonce, codeChallenge, "", c.Ctx.Request.Host, c.GetAcceptLanguage())
+		if err != nil {
+			c.ResponseError(err.Error(), nil)
+			return
+		}
+
+		resp := codeToResponse(code)
+		c.Data["json"] = resp
+		c.ServeJSON()
+		return
+	}
+
 	c.ResponseOk(userId)
 }
 
@@ -326,9 +360,9 @@ func (c *ApiController) Signup() {
 // @router /logout [post]
 func (c *ApiController) Logout() {
 	// https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html
-	accessToken := c.Input().Get("id_token_hint")
-	redirectUri := c.Input().Get("post_logout_redirect_uri")
-	state := c.Input().Get("state")
+	accessToken := c.GetString("id_token_hint")
+	redirectUri := c.GetString("post_logout_redirect_uri")
+	state := c.GetString("state")
 
 	user := c.GetSessionUsername()
 
@@ -341,15 +375,12 @@ func (c *ApiController) Logout() {
 
 		c.ClearUserSession()
 		c.ClearTokenSession()
-		owner, username := util.GetOwnerAndNameFromId(user)
-		_, err := object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID())
-		if err != nil {
+
+		if err := c.deleteUserSession(user); err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
 
-		util.LogInfo(c.Ctx, "API: [%s] logged out", user)
-
 		application := c.GetSessionApplication()
 		if application == nil || application.Name == "app-built-in" || application.HomepageUrl == "" {
 			c.ResponseOk(user)
@@ -378,7 +409,7 @@ func (c *ApiController) Logout() {
 			return
 		}
 		if application == nil {
-			c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist")), token.Application)
+			c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), token.Application))
 			return
 		}
 
@@ -388,17 +419,13 @@ func (c *ApiController) Logout() {
 
 		c.ClearUserSession()
 		c.ClearTokenSession()
-		// TODO https://github.com/casdoor/casdoor/pull/1494#discussion_r1095675265
-		owner, username := util.GetOwnerAndNameFromId(user)
 
-		_, err = object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID())
-		if err != nil {
+		// TODO https://github.com/casdoor/casdoor/pull/1494#discussion_r1095675265
+		if err := c.deleteUserSession(user); err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
 
-		util.LogInfo(c.Ctx, "API: [%s] logged out", user)
-
 		if redirectUri == "" {
 			c.ResponseOk()
 			return
@@ -421,6 +448,108 @@ func (c *ApiController) Logout() {
 	}
 }
 
+// SsoLogout
+// @Title SsoLogout
+// @Tag Login API
+// @Description logout the current user from all applications or current session only
+// @Param   logoutAll   query    string  false     "Whether to logout from all sessions. Accepted values: 'true', '1', or empty (default: true). Any other value means false."
+// @Success 200 {object} controllers.Response The Response object
+// @router /sso-logout [get,post]
+func (c *ApiController) SsoLogout() {
+	user := c.GetSessionUsername()
+
+	if user == "" {
+		c.ResponseOk()
+		return
+	}
+
+	// Check if user wants to logout from all sessions or just current session
+	// Default is true for backward compatibility
+	logoutAll := c.Ctx.Input.Query("logoutAll")
+	logoutAllSessions := logoutAll == "" || logoutAll == "true" || logoutAll == "1"
+
+	c.ClearUserSession()
+	c.ClearTokenSession()
+	owner, username, err := util.GetOwnerAndNameFromIdWithError(user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	currentSessionId := c.Ctx.Input.CruSession.SessionID(context.Background())
+	_, err = object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), currentSessionId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	var tokens []*object.Token
+	var sessionIds []string
+
+	// Get tokens for notification (needed for both session-level and full logout)
+	// This enables subsystems to identify and invalidate corresponding access tokens
+	// Note: Tokens must be retrieved BEFORE expiration to include their hashes in the notification
+	tokens, err = object.GetTokensByUser(owner, username)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if logoutAllSessions {
+		// Logout from all sessions: expire all tokens and delete all sessions
+		_, err = object.ExpireTokenByUser(owner, username)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		sessions, err := object.GetUserSessions(owner, username)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		for _, session := range sessions {
+			sessionIds = append(sessionIds, session.SessionId...)
+		}
+		object.DeleteBeegoSession(sessionIds)
+
+		_, err = object.DeleteAllUserSessions(owner, username)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		util.LogInfo(c.Ctx, "API: [%s] logged out from all applications", user)
+	} else {
+		// Logout from current session only
+		sessionIds = []string{currentSessionId}
+
+		// Only delete the current session's Beego session
+		object.DeleteBeegoSession(sessionIds)
+
+		util.LogInfo(c.Ctx, "API: [%s] logged out from current session", user)
+	}
+
+	// Send SSO logout notifications to all notification providers in the user's signup application
+	// Now includes session-level information for targeted logout
+	userObj, err := object.GetUser(user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if userObj != nil {
+		err = object.SendSsoLogoutNotifications(userObj, sessionIds, tokens)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	}
+
+	c.ResponseOk()
+}
+
 // GetAccount
 // @Title GetAccount
 // @Tag Account API
@@ -434,7 +563,7 @@ func (c *ApiController) GetAccount() {
 		return
 	}
 
-	managedAccounts := c.Input().Get("managedAccounts")
+	managedAccounts := c.Ctx.Input.Query("managedAccounts")
 	if managedAccounts == "1" {
 		user, err = object.ExtendManagedAccountsWithUser(user)
 		if err != nil {
@@ -552,9 +681,54 @@ func (c *ApiController) GetUserinfo2() {
 // @router /get-captcha [get]
 // @Success 200 {object} object.Userinfo The Response object
 func (c *ApiController) GetCaptcha() {
-	applicationId := c.Input().Get("applicationId")
-	isCurrentProvider := c.Input().Get("isCurrentProvider")
+	applicationId := c.Ctx.Input.Query("applicationId")
+	isCurrentProvider := c.Ctx.Input.Query("isCurrentProvider")
 
+	// When isCurrentProvider == "true", the frontend passes a provider ID instead of an application ID.
+	// In that case, skip application lookup and rule evaluation, and just return the provider config.
+	shouldSkipCaptcha := false
+
+	if isCurrentProvider != "true" {
+		application, err := object.GetApplication(applicationId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if application == nil {
+			c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), applicationId))
+			return
+		}
+
+		// Check the CAPTCHA rule to determine if CAPTCHA should be shown
+		clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
+
+		// For Internet-Only rule, we can determine on the backend if CAPTCHA should be shown
+		// For other rules (Dynamic, Always), we need to return the CAPTCHA config
+		for _, providerItem := range application.Providers {
+			if providerItem.Provider == nil || providerItem.Provider.Category != "Captcha" {
+				continue
+			}
+
+			// For "None" rule, skip CAPTCHA
+			if providerItem.Rule == "None" || providerItem.Rule == "" {
+				shouldSkipCaptcha = true
+			} else if providerItem.Rule == "Internet-Only" {
+				// For Internet-Only rule, check if the client is from intranet
+				if !util.IsInternetIp(clientIp) {
+					// Client is from intranet, skip CAPTCHA
+					shouldSkipCaptcha = true
+				}
+			}
+
+			break // Only check the first CAPTCHA provider
+		}
+
+		if shouldSkipCaptcha {
+			c.ResponseOk(Captcha{Type: "none"})
+			return
+		}
+	}
 	captchaProvider, err := object.GetCaptchaProviderByApplication(applicationId, isCurrentProvider, c.GetAcceptLanguage())
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -588,3 +762,24 @@ func (c *ApiController) GetCaptcha() {
 
 	c.ResponseOk(Captcha{Type: "none"})
 }
+
+func (c *ApiController) deleteUserSession(user string) error {
+	owner, username, err := util.GetOwnerAndNameFromIdWithError(user)
+	if err != nil {
+		return err
+	}
+
+	// Casdoor session ID derived from owner, username, and application
+	sessionId := util.GetSessionId(owner, username, object.CasdoorApplication)
+
+	// Explicitly get the Beego session ID from the context
+	beegoSessionId := c.Ctx.Input.CruSession.SessionID(context.Background())
+
+	_, err = object.DeleteSessionId(sessionId, beegoSessionId)
+	if err != nil {
+		return err
+	}
+
+	util.LogInfo(c.Ctx, "API: [%s] logged out", user)
+	return nil
+}

controllers/adapter.go

@@ -17,7 +17,7 @@ package controllers
 import (
 	"encoding/json"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,13 +30,13 @@ import (
 // @Success 200 {array} object.Adapter The Response object
 // @router /get-adapters [get]
 func (c *ApiController) GetAdapters() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
 		adapters, err := object.GetAdapters(owner)
@@ -54,7 +54,7 @@ func (c *ApiController) GetAdapters() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		adapters, err := object.GetPaginationAdapters(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -73,7 +73,7 @@ func (c *ApiController) GetAdapters() {
 // @Success 200 {object} object.Adapter The Response object
 // @router /get-adapter [get]
 func (c *ApiController) GetAdapter() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	adapter, err := object.GetAdapter(id)
 	if err != nil {
@@ -93,7 +93,7 @@ func (c *ApiController) GetAdapter() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-adapter [post]
 func (c *ApiController) UpdateAdapter() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var adapter object.Adapter
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &adapter)

controllers/application.go

@@ -18,7 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -32,14 +32,14 @@ import (
 // @router /get-applications [get]
 func (c *ApiController) GetApplications() {
 	userId := c.GetSessionUsername()
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
-	organization := c.Input().Get("organization")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
+	organization := c.Ctx.Input.Query("organization")
 	var err error
 	if limit == "" || page == "" {
 		var applications []*object.Application
@@ -61,7 +61,7 @@ func (c *ApiController) GetApplications() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		application, err := object.GetPaginationApplications(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -82,7 +82,7 @@ func (c *ApiController) GetApplications() {
 // @router /get-application [get]
 func (c *ApiController) GetApplication() {
 	userId := c.GetSessionUsername()
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	application, err := object.GetApplication(id)
 	if err != nil {
@@ -90,7 +90,7 @@ func (c *ApiController) GetApplication() {
 		return
 	}
 
-	if c.Input().Get("withKey") != "" && application != nil && application.Cert != "" {
+	if c.Ctx.Input.Query("withKey") != "" && application != nil && application.Cert != "" {
 		cert, err := object.GetCert(util.GetId(application.Owner, application.Cert))
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -125,7 +125,7 @@ func (c *ApiController) GetApplication() {
 // @router /get-user-application [get]
 func (c *ApiController) GetUserApplication() {
 	userId := c.GetSessionUsername()
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	user, err := object.GetUser(id)
 	if err != nil {
@@ -159,14 +159,14 @@ func (c *ApiController) GetUserApplication() {
 // @router /get-organization-applications [get]
 func (c *ApiController) GetOrganizationApplications() {
 	userId := c.GetSessionUsername()
-	organization := c.Input().Get("organization")
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	organization := c.Ctx.Input.Query("organization")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if organization == "" {
 		c.ResponseError(c.T("general:Missing parameter") + ": organization")
@@ -196,7 +196,7 @@ func (c *ApiController) GetOrganizationApplications() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		applications, err := object.GetPaginationOrganizationApplications(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -223,7 +223,7 @@ func (c *ApiController) GetOrganizationApplications() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-application [post]
 func (c *ApiController) UpdateApplication() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var application object.Application
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &application)
@@ -237,7 +237,7 @@ func (c *ApiController) UpdateApplication() {
 		return
 	}
 
-	c.Data["json"] = wrapActionResponse(object.UpdateApplication(id, &application))
+	c.Data["json"] = wrapActionResponse(object.UpdateApplication(id, &application, c.IsGlobalAdmin(), c.GetAcceptLanguage()))
 	c.ServeJSON()
 }
 

controllers/auth.go

@@ -15,6 +15,7 @@
 package controllers
 
 import (
+	"context"
 	"encoding/base64"
 	"encoding/json"
 	"encoding/xml"
@@ -27,6 +28,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/beego/beego/v2/server/web"
 	"github.com/casdoor/casdoor/captcha"
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/form"
@@ -61,6 +63,11 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		return
 	}
 
+	if user.IsDeleted {
+		c.ResponseError(c.T("check:The user has been deleted and cannot be used to sign in, please contact the administrator"))
+		return
+	}
+
 	userId := user.GetId()
 
 	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
@@ -93,7 +100,8 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 	// check user's tag
 	if !user.IsGlobalAdmin() && !user.IsAdmin && len(application.Tags) > 0 {
 		// only users with the tag that is listed in the application tags can login
-		if !util.InSlice(application.Tags, user.Tag) {
+		// supports comma-separated tags in user.Tag (e.g., "default-policy,project-admin")
+		if !util.HasTagInSlice(application.Tags, user.Tag) {
 			c.ResponseError(fmt.Sprintf(c.T("auth:User's tag: %s is not listed in the application's tags"), user.Tag))
 			return
 		}
@@ -131,6 +139,7 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 				c.ResponseError(fmt.Sprintf(c.T("auth:paid-user %s does not have active or pending subscription and the application: %s does not have default pricing"), user.Name, application.Name))
 				return
 			} else {
+				c.SetSession("paidUsername", user.GetId())
 				// let the paid-user select plan
 				c.ResponseOk("SelectPlan", pricing)
 				return
@@ -144,20 +153,34 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		util.LogInfo(c.Ctx, "API: [%s] signed in", userId)
 		resp = &Response{Status: "ok", Msg: "", Data: userId, Data3: user.NeedUpdatePassword}
 	} else if form.Type == ResponseTypeCode {
-		clientId := c.Input().Get("clientId")
-		responseType := c.Input().Get("responseType")
-		redirectUri := c.Input().Get("redirectUri")
-		scope := c.Input().Get("scope")
-		state := c.Input().Get("state")
-		nonce := c.Input().Get("nonce")
-		challengeMethod := c.Input().Get("code_challenge_method")
-		codeChallenge := c.Input().Get("code_challenge")
+		clientId := c.Ctx.Input.Query("clientId")
+		responseType := c.Ctx.Input.Query("responseType")
+		redirectUri := c.Ctx.Input.Query("redirectUri")
+		scope := c.Ctx.Input.Query("scope")
+		state := c.Ctx.Input.Query("state")
+		nonce := c.Ctx.Input.Query("nonce")
+		challengeMethod := c.Ctx.Input.Query("code_challenge_method")
+		codeChallenge := c.Ctx.Input.Query("code_challenge")
+		resource := c.Ctx.Input.Query("resource")
 
 		if challengeMethod != "S256" && challengeMethod != "null" && challengeMethod != "" {
 			c.ResponseError(c.T("auth:Challenge method should be S256"))
 			return
 		}
-		code, err := object.GetOAuthCode(userId, clientId, form.Provider, responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host, c.GetAcceptLanguage())
+
+		consentRequired, err := object.CheckConsentRequired(user, application, scope)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if consentRequired {
+			resp = &Response{Status: "ok", Data: map[string]bool{"required": true}}
+			resp.Data3 = user.NeedUpdatePassword
+			return
+		}
+
+		code, err := object.GetOAuthCode(userId, clientId, form.Provider, form.SigninMethod, responseType, redirectUri, scope, state, nonce, codeChallenge, resource, c.Ctx.Request.Host, c.GetAcceptLanguage())
 		if err != nil {
 			c.ResponseError(err.Error(), nil)
 			return
@@ -173,12 +196,17 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		if !object.IsGrantTypeValid(form.Type, application.GrantTypes) {
 			resp = &Response{Status: "error", Msg: fmt.Sprintf("error: grant_type: %s is not supported in this application", form.Type), Data: ""}
 		} else {
-			scope := c.Input().Get("scope")
-			nonce := c.Input().Get("nonce")
-			token, _ := object.GetTokenByUser(application, user, scope, nonce, c.Ctx.Request.Host)
-			resp = tokenToResponse(token)
+			scope := c.Ctx.Input.Query("scope")
+			nonce := c.Ctx.Input.Query("nonce")
+			expandedScope, valid := object.IsScopeValidAndExpand(scope, application)
+			if !valid {
+				resp = &Response{Status: "error", Msg: "error: invalid_scope", Data: ""}
+			} else {
+				token, _ := object.GetTokenByUser(application, user, expandedScope, nonce, c.Ctx.Request.Host)
+				resp = tokenToResponse(token)
 
-			resp.Data3 = user.NeedUpdatePassword
+				resp.Data3 = user.NeedUpdatePassword
+			}
 		}
 	} else if form.Type == ResponseTypeDevice {
 		authCache, ok := object.DeviceAuthMap.LoadAndDelete(form.UserCode)
@@ -220,7 +248,7 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		}
 	} else if form.Type == ResponseTypeCas {
 		// not oauth but CAS SSO protocol
-		service := c.Input().Get("service")
+		service := c.Ctx.Input.Query("service")
 		resp = wrapErrorResponse(nil)
 		if service != "" {
 			st, err := object.GenerateCasToken(userId, service)
@@ -239,9 +267,36 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		resp = wrapErrorResponse(fmt.Errorf("unknown response type: %s", form.Type))
 	}
 
-	// if user did not check auto signin
-	if resp.Status == "ok" && !form.AutoSignin {
-		c.setExpireForSession()
+	// For all successful logins, set the session expiration; if auto signin is not checked, cap it at 24 hours.
+	if resp.Status == "ok" {
+		expireInHours := application.CookieExpireInHours
+
+		if expireInHours == 0 {
+			expireInHours = 720
+		}
+
+		if !form.AutoSignin && expireInHours > 24 {
+			expireInHours = 24
+		}
+		c.setExpireForSession(expireInHours)
+	}
+
+	if application.EnableExclusiveSignin {
+		sessions, err := object.GetUserAppSessions(user.Owner, user.Name, application.Name)
+		if err != nil {
+			c.ResponseError(err.Error(), nil)
+			return
+		}
+
+		for _, session := range sessions {
+			for _, sid := range session.SessionId {
+				err := web.GlobalSessions.GetProvider().SessionDestroy(context.Background(), sid)
+				if err != nil {
+					c.ResponseError(err.Error(), nil)
+					return
+				}
+			}
+		}
 	}
 
 	if resp.Status == "ok" {
@@ -249,7 +304,9 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 			Owner:       user.Owner,
 			Name:        user.Name,
 			Application: application.Name,
-			SessionId:   []string{c.Ctx.Input.CruSession.SessionID()},
+			SessionId:   []string{c.Ctx.Input.CruSession.SessionID(context.Background())},
+
+			ExclusiveSignin: application.EnableExclusiveSignin,
 		})
 		if err != nil {
 			c.ResponseError(err.Error(), nil)
@@ -272,14 +329,14 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 // @Success 200 {object} controllers.Response The Response object
 // @router /get-app-login [get]
 func (c *ApiController) GetApplicationLogin() {
-	clientId := c.Input().Get("clientId")
-	responseType := c.Input().Get("responseType")
-	redirectUri := c.Input().Get("redirectUri")
-	scope := c.Input().Get("scope")
-	state := c.Input().Get("state")
-	id := c.Input().Get("id")
-	loginType := c.Input().Get("type")
-	userCode := c.Input().Get("userCode")
+	clientId := c.Ctx.Input.Query("clientId")
+	responseType := c.Ctx.Input.Query("responseType")
+	redirectUri := c.Ctx.Input.Query("redirectUri")
+	scope := c.Ctx.Input.Query("scope")
+	state := c.Ctx.Input.Query("state")
+	id := c.Ctx.Input.Query("id")
+	loginType := c.Ctx.Input.Query("type")
+	userCode := c.Ctx.Input.Query("userCode")
 
 	var application *object.Application
 	var msg string
@@ -390,7 +447,7 @@ func checkMfaEnable(c *ApiController, user *object.User, organization *object.Or
 		}
 		if len(mfaAllowList) >= 1 {
 			c.SetSession("verificationCodeType", verificationType)
-			c.Ctx.Input.CruSession.SessionRelease(c.Ctx.ResponseWriter)
+			c.Ctx.Input.CruSession.SessionRelease(context.Background(), c.Ctx.ResponseWriter)
 			c.ResponseOk(object.NextMfa, mfaAllowList)
 			return true
 		}
@@ -399,6 +456,55 @@ func checkMfaEnable(c *ApiController, user *object.User, organization *object.Or
 	return false
 }
 
+func getExistUserByBindingRule(providerItem *object.ProviderItem, application *object.Application, userInfo *idp.UserInfo) (user *object.User, err error) {
+	if providerItem.BindingRule == nil {
+		providerItem.BindingRule = &[]string{"Email", "Phone", "Name"}
+	}
+	if len(*providerItem.BindingRule) == 0 {
+		return nil, nil
+	}
+
+	for _, rule := range *providerItem.BindingRule {
+		// Find existing user with Email
+		if rule == "Email" {
+			user, err = object.GetUserByField(application.Organization, "email", userInfo.Email)
+			if err != nil {
+				return nil, err
+			}
+			if user != nil {
+				return user, nil
+			}
+		}
+
+		// Find existing user with phone number
+		if rule == "Phone" {
+			user, err = object.GetUserByField(application.Organization, "phone", userInfo.Phone)
+			if err != nil {
+				return nil, err
+			}
+			if user != nil {
+				return user, nil
+			}
+		}
+
+		// Try to find existing user by username (case-insensitive)
+		// This allows OAuth providers (e.g., Wecom) to automatically associate with
+		// existing users when usernames match, particularly useful for enterprise
+		// scenarios where signup is disabled and users already exist in Casdoor
+		if rule == "Name" {
+			user, err = object.GetUserByFields(application.Organization, userInfo.Username)
+			if err != nil {
+				return nil, err
+			}
+			if user != nil {
+				return user, nil
+			}
+		}
+	}
+
+	return user, nil
+}
+
 // Login ...
 // @Title Login
 // @Tag Login API
@@ -427,13 +533,6 @@ func (c *ApiController) Login() {
 	verificationType := ""
 
 	if authForm.Username != "" {
-		if authForm.Type == ResponseTypeLogin {
-			if c.GetSessionUsername() != "" {
-				c.ResponseError(c.T("account:Please sign out first"), c.GetSessionUsername())
-				return
-			}
-		}
-
 		var user *object.User
 		if authForm.SigninMethod == "Face ID" {
 			if user, err = object.GetUserByFields(authForm.Organization, authForm.Username); err != nil {
@@ -688,6 +787,7 @@ func (c *ApiController) Login() {
 		}
 		if provider == nil {
 			c.ResponseError(fmt.Sprintf(c.T("auth:The provider: %s does not exist"), authForm.Provider))
+			return
 		}
 
 		providerItem := application.GetProviderItem(provider.Name)
@@ -696,6 +796,7 @@ func (c *ApiController) Login() {
 			return
 		}
 		userInfo := &idp.UserInfo{}
+		var token *oauth2.Token
 		if provider.Category == "SAML" {
 			// SAML
 			userInfo, err = object.ParseSamlResponse(authForm.SamlResponse, provider, c.Ctx.Request.Host)
@@ -705,7 +806,12 @@ func (c *ApiController) Login() {
 			}
 		} else if provider.Category == "OAuth" || provider.Category == "Web3" {
 			// OAuth
-			idpInfo := object.FromProviderToIdpInfo(c.Ctx, provider)
+			idpInfo, err := object.FromProviderToIdpInfo(c.Ctx, provider)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+			idpInfo.CodeVerifier = authForm.CodeVerifier
 			var idProvider idp.IdProvider
 			idProvider, err = idp.GetIdProvider(idpInfo, authForm.RedirectUri)
 			if err != nil {
@@ -719,13 +825,13 @@ func (c *ApiController) Login() {
 
 			setHttpClient(idProvider, provider.Type)
 
-			if authForm.State != conf.GetConfigString("authState") && authForm.State != application.Name {
+			stateApplicationName := strings.Split(authForm.State, "-org-")[0]
+			if authForm.State != conf.GetConfigString("authState") && stateApplicationName != application.Name {
 				c.ResponseError(fmt.Sprintf(c.T("auth:State expected: %s, but got: %s"), conf.GetConfigString("authState"), authForm.State))
 				return
 			}
 
 			// https://github.com/golang/oauth2/issues/123#issuecomment-103715338
-			var token *oauth2.Token
 			token, err = idProvider.GetToken(authForm.Code)
 			if err != nil {
 				c.ResponseError(err.Error())
@@ -750,7 +856,7 @@ func (c *ApiController) Login() {
 					return
 				}
 				if !reg.MatchString(userInfo.Email) {
-					c.ResponseError(fmt.Sprintf(c.T("check:Email is invalid")))
+					c.ResponseError(c.T("check:Email is invalid"))
 				}
 			}
 		}
@@ -775,7 +881,7 @@ func (c *ApiController) Login() {
 			if user != nil && !user.IsDeleted {
 				// Sign in via OAuth (want to sign up but already have account)
 				// sync info from 3rd-party if possible
-				_, err = object.SetUserOAuthProperties(organization, user, provider.Type, userInfo)
+				_, err = object.SetUserOAuthProperties(organization, user, provider.Type, userInfo, token, provider.UserMapping)
 				if err != nil {
 					c.ResponseError(err.Error())
 					return
@@ -788,43 +894,40 @@ func (c *ApiController) Login() {
 				resp = c.HandleLoggedIn(application, user, &authForm)
 
 				c.Ctx.Input.SetParam("recordUserId", user.GetId())
-			} else if provider.Category == "OAuth" || provider.Category == "Web3" {
+			} else if provider.Category == "OAuth" || provider.Category == "Web3" || provider.Category == "SAML" {
 				// Sign up via OAuth
-				if application.EnableLinkWithEmail {
-					if userInfo.Email != "" {
-						// Find existing user with Email
-						user, err = object.GetUserByField(application.Organization, "email", userInfo.Email)
-						if err != nil {
-							c.ResponseError(err.Error())
-							return
-						}
-					}
-
-					if user == nil && userInfo.Phone != "" {
-						// Find existing user with phone number
-						user, err = object.GetUserByField(application.Organization, "phone", userInfo.Phone)
-						if err != nil {
-							c.ResponseError(err.Error())
-							return
-						}
-					}
+				user, err = getExistUserByBindingRule(providerItem, application, userInfo)
+				if err != nil {
+					c.ResponseError(err.Error())
+					return
 				}
 
-				if user == nil || user.IsDeleted {
+				if user == nil {
 					if !application.EnableSignUp {
 						c.ResponseError(fmt.Sprintf(c.T("auth:The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support"), provider.Type, userInfo.Username, userInfo.DisplayName))
 						return
 					}
 
 					if !providerItem.CanSignUp {
-						c.ResponseError(fmt.Sprintf(c.T("auth:The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up"), provider.Type, userInfo.Username, userInfo.DisplayName, provider.Type))
+						c.ResponseError(fmt.Sprintf(c.T("auth:The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %s, please use another way to sign up"), provider.Type, userInfo.Username, userInfo.DisplayName, provider.Type))
 						return
 					}
 
-					if application.IsSignupItemRequired("Invitation code") {
-						c.ResponseError(c.T("check:Invitation code cannot be blank"))
+					// Check and validate invitation code
+					invitation, msg := object.CheckInvitationCode(application, organization, &authForm, c.GetAcceptLanguage())
+					if msg != "" {
+						c.ResponseError(msg)
 						return
 					}
+					invitationName := ""
+					if invitation != nil {
+						invitationName = invitation.Name
+					}
+
+					// Handle UseEmailAsUsername for OAuth and Web3
+					if organization.UseEmailAsUsername && userInfo.Email != "" {
+						userInfo.Username = userInfo.Email
+					}
 
 					// Handle username conflicts
 					var tmpUser *object.User
@@ -886,6 +989,19 @@ func (c *ApiController) Login() {
 						IsDeleted:         false,
 						SignupApplication: application.Name,
 						Properties:        properties,
+						Invitation:        invitationName,
+						InvitationCode:    authForm.InvitationCode,
+						RegisterType:      "Application Signup",
+						RegisterSource:    fmt.Sprintf("%s/%s", application.Organization, application.Name),
+					}
+
+					// Set group from invitation code if available, otherwise use provider's signup group or application's default group
+					if invitation != nil && invitation.SignupGroup != "" {
+						user.Groups = []string{invitation.SignupGroup}
+					} else if providerItem.SignupGroup != "" {
+						user.Groups = []string{providerItem.SignupGroup}
+					} else if application.DefaultGroup != "" {
+						user.Groups = []string{application.DefaultGroup}
 					}
 
 					var affected bool
@@ -900,9 +1016,10 @@ func (c *ApiController) Login() {
 						return
 					}
 
-					if providerItem.SignupGroup != "" {
-						user.Groups = []string{providerItem.SignupGroup}
-						_, err = object.UpdateUser(user.GetId(), user, []string{"groups"}, false)
+					// Increment invitation usage count
+					if invitation != nil {
+						invitation.UsedCount += 1
+						_, err = object.UpdateInvitation(invitation.GetId(), invitation, c.GetAcceptLanguage())
 						if err != nil {
 							c.ResponseError(err.Error())
 							return
@@ -911,7 +1028,7 @@ func (c *ApiController) Login() {
 				}
 
 				// sync info from 3rd-party if possible
-				_, err = object.SetUserOAuthProperties(organization, user, provider.Type, userInfo)
+				_, err = object.SetUserOAuthProperties(organization, user, provider.Type, userInfo, token, provider.UserMapping)
 				if err != nil {
 					c.ResponseError(err.Error())
 					return
@@ -959,7 +1076,7 @@ func (c *ApiController) Login() {
 			}
 
 			// sync info from 3rd-party if possible
-			_, err = object.SetUserOAuthProperties(organization, user, provider.Type, userInfo)
+			_, err = object.SetUserOAuthProperties(organization, user, provider.Type, userInfo, token, provider.UserMapping)
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@@ -1111,8 +1228,8 @@ func (c *ApiController) Login() {
 }
 
 func (c *ApiController) GetSamlLogin() {
-	providerId := c.Input().Get("id")
-	relayState := c.Input().Get("relayState")
+	providerId := c.Ctx.Input.Query("id")
+	relayState := c.Ctx.Input.Query("relayState")
 	authURL, method, err := object.GenerateSamlRequest(providerId, relayState, c.Ctx.Request.Host, c.GetAcceptLanguage())
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -1122,8 +1239,8 @@ func (c *ApiController) GetSamlLogin() {
 }
 
 func (c *ApiController) HandleSamlLogin() {
-	relayState := c.Input().Get("RelayState")
-	samlResponse := c.Input().Get("SAMLResponse")
+	relayState := c.Ctx.Input.Query("RelayState")
+	samlResponse := c.Ctx.Input.Query("SAMLResponse")
 	decode, err := base64.StdEncoding.DecodeString(relayState)
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -1155,9 +1272,9 @@ func (c *ApiController) HandleOfficialAccountEvent() {
 		c.ResponseError(err.Error())
 		return
 	}
-	signature := c.Input().Get("signature")
-	timestamp := c.Input().Get("timestamp")
-	nonce := c.Input().Get("nonce")
+	signature := c.Ctx.Input.Query("signature")
+	timestamp := c.Ctx.Input.Query("timestamp")
+	nonce := c.Ctx.Input.Query("nonce")
 	var data struct {
 		MsgType      string `xml:"MsgType"`
 		Event        string `xml:"Event"`
@@ -1175,7 +1292,7 @@ func (c *ApiController) HandleOfficialAccountEvent() {
 		return
 	}
 	if data.Ticket == "" {
-		c.ResponseError(err.Error())
+		c.ResponseError("empty ticket")
 		return
 	}
 
@@ -1185,10 +1302,11 @@ func (c *ApiController) HandleOfficialAccountEvent() {
 		c.ResponseError(err.Error())
 		return
 	}
-	if data.Ticket == "" {
-		c.ResponseError("empty ticket")
+	if provider == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:The provider: %s does not exist"), providerId))
 		return
 	}
+
 	if !idp.VerifyWechatSignature(provider.Content, nonce, timestamp, signature) {
 		c.ResponseError("invalid signature")
 		return
@@ -1214,7 +1332,7 @@ func (c *ApiController) HandleOfficialAccountEvent() {
 // @Param   ticket     query    string  true        "The eventId of QRCode"
 // @Success 200 {object} controllers.Response The Response object
 func (c *ApiController) GetWebhookEventType() {
-	ticket := c.Input().Get("ticket")
+	ticket := c.Ctx.Input.Query("ticket")
 
 	idp.Lock.RLock()
 	_, ok := idp.WechatCacheMap[ticket]
@@ -1234,12 +1352,17 @@ func (c *ApiController) GetWebhookEventType() {
 // @Param   id     query    string  true        "The id ( owner/name ) of provider"
 // @Success 200 {object} controllers.Response The Response object
 func (c *ApiController) GetQRCode() {
-	providerId := c.Input().Get("id")
+	providerId := c.Ctx.Input.Query("id")
 	provider, err := object.GetProvider(providerId)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
+	if provider == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:The provider: %s does not exist"), providerId))
+		return
+	}
+
 	code, ticket, err := idp.GetWechatOfficialAccountQRCode(provider.ClientId2, provider.ClientSecret2, providerId)
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -1257,9 +1380,9 @@ func (c *ApiController) GetQRCode() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /get-captcha-status [get]
 func (c *ApiController) GetCaptchaStatus() {
-	organization := c.Input().Get("organization")
-	userId := c.Input().Get("userId")
-	applicationName := c.Input().Get("application")
+	organization := c.Ctx.Input.Query("organization")
+	userId := c.Ctx.Input.Query("userId")
+	applicationName := c.Ctx.Input.Query("application")
 
 	application, err := object.GetApplication(fmt.Sprintf("admin/%s", applicationName))
 	if err != nil {
@@ -1291,7 +1414,7 @@ func (c *ApiController) Callback() {
 	code := c.GetString("code")
 	state := c.GetString("state")
 
-	frontendCallbackUrl := fmt.Sprintf("/callback?code=%s&state=%s", code, state)
+	frontendCallbackUrl := fmt.Sprintf("/callback?code=%s&state=%s", url.QueryEscape(code), url.QueryEscape(state))
 	c.Ctx.Redirect(http.StatusFound, frontendCallbackUrl)
 }
 
@@ -1302,8 +1425,8 @@ func (c *ApiController) Callback() {
 // @router /device-auth [post]
 // @Success 200 {object} object.DeviceAuthResponse The Response object
 func (c *ApiController) DeviceAuth() {
-	clientId := c.Input().Get("client_id")
-	scope := c.Input().Get("scope")
+	clientId := c.Ctx.Input.Query("client_id")
+	scope := c.Ctx.Input.Query("scope")
 	application, err := object.GetApplicationByClientId(clientId)
 	if err != nil {
 		c.Data["json"] = object.TokenError{

controllers/base.go

@@ -15,11 +15,12 @@
 package controllers
 
 import (
+	"context"
 	"strings"
 	"time"
 
-	"github.com/beego/beego"
-	"github.com/beego/beego/logs"
+	"github.com/beego/beego/v2/core/logs"
+	"github.com/beego/beego/v2/server/web"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -27,7 +28,7 @@ import (
 // ApiController
 // controller for handlers under /api uri
 type ApiController struct {
-	beego.Controller
+	web.Controller
 }
 
 // RootController
@@ -104,6 +105,13 @@ func (c *ApiController) getCurrentUser() *object.User {
 
 // GetSessionUsername ...
 func (c *ApiController) GetSessionUsername() string {
+	// prefer username stored in Beego context by ApiFilter
+	if ctxUser := c.Ctx.Input.GetData("currentUserId"); ctxUser != nil {
+		if username, ok := ctxUser.(string); ok {
+			return username
+		}
+	}
+
 	// check if user session expired
 	sessionData := c.GetSessionData()
 
@@ -122,6 +130,26 @@ func (c *ApiController) GetSessionUsername() string {
 	return user.(string)
 }
 
+// GetPaidUsername ...
+func (c *ApiController) GetPaidUsername() string {
+	// check if user session expired
+	sessionData := c.GetSessionData()
+
+	if sessionData != nil &&
+		sessionData.ExpireTime != 0 &&
+		sessionData.ExpireTime < time.Now().Unix() {
+		c.ClearUserSession()
+		return ""
+	}
+
+	user := c.GetSession("paidUsername")
+	if user == nil {
+		return ""
+	}
+
+	return user.(string)
+}
+
 func (c *ApiController) GetSessionToken() string {
 	accessToken := c.GetSession("accessToken")
 	if accessToken == nil {
@@ -148,6 +176,7 @@ func (c *ApiController) GetSessionApplication() *object.Application {
 func (c *ApiController) ClearUserSession() {
 	c.SetSessionUsername("")
 	c.SetSessionData(nil)
+	_ = c.SessionRegenerateID()
 }
 
 func (c *ApiController) ClearTokenSession() {
@@ -216,16 +245,19 @@ func (c *ApiController) setMfaUserSession(userId string) {
 }
 
 func (c *ApiController) getMfaUserSession() string {
-	userId := c.Ctx.Input.CruSession.Get(object.MfaSessionUserId)
+	userId := c.Ctx.Input.CruSession.Get(context.Background(), object.MfaSessionUserId)
 	if userId == nil {
 		return ""
 	}
 	return userId.(string)
 }
 
-func (c *ApiController) setExpireForSession() {
+func (c *ApiController) setExpireForSession(cookieExpireInHours int64) {
 	timestamp := time.Now().Unix()
-	timestamp += 3600 * 24
+	if cookieExpireInHours == 0 {
+		cookieExpireInHours = 720
+	}
+	timestamp += 3600 * cookieExpireInHours
 	c.SetSessionData(&SessionData{
 		ExpireTime: timestamp,
 	})

controllers/cas.go

@@ -41,8 +41,8 @@ func queryUnescape(service string) string {
 }
 
 func (c *RootController) CasValidate() {
-	ticket := c.Input().Get("ticket")
-	service := c.Input().Get("service")
+	ticket := c.Ctx.Input.Query("ticket")
+	service := c.Ctx.Input.Query("service")
 	c.Ctx.Output.Header("Content-Type", "text/html; charset=utf-8")
 	if service == "" || ticket == "" {
 		c.Ctx.Output.Body([]byte("no\n"))
@@ -60,8 +60,8 @@ func (c *RootController) CasValidate() {
 }
 
 func (c *RootController) CasServiceValidate() {
-	ticket := c.Input().Get("ticket")
-	format := c.Input().Get("format")
+	ticket := c.Ctx.Input.Query("ticket")
+	format := c.Ctx.Input.Query("format")
 	if !strings.HasPrefix(ticket, "ST") {
 		c.sendCasAuthenticationResponseErr(InvalidTicket, fmt.Sprintf("Ticket %s not recognized", ticket), format)
 	}
@@ -75,8 +75,8 @@ func (c *RootController) CasProxyValidate() {
 }
 
 func (c *RootController) CasP3ServiceValidate() {
-	ticket := c.Input().Get("ticket")
-	format := c.Input().Get("format")
+	ticket := c.Ctx.Input.Query("ticket")
+	format := c.Ctx.Input.Query("format")
 	if !strings.HasPrefix(ticket, "ST") {
 		c.sendCasAuthenticationResponseErr(InvalidTicket, fmt.Sprintf("Ticket %s not recognized", ticket), format)
 	}
@@ -84,10 +84,10 @@ func (c *RootController) CasP3ServiceValidate() {
 }
 
 func (c *RootController) CasP3ProxyValidate() {
-	ticket := c.Input().Get("ticket")
-	format := c.Input().Get("format")
-	service := c.Input().Get("service")
-	pgtUrl := c.Input().Get("pgtUrl")
+	ticket := c.Ctx.Input.Query("ticket")
+	format := c.Ctx.Input.Query("format")
+	service := c.Ctx.Input.Query("service")
+	pgtUrl := c.Ctx.Input.Query("pgtUrl")
 
 	serviceResponse := object.CasServiceResponse{
 		Xmlns: "http://www.yale.edu/tp/cas",
@@ -161,9 +161,9 @@ func (c *RootController) CasP3ProxyValidate() {
 }
 
 func (c *RootController) CasProxy() {
-	pgt := c.Input().Get("pgt")
-	targetService := c.Input().Get("targetService")
-	format := c.Input().Get("format")
+	pgt := c.Ctx.Input.Query("pgt")
+	targetService := c.Ctx.Input.Query("targetService")
+	format := c.Ctx.Input.Query("format")
 	if pgt == "" || targetService == "" {
 		c.sendCasProxyResponseErr(InvalidRequest, "pgt and targetService must exist", format)
 		return
@@ -200,7 +200,7 @@ func (c *RootController) CasProxy() {
 
 func (c *RootController) SamlValidate() {
 	c.Ctx.Output.Header("Content-Type", "text/xml; charset=utf-8")
-	target := c.Input().Get("TARGET")
+	target := c.Ctx.Input.Query("TARGET")
 	body := c.Ctx.Input.RequestBody
 	envelopRequest := struct {
 		XMLName xml.Name `xml:"Envelope"`

controllers/casbin_api.go

@@ -34,11 +34,11 @@ import (
 // @Success 200 {object} controllers.Response The Response object
 // @router /enforce [post]
 func (c *ApiController) Enforce() {
-	permissionId := c.Input().Get("permissionId")
-	modelId := c.Input().Get("modelId")
-	resourceId := c.Input().Get("resourceId")
-	enforcerId := c.Input().Get("enforcerId")
-	owner := c.Input().Get("owner")
+	permissionId := c.Ctx.Input.Query("permissionId")
+	modelId := c.Ctx.Input.Query("modelId")
+	resourceId := c.Ctx.Input.Query("resourceId")
+	enforcerId := c.Ctx.Input.Query("enforcerId")
+	owner := c.Ctx.Input.Query("owner")
 
 	params := []string{permissionId, modelId, resourceId, enforcerId, owner}
 	nonEmpty := 0
@@ -119,7 +119,11 @@ func (c *ApiController) Enforce() {
 
 	permissions := []*object.Permission{}
 	if modelId != "" {
-		owner, modelName := util.GetOwnerAndNameFromId(modelId)
+		owner, modelName, err := util.GetOwnerAndNameFromIdWithError(modelId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 		permissions, err = object.GetPermissionsByModel(owner, modelName)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -176,10 +180,10 @@ func (c *ApiController) Enforce() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /batch-enforce [post]
 func (c *ApiController) BatchEnforce() {
-	permissionId := c.Input().Get("permissionId")
-	modelId := c.Input().Get("modelId")
-	enforcerId := c.Input().Get("enforcerId")
-	owner := c.Input().Get("owner")
+	permissionId := c.Ctx.Input.Query("permissionId")
+	modelId := c.Ctx.Input.Query("modelId")
+	enforcerId := c.Ctx.Input.Query("enforcerId")
+	owner := c.Ctx.Input.Query("owner")
 
 	params := []string{permissionId, modelId, enforcerId, owner}
 	nonEmpty := 0
@@ -255,7 +259,11 @@ func (c *ApiController) BatchEnforce() {
 
 	permissions := []*object.Permission{}
 	if modelId != "" {
-		owner, modelName := util.GetOwnerAndNameFromId(modelId)
+		owner, modelName, err := util.GetOwnerAndNameFromIdWithError(modelId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 		permissions, err = object.GetPermissionsByModel(owner, modelName)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -295,8 +303,15 @@ func (c *ApiController) BatchEnforce() {
 	c.ResponseOk(res, keyRes)
 }
 
+// GetAllObjects
+// @Title GetAllObjects
+// @Tag Enforcer API
+// @Description Get all objects for a user (Casbin API)
+// @Param   userId    query   string  false   "user id like built-in/admin"
+// @Success 200 {object} controllers.Response The Response object
+// @router /get-all-objects [get]
 func (c *ApiController) GetAllObjects() {
-	userId := c.Input().Get("userId")
+	userId := c.Ctx.Input.Query("userId")
 	if userId == "" {
 		userId = c.GetSessionUsername()
 		if userId == "" {
@@ -314,8 +329,15 @@ func (c *ApiController) GetAllObjects() {
 	c.ResponseOk(objects)
 }
 
+// GetAllActions
+// @Title GetAllActions
+// @Tag Enforcer API
+// @Description Get all actions for a user (Casbin API)
+// @Param   userId    query   string  false   "user id like built-in/admin"
+// @Success 200 {object} controllers.Response The Response object
+// @router /get-all-actions [get]
 func (c *ApiController) GetAllActions() {
-	userId := c.Input().Get("userId")
+	userId := c.Ctx.Input.Query("userId")
 	if userId == "" {
 		userId = c.GetSessionUsername()
 		if userId == "" {
@@ -333,8 +355,15 @@ func (c *ApiController) GetAllActions() {
 	c.ResponseOk(actions)
 }
 
+// GetAllRoles
+// @Title GetAllRoles
+// @Tag Enforcer API
+// @Description Get all roles for a user (Casbin API)
+// @Param   userId    query   string  false   "user id like built-in/admin"
+// @Success 200 {object} controllers.Response The Response object
+// @router /get-all-roles [get]
 func (c *ApiController) GetAllRoles() {
-	userId := c.Input().Get("userId")
+	userId := c.Ctx.Input.Query("userId")
 	if userId == "" {
 		userId = c.GetSessionUsername()
 		if userId == "" {

controllers/casbin_cli_api.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"sort"
 	"strings"
 	"sync"
@@ -38,6 +39,46 @@ var (
 	cliVersionMutex sync.RWMutex
 )
 
+// cleanOldMEIFolders cleans up old _MEIXXX folders from the Casdoor temp directory
+// that are older than 24 hours. These folders are created by PyInstaller when
+// executing casbin-python-cli and can accumulate over time.
+func cleanOldMEIFolders() {
+	tempDir := "temp"
+	cutoffTime := time.Now().Add(-24 * time.Hour)
+
+	entries, err := os.ReadDir(tempDir)
+	if err != nil {
+		// Log error but don't fail - cleanup is best-effort
+		// This is expected if temp directory doesn't exist yet
+		return
+	}
+
+	for _, entry := range entries {
+		// Check if the entry is a directory and matches the _MEI pattern
+		if !entry.IsDir() || !strings.HasPrefix(entry.Name(), "_MEI") {
+			continue
+		}
+
+		dirPath := filepath.Join(tempDir, entry.Name())
+		info, err := entry.Info()
+		if err != nil {
+			continue
+		}
+
+		// Check if the folder is older than 24 hours
+		if info.ModTime().Before(cutoffTime) {
+			// Try to remove the directory
+			err = os.RemoveAll(dirPath)
+			if err != nil {
+				// Log but continue with other folders
+				fmt.Printf("failed to remove old MEI folder %s: %v\n", dirPath, err)
+			} else {
+				fmt.Printf("removed old MEI folder: %s\n", dirPath)
+			}
+		}
+	}
+}
+
 // getCLIVersion
 // @Title getCLIVersion
 // @Description Get CLI version with cache mechanism
@@ -66,6 +107,9 @@ func getCLIVersion(language string) (string, error) {
 	}
 	cliVersionMutex.RUnlock()
 
+	// Clean up old _MEI folders before running the command
+	cleanOldMEIFolders()
+
 	cmd := exec.Command(binaryName, "--version")
 	output, err := cmd.CombinedOutput()
 	if err != nil {
@@ -125,8 +169,8 @@ func (c *ApiController) RunCasbinCommand() {
 		return
 	}
 
-	language := c.Input().Get("language")
-	argString := c.Input().Get("args")
+	language := c.Ctx.Input.Query("language")
+	argString := c.Ctx.Input.Query("args")
 
 	if language == "" {
 		language = "go"
@@ -152,6 +196,19 @@ func (c *ApiController) RunCasbinCommand() {
 		return
 	}
 
+	// Generate cache key for this command
+	cacheKey, err := generateCacheKey(language, args)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Check if result is cached
+	if cachedOutput, found := getCachedCommandResult(cacheKey); found {
+		c.ResponseOk(cachedOutput)
+		return
+	}
+
 	if len(args) > 0 && args[0] == "--version" {
 		version, err := getCLIVersion(language)
 		if err != nil {
@@ -173,6 +230,10 @@ func (c *ApiController) RunCasbinCommand() {
 		return
 	}
 
+	// Clean up old _MEI folders before running the command
+	// This is especially important for Python CLI which creates these folders
+	cleanOldMEIFolders()
+
 	command := exec.Command(binaryName, processedArgs...)
 	outputBytes, err := command.CombinedOutput()
 	if err != nil {
@@ -188,6 +249,10 @@ func (c *ApiController) RunCasbinCommand() {
 
 	output := string(outputBytes)
 	output = strings.TrimSuffix(output, "\n")
+
+	// Store result in cache
+	setCachedCommandResult(cacheKey, output)
+
 	c.ResponseOk(output)
 }
 
@@ -197,10 +262,10 @@ func (c *ApiController) RunCasbinCommand() {
 // @Param hash string The SHA-256 hash string
 // @Return error Returns error if validation fails, nil if successful
 func validateIdentifier(c *ApiController) error {
-	language := c.Input().Get("language")
-	args := c.Input().Get("args")
-	hash := c.Input().Get("m")
-	timestamp := c.Input().Get("t")
+	language := c.Ctx.Input.Query("language")
+	args := c.Ctx.Input.Query("args")
+	hash := c.Ctx.Input.Query("m")
+	timestamp := c.Ctx.Input.Query("t")
 
 	if hash == "" || timestamp == "" || language == "" || args == "" {
 		return fmt.Errorf("invalid identifier")

controllers/casbin_cli_api_cache.go

@@ -0,0 +1,100 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"sync"
+	"time"
+)
+
+type CommandCacheEntry struct {
+	Output     string
+	CachedTime time.Time
+}
+
+var (
+	commandCache      = make(map[string]*CommandCacheEntry)
+	commandCacheMutex sync.RWMutex
+	cacheTTL          = 5 * time.Minute
+	cleanupInProgress = false
+	cleanupMutex      sync.Mutex
+)
+
+// generateCacheKey creates a unique cache key based on language and arguments
+func generateCacheKey(language string, args []string) (string, error) {
+	argsJSON, err := json.Marshal(args)
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal args: %v", err)
+	}
+	data := fmt.Sprintf("%s:%s", language, string(argsJSON))
+	hash := sha256.Sum256([]byte(data))
+	return hex.EncodeToString(hash[:]), nil
+}
+
+// cleanExpiredCacheEntries removes expired entries from the cache
+func cleanExpiredCacheEntries() {
+	commandCacheMutex.Lock()
+	defer commandCacheMutex.Unlock()
+
+	for key, entry := range commandCache {
+		if time.Since(entry.CachedTime) >= cacheTTL {
+			delete(commandCache, key)
+		}
+	}
+
+	cleanupMutex.Lock()
+	cleanupInProgress = false
+	cleanupMutex.Unlock()
+}
+
+// getCachedCommandResult retrieves cached command result if available and not expired
+func getCachedCommandResult(cacheKey string) (string, bool) {
+	commandCacheMutex.RLock()
+	defer commandCacheMutex.RUnlock()
+
+	if entry, exists := commandCache[cacheKey]; exists {
+		if time.Since(entry.CachedTime) < cacheTTL {
+			return entry.Output, true
+		}
+	}
+	return "", false
+}
+
+// setCachedCommandResult stores command result in cache and performs periodic cleanup
+func setCachedCommandResult(cacheKey string, output string) {
+	commandCacheMutex.Lock()
+	commandCache[cacheKey] = &CommandCacheEntry{
+		Output:     output,
+		CachedTime: time.Now(),
+	}
+	shouldCleanup := len(commandCache)%100 == 0
+	commandCacheMutex.Unlock()
+
+	// Periodically clean expired entries (every 100 cache sets)
+	if shouldCleanup {
+		cleanupMutex.Lock()
+		if !cleanupInProgress {
+			cleanupInProgress = true
+			cleanupMutex.Unlock()
+			go cleanExpiredCacheEntries()
+		} else {
+			cleanupMutex.Unlock()
+		}
+	}
+}

controllers/cert.go

@@ -17,7 +17,7 @@ package controllers
 import (
 	"encoding/json"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,13 +30,13 @@ import (
 // @Success 200 {array} object.Cert The Response object
 // @router /get-certs [get]
 func (c *ApiController) GetCerts() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
 		certs, err := object.GetMaskedCerts(object.GetCerts(owner))
@@ -54,7 +54,7 @@ func (c *ApiController) GetCerts() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		certs, err := object.GetMaskedCerts(object.GetPaginationCerts(owner, paginator.Offset(), limit, field, value, sortField, sortOrder))
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -72,12 +72,12 @@ func (c *ApiController) GetCerts() {
 // @Success 200 {array} object.Cert The Response object
 // @router /get-global-certs [get]
 func (c *ApiController) GetGlobalCerts() {
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
 		certs, err := object.GetMaskedCerts(object.GetGlobalCerts())
@@ -95,7 +95,7 @@ func (c *ApiController) GetGlobalCerts() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		certs, err := object.GetMaskedCerts(object.GetPaginationGlobalCerts(paginator.Offset(), limit, field, value, sortField, sortOrder))
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -114,7 +114,7 @@ func (c *ApiController) GetGlobalCerts() {
 // @Success 200 {object} object.Cert The Response object
 // @router /get-cert [get]
 func (c *ApiController) GetCert() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 	cert, err := object.GetCert(id)
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -133,7 +133,7 @@ func (c *ApiController) GetCert() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-cert [post]
 func (c *ApiController) UpdateCert() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var cert object.Cert
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &cert)
@@ -183,3 +183,40 @@ func (c *ApiController) DeleteCert() {
 	c.Data["json"] = wrapActionResponse(object.DeleteCert(&cert))
 	c.ServeJSON()
 }
+
+// UpdateCertDomainExpire
+// @Title UpdateCertDomainExpire
+// @Tag Cert API
+// @Description update cert domain expire time
+// @Param   id     query   string  true        "The ID of the cert"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-cert-domain-expire [post]
+func (c *ApiController) UpdateCertDomainExpire() {
+	if _, ok := c.RequireSignedIn(); !ok {
+		return
+	}
+
+	id := c.Ctx.Input.Query("id")
+	cert, err := object.GetCert(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	domainExpireTime, err := object.GetDomainExpireTime(cert.Name)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if domainExpireTime == "" {
+		c.ResponseError("Failed to determine domain expiration time for domain " + cert.Name +
+			". Please verify that the domain is valid, publicly resolvable, and has a retrievable expiration date, " +
+			"or update the domain expiration time manually.")
+		return
+	}
+	cert.DomainExpireTime = domainExpireTime
+
+	c.Data["json"] = wrapActionResponse(object.UpdateCert(id, cert))
+	c.ServeJSON()
+}

controllers/cli_downloader.go

@@ -15,7 +15,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/beego/beego"
+	"github.com/beego/beego/v2/server/web"
 	"github.com/casdoor/casdoor/proxy"
 	"github.com/casdoor/casdoor/util"
 )
@@ -25,6 +25,7 @@ const (
 	goCliRepo      = "https://api.github.com/repos/casbin/casbin-go-cli/releases/latest"
 	rustCliRepo    = "https://api.github.com/repos/casbin-rs/casbin-rust-cli/releases/latest"
 	pythonCliRepo  = "https://api.github.com/repos/casbin/casbin-python-cli/releases/latest"
+	dotnetCliRepo  = "https://api.github.com/repos/casbin-net/casbin-dotnet-cli/releases/latest"
 	downloadFolder = "bin"
 )
 
@@ -45,6 +46,7 @@ func getBinaryNames() map[string]string {
 		java   = "java"
 		rust   = "rust"
 		python = "python"
+		dotnet = "dotnet"
 	)
 
 	arch := runtime.GOARCH
@@ -65,6 +67,7 @@ func getBinaryNames() map[string]string {
 			java:   "casbin-java-cli.jar",
 			rust:   fmt.Sprintf("casbin-rust-cli-%s-pc-windows-gnu", archNames.rustArch),
 			python: fmt.Sprintf("casbin-python-cli-windows-%s.exe", archNames.goArch),
+			dotnet: fmt.Sprintf("casbin-dotnet-cli-windows-%s.exe", archNames.goArch),
 		}
 	case "darwin":
 		return map[string]string{
@@ -72,6 +75,7 @@ func getBinaryNames() map[string]string {
 			java:   "casbin-java-cli.jar",
 			rust:   fmt.Sprintf("casbin-rust-cli-%s-apple-darwin", archNames.rustArch),
 			python: fmt.Sprintf("casbin-python-cli-darwin-%s", archNames.goArch),
+			dotnet: fmt.Sprintf("casbin-dotnet-cli-darwin-%s", archNames.goArch),
 		}
 	case "linux":
 		return map[string]string{
@@ -79,6 +83,7 @@ func getBinaryNames() map[string]string {
 			java:   "casbin-java-cli.jar",
 			rust:   fmt.Sprintf("casbin-rust-cli-%s-unknown-linux-gnu", archNames.rustArch),
 			python: fmt.Sprintf("casbin-python-cli-linux-%s", archNames.goArch),
+			dotnet: fmt.Sprintf("casbin-dotnet-cli-linux-%s", archNames.goArch),
 		}
 	default:
 		return nil
@@ -108,6 +113,11 @@ func getFinalBinaryName(lang string) string {
 			return "casbin-python-cli.exe"
 		}
 		return "casbin-python-cli"
+	case "dotnet":
+		if runtime.GOOS == "windows" {
+			return "casbin-dotnet-cli.exe"
+		}
+		return "casbin-dotnet-cli"
 	default:
 		return ""
 	}
@@ -347,6 +357,7 @@ func downloadCLI() error {
 		"go":     goCliRepo,
 		"rust":   rustCliRepo,
 		"python": pythonCliRepo,
+		"dotnet": dotnetCliRepo,
 	}
 
 	for lang, repo := range repos {
@@ -435,13 +446,13 @@ func downloadCLI() error {
 // @Success 200 {object} controllers.Response The Response object
 // @router /refresh-engines [post]
 func (c *ApiController) RefreshEngines() {
-	if !beego.AppConfig.DefaultBool("isDemoMode", false) {
+	if !web.AppConfig.DefaultBool("isDemoMode", false) {
 		c.ResponseError("refresh engines is only available in demo mode")
 		return
 	}
 
-	hash := c.Input().Get("m")
-	timestamp := c.Input().Get("t")
+	hash := c.Ctx.Input.Query("m")
+	timestamp := c.Ctx.Input.Query("t")
 
 	if hash == "" || timestamp == "" {
 		c.ResponseError("invalid identifier")
@@ -487,7 +498,7 @@ func (c *ApiController) RefreshEngines() {
 // @Title ScheduleCLIUpdater
 // @Description Start periodic CLI update scheduler
 func ScheduleCLIUpdater() {
-	if !beego.AppConfig.DefaultBool("isDemoMode", false) {
+	if !web.AppConfig.DefaultBool("isDemoMode", false) {
 		return
 	}
 
@@ -515,7 +526,7 @@ func DownloadCLI() error {
 // @Title InitCLIDownloader
 // @Description Initialize CLI downloader and start update scheduler
 func InitCLIDownloader() {
-	if !beego.AppConfig.DefaultBool("isDemoMode", false) {
+	if !web.AppConfig.DefaultBool("isDemoMode", false) {
 		return
 	}
 

controllers/consent.go

@@ -0,0 +1,226 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/casdoor/casdoor/object"
+)
+
+// RevokeConsent revokes a consent record
+// @Title RevokeConsent
+// @Tag Consent API
+// @Description revoke a consent record
+// @Param body body object.ConsentRecord true "The consent object"
+// @Success 200 {object} controllers.Response The Response object
+// @router /revoke-consent [post]
+func (c *ApiController) RevokeConsent() {
+	userId := c.GetSessionUsername()
+	if userId == "" {
+		c.ResponseError(c.T("general:Please login first"))
+		return
+	}
+
+	var consent object.ConsentRecord
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &consent)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Validate that consent.Application is not empty
+	if consent.Application == "" {
+		c.ResponseError(c.T("general:Application cannot be empty"))
+		return
+	}
+
+	// Validate that GrantedScopes is not empty when scope-specific revoke is requested
+	if len(consent.GrantedScopes) == 0 {
+		c.ResponseError(c.T("general:Granted scopes cannot be empty"))
+		return
+	}
+
+	userObj, err := object.GetUser(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if userObj == nil {
+		c.ResponseError(c.T("general:The user doesn't exist"))
+		return
+	}
+
+	newScopes := []object.ConsentRecord{}
+	for _, record := range userObj.ApplicationScopes {
+		if record.Application != consent.Application {
+			// skip other applications
+			newScopes = append(newScopes, record)
+			continue
+		}
+		// revoke specified scopes
+		revokeSet := make(map[string]bool)
+		for _, s := range consent.GrantedScopes {
+			revokeSet[s] = true
+		}
+		remaining := []string{}
+		for _, s := range record.GrantedScopes {
+			if !revokeSet[s] {
+				remaining = append(remaining, s)
+			}
+		}
+		if len(remaining) > 0 {
+			// still have remaining scopes, keep the record and update
+			record.GrantedScopes = remaining
+			newScopes = append(newScopes, record)
+		}
+		// otherwise the application authorization is revoked, delete the whole record
+	}
+	userObj.ApplicationScopes = newScopes
+	success, err := object.UpdateUser(userObj.GetId(), userObj, nil, false)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.ResponseOk(success)
+}
+
+// GrantConsent grants consent for an OAuth application and returns authorization code
+// @Title GrantConsent
+// @Tag Consent API
+// @Description grant consent for an OAuth application and get authorization code
+// @Param body body object.ConsentRecord true "The consent object with OAuth parameters"
+// @Success 200 {object} controllers.Response The Response object
+// @router /grant-consent [post]
+func (c *ApiController) GrantConsent() {
+	userId := c.GetSessionUsername()
+	if userId == "" {
+		c.ResponseError(c.T("general:Please login first"))
+		return
+	}
+
+	var request struct {
+		Application  string   `json:"application"`
+		Scopes       []string `json:"grantedScopes"`
+		ClientId     string   `json:"clientId"`
+		Provider     string   `json:"provider"`
+		SigninMethod string   `json:"signinMethod"`
+		ResponseType string   `json:"responseType"`
+		RedirectUri  string   `json:"redirectUri"`
+		Scope        string   `json:"scope"`
+		State        string   `json:"state"`
+		Nonce        string   `json:"nonce"`
+		Challenge    string   `json:"challenge"`
+		Resource     string   `json:"resource"`
+	}
+
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &request)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Validate application by clientId
+	application, err := object.GetApplicationByClientId(request.ClientId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if application == nil {
+		c.ResponseError(c.T("general:Invalid client_id"))
+		return
+	}
+
+	// Verify that request.Application matches the application's actual ID
+	if request.Application != application.GetId() {
+		c.ResponseError(c.T("general:Invalid application"))
+		return
+	}
+
+	// Update user's ApplicationScopes
+	userObj, err := object.GetUser(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if userObj == nil {
+		c.ResponseError(c.T("general:User not found"))
+		return
+	}
+
+	appId := application.GetId()
+	found := false
+	// Insert new scope into existing applicationScopes
+	for i, record := range userObj.ApplicationScopes {
+		if record.Application == appId {
+			existing := make(map[string]bool)
+			for _, s := range userObj.ApplicationScopes[i].GrantedScopes {
+				existing[s] = true
+			}
+			for _, s := range request.Scopes {
+				if !existing[s] {
+					userObj.ApplicationScopes[i].GrantedScopes = append(userObj.ApplicationScopes[i].GrantedScopes, s)
+					existing[s] = true
+				}
+			}
+			found = true
+			break
+		}
+	}
+	// create a new applicationScopes if not found
+	if !found {
+		uniqueScopes := []string{}
+		existing := make(map[string]bool)
+		for _, s := range request.Scopes {
+			if !existing[s] {
+				uniqueScopes = append(uniqueScopes, s)
+				existing[s] = true
+			}
+		}
+		userObj.ApplicationScopes = append(userObj.ApplicationScopes, object.ConsentRecord{
+			Application:   appId,
+			GrantedScopes: uniqueScopes,
+		})
+	}
+
+	_, err = object.UpdateUser(userObj.GetId(), userObj, []string{"application_scopes"}, false)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Now get the OAuth code
+	code, err := object.GetOAuthCode(
+		userId,
+		request.ClientId,
+		request.Provider,
+		request.SigninMethod,
+		request.ResponseType,
+		request.RedirectUri,
+		request.Scope,
+		request.State,
+		request.Nonce,
+		request.Challenge,
+		request.Resource,
+		c.Ctx.Request.Host,
+		c.GetAcceptLanguage(),
+	)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(code.Code)
+}

controllers/enforcer.go

@@ -17,9 +17,8 @@ package controllers
 import (
 	"encoding/json"
 	"fmt"
-	"strings"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 	xormadapter "github.com/casdoor/xorm-adapter/v3"
@@ -33,13 +32,13 @@ import (
 // @Success 200 {array} object.Enforcer
 // @router /get-enforcers [get]
 func (c *ApiController) GetEnforcers() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
 		enforcers, err := object.GetEnforcers(owner)
@@ -57,7 +56,7 @@ func (c *ApiController) GetEnforcers() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		enforcers, err := object.GetPaginationEnforcers(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -76,8 +75,8 @@ func (c *ApiController) GetEnforcers() {
 // @Success 200 {object} object.Enforcer
 // @router /get-enforcer [get]
 func (c *ApiController) GetEnforcer() {
-	id := c.Input().Get("id")
-	loadModelCfg := c.Input().Get("loadModelCfg")
+	id := c.Ctx.Input.Query("id")
+	loadModelCfg := c.Ctx.Input.Query("loadModelCfg")
 
 	enforcer, err := object.GetEnforcer(id)
 	if err != nil {
@@ -85,10 +84,12 @@ func (c *ApiController) GetEnforcer() {
 		return
 	}
 
-	if loadModelCfg == "true" && enforcer.Model != "" {
-		err := enforcer.LoadModelCfg()
-		if err != nil {
-			return
+	if enforcer != nil {
+		if loadModelCfg == "true" && enforcer.Model != "" {
+			err = enforcer.LoadModelCfg()
+			if err != nil {
+				return
+			}
 		}
 	}
 
@@ -104,7 +105,7 @@ func (c *ApiController) GetEnforcer() {
 // @Success 200 {object} object.Enforcer
 // @router /update-enforcer [post]
 func (c *ApiController) UpdateEnforcer() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	enforcer := object.Enforcer{}
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &enforcer)
@@ -164,8 +165,8 @@ func (c *ApiController) DeleteEnforcer() {
 // @Success 200 {array} xormadapter.CasbinRule
 // @router /get-policies [get]
 func (c *ApiController) GetPolicies() {
-	id := c.Input().Get("id")
-	adapterId := c.Input().Get("adapterId")
+	id := c.Ctx.Input.Query("id")
+	adapterId := c.Ctx.Input.Query("adapterId")
 
 	if adapterId != "" {
 		adapter, err := object.GetAdapter(adapterId)
@@ -200,37 +201,28 @@ func (c *ApiController) GetPolicies() {
 // GetFilteredPolicies
 // @Title GetFilteredPolicies
 // @Tag Enforcer API
-// @Description get filtered policies
+// @Description get filtered policies with support for multiple filters via POST body
 // @Param   id     query    string  true        "The id ( owner/name )  of enforcer"
-// @Param   ptype     query    string  false        "Policy type, default is 'p'"
-// @Param   fieldIndex     query    int  false        "Field index for filtering"
-// @Param   fieldValues     query    string  false        "Field values for filtering, comma-separated"
+// @Param   body   body    []object.Filter  true        "Array of filter objects for multiple filters"
 // @Success 200 {array} xormadapter.CasbinRule
-// @router /get-filtered-policies [get]
+// @router /get-filtered-policies [post]
 func (c *ApiController) GetFilteredPolicies() {
-	id := c.Input().Get("id")
-	ptype := c.Input().Get("ptype")
-	fieldIndexStr := c.Input().Get("fieldIndex")
-	fieldValuesStr := c.Input().Get("fieldValues")
+	id := c.Ctx.Input.Query("id")
 
-	if ptype == "" {
-		ptype = "p"
-	}
-
-	fieldIndex := util.ParseInt(fieldIndexStr)
-
-	var fieldValues []string
-	if fieldValuesStr != "" {
-		fieldValues = strings.Split(fieldValuesStr, ",")
-	}
-
-	policies, err := object.GetFilteredPolicies(id, ptype, fieldIndex, fieldValues...)
+	var filters []object.Filter
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &filters)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
 
-	c.ResponseOk(policies)
+	filteredPolicies, err := object.GetFilteredPoliciesMulti(id, filters)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(filteredPolicies)
 }
 
 // UpdatePolicy
@@ -242,7 +234,7 @@ func (c *ApiController) GetFilteredPolicies() {
 // @Success 200 {object} Response
 // @router /update-policy [post]
 func (c *ApiController) UpdatePolicy() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var policies []xormadapter.CasbinRule
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &policies)
@@ -269,7 +261,7 @@ func (c *ApiController) UpdatePolicy() {
 // @Success 200 {object} Response
 // @router /add-policy [post]
 func (c *ApiController) AddPolicy() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var policy xormadapter.CasbinRule
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &policy)
@@ -296,7 +288,7 @@ func (c *ApiController) AddPolicy() {
 // @Success 200 {object} Response
 // @router /remove-policy [post]
 func (c *ApiController) RemovePolicy() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var policy xormadapter.CasbinRule
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &policy)

controllers/face.go

@@ -33,8 +33,8 @@ import (
 // @Success 200 {object} controllers.Response The Response object
 // @router /faceid-signin-begin [get]
 func (c *ApiController) FaceIDSigninBegin() {
-	userOwner := c.Input().Get("owner")
-	userName := c.Input().Get("name")
+	userOwner := c.Ctx.Input.Query("owner")
+	userName := c.Ctx.Input.Query("name")
 
 	user, err := object.GetUserByFields(userOwner, userName)
 	if err != nil {

controllers/form.go

@@ -0,0 +1,175 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/beego/beego/v2/core/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetGlobalForms
+// @Title GetGlobalForms
+// @Tag Form API
+// @Description get global forms
+// @Success 200 {array} object.Form The Response object
+// @router /get-global-forms [get]
+func (c *ApiController) GetGlobalForms() {
+	forms, err := object.GetGlobalForms()
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(object.GetMaskedForms(forms, true))
+}
+
+// GetForms
+// @Title GetForms
+// @Tag Form API
+// @Description get forms
+// @Param owner query string true "The owner of form"
+// @Success 200 {array} object.Form The Response object
+// @router /get-forms [get]
+func (c *ApiController) GetForms() {
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
+
+	if limit == "" || page == "" {
+		forms, err := object.GetForms(owner)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(object.GetMaskedForms(forms, true))
+	} else {
+		limit := util.ParseInt(limit)
+		count, err := object.GetFormCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
+		forms, err := object.GetPaginationForms(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		c.ResponseOk(forms, paginator.Nums())
+	}
+}
+
+// GetForm
+// @Title GetForm
+// @Tag Form API
+// @Description get form
+// @Param id query string true "The id (owner/name) of form"
+// @Success 200 {object} object.Form The Response object
+// @router /get-form [get]
+func (c *ApiController) GetForm() {
+	id := c.Ctx.Input.Query("id")
+
+	form, err := object.GetForm(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(object.GetMaskedForm(form, true))
+}
+
+// UpdateForm
+// @Title UpdateForm
+// @Tag Form API
+// @Description update form
+// @Param id query string true "The id (owner/name) of the form"
+// @Param body body object.Form true "The details of the form"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-form [post]
+func (c *ApiController) UpdateForm() {
+	id := c.Ctx.Input.Query("id")
+
+	var form object.Form
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &form)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	success, err := object.UpdateForm(id, &form)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(success)
+}
+
+// AddForm
+// @Title AddForm
+// @Tag Form API
+// @Description add form
+// @Param body body object.Form true "The details of the form"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-form [post]
+func (c *ApiController) AddForm() {
+	var form object.Form
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &form)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	success, err := object.AddForm(&form)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(success)
+}
+
+// DeleteForm
+// @Title DeleteForm
+// @Tag Form API
+// @Description delete form
+// @Param body body object.Form true "The details of the form"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-form [post]
+func (c *ApiController) DeleteForm() {
+	var form object.Form
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &form)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	success, err := object.DeleteForm(&form)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(success)
+}

controllers/get-dashboard.go

@@ -23,7 +23,7 @@ import "github.com/casdoor/casdoor/object"
 // @Success 200 {object} controllers.Response The Response object
 // @router /get-dashboard [get]
 func (c *ApiController) GetDashboard() {
-	owner := c.Input().Get("owner")
+	owner := c.Ctx.Input.Query("owner")
 
 	data, err := object.GetDashboard(owner)
 	if err != nil {

controllers/group.go

@@ -17,7 +17,7 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,14 +30,14 @@ import (
 // @Success 200 {array} object.Group The Response object
 // @router /get-groups [get]
 func (c *ApiController) GetGroups() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
-	withTree := c.Input().Get("withTree")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
+	withTree := c.Ctx.Input.Query("withTree")
 
 	if limit == "" || page == "" {
 		groups, err := object.GetGroups(owner)
@@ -66,7 +66,7 @@ func (c *ApiController) GetGroups() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		groups, err := object.GetPaginationGroups(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -109,7 +109,7 @@ func (c *ApiController) GetGroups() {
 // @Success 200 {object} object.Group The Response object
 // @router /get-group [get]
 func (c *ApiController) GetGroup() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	group, err := object.GetGroup(id)
 	if err != nil {
@@ -135,7 +135,7 @@ func (c *ApiController) GetGroup() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-group [post]
 func (c *ApiController) UpdateGroup() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var group object.Group
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &group)

controllers/group_upload.go

@@ -24,7 +24,11 @@ import (
 
 func (c *ApiController) UploadGroups() {
 	userId := c.GetSessionUsername()
-	owner, user := util.GetOwnerAndNameFromId(userId)
+	owner, user, err := util.GetOwnerAndNameFromIdWithError(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 
 	file, header, err := c.Ctx.Request.FormFile("file")
 	if err != nil {

controllers/invitation.go

@@ -16,8 +16,10 @@ package controllers
 
 import (
 	"encoding/json"
+	"fmt"
+	"strings"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,13 +32,13 @@ import (
 // @Success 200 {array} object.Invitation The Response object
 // @router /get-invitations [get]
 func (c *ApiController) GetInvitations() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
 		invitations, err := object.GetInvitations(owner)
@@ -54,7 +56,7 @@ func (c *ApiController) GetInvitations() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		invitations, err := object.GetPaginationInvitations(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -73,7 +75,7 @@ func (c *ApiController) GetInvitations() {
 // @Success 200 {object} object.Invitation The Response object
 // @router /get-invitation [get]
 func (c *ApiController) GetInvitation() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	invitation, err := object.GetInvitation(id)
 	if err != nil {
@@ -92,14 +94,18 @@ func (c *ApiController) GetInvitation() {
 // @Success 200 {object} object.Invitation The Response object
 // @router /get-invitation-info [get]
 func (c *ApiController) GetInvitationCodeInfo() {
-	code := c.Input().Get("code")
-	applicationId := c.Input().Get("applicationId")
+	code := c.Ctx.Input.Query("code")
+	applicationId := c.Ctx.Input.Query("applicationId")
 
 	application, err := object.GetApplication(applicationId)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
+	if application == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), applicationId))
+		return
+	}
 
 	invitation, msg := object.GetInvitationByCode(code, application.Organization, c.GetAcceptLanguage())
 	if msg != "" {
@@ -119,7 +125,7 @@ func (c *ApiController) GetInvitationCodeInfo() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-invitation [post]
 func (c *ApiController) UpdateInvitation() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var invitation object.Invitation
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &invitation)
@@ -178,7 +184,7 @@ func (c *ApiController) DeleteInvitation() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /verify-invitation [get]
 func (c *ApiController) VerifyInvitation() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	payment, attachInfo, err := object.VerifyInvitation(id)
 	if err != nil {
@@ -188,3 +194,90 @@ func (c *ApiController) VerifyInvitation() {
 
 	c.ResponseOk(payment, attachInfo)
 }
+
+// SendInvitation
+// @Title VerifyInvitation
+// @Tag Invitation API
+// @Description verify invitation
+// @Param   id     query    string	true        "The id ( owner/name ) of the invitation"
+// @Param   body    body	[]string  true        "The details of the invitation"
+// @Success 200 {object} controllers.Response The Response object
+// @router /send-invitation [post]
+func (c *ApiController) SendInvitation() {
+	id := c.Ctx.Input.Query("id")
+
+	var destinations []string
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &destinations)
+
+	if !c.IsAdmin() {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
+	invitation, err := object.GetInvitation(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if invitation == nil {
+		c.ResponseError(fmt.Sprintf(c.T("invitation:Invitation %s does not exist"), id))
+		return
+	}
+
+	organization, err := object.GetOrganization(fmt.Sprintf("admin/%s", invitation.Owner))
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if organization == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:The organization: %s does not exist"), invitation.Owner))
+		return
+	}
+
+	var application *object.Application
+	if invitation.Application != "" {
+		application, err = object.GetApplication(fmt.Sprintf("admin/%s-org-%s", invitation.Application, invitation.Owner))
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	} else {
+		application, err = object.GetApplicationByOrganizationName(invitation.Owner)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	}
+
+	if application == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The organization: %s should have one application at least"), invitation.Owner))
+		return
+	}
+
+	if application.IsShared {
+		application.Name = fmt.Sprintf("%s-org-%s", application.Name, invitation.Owner)
+	}
+
+	provider, err := application.GetEmailProvider("Invitation")
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if provider == nil {
+		c.ResponseError(fmt.Sprintf(c.T("verification:please add an Email provider to the \"Providers\" list for the application: %s"), invitation.Owner))
+		return
+	}
+
+	content := provider.Metadata
+
+	content = strings.ReplaceAll(content, "%code", invitation.Code)
+	content = strings.ReplaceAll(content, "%link", invitation.GetInvitationLink(c.Ctx.Request.Host, application.Name))
+
+	err = object.SendEmail(provider, provider.Title, content, destinations, organization.DisplayName)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk()
+}

controllers/kerberos.go

@@ -0,0 +1,105 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/casdoor/casdoor/form"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// KerberosLogin
+// @Title KerberosLogin
+// @Tag Login API
+// @Description Kerberos/SPNEGO login via Integrated Windows Authentication
+// @Param   application     query    string  true        "application name"
+// @Success 200 {object} controllers.Response The Response object
+// @router /kerberos-login [get]
+func (c *ApiController) KerberosLogin() {
+	applicationName := c.Ctx.Input.Query("application")
+	if applicationName == "" {
+		c.ResponseError(c.T("general:Missing parameter") + ": application")
+		return
+	}
+
+	application, err := object.GetApplication(fmt.Sprintf("admin/%s", applicationName))
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if application == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), applicationName))
+		return
+	}
+
+	organization, err := object.GetOrganization(util.GetId("admin", application.Organization))
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if organization == nil {
+		c.ResponseError(fmt.Sprintf("The organization: %s does not exist", application.Organization))
+		return
+	}
+
+	if organization.KerberosRealm == "" || organization.KerberosKeytab == "" {
+		c.ResponseError("Kerberos is not configured for this organization")
+		return
+	}
+
+	authHeader := c.Ctx.Input.Header("Authorization")
+	if authHeader == "" || !strings.HasPrefix(authHeader, "Negotiate ") {
+		c.Ctx.Output.Header("WWW-Authenticate", "Negotiate")
+		c.Ctx.Output.SetStatus(401)
+		c.Ctx.Output.Body([]byte("Kerberos authentication required"))
+		return
+	}
+
+	spnegoToken := strings.TrimPrefix(authHeader, "Negotiate ")
+
+	kerberosUsername, err := object.ValidateKerberosToken(organization, spnegoToken)
+	if err != nil {
+		c.Ctx.Output.Header("WWW-Authenticate", "Negotiate")
+		c.ResponseError(fmt.Sprintf("Kerberos authentication failed: %s", err.Error()))
+		return
+	}
+
+	user, err := object.GetUserByKerberosName(organization.Name, kerberosUsername)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if user == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), kerberosUsername))
+		return
+	}
+
+	application.OrganizationObj = organization
+
+	authForm := &form.AuthForm{
+		Type:         "code",
+		Application:  applicationName,
+		Organization: organization.Name,
+	}
+
+	resp := c.HandleLoggedIn(application, user, authForm)
+	if resp != nil {
+		c.Data["json"] = resp
+		c.ServeJSON()
+	}
+}

controllers/ldap.go

@@ -16,6 +16,7 @@ package controllers
 
 import (
 	"encoding/json"
+	"fmt"
 
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
@@ -45,14 +46,22 @@ type LdapSyncResp struct {
 // @Success 200 {object} controllers.LdapResp The Response object
 // @router /get-ldap-users [get]
 func (c *ApiController) GetLdapUsers() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
-	_, ldapId := util.GetOwnerAndNameFromId(id)
+	_, ldapId, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 	ldapServer, err := object.GetLdap(ldapId)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
+	if ldapServer == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The LDAP: %s does not exist"), ldapId))
+		return
+	}
 
 	conn, err := ldapServer.GetLdapConn()
 	if err != nil {
@@ -105,7 +114,7 @@ func (c *ApiController) GetLdapUsers() {
 // @Success 200 {array} object.Ldap The Response object
 // @router /get-ldaps [get]
 func (c *ApiController) GetLdaps() {
-	owner := c.Input().Get("owner")
+	owner := c.Ctx.Input.Query("owner")
 
 	c.ResponseOk(object.GetMaskedLdaps(object.GetLdaps(owner)))
 }
@@ -118,14 +127,18 @@ func (c *ApiController) GetLdaps() {
 // @Success 200 {object} object.Ldap The Response object
 // @router /get-ldap [get]
 func (c *ApiController) GetLdap() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	if util.IsStringsEmpty(id) {
 		c.ResponseError(c.T("general:Missing parameter"))
 		return
 	}
 
-	_, name := util.GetOwnerAndNameFromId(id)
+	_, name, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 	ldap, err := object.GetLdap(name)
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -253,11 +266,15 @@ func (c *ApiController) DeleteLdap() {
 // @Success 200 {object} controllers.LdapSyncResp The Response object
 // @router /sync-ldap-users [post]
 func (c *ApiController) SyncLdapUsers() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
-	owner, ldapId := util.GetOwnerAndNameFromId(id)
+	owner, ldapId, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 	var users []object.LdapUser
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &users)
+	err = json.Unmarshal(c.Ctx.Input.RequestBody, &users)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return

controllers/mfa.go

@@ -64,7 +64,14 @@ func (c *ApiController) MfaSetupInitiate() {
 		return
 	}
 
-	mfaProps, err := MfaUtil.Initiate(user.GetId())
+	issuer := ""
+	if organization != nil && organization.DisplayName != "" {
+		issuer = organization.DisplayName
+	} else if organization != nil {
+		issuer = organization.Name
+	}
+
+	mfaProps, err := MfaUtil.Initiate(user.GetId(), issuer)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@@ -124,6 +131,28 @@ func (c *ApiController) MfaSetupVerify() {
 			return
 		}
 		config.Secret = dest
+	} else if mfaType == object.RadiusType {
+		if dest == "" {
+			c.ResponseError("RADIUS username is missing")
+			return
+		}
+		config.Secret = dest
+		if secret == "" {
+			c.ResponseError("RADIUS provider is missing")
+			return
+		}
+		config.URL = secret
+	} else if mfaType == object.PushType {
+		if dest == "" {
+			c.ResponseError("push notification receiver is missing")
+			return
+		}
+		config.Secret = dest
+		if secret == "" {
+			c.ResponseError("push notification provider is missing")
+			return
+		}
+		config.URL = secret
 	}
 
 	mfaUtil := object.GetMfaUtil(mfaType, config)
@@ -200,6 +229,28 @@ func (c *ApiController) MfaSetupEnable() {
 			}
 			user.CountryCode = countryCode
 		}
+	} else if mfaType == object.RadiusType {
+		if dest == "" {
+			c.ResponseError("RADIUS username is missing")
+			return
+		}
+		config.Secret = dest
+		if secret == "" {
+			c.ResponseError("RADIUS provider is missing")
+			return
+		}
+		config.URL = secret
+	} else if mfaType == object.PushType {
+		if dest == "" {
+			c.ResponseError("push notification receiver is missing")
+			return
+		}
+		config.Secret = dest
+		if secret == "" {
+			c.ResponseError("push notification provider is missing")
+			return
+		}
+		config.URL = secret
 	}
 
 	if recoveryCodes == "" {

controllers/model.go

@@ -17,7 +17,7 @@ package controllers
 import (
 	"encoding/json"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,13 +30,13 @@ import (
 // @Success 200 {array} object.Model The Response object
 // @router /get-models [get]
 func (c *ApiController) GetModels() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
 		models, err := object.GetModels(owner)
@@ -54,7 +54,7 @@ func (c *ApiController) GetModels() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		models, err := object.GetPaginationModels(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -73,7 +73,7 @@ func (c *ApiController) GetModels() {
 // @Success 200 {object} object.Model The Response object
 // @router /get-model [get]
 func (c *ApiController) GetModel() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	model, err := object.GetModel(id)
 	if err != nil {
@@ -93,7 +93,7 @@ func (c *ApiController) GetModel() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-model [post]
 func (c *ApiController) UpdateModel() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var model object.Model
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &model)

controllers/oauth_dcr.go

@@ -0,0 +1,74 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/casdoor/casdoor/object"
+)
+
+// DynamicClientRegister
+// @Title DynamicClientRegister
+// @Tag OAuth API
+// @Description Register a new OAuth 2.0 client dynamically (RFC 7591)
+// @Param   organization     query    string  false        "The organization name (defaults to built-in)"
+// @Param   body    body   object.DynamicClientRegistrationRequest  true        "Client registration request"
+// @Success 201 {object} object.DynamicClientRegistrationResponse
+// @Failure 400 {object} object.DcrError
+// @router /api/oauth/register [post]
+func (c *ApiController) DynamicClientRegister() {
+	var req object.DynamicClientRegistrationRequest
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &req)
+	if err != nil {
+		c.Ctx.Output.Status = http.StatusBadRequest
+		c.Data["json"] = object.DcrError{
+			Error:            "invalid_client_metadata",
+			ErrorDescription: "invalid request body: " + err.Error(),
+		}
+		c.ServeJSON()
+		return
+	}
+
+	// Get organization from query parameter or default to built-in
+	organization := c.Ctx.Input.Query("organization")
+	if organization == "" {
+		organization = "built-in"
+	}
+
+	// Register the client
+	response, dcrErr, err := object.RegisterDynamicClient(&req, organization)
+	if err != nil {
+		c.Ctx.Output.Status = http.StatusInternalServerError
+		c.Data["json"] = object.DcrError{
+			Error:            "server_error",
+			ErrorDescription: err.Error(),
+		}
+		c.ServeJSON()
+		return
+	}
+	if dcrErr != nil {
+		c.Ctx.Output.Status = http.StatusBadRequest
+		c.Data["json"] = dcrErr
+		c.ServeJSON()
+		return
+	}
+
+	// Return 201 Created
+	c.Ctx.Output.Status = http.StatusCreated
+	c.Data["json"] = response
+	c.ServeJSON()
+}

controllers/oidc_discovery.go

@@ -1,76 +0,0 @@
-// Copyright 2021 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"strings"
-
-	"github.com/casdoor/casdoor/object"
-)
-
-// GetOidcDiscovery
-// @Title GetOidcDiscovery
-// @Tag OIDC API
-// @Description Get Oidc Discovery
-// @Success 200 {object} object.OidcDiscovery
-// @router /.well-known/openid-configuration [get]
-func (c *RootController) GetOidcDiscovery() {
-	host := c.Ctx.Request.Host
-	c.Data["json"] = object.GetOidcDiscovery(host)
-	c.ServeJSON()
-}
-
-// GetJwks
-// @Title GetJwks
-// @Tag OIDC API
-// @Success 200 {object} jose.JSONWebKey
-// @router /.well-known/jwks [get]
-func (c *RootController) GetJwks() {
-	jwks, err := object.GetJsonWebKeySet()
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	c.Data["json"] = jwks
-	c.ServeJSON()
-}
-
-// GetWebFinger
-// @Title GetWebFinger
-// @Tag OIDC API
-// @Param resource query string true "resource"
-// @Success 200 {object} object.WebFinger
-// @router /.well-known/webfinger [get]
-func (c *RootController) GetWebFinger() {
-	resource := c.Input().Get("resource")
-	rels := []string{}
-	host := c.Ctx.Request.Host
-
-	for key, value := range c.Input() {
-		if strings.HasPrefix(key, "rel") {
-			rels = append(rels, value...)
-		}
-	}
-
-	webfinger, err := object.GetWebFinger(resource, rels, host)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = webfinger
-	c.Ctx.Output.ContentType("application/jrd+json")
-	c.ServeJSON()
-}

controllers/order.go

@@ -0,0 +1,195 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/beego/beego/v2/core/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetOrders
+// @Title GetOrders
+// @Tag Order API
+// @Description get orders
+// @Param   owner     query    string  true        "The owner of orders"
+// @Success 200 {array} object.Order The Response object
+// @router /get-orders [get]
+func (c *ApiController) GetOrders() {
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
+
+	if limit == "" || page == "" {
+		var orders []*object.Order
+		var err error
+
+		if c.IsAdmin() {
+			// If field is "user", filter by that user even for admins
+			if field == "user" && value != "" {
+				orders, err = object.GetUserOrders(owner, value)
+			} else {
+				orders, err = object.GetOrders(owner)
+			}
+		} else {
+			user := c.GetSessionUsername()
+			_, userName, userErr := util.GetOwnerAndNameFromIdWithError(user)
+			if userErr != nil {
+				c.ResponseError(userErr.Error())
+				return
+			}
+			orders, err = object.GetUserOrders(owner, userName)
+		}
+
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(orders)
+	} else {
+		limit := util.ParseInt(limit)
+		if !c.IsAdmin() {
+			user := c.GetSessionUsername()
+			_, userName, userErr := util.GetOwnerAndNameFromIdWithError(user)
+			if userErr != nil {
+				c.ResponseError(userErr.Error())
+				return
+			}
+			field = "user"
+			value = userName
+		}
+		count, err := object.GetOrderCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
+		orders, err := object.GetPaginationOrders(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(orders, paginator.Nums())
+	}
+}
+
+// GetUserOrders
+// @Title GetUserOrders
+// @Tag Order API
+// @Description get orders for a user
+// @Param   owner     query    string  true        "The owner of orders"
+// @Param   user    query   string  true           "The username of the user"
+// @Success 200 {array} object.Order The Response object
+// @router /get-user-orders [get]
+func (c *ApiController) GetUserOrders() {
+	owner := c.Ctx.Input.Query("owner")
+	user := c.Ctx.Input.Query("user")
+
+	orders, err := object.GetUserOrders(owner, user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(orders)
+}
+
+// GetOrder
+// @Title GetOrder
+// @Tag Order API
+// @Description get order
+// @Param   id     query    string  true        "The id ( owner/name ) of the order"
+// @Success 200 {object} object.Order The Response object
+// @router /get-order [get]
+func (c *ApiController) GetOrder() {
+	id := c.Ctx.Input.Query("id")
+
+	order, err := object.GetOrder(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(order)
+}
+
+// UpdateOrder
+// @Title UpdateOrder
+// @Tag Order API
+// @Description update order
+// @Param   id     query    string  true        "The id ( owner/name ) of the order"
+// @Param   body    body   object.Order  true        "The details of the order"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-order [post]
+func (c *ApiController) UpdateOrder() {
+	id := c.Ctx.Input.Query("id")
+
+	var order object.Order
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &order)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdateOrder(id, &order))
+	c.ServeJSON()
+}
+
+// AddOrder
+// @Title AddOrder
+// @Tag Order API
+// @Description add order
+// @Param   body    body   object.Order  true        "The details of the order"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-order [post]
+func (c *ApiController) AddOrder() {
+	var order object.Order
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &order)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddOrder(&order))
+	c.ServeJSON()
+}
+
+// DeleteOrder
+// @Title DeleteOrder
+// @Tag Order API
+// @Description delete order
+// @Param   body    body   object.Order  true        "The details of the order"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-order [post]
+func (c *ApiController) DeleteOrder() {
+	var order object.Order
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &order)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeleteOrder(&order))
+	c.ServeJSON()
+}

controllers/order_pay.go

@@ -0,0 +1,160 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// PlaceOrder
+// @Title PlaceOrder
+// @Tag Order API
+// @Description place an order for a product
+// @Param   productId     query    string  true        "The id ( owner/name ) of the product"
+// @Param   pricingName   query    string  false       "The name of the pricing (for subscription)"
+// @Param   planName      query    string  false       "The name of the plan (for subscription)"
+// @Param   customPrice   query    number  false       "Custom price for recharge products"
+// @Param   userName      query    string  false       "The username to place order for (admin only)"
+// @Success 200 {object} object.Order The Response object
+// @router /place-order [post]
+func (c *ApiController) PlaceOrder() {
+	owner := c.Ctx.Input.Query("owner")
+	paidUserName := c.Ctx.Input.Query("userName")
+
+	var req struct {
+		ProductInfos []object.ProductInfo `json:"productInfos"`
+	}
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &req)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	productInfos := req.ProductInfos
+	if len(productInfos) == 0 {
+		c.ResponseError(c.T("product:Product list cannot be empty"))
+		return
+	}
+
+	var userId string
+	if paidUserName != "" {
+		userId = util.GetId(owner, paidUserName)
+		if userId != c.GetSessionUsername() && !c.IsAdmin() && userId != c.GetPaidUsername() {
+			c.ResponseError(c.T("general:Only admin user can specify user"))
+			return
+		}
+
+		c.SetSession("paidUsername", "")
+	} else {
+		userId = c.GetSessionUsername()
+	}
+
+	if userId == "" {
+		c.ResponseError(c.T("general:Please login first"))
+		return
+	}
+
+	user, err := object.GetUser(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if user == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
+		return
+	}
+
+	order, err := object.PlaceOrder(owner, productInfos, user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(order)
+}
+
+// PayOrder
+// @Title PayOrder
+// @Tag Order API
+// @Description pay an existing order
+// @Param   id     query    string  true        "The id ( owner/name ) of the order"
+// @Param   providerName    query    string  true  "The name of the provider"
+// @Success 200 {object} controllers.Response The Response object
+// @router /pay-order [post]
+func (c *ApiController) PayOrder() {
+	id := c.Ctx.Input.Query("id")
+	host := c.Ctx.Request.Host
+	providerName := c.Ctx.Input.Query("providerName")
+	paymentEnv := c.Ctx.Input.Query("paymentEnv")
+
+	order, err := object.GetOrder(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if order == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:The order: %s does not exist"), id))
+		return
+	}
+
+	userId := c.GetSessionUsername()
+	orderUserId := util.GetId(order.Owner, order.User)
+	if userId != orderUserId && !c.IsAdmin() {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
+	payment, attachInfo, err := object.PayOrder(providerName, host, paymentEnv, order, c.GetAcceptLanguage())
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(payment, attachInfo)
+}
+
+// CancelOrder
+// @Title CancelOrder
+// @Tag Order API
+// @Description cancel an order
+// @Param   id     query    string  true        "The id ( owner/name ) of the order"
+// @Success 200 {object} controllers.Response The Response object
+// @router /cancel-order [post]
+func (c *ApiController) CancelOrder() {
+	id := c.Ctx.Input.Query("id")
+	order, err := object.GetOrder(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if order == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:The order: %s does not exist"), id))
+		return
+	}
+
+	userId := c.GetSessionUsername()
+	orderUserId := util.GetId(order.Owner, order.User)
+	if userId != orderUserId && !c.IsAdmin() {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.CancelOrder(order))
+	c.ServeJSON()
+}

controllers/organization.go

@@ -17,7 +17,7 @@ package controllers
 import (
 	"encoding/json"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,14 +30,14 @@ import (
 // @Success 200 {array} object.Organization The Response object
 // @router /get-organizations [get]
 func (c *ApiController) GetOrganizations() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
-	organizationName := c.Input().Get("organizationName")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
+	organizationName := c.Ctx.Input.Query("organizationName")
 
 	isGlobalAdmin := c.IsGlobalAdmin()
 	if limit == "" || page == "" {
@@ -71,7 +71,7 @@ func (c *ApiController) GetOrganizations() {
 				return
 			}
 
-			paginator := pagination.SetPaginator(c.Ctx, limit, count)
+			paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 			organizations, err := object.GetMaskedOrganizations(object.GetPaginationOrganizations(owner, organizationName, paginator.Offset(), limit, field, value, sortField, sortOrder))
 			if err != nil {
 				c.ResponseError(err.Error())
@@ -91,7 +91,7 @@ func (c *ApiController) GetOrganizations() {
 // @Success 200 {object} object.Organization The Response object
 // @router /get-organization [get]
 func (c *ApiController) GetOrganization() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 	organization, err := object.GetMaskedOrganization(object.GetOrganization(id))
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -114,7 +114,7 @@ func (c *ApiController) GetOrganization() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-organization [post]
 func (c *ApiController) UpdateOrganization() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var organization object.Organization
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &organization)
@@ -130,6 +130,10 @@ func (c *ApiController) UpdateOrganization() {
 
 	isGlobalAdmin, _ := c.isGlobalAdmin()
 
+	if organization.BalanceCurrency == "" {
+		organization.BalanceCurrency = "USD"
+	}
+
 	c.Data["json"] = wrapActionResponse(object.UpdateOrganization(id, &organization, isGlobalAdmin))
 	c.ServeJSON()
 }
@@ -165,6 +169,10 @@ func (c *ApiController) AddOrganization() {
 		return
 	}
 
+	if organization.BalanceCurrency == "" {
+		organization.BalanceCurrency = "USD"
+	}
+
 	c.Data["json"] = wrapActionResponse(object.AddOrganization(&organization))
 	c.ServeJSON()
 }
@@ -197,7 +205,7 @@ func (c *ApiController) DeleteOrganization() {
 // @router /get-default-application [get]
 func (c *ApiController) GetDefaultApplication() {
 	userId := c.GetSessionUsername()
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	application, err := object.GetDefaultApplication(id)
 	if err != nil {
@@ -217,7 +225,7 @@ func (c *ApiController) GetDefaultApplication() {
 // @Success 200 {array} object.Organization The Response object
 // @router /get-organization-names [get]
 func (c *ApiController) GetOrganizationNames() {
-	owner := c.Input().Get("owner")
+	owner := c.Ctx.Input.Query("owner")
 	organizationNames, err := object.GetOrganizationsByFields(owner, []string{"name", "display_name"}...)
 	if err != nil {
 		c.ResponseError(err.Error())

controllers/payment.go

@@ -17,7 +17,7 @@ package controllers
 import (
 	"encoding/json"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,16 +30,35 @@ import (
 // @Success 200 {array} object.Payment The Response object
 // @router /get-payments [get]
 func (c *ApiController) GetPayments() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
-		payments, err := object.GetPayments(owner)
+		var payments []*object.Payment
+		var err error
+
+		if c.IsAdmin() {
+			// If field is "user", filter by that user even for admins
+			if field == "user" && value != "" {
+				payments, err = object.GetUserPayments(owner, value)
+			} else {
+				payments, err = object.GetPayments(owner)
+			}
+		} else {
+			user := c.GetSessionUsername()
+			_, userName, userErr := util.GetOwnerAndNameFromIdWithError(user)
+			if userErr != nil {
+				c.ResponseError(userErr.Error())
+				return
+			}
+			payments, err = object.GetUserPayments(owner, userName)
+		}
+
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@@ -48,13 +67,23 @@ func (c *ApiController) GetPayments() {
 		c.ResponseOk(payments)
 	} else {
 		limit := util.ParseInt(limit)
+		if !c.IsAdmin() {
+			user := c.GetSessionUsername()
+			_, userName, userErr := util.GetOwnerAndNameFromIdWithError(user)
+			if userErr != nil {
+				c.ResponseError(userErr.Error())
+				return
+			}
+			field = "user"
+			value = userName
+		}
 		count, err := object.GetPaymentCount(owner, field, value)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		payments, err := object.GetPaginationPayments(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -75,8 +104,8 @@ func (c *ApiController) GetPayments() {
 // @Success 200 {array} object.Payment The Response object
 // @router /get-user-payments [get]
 func (c *ApiController) GetUserPayments() {
-	owner := c.Input().Get("owner")
-	user := c.Input().Get("user")
+	owner := c.Ctx.Input.Query("owner")
+	user := c.Ctx.Input.Query("user")
 
 	payments, err := object.GetUserPayments(owner, user)
 	if err != nil {
@@ -95,7 +124,7 @@ func (c *ApiController) GetUserPayments() {
 // @Success 200 {object} object.Payment The Response object
 // @router /get-payment [get]
 func (c *ApiController) GetPayment() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	payment, err := object.GetPayment(id)
 	if err != nil {
@@ -115,7 +144,7 @@ func (c *ApiController) GetPayment() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-payment [post]
 func (c *ApiController) UpdatePayment() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var payment object.Payment
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &payment)
@@ -179,7 +208,7 @@ func (c *ApiController) NotifyPayment() {
 
 	body := c.Ctx.Input.RequestBody
 
-	payment, err := object.NotifyPayment(body, owner, paymentName)
+	payment, err := object.NotifyPayment(body, owner, paymentName, c.GetAcceptLanguage())
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@@ -196,7 +225,7 @@ func (c *ApiController) NotifyPayment() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /invoice-payment [post]
 func (c *ApiController) InvoicePayment() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	payment, err := object.GetPayment(id)
 	if err != nil {

controllers/permission.go

@@ -17,7 +17,7 @@ package controllers
 import (
 	"encoding/json"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,13 +30,13 @@ import (
 // @Success 200 {array} object.Permission The Response object
 // @router /get-permissions [get]
 func (c *ApiController) GetPermissions() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
 		permissions, err := object.GetPermissions(owner)
@@ -54,7 +54,7 @@ func (c *ApiController) GetPermissions() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		permissions, err := object.GetPaginationPermissions(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -94,7 +94,7 @@ func (c *ApiController) GetPermissionsBySubmitter() {
 // @Success 200 {array} object.Permission The Response object
 // @router /get-permissions-by-role [get]
 func (c *ApiController) GetPermissionsByRole() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 	permissions, err := object.GetPermissionsByRole(id)
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -112,7 +112,7 @@ func (c *ApiController) GetPermissionsByRole() {
 // @Success 200 {object} object.Permission The Response object
 // @router /get-permission [get]
 func (c *ApiController) GetPermission() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	permission, err := object.GetPermission(id)
 	if err != nil {
@@ -132,7 +132,7 @@ func (c *ApiController) GetPermission() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-permission [post]
 func (c *ApiController) UpdatePermission() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var permission object.Permission
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &permission)

controllers/permission_upload.go

@@ -24,7 +24,11 @@ import (
 
 func (c *ApiController) UploadPermissions() {
 	userId := c.GetSessionUsername()
-	owner, user := util.GetOwnerAndNameFromId(userId)
+	owner, user, err := util.GetOwnerAndNameFromIdWithError(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 
 	file, header, err := c.Ctx.Request.FormFile("file")
 	if err != nil {

controllers/plan.go

@@ -17,7 +17,7 @@ package controllers
 import (
 	"encoding/json"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,13 +30,13 @@ import (
 // @Success 200 {array} object.Plan The Response object
 // @router /get-plans [get]
 func (c *ApiController) GetPlans() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
 		plans, err := object.GetPlans(owner)
@@ -54,7 +54,7 @@ func (c *ApiController) GetPlans() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		plan, err := object.GetPaginatedPlans(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -74,8 +74,8 @@ func (c *ApiController) GetPlans() {
 // @Success 200 {object} object.Plan The Response object
 // @router /get-plan [get]
 func (c *ApiController) GetPlan() {
-	id := c.Input().Get("id")
-	includeOption := c.Input().Get("includeOption") == "true"
+	id := c.Ctx.Input.Query("id")
+	includeOption := c.Ctx.Input.Query("includeOption") == "true"
 
 	plan, err := object.GetPlan(id)
 	if err != nil {
@@ -107,7 +107,7 @@ func (c *ApiController) GetPlan() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-plan [post]
 func (c *ApiController) UpdatePlan() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 	owner := util.GetOwnerFromId(id)
 	var plan object.Plan
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &plan)

controllers/pricing.go

@@ -17,7 +17,7 @@ package controllers
 import (
 	"encoding/json"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,13 +30,13 @@ import (
 // @Success 200 {array} object.Pricing The Response object
 // @router /get-pricings [get]
 func (c *ApiController) GetPricings() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
 		pricings, err := object.GetPricings(owner)
@@ -54,7 +54,7 @@ func (c *ApiController) GetPricings() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		pricing, err := object.GetPaginatedPricings(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -73,7 +73,7 @@ func (c *ApiController) GetPricings() {
 // @Success 200 {object} object.Pricing The Response object
 // @router /get-pricing [get]
 func (c *ApiController) GetPricing() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	pricing, err := object.GetPricing(id)
 	if err != nil {
@@ -93,7 +93,7 @@ func (c *ApiController) GetPricing() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-pricing [post]
 func (c *ApiController) UpdatePricing() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var pricing object.Pricing
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &pricing)

controllers/product.go

@@ -16,10 +16,8 @@ package controllers
 
 import (
 	"encoding/json"
-	"fmt"
-	"strconv"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -32,13 +30,13 @@ import (
 // @Success 200 {array} object.Product The Response object
 // @router /get-products [get]
 func (c *ApiController) GetProducts() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
 		products, err := object.GetProducts(owner)
@@ -56,7 +54,7 @@ func (c *ApiController) GetProducts() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		products, err := object.GetPaginationProducts(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -75,7 +73,7 @@ func (c *ApiController) GetProducts() {
 // @Success 200 {object} object.Product The Response object
 // @router /get-product [get]
 func (c *ApiController) GetProduct() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	product, err := object.GetProduct(id)
 	if err != nil {
@@ -101,7 +99,7 @@ func (c *ApiController) GetProduct() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-product [post]
 func (c *ApiController) UpdateProduct() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var product object.Product
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &product)
@@ -151,64 +149,3 @@ func (c *ApiController) DeleteProduct() {
 	c.Data["json"] = wrapActionResponse(object.DeleteProduct(&product))
 	c.ServeJSON()
 }
-
-// BuyProduct
-// @Title BuyProduct
-// @Tag Product API
-// @Description buy product
-// @Param   id     query    string  true        "The id ( owner/name ) of the product"
-// @Param   providerName    query    string  true  "The name of the provider"
-// @Success 200 {object} controllers.Response The Response object
-// @router /buy-product [post]
-func (c *ApiController) BuyProduct() {
-	id := c.Input().Get("id")
-	host := c.Ctx.Request.Host
-	providerName := c.Input().Get("providerName")
-	paymentEnv := c.Input().Get("paymentEnv")
-	customPriceStr := c.Input().Get("customPrice")
-	if customPriceStr == "" {
-		customPriceStr = "0"
-	}
-
-	customPrice, err := strconv.ParseFloat(customPriceStr, 64)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	// buy `pricingName/planName` for `paidUserName`
-	pricingName := c.Input().Get("pricingName")
-	planName := c.Input().Get("planName")
-	paidUserName := c.Input().Get("userName")
-	owner, _ := util.GetOwnerAndNameFromId(id)
-	userId := util.GetId(owner, paidUserName)
-	if paidUserName != "" && paidUserName != c.GetSessionUsername() && !c.IsAdmin() {
-		c.ResponseError(c.T("general:Only admin user can specify user"))
-		return
-	}
-	if paidUserName == "" {
-		userId = c.GetSessionUsername()
-	}
-	if userId == "" {
-		c.ResponseError(c.T("general:Please login first"))
-		return
-	}
-
-	user, err := object.GetUser(userId)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	if user == nil {
-		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
-		return
-	}
-
-	payment, attachInfo, err := object.BuyProduct(id, user, providerName, pricingName, planName, host, paymentEnv, customPrice)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(payment, attachInfo)
-}

controllers/prometheus.go

@@ -16,6 +16,7 @@ package controllers
 
 import (
 	"github.com/casdoor/casdoor/object"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
 )
 
 // GetPrometheusInfo
@@ -37,3 +38,17 @@ func (c *ApiController) GetPrometheusInfo() {
 
 	c.ResponseOk(prometheusInfo)
 }
+
+// GetMetrics
+// @Title GetMetrics
+// @Tag System API
+// @Description get Prometheus metrics
+// @Success 200 {string} Prometheus metrics in text format
+// @router /metrics [get]
+func (c *ApiController) GetMetrics() {
+	_, ok := c.RequireAdmin()
+	if !ok {
+		return
+	}
+	promhttp.Handler().ServeHTTP(c.Ctx.ResponseWriter, c.Ctx.Request)
+}

controllers/provider.go

@@ -17,7 +17,7 @@ package controllers
 import (
 	"encoding/json"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,13 +30,13 @@ import (
 // @Success 200 {array} object.Provider The Response object
 // @router /get-providers [get]
 func (c *ApiController) GetProviders() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	ok, isMaskEnabled := c.IsMaskedEnabled()
 	if !ok {
@@ -59,7 +59,7 @@ func (c *ApiController) GetProviders() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		paginationProviders, err := object.GetPaginationProviders(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -78,12 +78,12 @@ func (c *ApiController) GetProviders() {
 // @Success 200 {array} object.Provider The Response object
 // @router /get-global-providers [get]
 func (c *ApiController) GetGlobalProviders() {
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	ok, isMaskEnabled := c.IsMaskedEnabled()
 	if !ok {
@@ -106,7 +106,7 @@ func (c *ApiController) GetGlobalProviders() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		paginationGlobalProviders, err := object.GetPaginationGlobalProviders(paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -126,7 +126,7 @@ func (c *ApiController) GetGlobalProviders() {
 // @Success 200 {object} object.Provider The Response object
 // @router /get-provider [get]
 func (c *ApiController) GetProvider() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	ok, isMaskEnabled := c.IsMaskedEnabled()
 	if !ok {
@@ -164,7 +164,7 @@ func (c *ApiController) requireProviderPermission(provider *object.Provider) boo
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-provider [post]
 func (c *ApiController) UpdateProvider() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var provider object.Provider
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &provider)

controllers/record.go

@@ -19,7 +19,7 @@ import (
 
 	"github.com/casvisor/casvisor-go-sdk/casvisorsdk"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -38,13 +38,13 @@ func (c *ApiController) GetRecords() {
 		return
 	}
 
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
-	organizationName := c.Input().Get("organizationName")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
+	organizationName := c.Ctx.Input.Query("organizationName")
 
 	if limit == "" || page == "" {
 		records, err := object.GetRecords()
@@ -66,7 +66,7 @@ func (c *ApiController) GetRecords() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		records, err := object.GetPaginationRecords(paginator.Offset(), limit, field, value, sortField, sortOrder, filterRecord)
 		if err != nil {
 			c.ResponseError(err.Error())

controllers/resource.go

@@ -20,10 +20,11 @@ import (
 	"fmt"
 	"io"
 	"mime"
+	"path"
 	"path/filepath"
 	"strings"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -43,14 +44,14 @@ import (
 // @Success		200 		{array} 	object.Resource 	The Response object
 // @router /get-resources [get]
 func (c *ApiController) GetResources() {
-	owner := c.Input().Get("owner")
-	user := c.Input().Get("user")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	user := c.Ctx.Input.Query("user")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	isOrgAdmin, ok := c.IsOrgAdmin()
 	if !ok {
@@ -92,7 +93,7 @@ func (c *ApiController) GetResources() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		resources, err := object.GetPaginationResources(owner, user, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -111,7 +112,7 @@ func (c *ApiController) GetResources() {
 // @Success 	200			{object}	object.Resource		The Response object
 // @router /get-resource [get]
 func (c *ApiController) GetResource() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	resource, err := object.GetResource(id)
 	if err != nil {
@@ -131,7 +132,7 @@ func (c *ApiController) GetResource() {
 // @Success 	200			{object}	controllers.Response					Success or error
 // @router /update-resource [post]
 func (c *ApiController) UpdateResource() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var resource object.Resource
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &resource)
@@ -177,9 +178,11 @@ func (c *ApiController) DeleteResource() {
 	}
 
 	if resource.Provider != "" {
-		c.Input().Set("provider", resource.Provider)
+		inputs, _ := c.Input()
+		inputs.Set("provider", resource.Provider)
 	}
-	c.Input().Set("fullFilePath", resource.Name)
+	inputs, _ := c.Input()
+	inputs.Set("fullFilePath", resource.Name)
 	provider, err := c.GetProviderFromContext("Storage")
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -187,6 +190,11 @@ func (c *ApiController) DeleteResource() {
 	}
 	_, resource.Name = refineFullFilePath(resource.Name)
 
+	tag := c.Ctx.Input.Query("tag")
+	if tag == "Direct" {
+		resource.Name = path.Join(provider.PathPrefix, resource.Name)
+	}
+
 	err = object.DeleteFile(provider, resource.Name, c.GetAcceptLanguage())
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -212,14 +220,14 @@ func (c *ApiController) DeleteResource() {
 // @Success   200             {object}  object.Resource  	FileUrl, objectKey
 // @router /upload-resource [post]
 func (c *ApiController) UploadResource() {
-	owner := c.Input().Get("owner")
-	username := c.Input().Get("user")
-	application := c.Input().Get("application")
-	tag := c.Input().Get("tag")
-	parent := c.Input().Get("parent")
-	fullFilePath := c.Input().Get("fullFilePath")
-	createdTime := c.Input().Get("createdTime")
-	description := c.Input().Get("description")
+	owner := c.Ctx.Input.Query("owner")
+	username := c.Ctx.Input.Query("user")
+	application := c.Ctx.Input.Query("application")
+	tag := c.Ctx.Input.Query("tag")
+	parent := c.Ctx.Input.Query("parent")
+	fullFilePath := c.Ctx.Input.Query("fullFilePath")
+	createdTime := c.Ctx.Input.Query("createdTime")
+	description := c.Ctx.Input.Query("description")
 
 	file, header, err := c.GetFile("file")
 	if err != nil {
@@ -358,7 +366,7 @@ func (c *ApiController) UploadResource() {
 		}
 
 		applicationObj.TermsOfUse = fileUrl
-		_, err = object.UpdateApplication(applicationId, applicationObj)
+		_, err = object.UpdateApplication(applicationId, applicationObj, true, c.GetAcceptLanguage())
 		if err != nil {
 			c.ResponseError(err.Error())
 			return

controllers/role.go

@@ -17,7 +17,7 @@ package controllers
 import (
 	"encoding/json"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,13 +30,13 @@ import (
 // @Success 200 {array} object.Role The Response object
 // @router /get-roles [get]
 func (c *ApiController) GetRoles() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
 		roles, err := object.GetRoles(owner)
@@ -54,7 +54,7 @@ func (c *ApiController) GetRoles() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		roles, err := object.GetPaginationRoles(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -73,7 +73,7 @@ func (c *ApiController) GetRoles() {
 // @Success 200 {object} object.Role The Response object
 // @router /get-role [get]
 func (c *ApiController) GetRole() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	role, err := object.GetRole(id)
 	if err != nil {
@@ -93,7 +93,7 @@ func (c *ApiController) GetRole() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-role [post]
 func (c *ApiController) UpdateRole() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var role object.Role
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &role)

controllers/role_upload.go

@@ -24,7 +24,11 @@ import (
 
 func (c *ApiController) UploadRoles() {
 	userId := c.GetSessionUsername()
-	owner, user := util.GetOwnerAndNameFromId(userId)
+	owner, user, err := util.GetOwnerAndNameFromIdWithError(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 
 	file, header, err := c.Ctx.Request.FormFile("file")
 	if err != nil {

controllers/rule.go

@@ -0,0 +1,229 @@
+// Copyright 2023 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+	"errors"
+	"net"
+	"strings"
+
+	"github.com/beego/beego/v2/server/web/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+	"github.com/hsluoyz/modsecurity-go/seclang/parser"
+)
+
+// GetRules
+// @Title GetRules
+// @Tag Rule API
+// @Description get rules
+// @Param   owner     query    string  true        "The owner of rules"
+// @Success 200 {array} object.Rule The Response object
+// @router /get-rules [get]
+func (c *ApiController) GetRules() {
+	owner := c.Ctx.Input.Query("owner")
+	if owner == "admin" {
+		owner = ""
+	}
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
+
+	if limit == "" || page == "" {
+		rules, err := object.GetRules(owner)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(rules)
+	} else {
+		limit := util.ParseInt(limit)
+		count, err := object.GetRuleCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		rules, err := object.GetPaginationRules(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(rules, paginator.Nums())
+	}
+}
+
+// GetRule
+// @Title GetRule
+// @Tag Rule API
+// @Description get rule
+// @Param   id     query    string  true        "The id ( owner/name ) of the rule"
+// @Success 200 {object} object.Rule The Response object
+// @router /get-rule [get]
+func (c *ApiController) GetRule() {
+	id := c.Ctx.Input.Query("id")
+	rule, err := object.GetRule(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(rule)
+}
+
+// AddRule
+// @Title AddRule
+// @Tag Rule API
+// @Description add rule
+// @Param   body    body   object.Rule  true        "The details of the rule"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-rule [post]
+func (c *ApiController) AddRule() {
+	currentTime := util.GetCurrentTime()
+	rule := object.Rule{
+		CreatedTime: currentTime,
+		UpdatedTime: currentTime,
+	}
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &rule)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	err = checkExpressions(rule.Expressions, rule.Type)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.Data["json"] = wrapActionResponse(object.AddRule(&rule))
+	c.ServeJSON()
+}
+
+// UpdateRule
+// @Title UpdateRule
+// @Tag Rule API
+// @Description update rule
+// @Param   id     query    string  true        "The id ( owner/name ) of the rule"
+// @Param   body    body   object.Rule  true        "The details of the rule"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-rule [post]
+func (c *ApiController) UpdateRule() {
+	var rule object.Rule
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &rule)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	err = checkExpressions(rule.Expressions, rule.Type)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	id := c.Ctx.Input.Query("id")
+	c.Data["json"] = wrapActionResponse(object.UpdateRule(id, &rule))
+	c.ServeJSON()
+}
+
+// DeleteRule
+// @Title DeleteRule
+// @Tag Rule API
+// @Description delete rule
+// @Param   body    body   object.Rule  true        "The details of the rule"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-rule [post]
+func (c *ApiController) DeleteRule() {
+	var rule object.Rule
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &rule)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeleteRule(&rule))
+	c.ServeJSON()
+}
+
+func checkExpressions(expressions []*object.Expression, ruleType string) error {
+	values := make([]string, len(expressions))
+	for i, expression := range expressions {
+		values[i] = expression.Value
+	}
+	switch ruleType {
+	case "WAF":
+		return checkWafRule(values)
+	case "IP":
+		return checkIpRule(values)
+	case "IP Rate Limiting":
+		return checkIpRateRule(expressions)
+	case "Compound":
+		return checkCompoundRules(values)
+	}
+	return nil
+}
+
+func checkWafRule(rules []string) error {
+	for _, rule := range rules {
+		scanner := parser.NewSecLangScannerFromString(rule)
+		_, err := scanner.AllDirective()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func checkIpRule(ipLists []string) error {
+	for _, ipList := range ipLists {
+		for _, ip := range strings.Split(ipList, ",") {
+			_, _, err := net.ParseCIDR(ip)
+			if net.ParseIP(ip) == nil && err != nil {
+				return errors.New("Invalid IP address: " + ip)
+			}
+		}
+	}
+	return nil
+}
+
+func checkIpRateRule(expressions []*object.Expression) error {
+	if len(expressions) != 1 {
+		return errors.New("IP Rate Limiting rule must have exactly one expression")
+	}
+	expression := expressions[0]
+	_, err := util.ParseIntWithError(expression.Operator)
+	if err != nil {
+		return err
+	}
+	_, err = util.ParseIntWithError(expression.Value)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func checkCompoundRules(rules []string) error {
+	_, err := object.GetRulesByRuleIds(rules)
+	if err != nil {
+		return err
+	}
+	return nil
+}

controllers/saml.go

@@ -17,13 +17,14 @@ package controllers
 import (
 	"fmt"
 	"net/http"
+	"net/url"
 
 	"github.com/casdoor/casdoor/object"
 )
 
 func (c *ApiController) GetSamlMeta() {
 	host := c.Ctx.Request.Host
-	paramApp := c.Input().Get("application")
+	paramApp := c.Ctx.Input.Query("application")
 	application, err := object.GetApplication(paramApp)
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -57,10 +58,13 @@ func (c *ApiController) HandleSamlRedirect() {
 	owner := c.Ctx.Input.Param(":owner")
 	application := c.Ctx.Input.Param(":application")
 
-	relayState := c.Input().Get("RelayState")
-	samlRequest := c.Input().Get("SAMLRequest")
+	relayState := c.Ctx.Input.Query("RelayState")
+	samlRequest := c.Ctx.Input.Query("SAMLRequest")
+	username := c.Ctx.Input.Query("username")
+	loginHint := c.Ctx.Input.Query("login_hint")
 
-	targetURL := object.GetSamlRedirectAddress(owner, application, relayState, samlRequest, host)
+	relayState = url.QueryEscape(relayState)
+	targetURL := object.GetSamlRedirectAddress(owner, application, relayState, samlRequest, host, username, loginHint)
 
 	c.Redirect(targetURL, http.StatusSeeOther)
 }

controllers/service.go

@@ -144,7 +144,7 @@ func (c *ApiController) SendEmail() {
 	content = strings.Replace(content, string(matchContent), "", -1)
 
 	for _, receiver := range emailForm.Receivers {
-		err = object.SendEmail(provider, emailForm.Title, content, receiver, emailForm.Sender)
+		err = object.SendEmail(provider, emailForm.Title, content, []string{receiver}, emailForm.Sender)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return

controllers/session.go

@@ -15,9 +15,11 @@
 package controllers
 
 import (
+	"context"
 	"encoding/json"
+	"fmt"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,13 +32,13 @@ import (
 // @Success 200 {array} string The Response object
 // @router /get-sessions [get]
 func (c *ApiController) GetSessions() {
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
-	owner := c.Input().Get("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
 
 	if limit == "" || page == "" {
 		sessions, err := object.GetSessions(owner)
@@ -53,7 +55,7 @@ func (c *ApiController) GetSessions() {
 			c.ResponseError(err.Error())
 			return
 		}
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		sessions, err := object.GetPaginationSessions(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -68,11 +70,11 @@ func (c *ApiController) GetSessions() {
 // @Title GetSingleSession
 // @Tag Session API
 // @Description Get session for one user in one application.
-// @Param   id     query    string  true        "The id(organization/application/user) of session"
+// @Param   sessionPkId     query    string  true        "The session ID in format: organization/user/application (e.g., built-in/admin/app-built-in)"
 // @Success 200 {array} string The Response object
 // @router /get-session [get]
 func (c *ApiController) GetSingleSession() {
-	id := c.Input().Get("sessionPkId")
+	id := c.Ctx.Input.Query("sessionPkId")
 
 	session, err := object.GetSingleSession(id)
 	if err != nil {
@@ -87,8 +89,8 @@ func (c *ApiController) GetSingleSession() {
 // @Title UpdateSession
 // @Tag Session API
 // @Description Update session for one user in one application.
-// @Param   id     query    string  true        "The id(organization/application/user) of session"
-// @Success 200 {array} string The Response object
+// @Param   body     body    object.Session  true        "The session object to update"
+// @Success 200 {object} controllers.Response The Response object
 // @router /update-session [post]
 func (c *ApiController) UpdateSession() {
 	var session object.Session
@@ -106,9 +108,8 @@ func (c *ApiController) UpdateSession() {
 // @Title AddSession
 // @Tag Session API
 // @Description Add session for one user in one application. If there are other existing sessions, join the session into the list.
-// @Param   id     query    string  true        "The id(organization/application/user) of session"
-// @Param   sessionId     query    string  true        "sessionId to be added"
-// @Success 200 {array} string The Response object
+// @Param   body     body    object.Session  true        "The session object to add"
+// @Success 200 {object} controllers.Response The Response object
 // @router /add-session [post]
 func (c *ApiController) AddSession() {
 	var session object.Session
@@ -126,8 +127,8 @@ func (c *ApiController) AddSession() {
 // @Title DeleteSession
 // @Tag Session API
 // @Description Delete session for one user in one application.
-// @Param   id     query    string  true        "The id(organization/application/user) of session"
-// @Success 200 {array} string The Response object
+// @Param   body     body    object.Session  true        "The session object to delete"
+// @Success 200 {object} controllers.Response The Response object
 // @router /delete-session [post]
 func (c *ApiController) DeleteSession() {
 	var session object.Session
@@ -137,7 +138,21 @@ func (c *ApiController) DeleteSession() {
 		return
 	}
 
-	c.Data["json"] = wrapActionResponse(object.DeleteSession(util.GetSessionId(session.Owner, session.Name, session.Application)))
+	curSessionId := c.Ctx.Input.CruSession.SessionID(context.Background())
+
+	sessionId := c.Ctx.Input.Query("sessionId")
+	if curSessionId == sessionId && sessionId != "" {
+		c.ResponseError(fmt.Sprintf(c.T("session:session id %s is the current session and cannot be deleted"), curSessionId))
+		return
+	}
+
+	if sessionId != "" {
+		c.Data["json"] = wrapActionResponse(object.DeleteSessionId(util.GetSessionId(session.Owner, session.Name, session.Application), sessionId))
+		c.ServeJSON()
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeleteSession(util.GetSessionId(session.Owner, session.Name, session.Application), curSessionId))
 	c.ServeJSON()
 }
 
@@ -145,13 +160,13 @@ func (c *ApiController) DeleteSession() {
 // @Title IsSessionDuplicated
 // @Tag Session API
 // @Description Check if there are other different sessions for one user in one application.
-// @Param   id     query    string  true        "The id(organization/application/user) of session"
-// @Param   sessionId     query    string  true        "sessionId to be checked"
+// @Param   sessionPkId     query    string  true        "The session ID in format: organization/user/application (e.g., built-in/admin/app-built-in)"
+// @Param   sessionId     query    string  true        "The specific session ID to check"
 // @Success 200 {array} string The Response object
 // @router /is-session-duplicated [get]
 func (c *ApiController) IsSessionDuplicated() {
-	id := c.Input().Get("sessionPkId")
-	sessionId := c.Input().Get("sessionId")
+	id := c.Ctx.Input.Query("sessionPkId")
+	sessionId := c.Ctx.Input.Query("sessionId")
 
 	isUserSessionDuplicated, err := object.IsSessionDuplicated(id, sessionId)
 	if err != nil {

controllers/site.go

@@ -0,0 +1,165 @@
+// Copyright 2023 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/beego/beego/v2/server/web/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetGlobalSites
+// @Title GetGlobalSites
+// @Tag Site API
+// @Description get global sites
+// @Success 200 {array} object.Site The Response object
+// @router /get-global-sites [get]
+func (c *ApiController) GetGlobalSites() {
+	sites, err := object.GetGlobalSites()
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(object.GetMaskedSites(sites, util.GetHostname()))
+}
+
+// GetSites
+// @Title GetSites
+// @Tag Site API
+// @Description get sites
+// @Param   owner     query    string  true        "The owner of sites"
+// @Success 200 {array} object.Site The Response object
+// @router /get-sites [get]
+func (c *ApiController) GetSites() {
+	owner := c.Ctx.Input.Query("owner")
+	if owner == "admin" {
+		owner = ""
+	}
+
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
+
+	if limit == "" || page == "" {
+		sites, err := object.GetSites(owner)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		c.ResponseOk(object.GetMaskedSites(sites, util.GetHostname()))
+		return
+	}
+
+	limitInt := util.ParseInt(limit)
+	count, err := object.GetSiteCount(owner, field, value)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	paginator := pagination.SetPaginator(c.Ctx, limitInt, count)
+	sites, err := object.GetPaginationSites(owner, paginator.Offset(), limitInt, field, value, sortField, sortOrder)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(object.GetMaskedSites(sites, util.GetHostname()), paginator.Nums())
+}
+
+// GetSite
+// @Title GetSite
+// @Tag Site API
+// @Description get site
+// @Param   id     query    string  true        "The id ( owner/name ) of the site"
+// @Success 200 {object} object.Site The Response object
+// @router /get-site [get]
+func (c *ApiController) GetSite() {
+	id := c.Ctx.Input.Query("id")
+
+	site, err := object.GetSite(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(object.GetMaskedSite(site, util.GetHostname()))
+}
+
+// UpdateSite
+// @Title UpdateSite
+// @Tag Site API
+// @Description update site
+// @Param   id     query    string  true        "The id ( owner/name ) of the site"
+// @Param   body    body   object.Site  true        "The details of the site"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-site [post]
+func (c *ApiController) UpdateSite() {
+	id := c.Ctx.Input.Query("id")
+
+	var site object.Site
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &site)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdateSite(id, &site))
+	c.ServeJSON()
+}
+
+// AddSite
+// @Title AddSite
+// @Tag Site API
+// @Description add site
+// @Param   body    body   object.Site  true        "The details of the site"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-site [post]
+func (c *ApiController) AddSite() {
+	var site object.Site
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &site)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddSite(&site))
+	c.ServeJSON()
+}
+
+// DeleteSite
+// @Title DeleteSite
+// @Tag Site API
+// @Description delete site
+// @Param   body    body   object.Site  true        "The details of the site"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-site [post]
+func (c *ApiController) DeleteSite() {
+	var site object.Site
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &site)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeleteSite(&site))
+	c.ServeJSON()
+}

controllers/subscription.go

@@ -16,8 +16,9 @@ package controllers
 
 import (
 	"encoding/json"
+	"fmt"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,16 +31,35 @@ import (
 // @Success 200 {array} object.Subscription The Response object
 // @router /get-subscriptions [get]
 func (c *ApiController) GetSubscriptions() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
-		subscriptions, err := object.GetSubscriptions(owner)
+		var subscriptions []*object.Subscription
+		var err error
+
+		if c.IsAdmin() {
+			// If field is "user", filter by that user even for admins
+			if field == "user" && value != "" {
+				subscriptions, err = object.GetSubscriptionsByUser(owner, value)
+			} else {
+				subscriptions, err = object.GetSubscriptions(owner)
+			}
+		} else {
+			user := c.GetSessionUsername()
+			_, userName, userErr := util.GetOwnerAndNameFromIdWithError(user)
+			if userErr != nil {
+				c.ResponseError(userErr.Error())
+				return
+			}
+			subscriptions, err = object.GetSubscriptionsByUser(owner, userName)
+		}
+
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@@ -48,13 +68,23 @@ func (c *ApiController) GetSubscriptions() {
 		c.ResponseOk(subscriptions)
 	} else {
 		limit := util.ParseInt(limit)
+		if !c.IsAdmin() {
+			user := c.GetSessionUsername()
+			_, userName, userErr := util.GetOwnerAndNameFromIdWithError(user)
+			if userErr != nil {
+				c.ResponseError(userErr.Error())
+				return
+			}
+			field = "user"
+			value = userName
+		}
 		count, err := object.GetSubscriptionCount(owner, field, value)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		subscription, err := object.GetPaginationSubscriptions(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -73,7 +103,7 @@ func (c *ApiController) GetSubscriptions() {
 // @Success 200 {object} object.Subscription The Response object
 // @router /get-subscription [get]
 func (c *ApiController) GetSubscription() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	subscription, err := object.GetSubscription(id)
 	if err != nil {
@@ -93,7 +123,7 @@ func (c *ApiController) GetSubscription() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-subscription [post]
 func (c *ApiController) UpdateSubscription() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var subscription object.Subscription
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &subscription)
@@ -121,6 +151,26 @@ func (c *ApiController) AddSubscription() {
 		return
 	}
 
+	// Check if plan restricts user to one subscription
+	if subscription.Plan != "" {
+		plan, err := object.GetPlan(util.GetId(subscription.Owner, subscription.Plan))
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		if plan != nil && plan.IsExclusive {
+			hasSubscription, err := object.HasActiveSubscriptionForPlan(subscription.Owner, subscription.User, subscription.Plan)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+			if hasSubscription {
+				c.ResponseError(fmt.Sprintf("User already has an active subscription for plan: %s", subscription.Plan))
+				return
+			}
+		}
+	}
+
 	c.Data["json"] = wrapActionResponse(object.AddSubscription(&subscription))
 	c.ServeJSON()
 }

controllers/syncer.go

@@ -16,8 +16,9 @@ package controllers
 
 import (
 	"encoding/json"
+	"fmt"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,14 +31,14 @@ import (
 // @Success 200 {array} object.Syncer The Response object
 // @router /get-syncers [get]
 func (c *ApiController) GetSyncers() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
-	organization := c.Input().Get("organization")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
+	organization := c.Ctx.Input.Query("organization")
 
 	if limit == "" || page == "" {
 		syncers, err := object.GetMaskedSyncers(object.GetOrganizationSyncers(owner, organization))
@@ -55,7 +56,7 @@ func (c *ApiController) GetSyncers() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		syncers, err := object.GetMaskedSyncers(object.GetPaginationSyncers(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder))
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -74,7 +75,7 @@ func (c *ApiController) GetSyncers() {
 // @Success 200 {object} object.Syncer The Response object
 // @router /get-syncer [get]
 func (c *ApiController) GetSyncer() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	syncer, err := object.GetMaskedSyncer(object.GetSyncer(id))
 	if err != nil {
@@ -94,7 +95,7 @@ func (c *ApiController) GetSyncer() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-syncer [post]
 func (c *ApiController) UpdateSyncer() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var syncer object.Syncer
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &syncer)
@@ -103,7 +104,7 @@ func (c *ApiController) UpdateSyncer() {
 		return
 	}
 
-	c.Data["json"] = wrapActionResponse(object.UpdateSyncer(id, &syncer))
+	c.Data["json"] = wrapActionResponse(object.UpdateSyncer(id, &syncer, c.IsGlobalAdmin(), c.GetAcceptLanguage()))
 	c.ServeJSON()
 }
 
@@ -153,12 +154,16 @@ func (c *ApiController) DeleteSyncer() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /run-syncer [get]
 func (c *ApiController) RunSyncer() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 	syncer, err := object.GetSyncer(id)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
+	if syncer == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The syncer: %s does not exist"), id))
+		return
+	}
 
 	err = object.RunSyncer(syncer)
 	if err != nil {
@@ -177,7 +182,7 @@ func (c *ApiController) TestSyncerDb() {
 		return
 	}
 
-	err = object.TestSyncerDb(syncer)
+	err = object.TestSyncer(syncer)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return

controllers/system_info.go

@@ -15,7 +15,10 @@
 package controllers
 
 import (
+	"errors"
+
 	"github.com/casdoor/casdoor/util"
+	"github.com/go-git/go-git/v5"
 )
 
 // GetSystemInfo
@@ -46,10 +49,10 @@ func (c *ApiController) GetSystemInfo() {
 // @Success 200 {object} util.VersionInfo The Response object
 // @router /get-version-info [get]
 func (c *ApiController) GetVersionInfo() {
-	errInfo := ""
 	versionInfo, err := util.GetVersionInfo()
-	if err != nil {
-		errInfo = "Git error: " + err.Error()
+	if err != nil && !errors.Is(err, git.ErrRepositoryNotExists) {
+		c.ResponseError(err.Error())
+		return
 	}
 
 	if versionInfo.Version != "" {
@@ -57,14 +60,7 @@ func (c *ApiController) GetVersionInfo() {
 		return
 	}
 
-	versionInfo, err = util.GetVersionInfoFromFile()
-	if err != nil {
-		errInfo = errInfo + ", File error: " + err.Error()
-		c.ResponseError(errInfo)
-		return
-	}
-
-	c.ResponseOk(versionInfo)
+	c.ResponseOk(util.GetBuiltInVersionInfo())
 }
 
 // Health

controllers/ticket.go

@@ -0,0 +1,271 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/beego/beego/v2/core/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetTickets
+// @Title GetTickets
+// @Tag Ticket API
+// @Description get tickets
+// @Param   owner     query    string  true        "The owner of tickets"
+// @Success 200 {array} object.Ticket The Response object
+// @router /get-tickets [get]
+func (c *ApiController) GetTickets() {
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
+
+	user := c.getCurrentUser()
+	isAdmin := c.IsAdmin()
+
+	var tickets []*object.Ticket
+	var err error
+
+	if limit == "" || page == "" {
+		if isAdmin {
+			tickets, err = object.GetTickets(owner)
+		} else {
+			tickets, err = object.GetUserTickets(owner, user.GetId())
+		}
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(tickets)
+	} else {
+		limit := util.ParseInt(limit)
+		var count int64
+
+		if isAdmin {
+			count, err = object.GetTicketCount(owner, field, value)
+		} else {
+			// For non-admin users, only show their own tickets
+			tickets, err = object.GetUserTickets(owner, user.GetId())
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+			count = int64(len(tickets))
+		}
+
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
+
+		if isAdmin {
+			tickets, err = object.GetPaginationTickets(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		}
+
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(tickets, paginator.Nums())
+	}
+}
+
+// GetTicket
+// @Title GetTicket
+// @Tag Ticket API
+// @Description get ticket
+// @Param   id     query    string  true        "The id ( owner/name ) of the ticket"
+// @Success 200 {object} object.Ticket The Response object
+// @router /get-ticket [get]
+func (c *ApiController) GetTicket() {
+	id := c.Ctx.Input.Query("id")
+
+	ticket, err := object.GetTicket(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Check permission: user can only view their own tickets unless they are admin
+	user := c.getCurrentUser()
+	isAdmin := c.IsAdmin()
+
+	if ticket != nil && !isAdmin && ticket.User != user.GetId() {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
+	c.ResponseOk(ticket)
+}
+
+// UpdateTicket
+// @Title UpdateTicket
+// @Tag Ticket API
+// @Description update ticket
+// @Param   id     query    string  true        "The id ( owner/name ) of the ticket"
+// @Param   body    body   object.Ticket  true        "The details of the ticket"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-ticket [post]
+func (c *ApiController) UpdateTicket() {
+	id := c.Ctx.Input.Query("id")
+
+	var ticket object.Ticket
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &ticket)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Check permission
+	user := c.getCurrentUser()
+	isAdmin := c.IsAdmin()
+
+	existingTicket, err := object.GetTicket(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if existingTicket == nil {
+		c.ResponseError(c.T("ticket:Ticket not found"))
+		return
+	}
+
+	// Normal users can only close their own tickets
+	if !isAdmin {
+		if existingTicket.User != user.GetId() {
+			c.ResponseError(c.T("auth:Unauthorized operation"))
+			return
+		}
+		// Normal users can only change state to "Closed"
+		if ticket.State != "Closed" && ticket.State != existingTicket.State {
+			c.ResponseError(c.T("auth:Unauthorized operation"))
+			return
+		}
+		// Preserve original fields that users shouldn't modify
+		ticket.Owner = existingTicket.Owner
+		ticket.Name = existingTicket.Name
+		ticket.User = existingTicket.User
+		ticket.CreatedTime = existingTicket.CreatedTime
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdateTicket(id, &ticket))
+	c.ServeJSON()
+}
+
+// AddTicket
+// @Title AddTicket
+// @Tag Ticket API
+// @Description add ticket
+// @Param   body    body   object.Ticket  true        "The details of the ticket"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-ticket [post]
+func (c *ApiController) AddTicket() {
+	var ticket object.Ticket
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &ticket)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Set the user field to the current user
+	user := c.getCurrentUser()
+	ticket.User = user.GetId()
+
+	c.Data["json"] = wrapActionResponse(object.AddTicket(&ticket))
+	c.ServeJSON()
+}
+
+// DeleteTicket
+// @Title DeleteTicket
+// @Tag Ticket API
+// @Description delete ticket
+// @Param   body    body   object.Ticket  true        "The details of the ticket"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-ticket [post]
+func (c *ApiController) DeleteTicket() {
+	var ticket object.Ticket
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &ticket)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Only admins can delete tickets
+	if !c.IsAdmin() {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeleteTicket(&ticket))
+	c.ServeJSON()
+}
+
+// AddTicketMessage
+// @Title AddTicketMessage
+// @Tag Ticket API
+// @Description add a message to a ticket
+// @Param   id     query    string  true        "The id ( owner/name ) of the ticket"
+// @Param   body    body   object.TicketMessage  true        "The message to add"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-ticket-message [post]
+func (c *ApiController) AddTicketMessage() {
+	id := c.Ctx.Input.Query("id")
+
+	var message object.TicketMessage
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &message)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Check permission
+	user := c.getCurrentUser()
+	isAdmin := c.IsAdmin()
+
+	ticket, err := object.GetTicket(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if ticket == nil {
+		c.ResponseError(c.T("ticket:Ticket not found"))
+		return
+	}
+
+	// Users can only add messages to their own tickets, admins can add to any ticket
+	if !isAdmin && ticket.User != user.GetId() {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
+	// Set the author and admin flag
+	message.Author = user.GetId()
+	message.IsAdmin = isAdmin
+
+	c.Data["json"] = wrapActionResponse(object.AddTicketMessage(id, &message))
+	c.ServeJSON()
+}

controllers/token.go

@@ -19,7 +19,7 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -28,20 +28,20 @@ import (
 // @Title GetTokens
 // @Tag Token API
 // @Description get tokens
-// @Param   owner     query    string  true        "The owner of tokens"
+// @Param   owner     query    string  true        "The organization name (e.g., built-in)"
 // @Param   pageSize     query    string  true        "The size of each page"
 // @Param   p     query    string  true        "The number of the page"
 // @Success 200 {array} object.Token The Response object
 // @router /get-tokens [get]
 func (c *ApiController) GetTokens() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
-	organization := c.Input().Get("organization")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
+	organization := c.Ctx.Input.Query("organization")
 	if limit == "" || page == "" {
 		token, err := object.GetTokens(owner, organization)
 		if err != nil {
@@ -58,7 +58,7 @@ func (c *ApiController) GetTokens() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		tokens, err := object.GetPaginationTokens(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -73,11 +73,11 @@ func (c *ApiController) GetTokens() {
 // @Title GetToken
 // @Tag Token API
 // @Description get token
-// @Param   id     query    string  true        "The id ( owner/name ) of token"
+// @Param   id     query    string  true        "The token ID in format: organization/token-name (e.g., built-in/token-123456)"
 // @Success 200 {object} object.Token The Response object
 // @router /get-token [get]
 func (c *ApiController) GetToken() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 	token, err := object.GetToken(id)
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -91,12 +91,12 @@ func (c *ApiController) GetToken() {
 // @Title UpdateToken
 // @Tag Token API
 // @Description update token
-// @Param   id     query    string  true        "The id ( owner/name ) of token"
+// @Param   id     query    string  true        "The token ID in format: organization/token-name (e.g., built-in/token-123456)"
 // @Param   body    body   object.Token  true        "Details of the token"
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-token [post]
 func (c *ApiController) UpdateToken() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var token object.Token
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &token)
@@ -105,7 +105,7 @@ func (c *ApiController) UpdateToken() {
 		return
 	}
 
-	c.Data["json"] = wrapActionResponse(object.UpdateToken(id, &token))
+	c.Data["json"] = wrapActionResponse(object.UpdateToken(id, &token, c.IsGlobalAdmin()))
 	c.ServeJSON()
 }
 
@@ -160,19 +160,26 @@ func (c *ApiController) DeleteToken() {
 // @Success 401 {object} object.TokenError The Response object
 // @router /login/oauth/access_token [post]
 func (c *ApiController) GetOAuthToken() {
-	clientId := c.Input().Get("client_id")
-	clientSecret := c.Input().Get("client_secret")
-	grantType := c.Input().Get("grant_type")
-	code := c.Input().Get("code")
-	verifier := c.Input().Get("code_verifier")
-	scope := c.Input().Get("scope")
-	nonce := c.Input().Get("nonce")
-	username := c.Input().Get("username")
-	password := c.Input().Get("password")
-	tag := c.Input().Get("tag")
-	avatar := c.Input().Get("avatar")
-	refreshToken := c.Input().Get("refresh_token")
-	deviceCode := c.Input().Get("device_code")
+	clientId := c.Ctx.Input.Query("client_id")
+	clientSecret := c.Ctx.Input.Query("client_secret")
+	assertion := c.Ctx.Input.Query("assertion")
+	clientAssertion := c.Ctx.Input.Query("client_assertion")
+	clientAssertionType := c.Ctx.Input.Query("client_assertion_type")
+	grantType := c.Ctx.Input.Query("grant_type")
+	code := c.Ctx.Input.Query("code")
+	verifier := c.Ctx.Input.Query("code_verifier")
+	scope := c.Ctx.Input.Query("scope")
+	nonce := c.Ctx.Input.Query("nonce")
+	username := c.Ctx.Input.Query("username")
+	password := c.Ctx.Input.Query("password")
+	tag := c.Ctx.Input.Query("tag")
+	avatar := c.Ctx.Input.Query("avatar")
+	refreshToken := c.Ctx.Input.Query("refresh_token")
+	deviceCode := c.Ctx.Input.Query("device_code")
+	subjectToken := c.Ctx.Input.Query("subject_token")
+	subjectTokenType := c.Ctx.Input.Query("subject_token_type")
+	audience := c.Ctx.Input.Query("audience")
+	resource := c.Ctx.Input.Query("resource")
 
 	if clientId == "" && clientSecret == "" {
 		clientId, clientSecret, _ = c.Ctx.Request.BasicAuth()
@@ -189,6 +196,12 @@ func (c *ApiController) GetOAuthToken() {
 			if clientSecret == "" {
 				clientSecret = tokenRequest.ClientSecret
 			}
+			if clientAssertion == "" {
+				clientAssertion = tokenRequest.ClientAssertion
+			}
+			if clientAssertionType == "" {
+				clientAssertionType = tokenRequest.ClientAssertionType
+			}
 			if grantType == "" {
 				grantType = tokenRequest.GrantType
 			}
@@ -219,9 +232,25 @@ func (c *ApiController) GetOAuthToken() {
 			if refreshToken == "" {
 				refreshToken = tokenRequest.RefreshToken
 			}
+			if subjectToken == "" {
+				subjectToken = tokenRequest.SubjectToken
+			}
+			if subjectTokenType == "" {
+				subjectTokenType = tokenRequest.SubjectTokenType
+			}
+			if audience == "" {
+				audience = tokenRequest.Audience
+			}
+			if resource == "" {
+				resource = tokenRequest.Resource
+			}
+			if assertion == "" {
+				assertion = tokenRequest.Assertion
+			}
 		}
 	}
 
+	host := c.Ctx.Request.Host
 	if deviceCode != "" {
 		deviceAuthCache, ok := object.DeviceAuthMap.Load(deviceCode)
 		if !ok {
@@ -262,8 +291,7 @@ func (c *ApiController) GetOAuthToken() {
 		username = deviceAuthCacheCast.UserName
 	}
 
-	host := c.Ctx.Request.Host
-	token, err := object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, nonce, username, password, host, refreshToken, tag, avatar, c.GetAcceptLanguage())
+	token, err := object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, nonce, username, password, host, refreshToken, tag, avatar, c.GetAcceptLanguage(), subjectToken, subjectTokenType, assertion, clientAssertion, clientAssertionType, audience, resource)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@@ -288,11 +316,11 @@ func (c *ApiController) GetOAuthToken() {
 // @Success 401 {object} object.TokenError The Response object
 // @router /login/oauth/refresh_token [post]
 func (c *ApiController) RefreshToken() {
-	grantType := c.Input().Get("grant_type")
-	refreshToken := c.Input().Get("refresh_token")
-	scope := c.Input().Get("scope")
-	clientId := c.Input().Get("client_id")
-	clientSecret := c.Input().Get("client_secret")
+	grantType := c.Ctx.Input.Query("grant_type")
+	refreshToken := c.Ctx.Input.Query("refresh_token")
+	scope := c.Ctx.Input.Query("scope")
+	clientId := c.Ctx.Input.Query("client_id")
+	clientSecret := c.Ctx.Input.Query("client_secret")
 	host := c.Ctx.Request.Host
 
 	if clientId == "" {
@@ -307,7 +335,12 @@ func (c *ApiController) RefreshToken() {
 		}
 	}
 
-	refreshToken2, err := object.RefreshToken(grantType, refreshToken, scope, clientId, clientSecret, host)
+	ok, application, clientId, _, err := c.ValidateOAuth(true)
+	if err != nil || !ok {
+		return
+	}
+
+	refreshToken2, err := object.RefreshToken(application, grantType, refreshToken, scope, clientId, clientSecret, host)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@@ -318,14 +351,79 @@ func (c *ApiController) RefreshToken() {
 	c.ServeJSON()
 }
 
-func (c *ApiController) ResponseTokenError(errorMsg string) {
+func (c *ApiController) ResponseTokenError(errorMsg string, errorDescription string) {
 	c.Data["json"] = &object.TokenError{
-		Error: errorMsg,
+		Error:            errorMsg,
+		ErrorDescription: errorDescription,
 	}
 	c.SetTokenErrorHttpStatus()
 	c.ServeJSON()
 }
 
+func (c *ApiController) ValidateOAuth(ignoreValidSecret bool) (ok bool, application *object.Application, clientId, clientSecret string, err error) {
+	reqClientId := c.Ctx.Input.Query("client_id")
+	reqClientSecret := c.Ctx.Input.Query("client_secret")
+	clientAssertion := c.Ctx.Input.Query("client_assertion")
+	clientAssertionType := c.Ctx.Input.Query("client_assertion_type")
+
+	if reqClientId == "" && clientAssertionType == "" {
+		var tokenRequest TokenRequest
+		if err := json.Unmarshal(c.Ctx.Input.RequestBody, &tokenRequest); err == nil {
+			reqClientId = tokenRequest.ClientId
+			reqClientSecret = tokenRequest.ClientSecret
+			clientAssertion = tokenRequest.ClientAssertion
+			clientAssertionType = tokenRequest.ClientAssertionType
+		}
+	}
+
+	if clientAssertionType == "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" {
+		ok, application, err = object.ValidateClientAssertion(clientAssertion, c.Ctx.Request.Host)
+		if err != nil {
+			c.ResponseTokenError(object.InvalidClient, err.Error())
+			return
+		}
+
+		if !ok || application == nil {
+			c.ResponseTokenError(object.InvalidClient, "client_assertion is invalid")
+			return
+		}
+
+		clientSecret = application.ClientSecret
+		clientId = application.ClientId
+		ok = true
+		return
+	}
+
+	if reqClientId == "" && reqClientSecret == "" {
+		clientId, clientSecret, ok = c.Ctx.Request.BasicAuth()
+		if !ok {
+			clientId = c.Ctx.Input.Query("client_id")
+			clientSecret = c.Ctx.Input.Query("client_secret")
+			if clientId == "" || clientSecret == "" {
+				c.ResponseTokenError(object.InvalidRequest, "")
+				return
+			}
+		}
+	} else {
+		clientId = reqClientId
+		clientSecret = reqClientSecret
+	}
+
+	application, err = object.GetApplicationByClientId(clientId)
+	if err != nil {
+		c.ResponseTokenError(object.InvalidClient, err.Error())
+		return
+	}
+
+	if application == nil || (application.ClientSecret != clientSecret && !ignoreValidSecret) {
+		c.ResponseTokenError(object.InvalidClient, c.T("token:Invalid application or wrong clientSecret"))
+		return
+	}
+
+	ok = true
+	return
+}
+
 // IntrospectToken
 // @Title IntrospectToken
 // @Tag Login API
@@ -333,7 +431,7 @@ func (c *ApiController) ResponseTokenError(errorMsg string) {
 // parameter representing an OAuth 2.0 token and returns a JSON document
 // representing the meta information surrounding the
 // token, including whether this token is currently active.
-// This endpoint only support Basic Authorization.
+// This endpoint support Basic Authorization and authorization defined in RFC 7523.
 //
 // @Param token formData string true "access_token's value or refresh_token's value"
 // @Param token_type_hint formData string true "the token type access_token or refresh_token"
@@ -342,25 +440,10 @@ func (c *ApiController) ResponseTokenError(errorMsg string) {
 // @Success 401 {object} object.TokenError The Response object
 // @router /login/oauth/introspect [post]
 func (c *ApiController) IntrospectToken() {
-	tokenValue := c.Input().Get("token")
-	clientId, clientSecret, ok := c.Ctx.Request.BasicAuth()
-	if !ok {
-		clientId = c.Input().Get("client_id")
-		clientSecret = c.Input().Get("client_secret")
-		if clientId == "" || clientSecret == "" {
-			c.ResponseTokenError(object.InvalidRequest)
-			return
-		}
-	}
+	tokenValue := c.Ctx.Input.Query("token")
 
-	application, err := object.GetApplicationByClientId(clientId)
-	if err != nil {
-		c.ResponseTokenError(err.Error())
-		return
-	}
-
-	if application == nil || application.ClientSecret != clientSecret {
-		c.ResponseTokenError(c.T("token:Invalid application or wrong clientSecret"))
+	ok, application, clientId, _, err := c.ValidateOAuth(false)
+	if err != nil || !ok {
 		return
 	}
 
@@ -369,12 +452,12 @@ func (c *ApiController) IntrospectToken() {
 		c.ServeJSON()
 	}
 
-	tokenTypeHint := c.Input().Get("token_type_hint")
+	tokenTypeHint := c.Ctx.Input.Query("token_type_hint")
 	var token *object.Token
 	if tokenTypeHint != "" {
 		token, err = object.GetTokenByTokenValue(tokenValue, tokenTypeHint)
 		if err != nil {
-			c.ResponseTokenError(err.Error())
+			c.ResponseTokenError(object.InvalidRequest, err.Error())
 			return
 		}
 		if token == nil || token.ExpiresIn <= 0 {
@@ -451,7 +534,7 @@ func (c *ApiController) IntrospectToken() {
 	if tokenTypeHint == "" {
 		token, err = object.GetTokenByTokenValue(tokenValue, introspectionResponse.TokenType)
 		if err != nil {
-			c.ResponseTokenError(err.Error())
+			c.ResponseTokenError(object.InvalidRequest, err.Error())
 			return
 		}
 		if token == nil || token.ExpiresIn <= 0 {
@@ -463,7 +546,7 @@ func (c *ApiController) IntrospectToken() {
 	if token != nil {
 		application, err = object.GetApplication(fmt.Sprintf("%s/%s", token.Owner, token.Application))
 		if err != nil {
-			c.ResponseTokenError(err.Error())
+			c.ResponseTokenError(object.InvalidClient, err.Error())
 			return
 		}
 		if application == nil {

controllers/transaction.go

@@ -17,7 +17,7 @@ package controllers
 import (
 	"encoding/json"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -30,16 +30,35 @@ import (
 // @Success 200 {array} object.Transaction The Response object
 // @router /get-transactions [get]
 func (c *ApiController) GetTransactions() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
-		transactions, err := object.GetTransactions(owner)
+		var transactions []*object.Transaction
+		var err error
+
+		if c.IsAdmin() {
+			// If field is "user", filter by that user even for admins
+			if field == "user" && value != "" {
+				transactions, err = object.GetUserTransactions(owner, value)
+			} else {
+				transactions, err = object.GetTransactions(owner)
+			}
+		} else {
+			user := c.GetSessionUsername()
+			_, userName, userErr := util.GetOwnerAndNameFromIdWithError(user)
+			if userErr != nil {
+				c.ResponseError(userErr.Error())
+				return
+			}
+			transactions, err = object.GetUserTransactions(owner, userName)
+		}
+
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@@ -48,13 +67,26 @@ func (c *ApiController) GetTransactions() {
 		c.ResponseOk(transactions)
 	} else {
 		limit := util.ParseInt(limit)
+
+		// Apply user filter for non-admin users
+		if !c.IsAdmin() {
+			user := c.GetSessionUsername()
+			_, userName, userErr := util.GetOwnerAndNameFromIdWithError(user)
+			if userErr != nil {
+				c.ResponseError(userErr.Error())
+				return
+			}
+			field = "user"
+			value = userName
+		}
+
 		count, err := object.GetTransactionCount(owner, field, value)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		transactions, err := object.GetPaginationTransactions(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -65,28 +97,6 @@ func (c *ApiController) GetTransactions() {
 	}
 }
 
-// GetUserTransactions
-// @Title GetUserTransaction
-// @Tag Transaction API
-// @Description get transactions for a user
-// @Param   owner     query    string  true        "The owner of transactions"
-// @Param   organization    query   string  true   "The organization of the user"
-// @Param   user    query   string  true           "The username of the user"
-// @Success 200 {array} object.Transaction The Response object
-// @router /get-user-transactions [get]
-func (c *ApiController) GetUserTransactions() {
-	owner := c.Input().Get("owner")
-	user := c.Input().Get("user")
-
-	transactions, err := object.GetUserTransactions(owner, user)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(transactions)
-}
-
 // GetTransaction
 // @Title GetTransaction
 // @Tag Transaction API
@@ -95,7 +105,7 @@ func (c *ApiController) GetUserTransactions() {
 // @Success 200 {object} object.Transaction The Response object
 // @router /get-transaction [get]
 func (c *ApiController) GetTransaction() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	transaction, err := object.GetTransaction(id)
 	if err != nil {
@@ -103,6 +113,27 @@ func (c *ApiController) GetTransaction() {
 		return
 	}
 
+	if transaction == nil {
+		c.ResponseOk(nil)
+		return
+	}
+
+	// Check if non-admin user is trying to access someone else's transaction
+	if !c.IsAdmin() {
+		user := c.GetSessionUsername()
+		_, userName, userErr := util.GetOwnerAndNameFromIdWithError(user)
+		if userErr != nil {
+			c.ResponseError(userErr.Error())
+			return
+		}
+
+		// Only allow users to view their own transactions
+		if transaction.User != userName {
+			c.ResponseError(c.T("auth:Unauthorized operation"))
+			return
+		}
+	}
+
 	c.ResponseOk(transaction)
 }
 
@@ -115,7 +146,7 @@ func (c *ApiController) GetTransaction() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-transaction [post]
 func (c *ApiController) UpdateTransaction() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var transaction object.Transaction
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &transaction)
@@ -124,7 +155,7 @@ func (c *ApiController) UpdateTransaction() {
 		return
 	}
 
-	c.Data["json"] = wrapActionResponse(object.UpdateTransaction(id, &transaction))
+	c.Data["json"] = wrapActionResponse(object.UpdateTransaction(id, &transaction, c.GetAcceptLanguage()))
 	c.ServeJSON()
 }
 
@@ -133,6 +164,7 @@ func (c *ApiController) UpdateTransaction() {
 // @Tag Transaction API
 // @Description add transaction
 // @Param   body    body   object.Transaction  true        "The details of the transaction"
+// @Param   dryRun  query  string  false       "Dry run mode: set to 'true' or '1' to validate without committing"
 // @Success 200 {object} controllers.Response The Response object
 // @router /add-transaction [post]
 func (c *ApiController) AddTransaction() {
@@ -143,8 +175,22 @@ func (c *ApiController) AddTransaction() {
 		return
 	}
 
-	c.Data["json"] = wrapActionResponse(object.AddTransaction(&transaction))
-	c.ServeJSON()
+	dryRunParam := c.Ctx.Input.Query("dryRun")
+	dryRun := dryRunParam != ""
+
+	affected, transactionId, err := object.AddTransaction(&transaction, c.GetAcceptLanguage(), dryRun)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if !affected {
+		c.Data["json"] = wrapActionResponse(false)
+		c.ServeJSON()
+		return
+	}
+
+	c.ResponseOk(transactionId)
 }
 
 // DeleteTransaction
@@ -162,6 +208,6 @@ func (c *ApiController) DeleteTransaction() {
 		return
 	}
 
-	c.Data["json"] = wrapActionResponse(object.DeleteTransaction(&transaction))
+	c.Data["json"] = wrapActionResponse(object.DeleteTransaction(&transaction, c.GetAcceptLanguage()))
 	c.ServeJSON()
 }

controllers/types.go

@@ -15,16 +15,23 @@
 package controllers
 
 type TokenRequest struct {
-	ClientId     string `json:"client_id"`
-	ClientSecret string `json:"client_secret"`
-	GrantType    string `json:"grant_type"`
-	Code         string `json:"code"`
-	Verifier     string `json:"code_verifier"`
-	Scope        string `json:"scope"`
-	Nonce        string `json:"nonce"`
-	Username     string `json:"username"`
-	Password     string `json:"password"`
-	Tag          string `json:"tag"`
-	Avatar       string `json:"avatar"`
-	RefreshToken string `json:"refresh_token"`
+	Assertion           string `json:"assertion"`
+	ClientId            string `json:"client_id"`
+	ClientSecret        string `json:"client_secret"`
+	ClientAssertion     string `json:"client_assertion"`
+	ClientAssertionType string `json:"client_assertion_type"`
+	GrantType           string `json:"grant_type"`
+	Code                string `json:"code"`
+	Verifier            string `json:"code_verifier"`
+	Scope               string `json:"scope"`
+	Nonce               string `json:"nonce"`
+	Username            string `json:"username"`
+	Password            string `json:"password"`
+	Tag                 string `json:"tag"`
+	Avatar              string `json:"avatar"`
+	RefreshToken        string `json:"refresh_token"`
+	SubjectToken        string `json:"subject_token"`
+	SubjectTokenType    string `json:"subject_token_type"`
+	Audience            string `json:"audience"`
+	Resource            string `json:"resource"` // RFC 8707 Resource Indicator
 }

controllers/user.go

@@ -19,7 +19,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
@@ -32,12 +32,12 @@ import (
 // @Success 200 {array} object.User The Response object
 // @router /get-global-users [get]
 func (c *ApiController) GetGlobalUsers() {
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
 		users, err := object.GetMaskedUsers(object.GetGlobalUsers())
@@ -55,7 +55,7 @@ func (c *ApiController) GetGlobalUsers() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		users, err := object.GetPaginationGlobalUsers(paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -80,14 +80,14 @@ func (c *ApiController) GetGlobalUsers() {
 // @Success 200 {array} object.User The Response object
 // @router /get-users [get]
 func (c *ApiController) GetUsers() {
-	owner := c.Input().Get("owner")
-	groupName := c.Input().Get("groupName")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	owner := c.Ctx.Input.Query("owner")
+	groupName := c.Ctx.Input.Query("groupName")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
 
 	if limit == "" || page == "" {
 		if groupName != "" {
@@ -115,7 +115,7 @@ func (c *ApiController) GetUsers() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 		users, err := object.GetPaginationUsers(owner, paginator.Offset(), limit, field, value, sortField, sortOrder, groupName)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -144,11 +144,11 @@ func (c *ApiController) GetUsers() {
 // @Success 200 {object} object.User The Response object
 // @router /get-user [get]
 func (c *ApiController) GetUser() {
-	id := c.Input().Get("id")
-	email := c.Input().Get("email")
-	phone := c.Input().Get("phone")
-	userId := c.Input().Get("userId")
-	owner := c.Input().Get("owner")
+	id := c.Ctx.Input.Query("id")
+	email := c.Ctx.Input.Query("email")
+	phone := c.Ctx.Input.Query("phone")
+	userId := c.Ctx.Input.Query("userId")
+	owner := c.Ctx.Input.Query("owner")
 	var err error
 	var userFromUserId *object.User
 	if userId != "" && owner != "" {
@@ -252,13 +252,17 @@ func (c *ApiController) GetUser() {
 // @Title UpdateUser
 // @Tag User API
 // @Description update user
-// @Param   id     query    string  true        "The id ( owner/name ) of the user"
+// @Param   id     query    string  false        "The id ( owner/name ) of the user"
+// @Param   userId query    string  false        "The userId (UUID) of the user"
+// @Param   owner  query    string  false        "The owner of the user (required when using userId)"
 // @Param   body    body   object.User  true        "The details of the user"
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-user [post]
 func (c *ApiController) UpdateUser() {
-	id := c.Input().Get("id")
-	columnsStr := c.Input().Get("columns")
+	id := c.Ctx.Input.Query("id")
+	userId := c.Ctx.Input.Query("userId")
+	owner := c.Ctx.Input.Query("owner")
+	columnsStr := c.Ctx.Input.Query("columns")
 
 	var user object.User
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &user)
@@ -267,17 +271,38 @@ func (c *ApiController) UpdateUser() {
 		return
 	}
 
-	if id == "" {
+	if id == "" && userId == "" {
 		id = c.GetSessionUsername()
 		if id == "" {
 			c.ResponseError(c.T("general:Missing parameter"))
 			return
 		}
 	}
-	oldUser, err := object.GetUser(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
+
+	var userFromUserId *object.User
+	if userId != "" && owner != "" {
+		userFromUserId, err = object.GetUserByUserId(owner, userId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		if userFromUserId == nil {
+			c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
+			return
+		}
+
+		id = util.GetId(userFromUserId.Owner, userFromUserId.Name)
+	}
+
+	var oldUser *object.User
+	if userId != "" {
+		oldUser = userFromUserId
+	} else {
+		oldUser, err = object.GetUser(id)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 	}
 
 	if oldUser == nil {
@@ -311,7 +336,7 @@ func (c *ApiController) UpdateUser() {
 	}
 
 	isAdmin := c.IsAdmin()
-	allowDisplayNameEmpty := c.Input().Get("allowEmpty") != ""
+	allowDisplayNameEmpty := c.Ctx.Input.Query("allowEmpty") != ""
 	if pass, err := object.CheckPermissionForUpdateUser(oldUser, &user, isAdmin, allowDisplayNameEmpty, c.GetAcceptLanguage()); !pass {
 		c.ResponseError(err)
 		return
@@ -367,6 +392,17 @@ func (c *ApiController) AddUser() {
 		return
 	}
 
+	// Set RegisterSource based on the current user if not already set
+	if user.RegisterType == "" {
+		user.RegisterType = "Add User"
+	}
+	if user.RegisterSource == "" {
+		currentUser := c.getCurrentUser()
+		if currentUser != nil {
+			user.RegisterSource = currentUser.GetId()
+		}
+	}
+
 	c.Data["json"] = wrapActionResponse(object.AddUser(&user, c.GetAcceptLanguage()))
 	c.ServeJSON()
 }
@@ -464,11 +500,6 @@ func (c *ApiController) SetPassword() {
 	//	return
 	// }
 
-	if strings.Contains(newPassword, " ") {
-		c.ResponseError(c.T("user:New password cannot contain blank space."))
-		return
-	}
-
 	userId := util.GetId(userOwner, userName)
 
 	user, err := object.GetUser(userId)
@@ -481,6 +512,41 @@ func (c *ApiController) SetPassword() {
 		return
 	}
 
+	// Get organization to check for password obfuscation settings
+	organization, err := object.GetOrganizationByUser(user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if organization == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:the organization: %s is not found"), user.Owner))
+		return
+	}
+
+	// Deobfuscate passwords if organization has password obfuscator configured
+	// Note: Deobfuscation is optional - if it fails, we treat the password as plain text
+	// This allows SDKs and raw HTTP API calls to work without obfuscation support
+	if organization.PasswordObfuscatorType != "" && organization.PasswordObfuscatorType != "Plain" {
+		if oldPassword != "" {
+			deobfuscatedOldPassword, deobfuscateErr := util.GetUnobfuscatedPassword(organization.PasswordObfuscatorType, organization.PasswordObfuscatorKey, oldPassword)
+			if deobfuscateErr == nil {
+				oldPassword = deobfuscatedOldPassword
+			}
+		}
+
+		if newPassword != "" {
+			deobfuscatedNewPassword, deobfuscateErr := util.GetUnobfuscatedPassword(organization.PasswordObfuscatorType, organization.PasswordObfuscatorKey, newPassword)
+			if deobfuscateErr == nil {
+				newPassword = deobfuscatedNewPassword
+			}
+		}
+	}
+
+	if strings.Contains(newPassword, " ") {
+		c.ResponseError(c.T("user:New password cannot contain blank space."))
+		return
+	}
+
 	requestUserId := c.GetSessionUsername()
 	if requestUserId == "" && code == "" {
 		c.ResponseError(c.T("general:Please login first"), "Please login first")
@@ -524,30 +590,28 @@ func (c *ApiController) SetPassword() {
 			}
 		}
 	} else if code == "" {
-		if user.Ldap == "" {
-			err = object.CheckPassword(targetUser, oldPassword, c.GetAcceptLanguage())
-		} else {
-			err = object.CheckLdapUserPassword(targetUser, oldPassword, c.GetAcceptLanguage())
-		}
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
+		if targetUser.Password != "" || user.Ldap != "" {
+			if user.Ldap == "" {
+				err = object.CheckPassword(targetUser, oldPassword, c.GetAcceptLanguage())
+			} else {
+				err = object.CheckLdapUserPassword(targetUser, oldPassword, c.GetAcceptLanguage())
+			}
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
 		}
 	}
 
-	msg := object.CheckPasswordComplexity(targetUser, newPassword)
+	msg := object.CheckPasswordComplexity(targetUser, newPassword, c.GetAcceptLanguage())
 	if msg != "" {
 		c.ResponseError(msg)
 		return
 	}
 
-	organization, err := object.GetOrganizationByUser(targetUser)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	if organization == nil {
-		c.ResponseError(fmt.Sprintf(c.T("auth:the organization: %s is not found"), targetUser.Owner))
+	// Check if the new password is the same as the current password
+	if !object.CheckPasswordNotSameAsCurrent(targetUser, newPassword, organization) {
+		c.ResponseError(c.T("user:The new password must be different from your current password"))
 		return
 	}
 
@@ -626,9 +690,9 @@ func (c *ApiController) CheckUserPassword() {
 // @Success 200 {array} object.User The Response object
 // @router /get-sorted-users [get]
 func (c *ApiController) GetSortedUsers() {
-	owner := c.Input().Get("owner")
-	sorter := c.Input().Get("sorter")
-	limit := util.ParseInt(c.Input().Get("limit"))
+	owner := c.Ctx.Input.Query("owner")
+	sorter := c.Ctx.Input.Query("sorter")
+	limit := util.ParseInt(c.Ctx.Input.Query("limit"))
 
 	users, err := object.GetMaskedUsers(object.GetSortedUsers(owner, sorter, limit))
 	if err != nil {
@@ -648,8 +712,8 @@ func (c *ApiController) GetSortedUsers() {
 // @Success 200 {int} int The count of filtered users for an organization
 // @router /get-user-count [get]
 func (c *ApiController) GetUserCount() {
-	owner := c.Input().Get("owner")
-	isOnline := c.Input().Get("isOnline")
+	owner := c.Ctx.Input.Query("owner")
+	isOnline := c.Ctx.Input.Query("isOnline")
 
 	var count int64
 	var err error
@@ -713,3 +777,205 @@ func (c *ApiController) RemoveUserFromGroup() {
 
 	c.ResponseOk(affected)
 }
+
+// ImpersonateUser
+// @Title ImpersonateUser
+// @Tag User API
+// @Description set impersonation user for current admin session
+// @Param   username    formData   string  true        "The username to impersonate (owner/name)"
+// @Success 200 {object} controllers.Response The Response object
+// @router /impersonation-user [post]
+func (c *ApiController) ImpersonateUser() {
+	org, ok := c.RequireAdmin()
+	if !ok {
+		return
+	}
+
+	username := c.Ctx.Request.Form.Get("username")
+	if username == "" {
+		c.ResponseError(c.T("general:Missing parameter"))
+		return
+	}
+
+	owner, _, err := util.GetOwnerAndNameFromIdWithError(username)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if !(owner == org || org == "") {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
+	targetUser, err := object.GetUser(username)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if targetUser == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), username))
+		return
+	}
+
+	err = c.SetSession("impersonateUser", username)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.Ctx.SetCookie("impersonateUser", username, 0, "/")
+	c.ResponseOk()
+}
+
+// ExitImpersonateUser
+// @Title ExitImpersonateUser
+// @Tag User API
+// @Description clear impersonation info for current session
+// @Success 200 {object} controllers.Response The Response object
+// @router /exit-impersonation-user [post]
+func (c *ApiController) ExitImpersonateUser() {
+	_, ok := c.Ctx.Input.GetData("impersonating").(bool)
+	if !ok {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
+	err := c.SetSession("impersonateUser", "")
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.Ctx.SetCookie("impersonateUser", "", -1, "/")
+	c.ResponseOk()
+}
+
+// VerifyIdentification
+// @Title VerifyIdentification
+// @Tag User API
+// @Description verify user's real identity using ID Verification provider
+// @Param   owner     query    string  false  "The owner of the user (optional, defaults to logged-in user)"
+// @Param   name      query    string  false  "The name of the user (optional, defaults to logged-in user)"
+// @Param   provider  query    string  false  "The name of the ID Verification provider (optional, auto-selected if not provided)"
+// @Success 200 {object} controllers.Response The Response object
+// @router /verify-identification [post]
+func (c *ApiController) VerifyIdentification() {
+	owner := c.Ctx.Input.Query("owner")
+	name := c.Ctx.Input.Query("name")
+	providerName := c.Ctx.Input.Query("provider")
+
+	// If user not specified, use logged-in user
+	if owner == "" || name == "" {
+		loggedInUser := c.GetSessionUsername()
+		if loggedInUser == "" {
+			c.ResponseError(c.T("general:Please login first"))
+			return
+		}
+		var err error
+		owner, name, err = util.GetOwnerAndNameFromIdWithError(loggedInUser)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	} else {
+		// If user is specified, check if current user has permission to verify other users
+		// Only admins can verify other users
+		loggedInUser := c.GetSessionUsername()
+		if loggedInUser != util.GetId(owner, name) && !c.IsAdmin() {
+			c.ResponseError(c.T("auth:Unauthorized operation"))
+			return
+		}
+	}
+
+	user, err := object.GetUser(util.GetId(owner, name))
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if user == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), util.GetId(owner, name)))
+		return
+	}
+
+	if user.IdCard == "" || user.IdCardType == "" || user.RealName == "" {
+		c.ResponseError(c.T("user:ID card information and real name are required"))
+		return
+	}
+
+	if user.IsVerified {
+		c.ResponseError(c.T("user:User is already verified"))
+		return
+	}
+
+	var provider *object.Provider
+	// If provider not specified, find suitable IDV provider from user's application
+	if providerName == "" {
+		application, err := object.GetApplicationByUser(user)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if application == nil {
+			c.ResponseError(c.T("user:No application found for user"))
+			return
+		}
+
+		// Find IDV provider from application
+		idvProvider, err := object.GetIdvProviderByApplication(util.GetId(application.Owner, application.Name), "false", c.GetAcceptLanguage())
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if idvProvider == nil {
+			c.ResponseError(c.T("provider:No ID Verification provider configured"))
+			return
+		}
+		provider = idvProvider
+	} else {
+		provider, err = object.GetProvider(providerName)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if provider == nil {
+			c.ResponseError(fmt.Sprintf(c.T("auth:The provider: %s does not exist"), providerName))
+			return
+		}
+
+		if provider.Category != "ID Verification" {
+			c.ResponseError(c.T("provider:Provider is not an ID Verification provider"))
+			return
+		}
+	}
+
+	idvProvider := object.GetIdvProviderFromProvider(provider)
+	if idvProvider == nil {
+		c.ResponseError(c.T("provider:Failed to initialize ID Verification provider"))
+		return
+	}
+
+	verified, err := idvProvider.VerifyIdentity(user.IdCardType, user.IdCard, user.RealName)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if !verified {
+		c.ResponseError(c.T("user:Identity verification failed"))
+		return
+	}
+
+	// Set IsVerified to true upon successful verification
+	user.IsVerified = true
+	_, err = object.UpdateUser(user.GetId(), user, []string{"is_verified"}, false)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(user.RealName)
+}

controllers/user_upload.go

@@ -40,8 +40,23 @@ func saveFile(path string, file *multipart.File) (err error) {
 }
 
 func (c *ApiController) UploadUsers() {
+	if !c.IsAdmin() {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
+	userObj := c.getCurrentUser()
+	if userObj == nil {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
 	userId := c.GetSessionUsername()
-	owner, user := util.GetOwnerAndNameFromId(userId)
+	owner, user, err := util.GetOwnerAndNameFromIdWithError(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 
 	file, header, err := c.Ctx.Request.FormFile("file")
 	if err != nil {
@@ -58,7 +73,7 @@ func (c *ApiController) UploadUsers() {
 		return
 	}
 
-	affected, err := object.UploadUsers(owner, path)
+	affected, err := object.UploadUsers(owner, path, userObj, c.GetAcceptLanguage())
 	if err != nil {
 		c.ResponseError(err.Error())
 		return

controllers/util.go

@@ -15,6 +15,7 @@
 package controllers
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 
@@ -106,7 +107,7 @@ func (c *ApiController) RequireSignedInUser() (*object.User, bool) {
 	}
 
 	if object.IsAppUser(userId) {
-		tmpUserId := c.Input().Get("userId")
+		tmpUserId := c.Ctx.Input.Query("userId")
 		if tmpUserId != "" {
 			userId = tmpUserId
 		}
@@ -172,7 +173,7 @@ func (c *ApiController) IsOrgAdmin() (bool, bool) {
 // IsMaskedEnabled ...
 func (c *ApiController) IsMaskedEnabled() (bool, bool) {
 	isMaskEnabled := true
-	withSecret := c.Input().Get("withSecret")
+	withSecret := c.Ctx.Input.Query("withSecret")
 	if withSecret == "1" {
 		isMaskEnabled = false
 
@@ -202,14 +203,14 @@ func refineFullFilePath(fullFilePath string) (string, string) {
 }
 
 func (c *ApiController) GetProviderFromContext(category string) (*object.Provider, error) {
-	providerName := c.Input().Get("provider")
+	providerName := c.Ctx.Input.Query("provider")
 	if providerName == "" {
-		field := c.Input().Get("field")
-		value := c.Input().Get("value")
+		field := c.Ctx.Input.Query("field")
+		value := c.Ctx.Input.Query("value")
 		if field == "provider" && value != "" {
 			providerName = value
 		} else {
-			fullFilePath := c.Input().Get("fullFilePath")
+			fullFilePath := c.Ctx.Input.Query("fullFilePath")
 			providerName, _ = refineFullFilePath(fullFilePath)
 		}
 	}
@@ -230,7 +231,7 @@ func (c *ApiController) GetProviderFromContext(category string) (*object.Provide
 
 	userId, ok := c.RequireSignedIn()
 	if !ok {
-		return nil, fmt.Errorf(c.T("general:Please login first"))
+		return nil, errors.New(c.T("general:Please login first"))
 	}
 
 	application, err := object.GetApplicationByUserId(userId)

controllers/verification.go

@@ -20,7 +20,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/captcha"
 	"github.com/casdoor/casdoor/form"
 	"github.com/casdoor/casdoor/object"
@@ -44,16 +44,27 @@ const (
 // @Success 200 {array} object.Verification The Response object
 // @router /get-payments [get]
 func (c *ApiController) GetVerifications() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
+	organization, ok := c.RequireAdmin()
+	if !ok {
+		return
+	}
+
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
+
+	owner := c.Ctx.Input.Query("owner")
+	// For global admin with organizationName parameter, use it to filter
+	// For org admin, use their organization
+	if c.IsGlobalAdmin() && owner != "" {
+		organization = owner
+	}
 
 	if limit == "" || page == "" {
-		payments, err := object.GetVerifications(owner)
+		payments, err := object.GetVerifications(organization)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@@ -62,14 +73,14 @@ func (c *ApiController) GetVerifications() {
 		c.ResponseOk(payments)
 	} else {
 		limit := util.ParseInt(limit)
-		count, err := object.GetVerificationCount(owner, field, value)
+		count, err := object.GetVerificationCount(organization, field, value)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
-		payments, err := object.GetPaginationVerifications(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
+		payments, err := object.GetPaginationVerifications(organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@@ -89,8 +100,8 @@ func (c *ApiController) GetVerifications() {
 // @Success 200 {array} object.Verification The Response object
 // @router /get-user-payments [get]
 func (c *ApiController) GetUserVerifications() {
-	owner := c.Input().Get("owner")
-	user := c.Input().Get("user")
+	owner := c.Ctx.Input.Query("owner")
+	user := c.Ctx.Input.Query("user")
 
 	payments, err := object.GetUserVerifications(owner, user)
 	if err != nil {
@@ -109,7 +120,7 @@ func (c *ApiController) GetUserVerifications() {
 // @Success 200 {object} object.Verification The Response object
 // @router /get-payment [get]
 func (c *ApiController) GetVerification() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	payment, err := object.GetVerification(id)
 	if err != nil {
@@ -140,42 +151,33 @@ func (c *ApiController) SendVerificationCode() {
 		return
 	}
 
-	provider, err := object.GetCaptchaProviderByApplication(vform.ApplicationId, "false", c.GetAcceptLanguage())
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	if provider != nil {
-		if vform.CaptchaType != provider.Type {
-			c.ResponseError(c.T("verification:Turing test failed."))
-			return
-		}
-
-		if provider.Type != "Default" {
-			vform.ClientSecret = provider.ClientSecret
-		}
-
-		if vform.CaptchaType != "none" {
-			if captchaProvider := captcha.GetCaptchaProvider(vform.CaptchaType); captchaProvider == nil {
-				c.ResponseError(c.T("general:don't support captchaProvider: ") + vform.CaptchaType)
-				return
-			} else if isHuman, err := captchaProvider.VerifyCaptcha(vform.CaptchaToken, provider.ClientId, vform.ClientSecret, provider.ClientId2); err != nil {
-				c.ResponseError(err.Error())
-				return
-			} else if !isHuman {
-				c.ResponseError(c.T("verification:Turing test failed."))
-				return
-			}
-		}
-	}
-
 	application, err := object.GetApplication(vform.ApplicationId)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
 
+	if application == nil {
+		c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), vform.ApplicationId))
+		return
+	}
+
+	// Check if "Forgot password?" signin item is visible when using forget verification
+	if vform.Method == ForgetVerification {
+		isForgotPasswordEnabled := false
+		for _, item := range application.SigninItems {
+			if item.Name == "Forgot password?" {
+				isForgotPasswordEnabled = item.Visible
+				break
+			}
+		}
+		// Block access if the signin item is not found or is explicitly hidden
+		if !isForgotPasswordEnabled {
+			c.ResponseError(c.T("verification:The forgot password feature is disabled"))
+			return
+		}
+	}
+
 	organization, err := object.GetOrganization(util.GetId(application.Owner, application.Organization))
 	if err != nil {
 		c.ResponseError(c.T(err.Error()))
@@ -187,6 +189,7 @@ func (c *ApiController) SendVerificationCode() {
 	}
 
 	var user *object.User
+	// Try to resolve user for CAPTCHA rule checking
 	// checkUser != "", means method is ForgetVerification
 	if vform.CheckUser != "" {
 		owner := application.Organization
@@ -204,18 +207,86 @@ func (c *ApiController) SendVerificationCode() {
 			c.ResponseError(c.T("check:The user is forbidden to sign in, please contact the administrator"))
 			return
 		}
-	}
-
-	// mfaUserSession != "", means method is MfaAuthVerification
-	if mfaUserSession := c.getMfaUserSession(); mfaUserSession != "" {
+	} else if mfaUserSession := c.getMfaUserSession(); mfaUserSession != "" {
+		// mfaUserSession != "", means method is MfaAuthVerification
 		user, err = object.GetUser(mfaUserSession)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
+	} else if vform.Method == ResetVerification {
+		// For reset verification, get the current logged-in user
+		user = c.getCurrentUser()
+	} else if vform.Method == LoginVerification {
+		// For login verification, try to find user by email/phone for CAPTCHA check
+		// This is a preliminary lookup; the actual validation happens later in the switch statement
+		if vform.Type == object.VerifyTypeEmail && util.IsEmailValid(vform.Dest) {
+			user, err = object.GetUserByEmail(organization.Name, vform.Dest)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+		} else if vform.Type == object.VerifyTypePhone {
+			// Prefer resolving the user directly by phone, consistent with the later login switch,
+			// so that Dynamic CAPTCHA is not skipped due to missing/invalid country code.
+			user, err = object.GetUserByPhone(organization.Name, vform.Dest)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+		}
+	}
+
+	// Determine username for CAPTCHA check
+	username := ""
+	if user != nil {
+		username = user.Name
+	} else if vform.CheckUser != "" {
+		username = vform.CheckUser
+	}
+
+	// Check if CAPTCHA should be enabled based on the rule (Dynamic/Always/Internet-Only)
+	enableCaptcha, err := object.CheckToEnableCaptcha(application, organization.Name, username, clientIp)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	// Only verify CAPTCHA if it should be enabled
+	if enableCaptcha {
+		captchaProvider, err := object.GetCaptchaProviderByApplication(vform.ApplicationId, "false", c.GetAcceptLanguage())
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		if captchaProvider != nil {
+			if vform.CaptchaType != captchaProvider.Type {
+				c.ResponseError(c.T("verification:Turing test failed."))
+				return
+			}
+
+			if captchaProvider.Type != "Default" {
+				vform.ClientSecret = captchaProvider.ClientSecret
+			}
+
+			if vform.CaptchaType != "none" {
+				if captchaService := captcha.GetCaptchaProvider(vform.CaptchaType); captchaService == nil {
+					c.ResponseError(c.T("general:don't support captchaProvider: ") + vform.CaptchaType)
+					return
+				} else if isHuman, err := captchaService.VerifyCaptcha(vform.CaptchaToken, captchaProvider.ClientId, vform.ClientSecret, captchaProvider.ClientId2); err != nil {
+					c.ResponseError(err.Error())
+					return
+				} else if !isHuman {
+					c.ResponseError(c.T("verification:Turing test failed."))
+					return
+				}
+			}
+		}
 	}
 
 	sendResp := errors.New("invalid dest type")
+	var provider *object.Provider
 
 	switch vform.Type {
 	case object.VerifyTypeEmail:
@@ -258,7 +329,7 @@ func (c *ApiController) SendVerificationCode() {
 			return
 		}
 
-		sendResp = object.SendVerificationCodeToEmail(organization, user, provider, clientIp, vform.Dest, vform.Method, c.Ctx.Request.Host, application.Name)
+		sendResp = object.SendVerificationCodeToEmail(organization, user, provider, clientIp, vform.Dest, vform.Method, c.Ctx.Request.Host, application.Name, application)
 	case object.VerifyTypePhone:
 		if vform.Method == LoginVerification || vform.Method == ForgetVerification {
 			if user != nil && util.GetMaskedPhone(user.Phone) == vform.Dest {
@@ -304,7 +375,7 @@ func (c *ApiController) SendVerificationCode() {
 			c.ResponseError(fmt.Sprintf(c.T("verification:Phone number is invalid in your region %s"), vform.CountryCode))
 			return
 		} else {
-			sendResp = object.SendVerificationCodeToPhone(organization, user, provider, clientIp, phone)
+			sendResp = object.SendVerificationCodeToPhone(organization, user, provider, clientIp, phone, application)
 		}
 	}
 
@@ -435,9 +506,15 @@ func (c *ApiController) ResetEmailOrPhone() {
 
 	switch destType {
 	case object.VerifyTypeEmail:
+		id := user.GetId()
 		user.Email = dest
 		user.EmailVerified = true
-		_, err = object.UpdateUser(user.GetId(), user, []string{"email", "email_verified"}, false)
+		columns := []string{"email", "email_verified"}
+		if organization.UseEmailAsUsername {
+			user.Name = user.Email
+			columns = append(columns, "name")
+		}
+		_, err = object.UpdateUser(id, user, columns, false)
 	case object.VerifyTypePhone:
 		user.Phone = dest
 		_, err = object.SetUserField(user, "phone", user.Phone)
@@ -449,6 +526,9 @@ func (c *ApiController) ResetEmailOrPhone() {
 		c.ResponseError(err.Error())
 		return
 	}
+	if organization.UseEmailAsUsername {
+		c.SetSessionUsername(user.GetId())
+	}
 
 	err = object.DisableVerificationCode(checkDest)
 	if err != nil {
@@ -518,15 +598,11 @@ func (c *ApiController) VerifyCode() {
 	}
 
 	if !passed {
-		result, err := object.CheckVerificationCode(checkDest, authForm.Code, c.GetAcceptLanguage())
+		err = object.CheckVerifyCodeWithLimit(user, checkDest, authForm.Code, c.GetAcceptLanguage())
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
-		if result.Code != object.VerificationSuccess {
-			c.ResponseError(result.Msg)
-			return
-		}
 
 		err = object.DisableVerificationCode(checkDest)
 		if err != nil {

controllers/webauthn.go

@@ -126,8 +126,8 @@ func (c *ApiController) WebAuthnSigninBegin() {
 		return
 	}
 
-	userOwner := c.Input().Get("owner")
-	userName := c.Input().Get("name")
+	userOwner := c.Ctx.Input.Query("owner")
+	userName := c.Ctx.Input.Query("name")
 
 	var options *protocol.CredentialAssertion
 	var sessionData *webauthn.SessionData
@@ -171,8 +171,8 @@ func (c *ApiController) WebAuthnSigninBegin() {
 // @Success 200 {object} controllers.Response "The Response object"
 // @router /webauthn/signin/finish [post]
 func (c *ApiController) WebAuthnSigninFinish() {
-	responseType := c.Input().Get("responseType")
-	clientId := c.Input().Get("clientId")
+	responseType := c.Ctx.Input.Query("responseType")
+	clientId := c.Ctx.Input.Query("clientId")
 	webauthnObj, err := object.GetWebAuthnObject(c.Ctx.Request.Host)
 	if err != nil {
 		c.ResponseError(err.Error())

controllers/webhook.go

@@ -17,7 +17,7 @@ package controllers
 import (
 	"encoding/json"
 
-	"github.com/beego/beego/utils/pagination"
+	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -31,14 +31,14 @@ import (
 // @router /get-webhooks [get]
 // @Security test_apiKey
 func (c *ApiController) GetWebhooks() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
-	organization := c.Input().Get("organization")
+	owner := c.Ctx.Input.Query("owner")
+	limit := c.Ctx.Input.Query("pageSize")
+	page := c.Ctx.Input.Query("p")
+	field := c.Ctx.Input.Query("field")
+	value := c.Ctx.Input.Query("value")
+	sortField := c.Ctx.Input.Query("sortField")
+	sortOrder := c.Ctx.Input.Query("sortOrder")
+	organization := c.Ctx.Input.Query("organization")
 
 	if limit == "" || page == "" {
 		webhooks, err := object.GetWebhooks(owner, organization)
@@ -56,7 +56,7 @@ func (c *ApiController) GetWebhooks() {
 			return
 		}
 
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
 
 		webhooks, err := object.GetPaginationWebhooks(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
@@ -76,7 +76,7 @@ func (c *ApiController) GetWebhooks() {
 // @Success 200 {object} object.Webhook The Response object
 // @router /get-webhook [get]
 func (c *ApiController) GetWebhook() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	webhook, err := object.GetWebhook(id)
 	if err != nil {
@@ -96,7 +96,7 @@ func (c *ApiController) GetWebhook() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-webhook [post]
 func (c *ApiController) UpdateWebhook() {
-	id := c.Input().Get("id")
+	id := c.Ctx.Input.Query("id")
 
 	var webhook object.Webhook
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &webhook)
@@ -105,7 +105,7 @@ func (c *ApiController) UpdateWebhook() {
 		return
 	}
 
-	c.Data["json"] = wrapActionResponse(object.UpdateWebhook(id, &webhook))
+	c.Data["json"] = wrapActionResponse(object.UpdateWebhook(id, &webhook, c.IsGlobalAdmin(), c.GetAcceptLanguage()))
 	c.ServeJSON()
 }
 

controllers/wellknown_oauth_prm.go

@@ -0,0 +1,45 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"github.com/casdoor/casdoor/object"
+)
+
+// GetOauthProtectedResourceMetadata
+// @Title GetOauthProtectedResourceMetadata
+// @Tag OAuth 2.0 API
+// @Description Get OAuth 2.0 Protected Resource Metadata (RFC 9728)
+// @Success 200 {object} object.OauthProtectedResourceMetadata
+// @router /.well-known/oauth-protected-resource [get]
+func (c *RootController) GetOauthProtectedResourceMetadata() {
+	host := c.Ctx.Request.Host
+	c.Data["json"] = object.GetOauthProtectedResourceMetadata(host)
+	c.ServeJSON()
+}
+
+// GetOauthProtectedResourceMetadataByApplication
+// @Title GetOauthProtectedResourceMetadataByApplication
+// @Tag OAuth 2.0 API
+// @Description Get OAuth 2.0 Protected Resource Metadata for specific application (RFC 9728)
+// @Param application path string true "application name"
+// @Success 200 {object} object.OauthProtectedResourceMetadata
+// @router /.well-known/:application/oauth-protected-resource [get]
+func (c *RootController) GetOauthProtectedResourceMetadataByApplication() {
+	application := c.Ctx.Input.Param(":application")
+	host := c.Ctx.Request.Host
+	c.Data["json"] = object.GetOauthProtectedResourceMetadataByApplication(host, application)
+	c.ServeJSON()
+}

controllers/wellknown_oidc_discovery.go

@@ -0,0 +1,165 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"strings"
+
+	"github.com/casdoor/casdoor/object"
+)
+
+// GetOidcDiscovery
+// @Title GetOidcDiscovery
+// @Tag OIDC API
+// @Description Get Oidc Discovery
+// @Success 200 {object} object.OidcDiscovery
+// @router /.well-known/openid-configuration [get]
+func (c *RootController) GetOidcDiscovery() {
+	host := c.Ctx.Request.Host
+	c.Data["json"] = object.GetOidcDiscovery(host, "")
+	c.ServeJSON()
+}
+
+// GetOidcDiscoveryByApplication
+// @Title GetOidcDiscoveryByApplication
+// @Tag OIDC API
+// @Description Get Oidc Discovery for specific application
+// @Param application path string true "application name"
+// @Success 200 {object} object.OidcDiscovery
+// @router /.well-known/:application/openid-configuration [get]
+func (c *RootController) GetOidcDiscoveryByApplication() {
+	application := c.Ctx.Input.Param(":application")
+	host := c.Ctx.Request.Host
+	c.Data["json"] = object.GetOidcDiscovery(host, application)
+	c.ServeJSON()
+}
+
+// GetJwks
+// @Title GetJwks
+// @Tag OIDC API
+// @Success 200 {object} jose.JSONWebKey
+// @router /.well-known/jwks [get]
+func (c *RootController) GetJwks() {
+	jwks, err := object.GetJsonWebKeySet("")
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.Data["json"] = jwks
+	c.ServeJSON()
+}
+
+// GetJwksByApplication
+// @Title GetJwksByApplication
+// @Tag OIDC API
+// @Param application path string true "application name"
+// @Success 200 {object} jose.JSONWebKey
+// @router /.well-known/:application/jwks [get]
+func (c *RootController) GetJwksByApplication() {
+	application := c.Ctx.Input.Param(":application")
+	jwks, err := object.GetJsonWebKeySet(application)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.Data["json"] = jwks
+	c.ServeJSON()
+}
+
+// GetWebFinger
+// @Title GetWebFinger
+// @Tag OIDC API
+// @Param resource query string true "resource"
+// @Success 200 {object} object.WebFinger
+// @router /.well-known/webfinger [get]
+func (c *RootController) GetWebFinger() {
+	resource := c.Ctx.Input.Query("resource")
+	rels := []string{}
+	host := c.Ctx.Request.Host
+
+	inputs, _ := c.Input()
+	for key, value := range inputs {
+		if strings.HasPrefix(key, "rel") {
+			rels = append(rels, value...)
+		}
+	}
+
+	webfinger, err := object.GetWebFinger(resource, rels, host, "")
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = webfinger
+	c.Ctx.Output.ContentType("application/jrd+json")
+	c.ServeJSON()
+}
+
+// GetWebFingerByApplication
+// @Title GetWebFingerByApplication
+// @Tag OIDC API
+// @Param application path string true "application name"
+// @Param resource query string true "resource"
+// @Success 200 {object} object.WebFinger
+// @router /.well-known/:application/webfinger [get]
+func (c *RootController) GetWebFingerByApplication() {
+	application := c.Ctx.Input.Param(":application")
+	resource := c.Ctx.Input.Query("resource")
+	rels := []string{}
+	host := c.Ctx.Request.Host
+
+	inputs, _ := c.Input()
+	for key, value := range inputs {
+		if strings.HasPrefix(key, "rel") {
+			rels = append(rels, value...)
+		}
+	}
+
+	webfinger, err := object.GetWebFinger(resource, rels, host, application)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = webfinger
+	c.Ctx.Output.ContentType("application/jrd+json")
+	c.ServeJSON()
+}
+
+// GetOAuthServerMetadata
+// @Title GetOAuthServerMetadata
+// @Tag OAuth API
+// @Description Get OAuth 2.0 Authorization Server Metadata (RFC 8414)
+// @Success 200 {object} object.OidcDiscovery
+// @router /.well-known/oauth-authorization-server [get]
+func (c *RootController) GetOAuthServerMetadata() {
+	host := c.Ctx.Request.Host
+	c.Data["json"] = object.GetOidcDiscovery(host, "")
+	c.ServeJSON()
+}
+
+// GetOAuthServerMetadataByApplication
+// @Title GetOAuthServerMetadataByApplication
+// @Tag OAuth API
+// @Description Get OAuth 2.0 Authorization Server Metadata for specific application (RFC 8414)
+// @Param application path string true "application name"
+// @Success 200 {object} object.OidcDiscovery
+// @router /.well-known/:application/oauth-authorization-server [get]
+func (c *RootController) GetOAuthServerMetadataByApplication() {
+	application := c.Ctx.Input.Param(":application")
+	host := c.Ctx.Request.Host
+	c.Data["json"] = object.GetOidcDiscovery(host, application)
+	c.ServeJSON()
+}

deployment/deploy_test.go

@@ -13,7 +13,6 @@
 // limitations under the License.
 
 //go:build !skipCi
-// +build !skipCi
 
 package deployment
 

docker-entrypoint.sh

@@ -1,8 +1,10 @@
 #!/bin/bash
-if [ "${MYSQL_ROOT_PASSWORD}" = "" ] ;then MYSQL_ROOT_PASSWORD=123456 ;fi
 
-service mariadb start
+if [ -z "${driverName:-}" ]; then
+  export driverName=sqlite
+fi
+if [ -z "${dataSourceName:-}" ]; then
+  export dataSourceName="file:casdoor.db?cache=shared"
+fi
 
-mysqladmin -u root password ${MYSQL_ROOT_PASSWORD}
-
-exec /server --createDatabase=true
+exec /server

email/azure_acs.go

@@ -96,15 +96,17 @@ func NewAzureACSEmailProvider(accessKey string, endpoint string) *AzureACSEmailP
 	}
 }
 
-func newEmail(fromAddress string, toAddress string, subject string, content string) *Email {
+func newEmail(fromAddress string, toAddress []string, subject string, content string) *Email {
+	var to []EmailAddress
+	for _, addr := range toAddress {
+		to = append(to, EmailAddress{
+			DisplayName: addr,
+			Address:     addr,
+		})
+	}
 	return &Email{
 		Recipients: Recipients{
-			To: []EmailAddress{
-				{
-					DisplayName: toAddress,
-					Address:     toAddress,
-				},
-			},
+			To: to,
 		},
 		SenderAddress: fromAddress,
 		Content: Content{
@@ -116,7 +118,7 @@ func newEmail(fromAddress string, toAddress string, subject string, content stri
 	}
 }
 
-func (a *AzureACSEmailProvider) Send(fromAddress string, fromName string, toAddress string, subject string, content string) error {
+func (a *AzureACSEmailProvider) Send(fromAddress string, fromName string, toAddress []string, subject string, content string) error {
 	email := newEmail(fromAddress, toAddress, subject, content)
 
 	postBody, err := json.Marshal(email)

email/custom_http.go

@@ -48,21 +48,26 @@ func NewHttpEmailProvider(endpoint string, method string, httpHeaders map[string
 	return client
 }
 
-func (c *HttpEmailProvider) Send(fromAddress string, fromName string, toAddress string, subject string, content string) error {
+func (c *HttpEmailProvider) Send(fromAddress string, fromName string, toAddress []string, subject string, content string) error {
 	var req *http.Request
 	var err error
 
+	fromAddressField := "fromAddress"
 	fromNameField := "fromName"
 	toAddressField := "toAddress"
+	toAddressesField := "toAddresses"
 	subjectField := "subject"
 	contentField := "content"
-
 	for k, v := range c.bodyMapping {
 		switch k {
+		case "fromAddress":
+			fromAddressField = v
 		case "fromName":
 			fromNameField = v
 		case "toAddress":
 			toAddressField = v
+		case "toAddresses":
+			toAddressesField = v
 		case "subject":
 			subjectField = v
 		case "content":
@@ -72,8 +77,8 @@ func (c *HttpEmailProvider) Send(fromAddress string, fromName string, toAddress
 
 	if c.method == "POST" || c.method == "PUT" || c.method == "DELETE" {
 		bodyMap := make(map[string]string)
+		bodyMap[fromAddressField] = fromAddress
 		bodyMap[fromNameField] = fromName
-		bodyMap[toAddressField] = toAddress
 		bodyMap[subjectField] = subject
 		bodyMap[contentField] = content
 
@@ -89,6 +94,13 @@ func (c *HttpEmailProvider) Send(fromAddress string, fromName string, toAddress
 			for k, v := range bodyMap {
 				formValues.Add(k, v)
 			}
+			if len(toAddress) == 1 {
+				formValues.Add(toAddressField, toAddress[0])
+			} else {
+				for _, addr := range toAddress {
+					formValues.Add(toAddressesField, addr)
+				}
+			}
 			req, err = http.NewRequest(c.method, c.endpoint, strings.NewReader(formValues.Encode()))
 		}
 
@@ -104,8 +116,15 @@ func (c *HttpEmailProvider) Send(fromAddress string, fromName string, toAddress
 		}
 
 		q := req.URL.Query()
+		q.Add(fromAddressField, fromAddress)
 		q.Add(fromNameField, fromName)
-		q.Add(toAddressField, toAddress)
+		if len(toAddress) == 1 {
+			q.Add(toAddressField, toAddress[0])
+		} else {
+			for _, addr := range toAddress {
+				q.Add(toAddressesField, addr)
+			}
+		}
 		q.Add(subjectField, subject)
 		q.Add(contentField, content)
 		req.URL.RawQuery = q.Encode()

email/provider.go

@@ -15,17 +15,20 @@
 package email
 
 type EmailProvider interface {
-	Send(fromAddress string, fromName, toAddress string, subject string, content string) error
+	Send(fromAddress string, fromName string, toAddress []string, subject string, content string) error
 }
 
-func GetEmailProvider(typ string, clientId string, clientSecret string, host string, port int, disableSsl bool, endpoint string, method string, httpHeaders map[string]string, bodyMapping map[string]string, contentType string) EmailProvider {
-	if typ == "Azure ACS" {
+func GetEmailProvider(typ string, clientId string, clientSecret string, host string, port int, sslMode string, endpoint string, method string, httpHeaders map[string]string, bodyMapping map[string]string, contentType string, enableProxy bool) EmailProvider {
+	switch typ {
+	case "Azure ACS":
 		return NewAzureACSEmailProvider(clientSecret, host)
-	} else if typ == "Custom HTTP Email" {
+	case "Custom HTTP Email":
 		return NewHttpEmailProvider(endpoint, method, httpHeaders, bodyMapping, contentType)
-	} else if typ == "SendGrid" {
+	case "SendGrid":
 		return NewSendgridEmailProvider(clientSecret, host, endpoint)
-	} else {
-		return NewSmtpEmailProvider(clientId, clientSecret, host, port, typ, disableSsl)
+	case "Resend":
+		return NewResendEmailProvider(clientSecret)
+	default:
+		return NewSmtpEmailProvider(clientId, clientSecret, host, port, typ, sslMode, enableProxy)
 	}
 }

email/resend.go

@@ -0,0 +1,48 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package email
+
+import (
+	"fmt"
+
+	"github.com/resend/resend-go/v3"
+)
+
+type ResendEmailProvider struct {
+	Client *resend.Client
+}
+
+func NewResendEmailProvider(apiKey string) *ResendEmailProvider {
+	client := resend.NewClient(apiKey)
+	client.UserAgent += " Casdoor"
+	return &ResendEmailProvider{Client: client}
+}
+
+func (s *ResendEmailProvider) Send(fromAddress string, fromName string, toAddresses []string, subject string, content string) error {
+	from := fromAddress
+	if fromName != "" {
+		from = fmt.Sprintf("%s <%s>", fromName, fromAddress)
+	}
+	params := &resend.SendEmailRequest{
+		From:    from,
+		To:      toAddresses,
+		Subject: subject,
+		Html:    content,
+	}
+	if _, err := s.Client.Emails.Send(params); err != nil {
+		return err
+	}
+	return nil
+}

email/sendgrid.go

@@ -41,13 +41,24 @@ func NewSendgridEmailProvider(apiKey string, host string, endpoint string) *Send
 	return &SendgridEmailProvider{ApiKey: apiKey, Host: host, Endpoint: endpoint}
 }
 
-func (s *SendgridEmailProvider) Send(fromAddress string, fromName string, toAddress string, subject string, content string) error {
-	client := s.initSendgridClient()
-
+func (s *SendgridEmailProvider) Send(fromAddress string, fromName string, toAddresses []string, subject string, content string) error {
 	from := mail.NewEmail(fromName, fromAddress)
-	to := mail.NewEmail("", toAddress)
-	message := mail.NewSingleEmail(from, subject, to, "", content)
+	message := mail.NewV3Mail()
+	message.SetFrom(from)
+	message.AddContent(mail.NewContent("text/html", content))
 
+	personalization := mail.NewPersonalization()
+
+	for _, toAddress := range toAddresses {
+		to := mail.NewEmail(toAddress, toAddress)
+		personalization.AddTos(to)
+	}
+
+	personalization.Subject = subject
+
+	message.AddPersonalizations(personalization)
+
+	client := s.initSendgridClient()
 	resp, err := client.Send(message)
 	if err != nil {
 		return err

email/smtp.go

@@ -16,7 +16,6 @@ package email
 
 import (
 	"crypto/tls"
-	"strings"
 
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/gomail/v2"
@@ -26,15 +25,22 @@ type SmtpEmailProvider struct {
 	Dialer *gomail.Dialer
 }
 
-func NewSmtpEmailProvider(userName string, password string, host string, port int, typ string, disableSsl bool) *SmtpEmailProvider {
+func NewSmtpEmailProvider(userName string, password string, host string, port int, typ string, sslMode string, enableProxy bool) *SmtpEmailProvider {
 	dialer := gomail.NewDialer(host, port, userName, password)
 	if typ == "SUBMAIL" {
 		dialer.TLSConfig = &tls.Config{InsecureSkipVerify: true}
 	}
 
-	dialer.SSL = !disableSsl
+	// Handle SSL mode: "Auto" (or empty) means don't override gomail's default behavior
+	// "Enable" means force SSL on, "Disable" means force SSL off
+	if sslMode == "Enable" {
+		dialer.SSL = true
+	} else if sslMode == "Disable" {
+		dialer.SSL = false
+	}
+	// If sslMode is "Auto" or empty, don't set dialer.SSL - let gomail decide based on port
 
-	if strings.HasSuffix(host, ".amazonaws.com") {
+	if enableProxy {
 		socks5Proxy := conf.GetConfigString("socks5Proxy")
 		if socks5Proxy != "" {
 			dialer.SetSocks5Proxy(socks5Proxy)
@@ -44,11 +50,15 @@ func NewSmtpEmailProvider(userName string, password string, host string, port in
 	return &SmtpEmailProvider{Dialer: dialer}
 }
 
-func (s *SmtpEmailProvider) Send(fromAddress string, fromName string, toAddress string, subject string, content string) error {
+func (s *SmtpEmailProvider) Send(fromAddress string, fromName string, toAddresses []string, subject string, content string) error {
 	message := gomail.NewMessage()
 
 	message.SetAddressHeader("From", fromAddress, fromName)
-	message.SetHeader("To", toAddress)
+	var addresses []string
+	for _, address := range toAddresses {
+		addresses = append(addresses, message.FormatAddress(address, ""))
+	}
+	message.SetHeader("To", addresses...)
 	message.SetHeader("Subject", subject)
 	message.SetBody("text/html", content)
 

form/auth.go

@@ -46,6 +46,7 @@ type AuthForm struct {
 	State        string `json:"state"`
 	RedirectUri  string `json:"redirectUri"`
 	Method       string `json:"method"`
+	CodeVerifier string `json:"codeVerifier"`
 
 	EmailCode   string `json:"emailCode"`
 	PhoneCode   string `json:"phoneCode"`

form/verification.go

@@ -47,7 +47,7 @@ func (form *VerificationForm) CheckParameter(checkType int, lang string) string
 			return i18n.Translate(lang, "general:Missing parameter") + ": dest."
 		}
 		if form.CaptchaType == "" {
-			return i18n.Translate(lang, "general:Missing parameter") + ": checkType."
+			return i18n.Translate(lang, "general:Missing parameter") + ": captchaType."
 		}
 		if !strings.Contains(form.ApplicationId, "/") {
 			return i18n.Translate(lang, "verification:Wrong parameter") + ": applicationId."

go.mod

@@ -1,92 +1,119 @@
 module github.com/casdoor/casdoor
 
-go 1.21
+go 1.24.0
+
+toolchain go1.24.13
 
 require (
 	github.com/Masterminds/squirrel v1.5.3
+	github.com/NdoleStudio/lemonsqueezy-go v1.2.4
+	github.com/PaddleHQ/paddle-go-sdk v1.0.0
+	github.com/adyen/adyen-go-api-library/v11 v11.0.0
 	github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387
+	github.com/alibabacloud-go/cloudauth-20190307/v3 v3.9.2
 	github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.4
 	github.com/alibabacloud-go/facebody-20191230/v5 v5.1.2
 	github.com/alibabacloud-go/openapi-util v0.1.0
 	github.com/alibabacloud-go/tea v1.3.2
 	github.com/alibabacloud-go/tea-utils/v2 v2.0.7
+	github.com/aliyun/alibaba-cloud-sdk-go v1.63.107
+	github.com/aliyun/aliyun-oss-go-sdk v2.2.2+incompatible
+	github.com/aliyun/credentials-go v1.3.10
 	github.com/aws/aws-sdk-go v1.45.5
-	github.com/beego/beego v1.12.12
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.95.0
+	github.com/beego/beego/v2 v2.3.8
 	github.com/beevik/etree v1.1.0
 	github.com/casbin/casbin/v2 v2.77.2
+	github.com/casbin/lego/v4 v4.5.4
+	github.com/casdoor/casdoor-go-sdk v0.50.0
 	github.com/casdoor/go-sms-sender v0.25.0
-	github.com/casdoor/gomail/v2 v2.1.0
+	github.com/casdoor/gomail/v2 v2.2.0
 	github.com/casdoor/ldapserver v1.2.0
-	github.com/casdoor/notify v1.0.1
+	github.com/casdoor/notify2 v1.6.0
 	github.com/casdoor/oss v1.8.0
 	github.com/casdoor/xorm-adapter/v3 v3.1.0
 	github.com/casvisor/casvisor-go-sdk v1.4.0
+	github.com/corazawaf/coraza/v3 v3.3.3
 	github.com/dchest/captcha v0.0.0-20200903113550-03f5f0333e1f
-	github.com/denisenkom/go-mssqldb v0.9.0
 	github.com/elimity-com/scim v0.0.0-20230426070224-941a5eac92f3
 	github.com/fogleman/gg v1.3.0
 	github.com/go-asn1-ber/asn1-ber v1.5.5
-	github.com/go-git/go-git/v5 v5.13.0
+	github.com/go-git/go-git/v5 v5.16.3
+	github.com/go-jose/go-jose/v4 v4.1.3
 	github.com/go-ldap/ldap/v3 v3.4.6
 	github.com/go-mysql-org/go-mysql v1.7.0
-	github.com/go-pay/gopay v1.5.72
-	github.com/go-sql-driver/mysql v1.6.0
+	github.com/go-pay/gopay v1.5.115
+	github.com/go-pay/util v0.0.4
+	github.com/go-sql-driver/mysql v1.8.1
 	github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible
 	github.com/go-webauthn/webauthn v0.10.2
 	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/google/uuid v1.6.0
+	github.com/hsluoyz/modsecurity-go v0.0.7
+	github.com/jcmturner/gokrb5/v8 v8.4.4
 	github.com/json-iterator/go v1.1.12
 	github.com/lestrrat-go/jwx v1.2.29
 	github.com/lib/pq v1.10.9
+	github.com/likexian/whois v1.15.1
+	github.com/likexian/whois-parser v1.24.9
 	github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3
-	github.com/markbates/goth v1.79.0
+	github.com/markbates/goth v1.82.0
+	github.com/microsoft/go-mssqldb v1.9.0
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/nyaruka/phonenumbers v1.1.5
+	github.com/nyaruka/phonenumbers v1.2.2
+	github.com/polarsource/polar-go v0.12.0
 	github.com/pquerna/otp v1.4.0
-	github.com/prometheus/client_golang v1.11.1
-	github.com/prometheus/client_model v0.4.0
+	github.com/prometheus/client_golang v1.19.0
+	github.com/prometheus/client_model v0.6.2
 	github.com/qiangmzsx/string-adapter/v2 v2.1.0
+	github.com/resend/resend-go/v3 v3.1.0
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/russellhaering/gosaml2 v0.9.0
 	github.com/russellhaering/goxmldsig v1.2.0
-	github.com/sendgrid/sendgrid-go v3.14.0+incompatible
-	github.com/shirou/gopsutil v3.21.11+incompatible
+	github.com/sendgrid/sendgrid-go v3.16.0+incompatible
+	github.com/shirou/gopsutil/v4 v4.25.9
 	github.com/siddontang/go-log v0.0.0-20190221022429-1e957dd83bed
-	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	github.com/stripe/stripe-go/v74 v74.29.0
 	github.com/tealeg/xlsx v1.0.5
 	github.com/thanhpk/randstr v1.0.4
 	github.com/xorm-io/builder v0.3.13
 	github.com/xorm-io/core v0.7.4
 	github.com/xorm-io/xorm v1.1.6
-	golang.org/x/crypto v0.32.0
-	golang.org/x/net v0.34.0
-	golang.org/x/oauth2 v0.17.0
-	golang.org/x/text v0.21.0
-	google.golang.org/api v0.150.0
-	gopkg.in/square/go-jose.v2 v2.6.0
-	layeh.com/radius v0.0.0-20221205141417-e7fbddd11d68
-	maunium.net/go/mautrix v0.16.0
+	golang.org/x/crypto v0.47.0
+	golang.org/x/net v0.49.0
+	golang.org/x/oauth2 v0.32.0
+	golang.org/x/text v0.33.0
+	golang.org/x/time v0.8.0
+	google.golang.org/api v0.215.0
+	layeh.com/radius v0.0.0-20231213012653-1006025d24f8
+	maunium.net/go/mautrix v0.22.1
 	modernc.org/sqlite v1.18.2
 )
 
 require (
-	cloud.google.com/go v0.110.8 // indirect
-	cloud.google.com/go/compute v1.23.1 // indirect
-	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v1.1.3 // indirect
-	cloud.google.com/go/storage v1.35.1 // indirect
+	cel.dev/expr v0.24.0 // indirect
+	cloud.google.com/go v0.116.0 // indirect
+	cloud.google.com/go/auth v0.13.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.6 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	cloud.google.com/go/iam v1.2.2 // indirect
+	cloud.google.com/go/monitoring v1.21.2 // indirect
+	cloud.google.com/go/storage v1.47.0 // indirect
 	dario.cat/mergo v1.0.0 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Azure/azure-pipeline-go v0.2.3 // indirect
 	github.com/Azure/azure-storage-blob-go v0.15.0 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/BurntSushi/toml v0.3.1 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.49.0 // indirect
 	github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/ProtonMail/go-crypto v1.1.3 // indirect
-	github.com/RocketChat/Rocket.Chat.Go.SDK v0.0.0-20221121042443-a3fd332d56d9 // indirect
-	github.com/SherClockHolmes/webpush-go v1.2.0 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/ProtonMail/go-crypto v1.1.6 // indirect
+	github.com/RocketChat/Rocket.Chat.Go.SDK v0.0.0-20240116134246-a8cbe886bab0 // indirect
+	github.com/SherClockHolmes/webpush-go v1.4.0 // indirect
 	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
 	github.com/alibabacloud-go/darabonba-number v1.0.4 // indirect
 	github.com/alibabacloud-go/debug v1.0.1 // indirect
@@ -97,58 +124,76 @@ require (
 	github.com/alibabacloud-go/tea-oss-utils v1.1.0 // indirect
 	github.com/alibabacloud-go/tea-utils v1.3.6 // indirect
 	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
-	github.com/aliyun/alibaba-cloud-sdk-go v1.62.545 // indirect
-	github.com/aliyun/aliyun-oss-go-sdk v2.2.2+incompatible // indirect
-	github.com/aliyun/credentials-go v1.3.10 // indirect
 	github.com/apistd/uni-go-sdk v0.0.2 // indirect
 	github.com/atc0005/go-teams-notify/v2 v2.13.0 // indirect
+	github.com/aws/smithy-go v1.24.0 // indirect
 	github.com/baidubce/bce-sdk-go v0.9.156 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/blinkbean/dingtalk v0.0.0-20210905093040-7d935c0f7e19 // indirect
-	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
-	github.com/bwmarrin/discordgo v0.27.1 // indirect
-	github.com/casdoor/casdoor-go-sdk v0.50.0 // indirect
-	github.com/casdoor/go-reddit/v2 v2.1.0 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/blinkbean/dingtalk v1.1.3 // indirect
+	github.com/boombuler/barcode v1.0.1 // indirect
+	github.com/bwmarrin/discordgo v0.28.1 // indirect
+	github.com/caarlos0/go-reddit/v3 v3.0.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/clbanning/mxj/v2 v2.7.0 // indirect
-	github.com/cloudflare/circl v1.3.7 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f // indirect
+	github.com/corazawaf/libinjection-go v0.2.2 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
 	github.com/cschomburg/go-pushbullet v0.0.0-20171206132031-67759df45fbb // indirect
-	github.com/cyphar/filepath-securejoin v0.2.5 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
-	github.com/dghubble/oauth1 v0.7.2 // indirect
-	github.com/dghubble/sling v1.4.0 // indirect
+	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
+	github.com/dghubble/oauth1 v0.7.3 // indirect
+	github.com/dghubble/sling v1.4.2 // indirect
+	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/di-wu/parser v0.2.2 // indirect
 	github.com/di-wu/xsd-datetime v1.0.0 // indirect
 	github.com/drswork/go-twitter v0.0.0-20221107160839-dea1b6ed53d7 // indirect
-	github.com/elazarl/go-bindata-assetfs v1.0.1 // indirect
+	github.com/ebitengine/purego v0.9.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.35.0 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
+	github.com/ggicci/httpin v0.19.0 // indirect
+	github.com/ggicci/owl v0.8.2 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.6.0 // indirect
-	github.com/go-lark/lark v1.9.0 // indirect
+	github.com/go-git/go-billy/v5 v5.6.2 // indirect
+	github.com/go-lark/lark v1.15.1 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
+	github.com/go-pay/crypto v0.0.1 // indirect
+	github.com/go-pay/errgroup v0.0.3 // indirect
+	github.com/go-pay/smap v0.0.2 // indirect
+	github.com/go-pay/xlog v0.0.3 // indirect
+	github.com/go-pay/xtime v0.0.2 // indirect
 	github.com/go-webauthn/x v0.1.9 // indirect
-	github.com/goccy/go-json v0.10.2 // indirect
-	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
-	github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
+	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
+	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/mock v1.6.0 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/gomodule/redigo v2.0.0+incompatible // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/go-tpm v0.9.0 // indirect
-	github.com/google/s2a-go v0.1.7 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
-	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
-	github.com/gorilla/websocket v1.5.0 // indirect
-	github.com/gregdel/pushover v1.2.1 // indirect
+	github.com/google/s2a-go v0.1.8 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	github.com/gorilla/websocket v1.5.3 // indirect
+	github.com/gregdel/pushover v1.3.1 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
+	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
+	github.com/jcmturner/gofork v1.7.6 // indirect
+	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
+	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jonboulle/clockwork v0.2.2 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
@@ -156,94 +201,114 @@ require (
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
-	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/likexian/gokit v0.25.13 // indirect
 	github.com/line/line-bot-sdk-go v7.8.0+incompatible // indirect
+	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+	github.com/magefile/mage v1.15.1-0.20241126214340-bdc92f694516 // indirect
 	github.com/markbates/going v1.0.0 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
-	github.com/mattn/go-colorable v0.1.12 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-ieproxy v0.0.1 // indirect
-	github.com/mattn/go-isatty v0.0.16 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/miekg/dns v1.1.57 // indirect
 	github.com/mileusna/viber v1.0.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mrjones/oauth v0.0.0-20180629183705-f4e24b6d100c // indirect
 	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
+	github.com/petar-dambovaliev/aho-corasick v0.0.0-20240411101913-e07a1f0e8eb4 // indirect
 	github.com/pingcap/errors v0.11.5-0.20210425183316-da1aaba5fb63 // indirect
 	github.com/pingcap/log v0.0.0-20210625125904-98ed8e2eb1c7 // indirect
 	github.com/pingcap/tidb/parser v0.0.0-20221126021158-6b02a5d8ba7d // indirect
-	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/common v0.30.0 // indirect
-	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
+	github.com/prometheus/common v0.48.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/qiniu/go-sdk/v7 v7.12.1 // indirect
+	github.com/rainycape/memcache v0.0.0-20150622160815-1031fa0ce2f2 // indirect
+	github.com/redis/go-redis/v9 v9.5.5 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
-	github.com/rs/zerolog v1.30.0 // indirect
+	github.com/rs/zerolog v1.33.0 // indirect
+	github.com/russross/blackfriday/v2 v2.0.1 // indirect
 	github.com/scim2/filter-parser/v2 v2.2.0 // indirect
 	github.com/sendgrid/rest v2.6.9+incompatible // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/shiena/ansicolor v0.0.0-20200904210342-c7312218db18 // indirect
 	github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24 // indirect
+	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 	github.com/siddontang/go v0.0.0-20180604090527-bdc77568d726 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
-	github.com/skeema/knownhosts v1.3.0 // indirect
-	github.com/slack-go/slack v0.12.3 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/skeema/knownhosts v1.3.1 // indirect
+	github.com/slack-go/slack v0.15.0 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
+	github.com/spyzhov/ajson v0.8.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/syndtr/goleveldb v1.0.0 // indirect
 	github.com/technoweenie/multipartstreamer v1.0.1 // indirect
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.744 // indirect
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/sms v1.0.744 // indirect
-	github.com/tidwall/gjson v1.16.0 // indirect
+	github.com/tidwall/gjson v1.18.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tidwall/sjson v1.2.5 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
-	github.com/tklauser/go-sysconf v0.3.10 // indirect
-	github.com/tklauser/numcpus v0.4.0 // indirect
+	github.com/tklauser/go-sysconf v0.3.15 // indirect
+	github.com/tklauser/numcpus v0.10.0 // indirect
 	github.com/twilio/twilio-go v1.13.0 // indirect
 	github.com/ucloud/ucloud-sdk-go v0.22.5 // indirect
+	github.com/urfave/cli v1.22.5 // indirect
 	github.com/utahta/go-linenotify v0.5.0 // indirect
+	github.com/valllabh/ocsf-schema-golang v1.0.3 // indirect
 	github.com/volcengine/volc-sdk-golang v1.0.117 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
-	github.com/yusufpapurcu/wmi v1.2.2 // indirect
-	go.mau.fi/util v0.0.0-20230805171708-199bf3eec776 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.mau.fi/util v0.8.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.40.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 // indirect
+	go.opentelemetry.io/otel v1.40.0 // indirect
+	go.opentelemetry.io/otel/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.40.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel/trace v1.40.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
 	go.uber.org/zap v1.19.1 // indirect
-	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/image v0.0.0-20190802002840-cff245a6509b // indirect
-	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.23.0 // indirect
-	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405 // indirect
-	google.golang.org/grpc v1.59.0 // indirect
-	google.golang.org/protobuf v1.32.0 // indirect
+	golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e // indirect
+	golang.org/x/image v0.18.0 // indirect
+	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.40.0 // indirect
+	golang.org/x/tools v0.40.0 // indirect
+	google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251029180050-ab9386a59fda // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect
+	google.golang.org/grpc v1.78.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	lukechampine.com/uint128 v1.1.1 // indirect
-	maunium.net/go/maulogger/v2 v2.4.1 // indirect
+	lukechampine.com/uint128 v1.2.0 // indirect
 	modernc.org/cc/v3 v3.37.0 // indirect
 	modernc.org/ccgo/v3 v3.16.9 // indirect
 	modernc.org/libc v1.18.0 // indirect
 	modernc.org/mathutil v1.5.0 // indirect
 	modernc.org/memory v1.3.0 // indirect
-	modernc.org/opt v0.1.1 // indirect
+	modernc.org/opt v0.1.3 // indirect
 	modernc.org/strutil v1.1.3 // indirect
 	modernc.org/token v1.0.1 // indirect
+	rsc.io/binaryregexp v0.2.0 // indirect
 )

i18n/deduplicate_test.go

@@ -0,0 +1,140 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package i18n
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"os"
+	"testing"
+)
+
+// DuplicateInfo represents information about a duplicate key
+type DuplicateInfo struct {
+	Key          string
+	OldPrefix    string
+	NewPrefix    string
+	OldPrefixKey string // e.g., "general:Submitter"
+	NewPrefixKey string // e.g., "permission:Submitter"
+}
+
+// findDuplicateKeysInJSON finds duplicate keys across the entire JSON file
+// Returns a list of duplicate information showing old and new prefix:key pairs
+// The order is determined by the order keys appear in the JSON file (git history)
+func findDuplicateKeysInJSON(filePath string) ([]DuplicateInfo, error) {
+	// Read the JSON file
+	fileContent, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read file %s: %w", filePath, err)
+	}
+
+	// Track the first occurrence of each key (prefix where it was first seen)
+	keyFirstPrefix := make(map[string]string)
+	var duplicates []DuplicateInfo
+
+	// To preserve order, we need to parse the JSON with order preservation
+	// We'll use a decoder to read through the top-level object
+	decoder := json.NewDecoder(bytes.NewReader(fileContent))
+
+	// Read the opening brace of the top-level object
+	token, err := decoder.Token()
+	if err != nil {
+		return nil, fmt.Errorf("failed to read token: %w", err)
+	}
+	if delim, ok := token.(json.Delim); !ok || delim != '{' {
+		return nil, fmt.Errorf("expected object start, got %v", token)
+	}
+
+	// Read all namespaces in order
+	for decoder.More() {
+		// Read the namespace (prefix) name
+		token, err := decoder.Token()
+		if err != nil {
+			return nil, fmt.Errorf("failed to read namespace: %w", err)
+		}
+
+		prefix, ok := token.(string)
+		if !ok {
+			return nil, fmt.Errorf("expected string namespace, got %v", token)
+		}
+
+		// Read the namespace object as raw message
+		var namespaceData map[string]string
+		if err := decoder.Decode(&namespaceData); err != nil {
+			return nil, fmt.Errorf("failed to decode namespace %s: %w", prefix, err)
+		}
+
+		// Now check each key in this namespace
+		for key := range namespaceData {
+			// Check if this key was already seen in a different prefix
+			if firstPrefix, exists := keyFirstPrefix[key]; exists {
+				// This is a duplicate - the key exists in another prefix
+				duplicates = append(duplicates, DuplicateInfo{
+					Key:          key,
+					OldPrefix:    firstPrefix,
+					NewPrefix:    prefix,
+					OldPrefixKey: fmt.Sprintf("%s:%s", firstPrefix, key),
+					NewPrefixKey: fmt.Sprintf("%s:%s", prefix, key),
+				})
+			} else {
+				// First time seeing this key, record the prefix
+				keyFirstPrefix[key] = prefix
+			}
+		}
+	}
+
+	return duplicates, nil
+}
+
+// TestDeduplicateFrontendI18n checks for duplicate i18n keys in the frontend en.json file
+func TestDeduplicateFrontendI18n(t *testing.T) {
+	filePath := "../web/src/locales/en/data.json"
+
+	// Find duplicate keys
+	duplicates, err := findDuplicateKeysInJSON(filePath)
+	if err != nil {
+		t.Fatalf("Failed to check for duplicates in frontend i18n file: %v", err)
+	}
+
+	// Print all duplicates and fail the test if any are found
+	if len(duplicates) > 0 {
+		t.Errorf("Found duplicate i18n keys in frontend file (%s):", filePath)
+		for _, dup := range duplicates {
+			t.Errorf("  i18next.t(\"%s\") duplicates with i18next.t(\"%s\")", dup.NewPrefixKey, dup.OldPrefixKey)
+		}
+		t.Fail()
+	}
+}
+
+// TestDeduplicateBackendI18n checks for duplicate i18n keys in the backend en.json file
+func TestDeduplicateBackendI18n(t *testing.T) {
+	filePath := "../i18n/locales/en/data.json"
+
+	// Find duplicate keys
+	duplicates, err := findDuplicateKeysInJSON(filePath)
+	if err != nil {
+		t.Fatalf("Failed to check for duplicates in backend i18n file: %v", err)
+	}
+
+	// Print all duplicates and fail the test if any are found
+	if len(duplicates) > 0 {
+		t.Errorf("Found duplicate i18n keys in backend file (%s):", filePath)
+		for _, dup := range duplicates {
+			t.Errorf("  i18n.Translate(\"%s\") duplicates with i18n.Translate(\"%s\")", dup.NewPrefixKey, dup.OldPrefixKey)
+		}
+		t.Fail()
+	}
+}

i18n/generate.go

@@ -19,6 +19,7 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"strconv"
 	"strings"
 
 	"github.com/casdoor/casdoor/util"
@@ -47,7 +48,11 @@ func getAllI18nStringsFrontend(fileContent string) []string {
 	}
 
 	for _, match := range matches {
-		res = append(res, match[1])
+		target, err := strconv.Unquote("\"" + match[1] + "\"")
+		if err != nil {
+			target = match[1]
+		}
+		res = append(res, target)
 	}
 	return res
 }
@@ -61,7 +66,12 @@ func getAllI18nStringsBackend(fileContent string, isObjectPackage bool) []string
 		}
 		for _, match := range matches {
 			match := strings.SplitN(match[1], ",", 2)
-			res = append(res, match[1][2:])
+			target, err := strconv.Unquote("\"" + match[1][2:] + "\"")
+			if err != nil {
+				target = match[1][2:]
+			}
+
+			res = append(res, target)
 		}
 	} else {
 		matches := reI18nBackendController.FindAllStringSubmatch(fileContent, -1)
@@ -69,7 +79,11 @@ func getAllI18nStringsBackend(fileContent string, isObjectPackage bool) []string
 			return res
 		}
 		for _, match := range matches {
-			res = append(res, match[1][1:])
+			target, err := strconv.Unquote("\"" + match[1][1:] + "\"")
+			if err != nil {
+				target = match[1][1:]
+			}
+			res = append(res, target)
 		}
 	}
 
@@ -141,10 +155,26 @@ func parseAllWords(category string) *I18nData {
 	return &data
 }
 
+// copyI18nData creates a deep copy of an I18nData structure to prevent shared reference issues
+// between language translations. This ensures each language starts with fresh English defaults
+// rather than inheriting values from previously processed languages.
+func copyI18nData(src *I18nData) *I18nData {
+	dst := I18nData{}
+	for namespace, pairs := range *src {
+		dst[namespace] = make(map[string]string)
+		for key, value := range pairs {
+			dst[namespace][key] = value
+		}
+	}
+	return &dst
+}
+
 func applyToOtherLanguage(category string, language string, newData *I18nData) {
 	oldData := readI18nFile(category, language)
 	println(oldData)
 
-	applyData(newData, oldData)
-	writeI18nFile(category, language, newData)
+	// Create a copy of newData to avoid modifying the shared data across languages
+	dataCopy := copyI18nData(newData)
+	applyData(dataCopy, oldData)
+	writeI18nFile(category, language, dataCopy)
 }

i18n/generate_test.go

@@ -13,7 +13,6 @@
 // limitations under the License.
 
 //go:build !skipCi
-// +build !skipCi
 
 package i18n
 
@@ -23,58 +22,30 @@ func TestGenerateI18nFrontend(t *testing.T) {
 	data := parseAllWords("frontend")
 
 	applyToOtherLanguage("frontend", "en", data)
-	applyToOtherLanguage("frontend", "zh", data)
 	applyToOtherLanguage("frontend", "es", data)
 	applyToOtherLanguage("frontend", "fr", data)
 	applyToOtherLanguage("frontend", "de", data)
-	applyToOtherLanguage("frontend", "id", data)
 	applyToOtherLanguage("frontend", "ja", data)
-	applyToOtherLanguage("frontend", "ko", data)
-	applyToOtherLanguage("frontend", "ru", data)
+	applyToOtherLanguage("frontend", "zh", data)
 	applyToOtherLanguage("frontend", "vi", data)
 	applyToOtherLanguage("frontend", "pt", data)
-	applyToOtherLanguage("frontend", "it", data)
-	applyToOtherLanguage("frontend", "ms", data)
 	applyToOtherLanguage("frontend", "tr", data)
-	applyToOtherLanguage("frontend", "ar", data)
-	applyToOtherLanguage("frontend", "he", data)
-	applyToOtherLanguage("frontend", "nl", data)
 	applyToOtherLanguage("frontend", "pl", data)
-	applyToOtherLanguage("frontend", "fi", data)
-	applyToOtherLanguage("frontend", "sv", data)
 	applyToOtherLanguage("frontend", "uk", data)
-	applyToOtherLanguage("frontend", "kk", data)
-	applyToOtherLanguage("frontend", "fa", data)
-	applyToOtherLanguage("frontend", "cs", data)
-	applyToOtherLanguage("frontend", "sk", data)
 }
 
 func TestGenerateI18nBackend(t *testing.T) {
 	data := parseAllWords("backend")
 
 	applyToOtherLanguage("backend", "en", data)
-	applyToOtherLanguage("backend", "zh", data)
 	applyToOtherLanguage("backend", "es", data)
 	applyToOtherLanguage("backend", "fr", data)
 	applyToOtherLanguage("backend", "de", data)
-	applyToOtherLanguage("backend", "id", data)
 	applyToOtherLanguage("backend", "ja", data)
-	applyToOtherLanguage("backend", "ko", data)
-	applyToOtherLanguage("backend", "ru", data)
+	applyToOtherLanguage("backend", "zh", data)
 	applyToOtherLanguage("backend", "vi", data)
 	applyToOtherLanguage("backend", "pt", data)
-	applyToOtherLanguage("backend", "it", data)
-	applyToOtherLanguage("backend", "ms", data)
 	applyToOtherLanguage("backend", "tr", data)
-	applyToOtherLanguage("backend", "ar", data)
-	applyToOtherLanguage("backend", "he", data)
-	applyToOtherLanguage("backend", "nl", data)
 	applyToOtherLanguage("backend", "pl", data)
-	applyToOtherLanguage("backend", "fi", data)
-	applyToOtherLanguage("backend", "sv", data)
 	applyToOtherLanguage("backend", "uk", data)
-	applyToOtherLanguage("backend", "kk", data)
-	applyToOtherLanguage("backend", "fa", data)
-	applyToOtherLanguage("backend", "cs", data)
-	applyToOtherLanguage("backend", "sk", data)
 }

i18n/locales/ar/data.json

@@ -1,193 +0,0 @@
-{
-  "account": {
-    "Failed to add user": "فشل إضافة المستخدم",
-    "Get init score failed, error: %w": "فشل الحصول على النتيجة الأولية، الخطأ: %w",
-    "Please sign out first": "يرجى تسجيل الخروج أولاً",
-    "The application does not allow to sign up new account": "التطبيق لا يسمح بالتسجيل بحساب جديد"
-  },
-  "auth": {
-    "Challenge method should be S256": "يجب أن تكون طريقة التحدي S256",
-    "DeviceCode Invalid": "رمز الجهاز غير صالح",
-    "Failed to create user, user information is invalid: %s": "فشل إنشاء المستخدم، معلومات المستخدم غير صالحة: %s",
-    "Failed to login in: %s": "فشل تسجيل الدخول: %s",
-    "Invalid token": "الرمز غير صالح",
-    "State expected: %s, but got: %s": "كان من المتوقع الحالة: %s، لكن حصلنا على: %s",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "الحساب الخاص بالمزود: %s واسم المستخدم: %s (%s) غير موجود ولا يُسمح بالتسجيل كحساب جديد عبر %%s، يرجى استخدام طريقة أخرى للتسجيل",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "الحساب الخاص بالمزود: %s واسم المستخدم: %s (%s) غير موجود ولا يُسمح بالتسجيل كحساب جديد، يرجى الاتصال بدعم تكنولوجيا المعلومات",
-    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "الحساب الخاص بالمزود: %s واسم المستخدم: %s (%s) مرتبط بالفعل بحساب آخر: %s (%s)",
-    "The application: %s does not exist": "التطبيق: %s غير موجود",
-    "The application: %s has disabled users to signin": "The application: %s has disabled users to signin",
-    "The login method: login with LDAP is not enabled for the application": "طريقة تسجيل الدخول: تسجيل الدخول باستخدام LDAP غير مفعّلة لهذا التطبيق",
-    "The login method: login with SMS is not enabled for the application": "طريقة تسجيل الدخول: تسجيل الدخول باستخدام الرسائل النصية غير مفعّلة لهذا التطبيق",
-    "The login method: login with email is not enabled for the application": "طريقة تسجيل الدخول: تسجيل الدخول باستخدام البريد الإلكتروني غير مفعّلة لهذا التطبيق",
-    "The login method: login with face is not enabled for the application": "طريقة تسجيل الدخول: تسجيل الدخول باستخدام الوجه غير مفعّلة لهذا التطبيق",
-    "The login method: login with password is not enabled for the application": "طريقة تسجيل الدخول: تسجيل الدخول باستخدام كلمة المرور غير مفعّلة لهذا التطبيق",
-    "The organization: %s does not exist": "المنظمة: %s غير موجودة",
-    "The organization: %s has disabled users to signin": "The organization: %s has disabled users to signin",
-    "The provider: %s does not exist": "المزود: %s غير موجود",
-    "The provider: %s is not enabled for the application": "المزود: %s غير مفعّل لهذا التطبيق",
-    "Unauthorized operation": "عملية غير مصرح بها",
-    "Unknown authentication type (not password or provider), form = %s": "نوع مصادقة غير معروف (ليس كلمة مرور أو مزود)، النموذج = %s",
-    "User's tag: %s is not listed in the application's tags": "وسم المستخدم: %s غير مدرج في وسوم التطبيق",
-    "UserCode Expired": "رمز المستخدم منتهي الصلاحية",
-    "UserCode Invalid": "رمز المستخدم غير صالح",
-    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "المستخدم المدفوع %s ليس لديه اشتراك نشط أو معلق والتطبيق: %s ليس لديه تسعير افتراضي",
-    "the application for user %s is not found": "لم يتم العثور على التطبيق الخاص بالمستخدم %s",
-    "the organization: %s is not found": "لم يتم العثور على المنظمة: %s"
-  },
-  "cas": {
-    "Service %s and %s do not match": "الخدمة %s و %s غير متطابقتين"
-  },
-  "check": {
-    "%s does not meet the CIDR format requirements: %s": "%s لا تلبي متطلبات تنسيق CIDR: %s",
-    "Affiliation cannot be blank": "الانتماء لا يمكن أن يكون فارغاً",
-    "CIDR for IP: %s should not be empty": "CIDR لعنوان IP: %s لا يجب أن يكون فارغاً",
-    "Default code does not match the code's matching rules": "الرمز الافتراضي لا يتطابق مع قواعد المطابقة",
-    "DisplayName cannot be blank": "اسم العرض لا يمكن أن يكون فارغاً",
-    "DisplayName is not valid real name": "اسم العرض ليس اسمًا حقيقيًا صالحًا",
-    "Email already exists": "البريد الإلكتروني موجود بالفعل",
-    "Email cannot be empty": "البريد الإلكتروني لا يمكن أن يكون فارغاً",
-    "Email is invalid": "البريد الإلكتروني غير صالح",
-    "Empty username.": "اسم المستخدم فارغ.",
-    "Face data does not exist, cannot log in": "بيانات الوجه غير موجودة، لا يمكن تسجيل الدخول",
-    "Face data mismatch": "عدم تطابق بيانات الوجه",
-    "Failed to parse client IP: %s": "فشل تحليل IP العميل: %s",
-    "FirstName cannot be blank": "الاسم الأول لا يمكن أن يكون فارغاً",
-    "Invitation code cannot be blank": "رمز الدعوة لا يمكن أن يكون فارغاً",
-    "Invitation code exhausted": "رمز الدعوة استُنفِد",
-    "Invitation code is invalid": "رمز الدعوة غير صالح",
-    "Invitation code suspended": "رمز الدعوة موقوف",
-    "LDAP user name or password incorrect": "اسم مستخدم LDAP أو كلمة المرور غير صحيحة",
-    "LastName cannot be blank": "الاسم الأخير لا يمكن أن يكون فارغاً",
-    "Multiple accounts with same uid, please check your ldap server": "حسابات متعددة بنفس uid، يرجى التحقق من خادم ldap الخاص بك",
-    "Organization does not exist": "المنظمة غير موجودة",
-    "Password cannot be empty": "كلمة المرور لا يمكن أن تكون فارغة",
-    "Phone already exists": "الهاتف موجود بالفعل",
-    "Phone cannot be empty": "الهاتف لا يمكن أن يكون فارغاً",
-    "Phone number is invalid": "رقم الهاتف غير صالح",
-    "Please register using the email corresponding to the invitation code": "يرجى التسجيل باستخدام البريد الإلكتروني المطابق لرمز الدعوة",
-    "Please register using the phone  corresponding to the invitation code": "يرجى التسجيل باستخدام الهاتف المطابق لرمز الدعوة",
-    "Please register using the username corresponding to the invitation code": "يرجى التسجيل باستخدام اسم المستخدم المطابق لرمز الدعوة",
-    "Session outdated, please login again": "الجلسة منتهية الصلاحية، يرجى تسجيل الدخول مرة أخرى",
-    "The invitation code has already been used": "رمز الدعوة تم استخدامه بالفعل",
-    "The user is forbidden to sign in, please contact the administrator": "المستخدم ممنوع من تسجيل الدخول، يرجى الاتصال بالمسؤول",
-    "The user: %s doesn't exist in LDAP server": "المستخدم: %s غير موجود في خادم LDAP",
-    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "اسم المستخدم يمكن أن يحتوي فقط على أحرف وأرقام، شرطات سفلية أو علوية، لا يمكن أن تحتوي على شرطات متتالية، ولا يمكن أن يبدأ أو ينتهي بشرطة.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "Hesap alanı \\\"%s\\\" için \\\"%s\\\" değeri, hesap öğesi regex'iyle eşleşmiyor",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "Kayıt alanı \\\"%s\\\" için \\\"%s\\\" değeri, \\\"%s\\\" uygulamasının kayıt öğesi regex'iyle eşleşmiyor",
-    "Username already exists": "اسم المستخدم موجود بالفعل",
-    "Username cannot be an email address": "اسم المستخدم لا يمكن أن يكون عنوان بريد إلكتروني",
-    "Username cannot contain white spaces": "اسم المستخدم لا يمكن أن يحتوي على مسافات",
-    "Username cannot start with a digit": "اسم المستخدم لا يمكن أن يبدأ برقم",
-    "Username is too long (maximum is 255 characters).": "اسم المستخدم طويل جداً (الحد الأقصى 255 حرفاً).",
-    "Username must have at least 2 characters": "اسم المستخدم يجب أن يحتوي على حرفين على الأقل",
-    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "اسم المستخدم يدعم تنسيق البريد الإلكتروني. كما أن اسم المستخدم يمكن أن يحتوي فقط على أحرف وأرقام، شرطات سفلية أو علوية، لا يمكن أن تحتوي على شرطات متتالية، ولا يمكن أن يبدأ أو ينتهي بشرطة. انتبه أيضًا لتنسيق البريد الإلكتروني.",
-    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "لقد قمت بإدخال كلمة المرور أو الرمز الخطأ عدة مرات، يرجى الانتظار %d دقائق ثم المحاولة مرة أخرى",
-    "Your IP address: %s has been banned according to the configuration of: ": "عنوان IP الخاص بك: %s تم حظره وفقًا لتكوين: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Şifrenizin süresi doldu. Lütfen \\\"Şifremi unuttum\\\"a tıklayarak şifrenizi sıfırlayın",
-    "Your region is not allow to signup by phone": "منطقتك لا تسمح بالتسجيل عبر الهاتف",
-    "password or code is incorrect": "كلمة المرور أو الرمز غير صحيح",
-    "password or code is incorrect, you have %s remaining chances": "كلمة المرور أو الرمز غير صحيح، لديك %s فرصة متبقية",
-    "unsupported password type: %s": "نوع كلمة المرور غير مدعوم: %s"
-  },
-  "enforcer": {
-    "the adapter: %s is not found": "المحول: %s غير موجود"
-  },
-  "general": {
-    "Failed to import groups": "فشل استيراد المجموعات",
-    "Failed to import users": "فشل استيراد المستخدمين",
-    "Missing parameter": "المعلمة مفقودة",
-    "Only admin user can specify user": "فقط المسؤول يمكنه تحديد المستخدم",
-    "Please login first": "يرجى تسجيل الدخول أولاً",
-    "The organization: %s should have one application at least": "المنظمة: %s يجب أن تحتوي على تطبيق واحد على الأقل",
-    "The user: %s doesn't exist": "المستخدم: %s غير موجود",
-    "Wrong userId": "معرف المستخدم غير صحيح",
-    "don't support captchaProvider: ": "لا يدعم captchaProvider: ",
-    "this operation is not allowed in demo mode": "هذه العملية غير مسموح بها في وضع العرض التوضيحي",
-    "this operation requires administrator to perform": "هذه العملية تتطلب مسؤولاً لتنفيذها"
-  },
-  "ldap": {
-    "Ldap server exist": "خادم LDAP موجود"
-  },
-  "link": {
-    "Please link first": "يرجى الربط أولاً",
-    "This application has no providers": "هذا التطبيق لا يحتوي على مزودين",
-    "This application has no providers of type": "هذا التطبيق لا يحتوي على مزودين من النوع",
-    "This provider can't be unlinked": "لا يمكن فصل هذا المزود",
-    "You are not the global admin, you can't unlink other users": "أنت لست المسؤول العام، لا يمكنك فصل مستخدمين آخرين",
-    "You can't unlink yourself, you are not a member of any application": "لا يمكنك فصل نفسك، أنت لست عضواً في أي تطبيق"
-  },
-  "organization": {
-    "Only admin can modify the %s.": "فقط المسؤول يمكنه تعديل %s.",
-    "The %s is immutable.": "%s غير قابل للتعديل.",
-    "Unknown modify rule %s.": "قاعدة تعديل غير معروفة %s.",
-    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "إضافة مستخدم جديد إلى المنظمة \"المدمجة\" غير متوفر حاليًا. يرجى ملاحظة: جميع المستخدمين في المنظمة \"المدمجة\" هم مسؤولون عالميون في Casdoor. يرجى الرجوع إلى الوثائق: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. إذا كنت لا تزال ترغب في إنشاء مستخدم للمنظمة \"المدمجة\"، اไป إلى صفحة إعدادات المنظمة وقم بتمكين خيار \"لديه موافقة صلاحية\"."
-  },
-  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "İzin: \\\"%s\\\" mevcut değil"
-  },
-  "provider": {
-    "Invalid application id": "معرف التطبيق غير صالح",
-    "the provider: %s does not exist": "المزود: %s غير موجود"
-  },
-  "resource": {
-    "User is nil for tag: avatar": "المستخدم nil للوسم: avatar",
-    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "اسم المستخدم أو fullFilePath فارغ: username = %s، fullFilePath = %s"
-  },
-  "saml": {
-    "Application %s not found": "التطبيق %s غير موجود"
-  },
-  "saml_sp": {
-    "provider %s's category is not SAML": "فئة المزود %s ليست SAML"
-  },
-  "service": {
-    "Empty parameters for emailForm: %v": "معلمات فارغة لـ emailForm: %v",
-    "Invalid Email receivers: %s": "مستقبلو البريد الإلكتروني غير صالحين: %s",
-    "Invalid phone receivers: %s": "مستقلو الهاتف غير صالحين: %s"
-  },
-  "storage": {
-    "The objectKey: %s is not allowed": "مفتاح الكائن: %s غير مسموح به",
-    "The provider type: %s is not supported": "نوع المزود: %s غير مدعوم"
-  },
-  "subscription": {
-    "Error": "خطأ"
-  },
-  "token": {
-    "Grant_type: %s is not supported in this application": "Grant_type: %s غير مدعوم في هذا التطبيق",
-    "Invalid application or wrong clientSecret": "تطبيق غير صالح أو clientSecret خاطئ",
-    "Invalid client_id": "client_id غير صالح",
-    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s غير موجود في قائمة Redirect URI المسموح بها",
-    "Token not found, invalid accessToken": "الرمز غير موجود، accessToken غير صالح"
-  },
-  "user": {
-    "Display name cannot be empty": "اسم العرض لا يمكن أن يكون فارغاً",
-    "MFA email is enabled but email is empty": "تم تمكين MFA للبريد الإلكتروني لكن البريد الإلكتروني فارغ",
-    "MFA phone is enabled but phone number is empty": "تم تمكين MFA للهاتف لكن رقم الهاتف فارغ",
-    "New password cannot contain blank space.": "كلمة المرور الجديدة لا يمكن أن تحتوي على مسافات.",
-    "the user's owner and name should not be empty": "مالك المستخدم واسمه لا يجب أن يكونا فارغين"
-  },
-  "util": {
-    "No application is found for userId: %s": "لم يتم العثور على تطبيق لـ userId: %s",
-    "No provider for category: %s is found for application: %s": "لم يتم العثور على مزود للفئة: %s للتطبيق: %s",
-    "The provider: %s is not found": "المزود: %s غير موجود"
-  },
-  "verification": {
-    "Invalid captcha provider.": "مزود captcha غير صالح.",
-    "Phone number is invalid in your region %s": "رقم الهاتف غير صالح في منطقتك %s",
-    "The verification code has already been used!": "رمز التحقق تم استخدامه بالفعل!",
-    "The verification code has not been sent yet!": "رمز التحقق لم يُرسل بعد!",
-    "Turing test failed.": "فشل اختبار تورينغ.",
-    "Unable to get the email modify rule.": "غير قادر على الحصول على قاعدة تعديل البريد الإلكتروني.",
-    "Unable to get the phone modify rule.": "غير قادر على الحصول على قاعدة تعديل الهاتف.",
-    "Unknown type": "نوع غير معروف",
-    "Wrong verification code!": "رمز التحقق خاطئ!",
-    "You should verify your code in %d min!": "يجب عليك التحقق من الرمز خلال %d دقيقة!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "lütfen uygulama için \\\"Sağlayıcılar\\\" listesine bir SMS sağlayıcı ekleyin: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "lütfen uygulama için \\\"Sağlayıcılar\\\" listesine bir E-posta sağlayıcı ekleyin: %s",
-    "the user does not exist, please sign up first": "المستخدم غير موجود، يرجى التسجيل أولاً"
-  },
-  "webauthn": {
-    "Found no credentials for this user": "Found no credentials for this user",
-    "Please call WebAuthnSigninBegin first": "يرجى استدعاء WebAuthnSigninBegin أولاً"
-  }
-}

i18n/locales/cs/data.json

@@ -1,193 +0,0 @@
-{
-  "account": {
-    "Failed to add user": "Nepodařilo se přidat uživatele",
-    "Get init score failed, error: %w": "Nepodařilo se získat počáteční skóre, chyba: %w",
-    "Please sign out first": "Nejprve se prosím odhlaste",
-    "The application does not allow to sign up new account": "Aplikace neumožňuje registraci nového účtu"
-  },
-  "auth": {
-    "Challenge method should be S256": "Metoda výzvy by měla být S256",
-    "DeviceCode Invalid": "DeviceCode je neplatný",
-    "Failed to create user, user information is invalid: %s": "Nepodařilo se vytvořit uživatele, informace o uživateli jsou neplatné: %s",
-    "Failed to login in: %s": "Nepodařilo se přihlásit: %s",
-    "Invalid token": "Neplatný token",
-    "State expected: %s, but got: %s": "Očekávaný stav: %s, ale získán: %s",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "Účet pro poskytovatele: %s a uživatelské jméno: %s (%s) neexistuje a není povoleno se registrovat jako nový účet přes %%s, prosím použijte jiný způsob registrace",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "Účet pro poskytovatele: %s a uživatelské jméno: %s (%s) neexistuje a není povoleno se registrovat jako nový účet, prosím kontaktujte svou IT podporu",
-    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "Účet pro poskytovatele: %s a uživatelské jméno: %s (%s) je již propojen s jiným účtem: %s (%s)",
-    "The application: %s does not exist": "Aplikace: %s neexistuje",
-    "The application: %s has disabled users to signin": "The application: %s has disabled users to signin",
-    "The login method: login with LDAP is not enabled for the application": "Přihlašovací metoda: přihlášení pomocí LDAP není pro aplikaci povolena",
-    "The login method: login with SMS is not enabled for the application": "Přihlašovací metoda: přihlášení pomocí SMS není pro aplikaci povolena",
-    "The login method: login with email is not enabled for the application": "Přihlašovací metoda: přihlášení pomocí e-mailu není pro aplikaci povolena",
-    "The login method: login with face is not enabled for the application": "Přihlašovací metoda: přihlášení pomocí obličeje není pro aplikaci povolena",
-    "The login method: login with password is not enabled for the application": "Metoda přihlášení: přihlášení pomocí hesla není pro aplikaci povolena",
-    "The organization: %s does not exist": "Organizace: %s neexistuje",
-    "The organization: %s has disabled users to signin": "The organization: %s has disabled users to signin",
-    "The provider: %s does not exist": "Poskytovatel: %s neexistuje",
-    "The provider: %s is not enabled for the application": "Poskytovatel: %s není pro aplikaci povolen",
-    "Unauthorized operation": "Neoprávněná operace",
-    "Unknown authentication type (not password or provider), form = %s": "Neznámý typ autentizace (není heslo nebo poskytovatel), formulář = %s",
-    "User's tag: %s is not listed in the application's tags": "Uživatelův tag: %s není uveden v tagech aplikace",
-    "UserCode Expired": "UserCode vypršel",
-    "UserCode Invalid": "UserCode je neplatný",
-    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "Placený uživatel %s nemá aktivní ani čekající předplatné a aplikace: %s nemá výchozí ceny",
-    "the application for user %s is not found": "Aplikace pro uživatele %s nebyla nalezena",
-    "the organization: %s is not found": "Organizace: %s nebyla nalezena"
-  },
-  "cas": {
-    "Service %s and %s do not match": "Služba %s a %s se neshodují"
-  },
-  "check": {
-    "%s does not meet the CIDR format requirements: %s": "%s nesplňuje požadavky formátu CIDR: %s",
-    "Affiliation cannot be blank": "Příslušnost nemůže být prázdná",
-    "CIDR for IP: %s should not be empty": "CIDR pro IP: %s by neměl být prázdný",
-    "Default code does not match the code's matching rules": "Výchozí kód neodpovídá pravidlům shody kódu",
-    "DisplayName cannot be blank": "Zobrazované jméno nemůže být prázdné",
-    "DisplayName is not valid real name": "Zobrazované jméno není platné skutečné jméno",
-    "Email already exists": "Email již existuje",
-    "Email cannot be empty": "Email nemůže být prázdný",
-    "Email is invalid": "Email je neplatný",
-    "Empty username.": "Prázdné uživatelské jméno.",
-    "Face data does not exist, cannot log in": "Data obličeje neexistují, nelze se přihlásit",
-    "Face data mismatch": "Neshoda dat obličeje",
-    "Failed to parse client IP: %s": "Nepodařilo se parsovat IP klienta: %s",
-    "FirstName cannot be blank": "Křestní jméno nemůže být prázdné",
-    "Invitation code cannot be blank": "Pozvánkový kód nemůže být prázdný",
-    "Invitation code exhausted": "Pozvánkový kód je vyčerpán",
-    "Invitation code is invalid": "Pozvánkový kód je neplatný",
-    "Invitation code suspended": "Pozvánkový kód je pozastaven",
-    "LDAP user name or password incorrect": "Uživatelské jméno nebo heslo LDAP je nesprávné",
-    "LastName cannot be blank": "Příjmení nemůže být prázdné",
-    "Multiple accounts with same uid, please check your ldap server": "Více účtů se stejným uid, prosím zkontrolujte svůj ldap server",
-    "Organization does not exist": "Organizace neexistuje",
-    "Password cannot be empty": "Heslo nemůže být prázdné",
-    "Phone already exists": "Telefon již existuje",
-    "Phone cannot be empty": "Telefon nemůže být prázdný",
-    "Phone number is invalid": "Telefonní číslo je neplatné",
-    "Please register using the email corresponding to the invitation code": "Prosím registrujte se pomocí e-mailu odpovídajícího pozvánkovému kódu",
-    "Please register using the phone  corresponding to the invitation code": "Prosím registrujte se pomocí telefonu odpovídajícího pozvánkovému kódu",
-    "Please register using the username corresponding to the invitation code": "Prosím registrujte se pomocí uživatelského jména odpovídajícího pozvánkovému kódu",
-    "Session outdated, please login again": "Relace je zastaralá, prosím přihlaste se znovu",
-    "The invitation code has already been used": "Pozvánkový kód již byl použit",
-    "The user is forbidden to sign in, please contact the administrator": "Uživatel má zakázáno se přihlásit, prosím kontaktujte administrátora",
-    "The user: %s doesn't exist in LDAP server": "Uživatel: %s neexistuje na LDAP serveru",
-    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Uživatelské jméno může obsahovat pouze alfanumerické znaky, podtržítka nebo pomlčky, nemůže mít po sobě jdoucí pomlčky nebo podtržítka a nemůže začínat nebo končit pomlčkou nebo podtržítkem.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "Hodnota \\\"%s\\\" pro pole účtu \\\"%s\\\" neodpovídá regexu položky účtu",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "Hodnota \\\"%s\\\" pro pole registrace \\\"%s\\\" neodpovídá regexu položky registrace aplikace \\\"%s\\\"",
-    "Username already exists": "Uživatelské jméno již existuje",
-    "Username cannot be an email address": "Uživatelské jméno nemůže být emailová adresa",
-    "Username cannot contain white spaces": "Uživatelské jméno nemůže obsahovat mezery",
-    "Username cannot start with a digit": "Uživatelské jméno nemůže začínat číslicí",
-    "Username is too long (maximum is 255 characters).": "Uživatelské jméno je příliš dlouhé (maximálně 255 znaků).",
-    "Username must have at least 2 characters": "Uživatelské jméno musí mít alespoň 2 znaky",
-    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "Uživatelské jméno podporuje formát e-mailu. Také uživatelské jméno může obsahovat pouze alfanumerické znaky, podtržítka nebo pomlčky, nemůže mít souvislé pomlčky nebo podtržítka a nemůže začínat nebo končit pomlčkou nebo podtržítkem. Také dbejte na formát e-mailu.",
-    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Zadali jste špatné heslo nebo kód příliš mnohokrát, prosím počkejte %d minut a zkuste to znovu",
-    "Your IP address: %s has been banned according to the configuration of: ": "Vaše IP adresa: %s byla zablokována podle konfigurace: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Vaše heslo vypršelo. Prosím resetujte si heslo kliknutím na \\\"Zapomněl jsem heslo\\\"",
-    "Your region is not allow to signup by phone": "Vaše oblast neumožňuje registraci pomocí telefonu",
-    "password or code is incorrect": "heslo nebo kód je nesprávný",
-    "password or code is incorrect, you have %s remaining chances": "heslo nebo kód je nesprávné, máte %s zbývajících pokusů",
-    "unsupported password type: %s": "nepodporovaný typ hesla: %s"
-  },
-  "enforcer": {
-    "the adapter: %s is not found": "adaptér: %s nebyl nalezen"
-  },
-  "general": {
-    "Failed to import groups": "Nepodařilo se importovat skupiny",
-    "Failed to import users": "Nepodařilo se importovat uživatele",
-    "Missing parameter": "Chybějící parametr",
-    "Only admin user can specify user": "Pouze administrátor může určit uživatele",
-    "Please login first": "Prosím, přihlaste se nejprve",
-    "The organization: %s should have one application at least": "Organizace: %s by měla mít alespoň jednu aplikaci",
-    "The user: %s doesn't exist": "Uživatel: %s neexistuje",
-    "Wrong userId": "Nesprávné uživatelské ID",
-    "don't support captchaProvider: ": "nepodporuje captchaProvider: ",
-    "this operation is not allowed in demo mode": "tato operace není povolena v demo režimu",
-    "this operation requires administrator to perform": "tato operace vyžaduje administrátora k provedení"
-  },
-  "ldap": {
-    "Ldap server exist": "Ldap server existuje"
-  },
-  "link": {
-    "Please link first": "Prosím, nejprve propojte",
-    "This application has no providers": "Tato aplikace nemá žádné poskytovatele",
-    "This application has no providers of type": "Tato aplikace nemá žádné poskytovatele typu",
-    "This provider can't be unlinked": "Tento poskytovatel nemůže být odpojen",
-    "You are not the global admin, you can't unlink other users": "Nejste globální administrátor, nemůžete odpojovat jiné uživatele",
-    "You can't unlink yourself, you are not a member of any application": "Nemůžete odpojit sami sebe, nejste členem žádné aplikace"
-  },
-  "organization": {
-    "Only admin can modify the %s.": "Pouze administrátor může upravit %s.",
-    "The %s is immutable.": "%s je neměnný.",
-    "Unknown modify rule %s.": "Neznámé pravidlo úpravy %s.",
-    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "Přidání nového uživatele do 'vestavěné' organizace je momentálně zakázáno. Poznámka: všichni uživatelé v 'vestavěné' organizaci jsou globálními správci v Casdooru. Viz docs: https://casdoor.org/docs/basic/core-concepts#how  -dělá-casdoor-spravovat-sám. Pokud stále chcete vytvořit uživatele pro 'vestavěnou' organizaci, přejděte na stránku nastavení organizace a aktivujte možnost 'Má souhlas s oprávněními'."
-  },
-  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "Oprávnění: \\\"%s\\\" neexistuje"
-  },
-  "provider": {
-    "Invalid application id": "Neplatné ID aplikace",
-    "the provider: %s does not exist": "poskytovatel: %s neexistuje"
-  },
-  "resource": {
-    "User is nil for tag: avatar": "Uživatel je nil pro tag: avatar",
-    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Uživatelské jméno nebo úplná cesta k souboru je prázdná: uživatelské jméno = %s, úplná cesta k souboru = %s"
-  },
-  "saml": {
-    "Application %s not found": "Aplikace %s nebyla nalezena"
-  },
-  "saml_sp": {
-    "provider %s's category is not SAML": "poskytovatel %s není kategorie SAML"
-  },
-  "service": {
-    "Empty parameters for emailForm: %v": "Prázdné parametry pro emailForm: %v",
-    "Invalid Email receivers: %s": "Neplatní příjemci emailu: %s",
-    "Invalid phone receivers: %s": "Neplatní příjemci telefonu: %s"
-  },
-  "storage": {
-    "The objectKey: %s is not allowed": "objectKey: %s není povolen",
-    "The provider type: %s is not supported": "typ poskytovatele: %s není podporován"
-  },
-  "subscription": {
-    "Error": "Chyba"
-  },
-  "token": {
-    "Grant_type: %s is not supported in this application": "Grant_type: %s není v této aplikaci podporován",
-    "Invalid application or wrong clientSecret": "Neplatná aplikace nebo špatný clientSecret",
-    "Invalid client_id": "Neplatné client_id",
-    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Přesměrovací URI: %s neexistuje v seznamu povolených přesměrovacích URI",
-    "Token not found, invalid accessToken": "Token nenalezen, neplatný accessToken"
-  },
-  "user": {
-    "Display name cannot be empty": "Zobrazované jméno nemůže být prázdné",
-    "MFA email is enabled but email is empty": "MFA e-mail je povolen, ale e-mail je prázdný",
-    "MFA phone is enabled but phone number is empty": "MFA telefon je povolen, ale telefonní číslo je prázdné",
-    "New password cannot contain blank space.": "Nové heslo nemůže obsahovat prázdné místo.",
-    "the user's owner and name should not be empty": "vlastník a jméno uživatele by neměly být prázdné"
-  },
-  "util": {
-    "No application is found for userId: %s": "Pro userId: %s nebyla nalezena žádná aplikace",
-    "No provider for category: %s is found for application: %s": "Pro kategorii: %s nebyl nalezen žádný poskytovatel pro aplikaci: %s",
-    "The provider: %s is not found": "Poskytovatel: %s nebyl nalezen"
-  },
-  "verification": {
-    "Invalid captcha provider.": "Neplatný poskytovatel captcha.",
-    "Phone number is invalid in your region %s": "Telefonní číslo je ve vaší oblasti %s neplatné",
-    "The verification code has already been used!": "Ověřovací kód již byl použit!",
-    "The verification code has not been sent yet!": "Ověřovací kód ještě nebyl odeslán!",
-    "Turing test failed.": "Turingův test selhal.",
-    "Unable to get the email modify rule.": "Nelze získat pravidlo pro úpravu emailu.",
-    "Unable to get the phone modify rule.": "Nelze získat pravidlo pro úpravu telefonu.",
-    "Unknown type": "Neznámý typ",
-    "Wrong verification code!": "Špatný ověřovací kód!",
-    "You should verify your code in %d min!": "Měli byste ověřit svůj kód do %d minut!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "prosím přidejte SMS poskytovatele do seznamu \\\"Providers\\\" pro aplikaci: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "prosím přidejte e-mailového poskytovatele do seznamu \\\"Providers\\\" pro aplikaci: %s",
-    "the user does not exist, please sign up first": "uživatel neexistuje, prosím nejprve se zaregistrujte"
-  },
-  "webauthn": {
-    "Found no credentials for this user": "Found no credentials for this user",
-    "Please call WebAuthnSigninBegin first": "Prosím, nejprve zavolejte WebAuthnSigninBegin"
-  }
-}

i18n/locales/de/data.json

@@ -2,7 +2,6 @@
   "account": {
     "Failed to add user": "Konnte den Benutzer nicht hinzufügen",
     "Get init score failed, error: %w": "Init-Score konnte nicht abgerufen werden, Fehler: %w",
-    "Please sign out first": "Bitte melden Sie sich zuerst ab",
     "The application does not allow to sign up new account": "Die Anwendung erlaubt es nicht, sich für ein neues Konto anzumelden"
   },
   "auth": {
@@ -12,18 +11,23 @@
     "Failed to login in: %s": "Konnte nicht anmelden: %s",
     "Invalid token": "Ungültiges Token",
     "State expected: %s, but got: %s": "Erwarteter Zustand: %s, aber erhalten: %s",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "Das Konto für den Anbieter: %s und Benutzernamen: %s (%s) existiert nicht und darf nicht über %%s als neues Konto erstellt werden. Bitte nutzen Sie einen anderen Weg, um sich anzumelden",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %s, please use another way to sign up": "Das Konto für den Anbieter: %s und Benutzernamen: %s (%s) existiert nicht und darf nicht über %s als neues Konto erstellt werden. Bitte nutzen Sie einen anderen Weg, um sich anzumelden",
     "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "Das Konto für den Anbieter %s und Benutzernamen %s (%s) existiert nicht und es ist nicht erlaubt, ein neues Konto anzumelden. Bitte wenden Sie sich an Ihren IT-Support",
     "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "Das Konto für den Anbieter %s und Benutzernamen %s (%s) ist bereits mit einem anderen Konto verknüpft: %s (%s)",
     "The application: %s does not exist": "Die Anwendung: %s existiert nicht",
-    "The application: %s has disabled users to signin": "The application: %s has disabled users to signin",
+    "The application: %s has disabled users to signin": "Die Anwendung: %s hat die Anmeldung von Benutzern deaktiviert",
+    "The group: %s does not exist": "Die Gruppe: %s existiert nicht",
     "The login method: login with LDAP is not enabled for the application": "Die Anmeldemethode: Anmeldung mit LDAP ist für die Anwendung nicht aktiviert",
     "The login method: login with SMS is not enabled for the application": "Die Anmeldemethode: Anmeldung per SMS ist für die Anwendung nicht aktiviert",
     "The login method: login with email is not enabled for the application": "Die Anmeldemethode: Anmeldung per E-Mail ist für die Anwendung nicht aktiviert",
     "The login method: login with face is not enabled for the application": "Die Anmeldemethode: Anmeldung per Gesicht ist für die Anwendung nicht aktiviert",
     "The login method: login with password is not enabled for the application": "Die Anmeldeart \"Anmeldung mit Passwort\" ist für die Anwendung nicht aktiviert",
+    "The order: %s does not exist": "Die Bestellung: %s existiert nicht",
     "The organization: %s does not exist": "Die Organisation: %s existiert nicht",
-    "The organization: %s has disabled users to signin": "The organization: %s has disabled users to signin",
+    "The organization: %s has disabled users to signin": "Die Organisation: %s hat die Anmeldung von Benutzern deaktiviert",
+    "The plan: %s does not exist": "Der Plan: %s existiert nicht",
+    "The pricing: %s does not exist": "Die Preisgestaltung: %s existiert nicht",
+    "The pricing: %s does not have plan: %s": "Die Preisgestaltung: %s hat keinen Plan: %s",
     "The provider: %s does not exist": "Der Anbieter: %s existiert nicht",
     "The provider: %s is not enabled for the application": "Der Anbieter: %s ist nicht für die Anwendung aktiviert",
     "Unauthorized operation": "Nicht autorisierte Operation",
@@ -44,7 +48,7 @@
     "CIDR for IP: %s should not be empty": "CIDR für IP: %s darf nicht leer sein",
     "Default code does not match the code's matching rules": "Standardcode entspricht nicht den Übereinstimmungsregeln des Codes",
     "DisplayName cannot be blank": "Anzeigename kann nicht leer sein",
-    "DisplayName is not valid real name": "DisplayName ist kein gültiger Vorname",
+    "DisplayName is not valid real name": "Der Anzeigename ist kein gültiger echter Name",
     "Email already exists": "E-Mail existiert bereits",
     "Email cannot be empty": "E-Mail darf nicht leer sein",
     "Email is invalid": "E-Mail ist ungültig",
@@ -53,11 +57,11 @@
     "Face data mismatch": "Gesichtsdaten stimmen nicht überein",
     "Failed to parse client IP: %s": "Fehler beim Parsen der Client-IP: %s",
     "FirstName cannot be blank": "Vorname darf nicht leer sein",
+    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "Gastbenutzer müssen ihr Konto aktualisieren, indem sie einen Benutzernamen und ein Passwort festlegen, bevor sie sich direkt anmelden können",
     "Invitation code cannot be blank": "Einladungscode darf nicht leer sein",
     "Invitation code exhausted": "Einladungscode aufgebraucht",
     "Invitation code is invalid": "Einladungscode ist ungültig",
     "Invitation code suspended": "Einladungscode ausgesetzt",
-    "LDAP user name or password incorrect": "Ldap Benutzername oder Passwort falsch",
     "LastName cannot be blank": "Nachname darf nicht leer sein",
     "Multiple accounts with same uid, please check your ldap server": "Mehrere Konten mit derselben uid, bitte überprüfen Sie Ihren LDAP-Server",
     "Organization does not exist": "Organisation existiert nicht",
@@ -70,11 +74,17 @@
     "Please register using the username corresponding to the invitation code": "Bitte registrieren Sie sich mit dem Benutzernamen, der zum Einladungscode gehört",
     "Session outdated, please login again": "Sitzung abgelaufen, bitte erneut anmelden",
     "The invitation code has already been used": "Der Einladungscode wurde bereits verwendet",
+    "The password must contain at least one special character": "Das Passwort muss mindestens ein Sonderzeichen enthalten",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Das Passwort muss mindestens einen Großbuchstaben, einen Kleinbuchstaben und eine Ziffer enthalten",
+    "The password must have at least 6 characters": "Das Passwort muss mindestens 6 Zeichen haben",
+    "The password must have at least 8 characters": "Das Passwort muss mindestens 8 Zeichen haben",
+    "The password must not contain any repeated characters": "Das Passwort darf keine wiederholten Zeichen enthalten",
+    "The user has been deleted and cannot be used to sign in, please contact the administrator": "Der Benutzer wurde gelöscht und kann nicht zur Anmeldung verwendet werden. Bitte wenden Sie sich an den Administrator",
     "The user is forbidden to sign in, please contact the administrator": "Dem Benutzer ist der Zugang verboten, bitte kontaktieren Sie den Administrator",
     "The user: %s doesn't exist in LDAP server": "Der Benutzer: %s existiert nicht im LDAP-Server",
     "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Der Benutzername darf nur alphanumerische Zeichen, Unterstriche oder Bindestriche enthalten, keine aufeinanderfolgenden Bindestriche oder Unterstriche haben und darf nicht mit einem Bindestrich oder Unterstrich beginnen oder enden.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "Der Wert \\\"%s\\\" für das Kontenfeld \\\"%s\\\" stimmt nicht mit dem Kontenelement-Regex überein",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "Der Wert \\\"%s\\\" für das Registrierungsfeld \\\"%s\\\" stimmt nicht mit dem Registrierungselement-Regex der Anwendung \\\"%s\\\" überein",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "Der Wert \"%s\" für das Kontenfeld \"%s\" stimmt nicht mit dem Kontenelement-Regex überein",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "Der Wert \"%s\" für das Registrierungsfeld \"%s\" stimmt nicht mit dem Registrierungselement-Regex der Anwendung \"%s\" überein",
     "Username already exists": "Benutzername existiert bereits",
     "Username cannot be an email address": "Benutzername kann keine E-Mail-Adresse sein",
     "Username cannot contain white spaces": "Benutzername darf keine Leerzeichen enthalten",
@@ -84,7 +94,7 @@
     "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "Benutzername unterstützt E-Mail-Format. Der Benutzername darf nur alphanumerische Zeichen, Unterstriche oder Bindestriche enthalten, keine aufeinanderfolgenden Bindestriche oder Unterstriche haben und darf nicht mit einem Bindestrich oder Unterstrich beginnen oder enden. Achten Sie auch auf das E-Mail-Format.",
     "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Sie haben zu oft das falsche Passwort oder den falschen Code eingegeben. Bitte warten Sie %d Minuten und versuchen Sie es erneut",
     "Your IP address: %s has been banned according to the configuration of: ": "Ihre IP-Adresse: %s wurde laut Konfiguration gesperrt von: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Ihr Passwort ist abgelaufen. Bitte setzen Sie Ihr Passwort zurück, indem Sie auf \\\"Passwort vergessen\\\" klicken",
+    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "Ihr Passwort ist abgelaufen. Bitte setzen Sie Ihr Passwort zurück, indem Sie auf \"Passwort vergessen\" klicken",
     "Your region is not allow to signup by phone": "Ihre Region ist nicht berechtigt, sich telefonisch anzumelden",
     "password or code is incorrect": "Passwort oder Code ist falsch",
     "password or code is incorrect, you have %s remaining chances": "Das Passwort oder der Code ist falsch. Du hast noch %s Versuche übrig",
@@ -96,16 +106,25 @@
   "general": {
     "Failed to import groups": "Gruppen importieren fehlgeschlagen",
     "Failed to import users": "Fehler beim Importieren von Benutzern",
+    "Insufficient balance: new balance %v would be below credit limit %v": "Unzureichendes Guthaben: neues Guthaben %v wäre unter dem Kreditlimit %v",
+    "Insufficient balance: new organization balance %v would be below credit limit %v": "Unzureichendes Guthaben: neues Organisationsguthaben %v wäre unter dem Kreditlimit %v",
     "Missing parameter": "Fehlender Parameter",
     "Only admin user can specify user": "Nur Administrator kann Benutzer angeben",
     "Please login first": "Bitte zuerst einloggen",
+    "The LDAP: %s does not exist": "Das LDAP: %s existiert nicht",
     "The organization: %s should have one application at least": "Die Organisation: %s sollte mindestens eine Anwendung haben",
+    "The syncer: %s does not exist": "Der Synchronizer: %s existiert nicht",
     "The user: %s doesn't exist": "Der Benutzer %s existiert nicht",
+    "The user: %s is not found": "Der Benutzer: %s wurde nicht gefunden",
+    "User is required for User category transaction": "Benutzer ist für Benutzer-Kategorie-Transaktionen erforderlich",
     "Wrong userId": "Falsche Benutzer-ID",
     "don't support captchaProvider: ": "Unterstütze captchaProvider nicht:",
     "this operation is not allowed in demo mode": "Dieser Vorgang ist im Demo-Modus nicht erlaubt",
     "this operation requires administrator to perform": "Dieser Vorgang erfordert einen Administrator zur Ausführung"
   },
+  "invitation": {
+    "Invitation %s does not exist": "Einladung %s existiert nicht"
+  },
   "ldap": {
     "Ldap server exist": "Es gibt einen LDAP-Server"
   },
@@ -124,10 +143,16 @@
     "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "Das Hinzufügen eines neuen Benutzers zur 'eingebauten' Organisation ist derzeit deaktiviert. Bitte beachten Sie: Alle Benutzer in der 'eingebauten' Organisation sind globale Administratoren in Casdoor. Siehe die Docs: https://casdoor.org/docs/basic/core-concepts#how  -does-casdoor-manage-sich selbst. Wenn Sie immer noch einen Benutzer für die 'eingebaute' Organisation erstellen möchten, gehen Sie auf die Einstellungsseite der Organisation und aktivieren Sie die Option 'Habt Berechtigungszustimmung'."
   },
   "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "Die Berechtigung: \\\"%s\\\" existiert nicht"
+    "The permission: \"%s\" doesn't exist": "Die Berechtigung: \"%s\" existiert nicht"
+  },
+  "product": {
+    "Product list cannot be empty": "Produktliste darf nicht leer sein"
   },
   "provider": {
+    "Failed to initialize ID Verification provider": "ID-Verifizierungsanbieter konnte nicht initialisiert werden",
     "Invalid application id": "Ungültige Anwendungs-ID",
+    "No ID Verification provider configured": "Kein ID-Verifizierungsanbieter konfiguriert",
+    "Provider is not an ID Verification provider": "Anbieter ist kein ID-Verifizierungsanbieter",
     "the provider: %s does not exist": "Der Anbieter %s existiert nicht"
   },
   "resource": {
@@ -145,6 +170,9 @@
     "Invalid Email receivers: %s": "Ungültige E-Mail-Empfänger: %s",
     "Invalid phone receivers: %s": "Ungültige Telefonempfänger: %s"
   },
+  "session": {
+    "session id %s is the current session and cannot be deleted": "Sitzungs-ID %s ist die aktuelle Sitzung und kann nicht gelöscht werden"
+  },
   "storage": {
     "The objectKey: %s is not allowed": "Der Objektschlüssel %s ist nicht erlaubt",
     "The provider type: %s is not supported": "Der Anbieter-Typ %s wird nicht unterstützt"
@@ -152,6 +180,9 @@
   "subscription": {
     "Error": "Fehler"
   },
+  "ticket": {
+    "Ticket not found": "Ticket nicht gefunden"
+  },
   "token": {
     "Grant_type: %s is not supported in this application": "Grant_type: %s wird von dieser Anwendung nicht unterstützt",
     "Invalid application or wrong clientSecret": "Ungültige Anwendung oder falsches clientSecret",
@@ -161,9 +192,14 @@
   },
   "user": {
     "Display name cannot be empty": "Anzeigename darf nicht leer sein",
+    "ID card information and real name are required": "Personalausweisinformationen und vollständiger Name sind erforderlich",
+    "Identity verification failed": "Identitätsprüfung fehlgeschlagen",
     "MFA email is enabled but email is empty": "MFA-E-Mail ist aktiviert, aber E-Mail ist leer",
     "MFA phone is enabled but phone number is empty": "MFA-Telefon ist aktiviert, aber Telefonnummer ist leer",
     "New password cannot contain blank space.": "Das neue Passwort darf keine Leerzeichen enthalten.",
+    "No application found for user": "Keine Anwendung für Benutzer gefunden",
+    "The new password must be different from your current password": "Das neue Passwort muss sich von Ihrem aktuellen Passwort unterscheiden",
+    "User is already verified": "Benutzer ist bereits verifiziert",
     "the user's owner and name should not be empty": "Eigentümer und Name des Benutzers dürfen nicht leer sein"
   },
   "util": {
@@ -174,6 +210,7 @@
   "verification": {
     "Invalid captcha provider.": "Ungültiger Captcha-Anbieter.",
     "Phone number is invalid in your region %s": "Die Telefonnummer ist in Ihrer Region %s ungültig",
+    "The forgot password feature is disabled": "Die Funktion \"Passwort vergessen\" ist deaktiviert",
     "The verification code has already been used!": "Der Verifizierungscode wurde bereits verwendet!",
     "The verification code has not been sent yet!": "Der Verifizierungscode wurde noch nicht gesendet!",
     "Turing test failed.": "Turing-Test fehlgeschlagen.",
@@ -182,12 +219,12 @@
     "Unknown type": "Unbekannter Typ",
     "Wrong verification code!": "Falscher Bestätigungscode!",
     "You should verify your code in %d min!": "Du solltest deinen Code in %d Minuten verifizieren!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "Bitte fügen Sie einen SMS-Anbieter zur \\\"Providers\\\"-Liste für die Anwendung hinzu: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "Bitte fügen Sie einen E-Mail-Anbieter zur \\\"Providers\\\"-Liste für die Anwendung hinzu: %s",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "Bitte fügen Sie einen SMS-Anbieter zur \"Providers\"-Liste für die Anwendung hinzu: %s",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "Bitte fügen Sie einen E-Mail-Anbieter zur \"Providers\"-Liste für die Anwendung hinzu: %s",
     "the user does not exist, please sign up first": "Der Benutzer existiert nicht, bitte zuerst anmelden"
   },
   "webauthn": {
-    "Found no credentials for this user": "Found no credentials for this user",
+    "Found no credentials for this user": "Für diesen Benutzer wurden keine Anmeldeinformationen gefunden",
     "Please call WebAuthnSigninBegin first": "Bitte rufen Sie zuerst WebAuthnSigninBegin auf"
   }
 }

i18n/locales/en/data.json

@@ -2,7 +2,6 @@
   "account": {
     "Failed to add user": "Failed to add user",
     "Get init score failed, error: %w": "Get init score failed, error: %w",
-    "Please sign out first": "Please sign out first",
     "The application does not allow to sign up new account": "The application does not allow to sign up new account"
   },
   "auth": {
@@ -12,18 +11,23 @@
     "Failed to login in: %s": "Failed to login in: %s",
     "Invalid token": "Invalid token",
     "State expected: %s, but got: %s": "State expected: %s, but got: %s",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %s, please use another way to sign up",
     "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
     "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
     "The application: %s does not exist": "The application: %s does not exist",
     "The application: %s has disabled users to signin": "The application: %s has disabled users to signin",
+    "The group: %s does not exist": "The group: %s does not exist",
     "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
     "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
     "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
     "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
     "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The order: %s does not exist": "The order: %s does not exist",
     "The organization: %s does not exist": "The organization: %s does not exist",
     "The organization: %s has disabled users to signin": "The organization: %s has disabled users to signin",
+    "The plan: %s does not exist": "The plan: %s does not exist",
+    "The pricing: %s does not exist": "The pricing: %s does not exist",
+    "The pricing: %s does not have plan: %s": "The pricing: %s does not have plan: %s",
     "The provider: %s does not exist": "The provider: %s does not exist",
     "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
     "Unauthorized operation": "Unauthorized operation",
@@ -53,11 +57,11 @@
     "Face data mismatch": "Face data mismatch",
     "Failed to parse client IP: %s": "Failed to parse client IP: %s",
     "FirstName cannot be blank": "FirstName cannot be blank",
+    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "Guest users must upgrade their account by setting a username and password before they can sign in directly",
     "Invitation code cannot be blank": "Invitation code cannot be blank",
     "Invitation code exhausted": "Invitation code exhausted",
     "Invitation code is invalid": "Invitation code is invalid",
     "Invitation code suspended": "Invitation code suspended",
-    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
     "LastName cannot be blank": "LastName cannot be blank",
     "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
     "Organization does not exist": "Organization does not exist",
@@ -70,11 +74,17 @@
     "Please register using the username corresponding to the invitation code": "Please register using the username corresponding to the invitation code",
     "Session outdated, please login again": "Session outdated, please login again",
     "The invitation code has already been used": "The invitation code has already been used",
+    "The password must contain at least one special character": "The password must contain at least one special character",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "The password must contain at least one uppercase letter, one lowercase letter and one digit",
+    "The password must have at least 6 characters": "The password must have at least 6 characters",
+    "The password must have at least 8 characters": "The password must have at least 8 characters",
+    "The password must not contain any repeated characters": "The password must not contain any repeated characters",
+    "The user has been deleted and cannot be used to sign in, please contact the administrator": "The user has been deleted and cannot be used to sign in, please contact the administrator",
     "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
     "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
     "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "The value \"%s\" for account field \"%s\" doesn't match the account item regex",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"",
     "Username already exists": "Username already exists",
     "Username cannot be an email address": "Username cannot be an email address",
     "Username cannot contain white spaces": "Username cannot contain white spaces",
@@ -84,7 +94,7 @@
     "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.",
     "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
     "Your IP address: %s has been banned according to the configuration of: ": "Your IP address: %s has been banned according to the configuration of: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"",
+    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "Your password has expired. Please reset your password by clicking \"Forgot password\"",
     "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
     "password or code is incorrect": "password or code is incorrect",
     "password or code is incorrect, you have %s remaining chances": "password or code is incorrect, you have %s remaining chances",
@@ -96,16 +106,25 @@
   "general": {
     "Failed to import groups": "Failed to import groups",
     "Failed to import users": "Failed to import users",
+    "Insufficient balance: new balance %v would be below credit limit %v": "Insufficient balance: new balance %v would be below credit limit %v",
+    "Insufficient balance: new organization balance %v would be below credit limit %v": "Insufficient balance: new organization balance %v would be below credit limit %v",
     "Missing parameter": "Missing parameter",
     "Only admin user can specify user": "Only admin user can specify user",
     "Please login first": "Please login first",
+    "The LDAP: %s does not exist": "The LDAP: %s does not exist",
     "The organization: %s should have one application at least": "The organization: %s should have one application at least",
+    "The syncer: %s does not exist": "The syncer: %s does not exist",
     "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "The user: %s is not found": "The user: %s is not found",
+    "User is required for User category transaction": "User is required for User category transaction",
     "Wrong userId": "Wrong userId",
     "don't support captchaProvider: ": "don't support captchaProvider: ",
     "this operation is not allowed in demo mode": "this operation is not allowed in demo mode",
     "this operation requires administrator to perform": "this operation requires administrator to perform"
   },
+  "invitation": {
+    "Invitation %s does not exist": "Invitation %s does not exist"
+  },
   "ldap": {
     "Ldap server exist": "Ldap server exist"
   },
@@ -124,10 +143,16 @@
     "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option."
   },
   "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+    "The permission: \"%s\" doesn't exist": "The permission: \"%s\" doesn't exist"
+  },
+  "product": {
+    "Product list cannot be empty": "Product list cannot be empty"
   },
   "provider": {
+    "Failed to initialize ID Verification provider": "Failed to initialize ID Verification provider",
     "Invalid application id": "Invalid application id",
+    "No ID Verification provider configured": "No ID Verification provider configured",
+    "Provider is not an ID Verification provider": "Provider is not an ID Verification provider",
     "the provider: %s does not exist": "the provider: %s does not exist"
   },
   "resource": {
@@ -145,6 +170,9 @@
     "Invalid Email receivers: %s": "Invalid Email receivers: %s",
     "Invalid phone receivers: %s": "Invalid phone receivers: %s"
   },
+  "session": {
+    "session id %s is the current session and cannot be deleted": "session id %s is the current session and cannot be deleted"
+  },
   "storage": {
     "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
     "The provider type: %s is not supported": "The provider type: %s is not supported"
@@ -152,6 +180,9 @@
   "subscription": {
     "Error": "Error"
   },
+  "ticket": {
+    "Ticket not found": "Ticket not found"
+  },
   "token": {
     "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
     "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
@@ -161,9 +192,14 @@
   },
   "user": {
     "Display name cannot be empty": "Display name cannot be empty",
+    "ID card information and real name are required": "ID card information and real name are required",
+    "Identity verification failed": "Identity verification failed",
     "MFA email is enabled but email is empty": "MFA email is enabled but email is empty",
     "MFA phone is enabled but phone number is empty": "MFA phone is enabled but phone number is empty",
     "New password cannot contain blank space.": "New password cannot contain blank space.",
+    "No application found for user": "No application found for user",
+    "The new password must be different from your current password": "The new password must be different from your current password",
+    "User is already verified": "User is already verified",
     "the user's owner and name should not be empty": "the user's owner and name should not be empty"
   },
   "util": {
@@ -174,6 +210,7 @@
   "verification": {
     "Invalid captcha provider.": "Invalid captcha provider.",
     "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "The forgot password feature is disabled": "The forgot password feature is disabled",
     "The verification code has already been used!": "The verification code has already been used!",
     "The verification code has not been sent yet!": "The verification code has not been sent yet!",
     "Turing test failed.": "Turing test failed.",
@@ -182,8 +219,8 @@
     "Unknown type": "Unknown type",
     "Wrong verification code!": "Wrong verification code!",
     "You should verify your code in %d min!": "You should verify your code in %d min!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "please add a SMS provider to the \"Providers\" list for the application: %s",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "please add an Email provider to the \"Providers\" list for the application: %s",
     "the user does not exist, please sign up first": "the user does not exist, please sign up first"
   },
   "webauthn": {

i18n/locales/es/data.json

@@ -2,7 +2,6 @@
   "account": {
     "Failed to add user": "No se pudo agregar el usuario",
     "Get init score failed, error: %w": "Error al obtener el puntaje de inicio, error: %w",
-    "Please sign out first": "Por favor, cierra sesión primero",
     "The application does not allow to sign up new account": "La aplicación no permite registrarse con una cuenta nueva"
   },
   "auth": {
@@ -12,18 +11,23 @@
     "Failed to login in: %s": "No se ha podido iniciar sesión en: %s",
     "Invalid token": "Token inválido",
     "State expected: %s, but got: %s": "Estado esperado: %s, pero se obtuvo: %s",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "La cuenta para el proveedor: %s y nombre de usuario: %s (%s) no existe y no está permitido registrarse como una cuenta nueva a través de %%s, por favor use otro método para registrarse",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %s, please use another way to sign up": "La cuenta para el proveedor: %s y nombre de usuario: %s (%s) no existe y no está permitido registrarse como una cuenta nueva a través de %s, por favor use otro método para registrarse",
     "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "La cuenta para el proveedor: %s y el nombre de usuario: %s (%s) no existe y no se permite registrarse como una nueva cuenta, por favor contacte a su soporte de TI",
     "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "La cuenta para proveedor: %s y nombre de usuario: %s (%s) ya está vinculada a otra cuenta: %s (%s)",
     "The application: %s does not exist": "La aplicación: %s no existe",
-    "The application: %s has disabled users to signin": "The application: %s has disabled users to signin",
+    "The application: %s has disabled users to signin": "La aplicación: %s ha desactivado el inicio de sesión de usuarios",
+    "The group: %s does not exist": "El grupo: %s no existe",
     "The login method: login with LDAP is not enabled for the application": "El método de inicio de sesión: inicio de sesión con LDAP no está habilitado para la aplicación",
     "The login method: login with SMS is not enabled for the application": "El método de inicio de sesión: inicio de sesión con SMS no está habilitado para la aplicación",
     "The login method: login with email is not enabled for the application": "El método de inicio de sesión: inicio de sesión con correo electrónico no está habilitado para la aplicación",
     "The login method: login with face is not enabled for the application": "El método de inicio de sesión: inicio de sesión con reconocimiento facial no está habilitado para la aplicación",
     "The login method: login with password is not enabled for the application": "El método de inicio de sesión: inicio de sesión con contraseña no está habilitado para la aplicación",
+    "The order: %s does not exist": "El pedido: %s no existe",
     "The organization: %s does not exist": "La organización: %s no existe",
-    "The organization: %s has disabled users to signin": "The organization: %s has disabled users to signin",
+    "The organization: %s has disabled users to signin": "La organización: %s ha desactivado el inicio de sesión de usuarios",
+    "The plan: %s does not exist": "El plan: %s no existe",
+    "The pricing: %s does not exist": "El precio: %s no existe",
+    "The pricing: %s does not have plan: %s": "El precio: %s no tiene el plan: %s",
     "The provider: %s does not exist": "El proveedor: %s no existe",
     "The provider: %s is not enabled for the application": "El proveedor: %s no está habilitado para la aplicación",
     "Unauthorized operation": "Operación no autorizada",
@@ -31,7 +35,7 @@
     "User's tag: %s is not listed in the application's tags": "La etiqueta del usuario: %s no está incluida en las etiquetas de la aplicación",
     "UserCode Expired": "Código de usuario expirado",
     "UserCode Invalid": "Código de usuario inválido",
-    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "El usuario de pago %s no tiene una suscripción activa o pendiente y la aplicación: %s no tiene precio predeterminado",
+    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "El usuario de pago %s no tiene una suscripción activa o pendiente y la aplicación %s no tiene precios predeterminados",
     "the application for user %s is not found": "no se encontró la aplicación para el usuario %s",
     "the organization: %s is not found": "no se encontró la organización: %s"
   },
@@ -40,9 +44,9 @@
   },
   "check": {
     "%s does not meet the CIDR format requirements: %s": "%s no cumple con los requisitos del formato CIDR: %s",
-    "Affiliation cannot be blank": "Afiliación no puede estar en blanco",
+    "Affiliation cannot be blank": "La afiliación no puede estar vacía",
     "CIDR for IP: %s should not be empty": "El CIDR para la IP: %s no debe estar vacío",
-    "Default code does not match the code's matching rules": "El código predeterminado no coincide con las reglas de coincidencia de códigos",
+    "Default code does not match the code's matching rules": "El código predeterminado no cumple con las reglas de validación del código",
     "DisplayName cannot be blank": "El nombre de visualización no puede estar en blanco",
     "DisplayName is not valid real name": "El nombre de pantalla no es un nombre real válido",
     "Email already exists": "El correo electrónico ya existe",
@@ -53,11 +57,11 @@
     "Face data mismatch": "Los datos faciales no coinciden",
     "Failed to parse client IP: %s": "Error al analizar la IP del cliente: %s",
     "FirstName cannot be blank": "El nombre no puede estar en blanco",
+    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "Los usuarios invitados deben actualizar su cuenta configurando un nombre de usuario y una contraseña antes de poder iniciar sesión directamente",
     "Invitation code cannot be blank": "El código de invitación no puede estar vacío",
     "Invitation code exhausted": "Código de invitación agotado",
     "Invitation code is invalid": "Código de invitación inválido",
     "Invitation code suspended": "Código de invitación suspendido",
-    "LDAP user name or password incorrect": "Nombre de usuario o contraseña de Ldap incorrectos",
     "LastName cannot be blank": "El apellido no puede estar en blanco",
     "Multiple accounts with same uid, please check your ldap server": "Cuentas múltiples con el mismo uid, por favor revise su servidor ldap",
     "Organization does not exist": "La organización no existe",
@@ -70,11 +74,17 @@
     "Please register using the username corresponding to the invitation code": "Regístrese usando el nombre de usuario correspondiente al código de invitación",
     "Session outdated, please login again": "Sesión expirada, por favor vuelva a iniciar sesión",
     "The invitation code has already been used": "El código de invitación ya ha sido utilizado",
+    "The password must contain at least one special character": "La contraseña debe contener al menos un carácter especial",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "La contraseña debe contener al menos una letra mayúscula, una letra minúscula y un dígito",
+    "The password must have at least 6 characters": "La contraseña debe tener al menos 6 caracteres",
+    "The password must have at least 8 characters": "La contraseña debe tener al menos 8 caracteres",
+    "The password must not contain any repeated characters": "La contraseña no debe contener caracteres repetidos",
+    "The user has been deleted and cannot be used to sign in, please contact the administrator": "El usuario ha sido eliminado y no se puede usar para iniciar sesión, póngase en contacto con el administrador",
     "The user is forbidden to sign in, please contact the administrator": "El usuario no está autorizado a iniciar sesión, por favor contacte al administrador",
     "The user: %s doesn't exist in LDAP server": "El usuario: %s no existe en el servidor LDAP",
     "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "El nombre de usuario solo puede contener caracteres alfanuméricos, guiones bajos o guiones, no puede tener guiones o subrayados consecutivos, y no puede comenzar ni terminar con un guión o subrayado.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "El valor \\\"%s\\\" para el campo de cuenta \\\"%s\\\" no coincide con la expresión regular del elemento de cuenta",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "El valor \\\"%s\\\" para el campo de registro \\\"%s\\\" no coincide con la expresión regular del elemento de registro de la aplicación \\\"%s\\\"",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "El valor \"%s\" para el campo de cuenta \"%s\" no coincide con la expresión regular del elemento de cuenta",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "El valor \"%s\" para el campo de registro \"%s\" no coincide con la expresión regular del elemento de registro de la aplicación \"%s\"",
     "Username already exists": "El nombre de usuario ya existe",
     "Username cannot be an email address": "Nombre de usuario no puede ser una dirección de correo electrónico",
     "Username cannot contain white spaces": "Nombre de usuario no puede contener espacios en blanco",
@@ -84,7 +94,7 @@
     "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "El nombre de usuario admite formato de correo electrónico. Además, el nombre de usuario solo puede contener caracteres alfanuméricos, guiones bajos o guiones, no puede tener guiones bajos o guiones consecutivos y no puede comenzar ni terminar con un guión o guión bajo. También preste atención al formato del correo electrónico.",
     "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Has ingresado la contraseña o código incorrecto demasiadas veces, por favor espera %d minutos e intenta de nuevo",
     "Your IP address: %s has been banned according to the configuration of: ": "Su dirección IP: %s ha sido bloqueada según la configuración de: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Su contraseña ha expirado. Restablezca su contraseña haciendo clic en \\\"Olvidé mi contraseña\\\"",
+    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "Su contraseña ha expirado. Restablezca su contraseña haciendo clic en \"Olvidé mi contraseña\"",
     "Your region is not allow to signup by phone": "Tu región no está permitida para registrarse por teléfono",
     "password or code is incorrect": "contraseña o código incorrecto",
     "password or code is incorrect, you have %s remaining chances": "Contraseña o código incorrecto, tienes %s intentos restantes",
@@ -96,16 +106,25 @@
   "general": {
     "Failed to import groups": "Error al importar grupos",
     "Failed to import users": "Error al importar usuarios",
+    "Insufficient balance: new balance %v would be below credit limit %v": "Saldo insuficiente: el nuevo saldo %v estaría por debajo del límite de crédito %v",
+    "Insufficient balance: new organization balance %v would be below credit limit %v": "Saldo insuficiente: el nuevo saldo de la organización %v estaría por debajo del límite de crédito %v",
     "Missing parameter": "Parámetro faltante",
     "Only admin user can specify user": "Solo el usuario administrador puede especificar usuario",
     "Please login first": "Por favor, inicia sesión primero",
+    "The LDAP: %s does not exist": "El LDAP: %s no existe",
     "The organization: %s should have one application at least": "La organización: %s debe tener al menos una aplicación",
+    "The syncer: %s does not exist": "El sincronizador: %s no existe",
     "The user: %s doesn't exist": "El usuario: %s no existe",
+    "The user: %s is not found": "El usuario: %s no encontrado",
+    "User is required for User category transaction": "El usuario es obligatorio para la transacción de la categoría Usuario",
     "Wrong userId": "ID de usuario incorrecto",
     "don't support captchaProvider: ": "No apoyo a captchaProvider",
     "this operation is not allowed in demo mode": "esta operación no está permitida en modo de demostración",
     "this operation requires administrator to perform": "esta operación requiere que el administrador la realice"
   },
+  "invitation": {
+    "Invitation %s does not exist": "La invitación %s no existe"
+  },
   "ldap": {
     "Ldap server exist": "El servidor LDAP existe"
   },
@@ -124,10 +143,16 @@
     "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "La adición de un nuevo usuario a la organización 'integrada' está actualmente deshabilitada. Tenga en cuenta: todos los usuarios de la organización 'integrada' son administradores globales en Casdoor. Consulte los docs: https://casdoor.org/docs/basic/core-concepts#how  -does-casdoor-manage-itself. Si todavía desea crear un usuario para la organización 'integrada', vaya a la página de configuración de la organización y habilite la opción 'Tiene consentimiento de privilegios'."
   },
   "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "El permiso: \\\"%s\\\" no existe"
+    "The permission: \"%s\" doesn't exist": "El permiso: \"%s\" no existe"
+  },
+  "product": {
+    "Product list cannot be empty": "La lista de productos no puede estar vacía"
   },
   "provider": {
+    "Failed to initialize ID Verification provider": "Error al inicializar el proveedor de verificación de ID",
     "Invalid application id": "Identificación de aplicación no válida",
+    "No ID Verification provider configured": "No hay proveedor de verificación de ID configurado",
+    "Provider is not an ID Verification provider": "El proveedor no es un proveedor de verificación de ID",
     "the provider: %s does not exist": "El proveedor: %s no existe"
   },
   "resource": {
@@ -145,6 +170,9 @@
     "Invalid Email receivers: %s": "Receptores de correo electrónico no válidos: %s",
     "Invalid phone receivers: %s": "Receptores de teléfono no válidos: %s"
   },
+  "session": {
+    "session id %s is the current session and cannot be deleted": "session id %s is the current session and cannot be deleted"
+  },
   "storage": {
     "The objectKey: %s is not allowed": "El objectKey: %s no está permitido",
     "The provider type: %s is not supported": "El tipo de proveedor: %s no es compatible"
@@ -152,6 +180,9 @@
   "subscription": {
     "Error": "Error"
   },
+  "ticket": {
+    "Ticket not found": "Ticket no encontrado"
+  },
   "token": {
     "Grant_type: %s is not supported in this application": "El tipo de subvención: %s no es compatible con esta aplicación",
     "Invalid application or wrong clientSecret": "Solicitud inválida o clientSecret incorrecto",
@@ -161,9 +192,14 @@
   },
   "user": {
     "Display name cannot be empty": "El nombre de pantalla no puede estar vacío",
+    "ID card information and real name are required": "Se requiere información de la tarjeta de identificación y el nombre real",
+    "Identity verification failed": "Falló la verificación de identidad",
     "MFA email is enabled but email is empty": "El correo electrónico MFA está habilitado pero el correo está vacío",
     "MFA phone is enabled but phone number is empty": "El teléfono MFA está habilitado pero el número de teléfono está vacío",
     "New password cannot contain blank space.": "La nueva contraseña no puede contener espacios en blanco.",
+    "No application found for user": "No se encontró aplicación para el usuario",
+    "The new password must be different from your current password": "La nueva contraseña debe ser diferente de su contraseña actual",
+    "User is already verified": "El usuario ya está verificado",
     "the user's owner and name should not be empty": "el propietario y el nombre del usuario no deben estar vacíos"
   },
   "util": {
@@ -174,6 +210,7 @@
   "verification": {
     "Invalid captcha provider.": "Proveedor de captcha no válido.",
     "Phone number is invalid in your region %s": "El número de teléfono es inválido en tu región %s",
+    "The forgot password feature is disabled": "La función de contraseña olvidada está deshabilitada",
     "The verification code has already been used!": "¡El código de verificación ya ha sido utilizado!",
     "The verification code has not been sent yet!": "¡El código de verificación aún no ha sido enviado!",
     "Turing test failed.": "El test de Turing falló.",
@@ -182,12 +219,12 @@
     "Unknown type": "Tipo desconocido",
     "Wrong verification code!": "¡Código de verificación incorrecto!",
     "You should verify your code in %d min!": "¡Deberías verificar tu código en %d minutos!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "agregue un proveedor de SMS a la lista \\\"Proveedores\\\" para la aplicación: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "agregue un proveedor de correo electrónico a la lista \\\"Proveedores\\\" para la aplicación: %s",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "agregue un proveedor de SMS a la lista \"Proveedores\" para la aplicación: %s",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "agregue un proveedor de correo electrónico a la lista \"Proveedores\" para la aplicación: %s",
     "the user does not exist, please sign up first": "El usuario no existe, por favor regístrese primero"
   },
   "webauthn": {
-    "Found no credentials for this user": "Found no credentials for this user",
+    "Found no credentials for this user": "No se encontraron credenciales para este usuario",
     "Please call WebAuthnSigninBegin first": "Por favor, llama primero a WebAuthnSigninBegin"
   }
 }

i18n/locales/fa/data.json

@@ -1,193 +0,0 @@
-{
-  "account": {
-    "Failed to add user": "عدم موفقیت در افزودن کاربر",
-    "Get init score failed, error: %w": "عدم موفقیت در دریافت امتیاز اولیه، خطا: %w",
-    "Please sign out first": "لطفاً ابتدا خارج شوید",
-    "The application does not allow to sign up new account": "برنامه اجازه ثبت‌نام حساب جدید را نمی‌دهد"
-  },
-  "auth": {
-    "Challenge method should be S256": "روش چالش باید S256 باشد",
-    "DeviceCode Invalid": "کد دستگاه نامعتبر است",
-    "Failed to create user, user information is invalid: %s": "عدم موفقیت در ایجاد کاربر، اطلاعات کاربر نامعتبر است: %s",
-    "Failed to login in: %s": "عدم موفقیت در ورود: %s",
-    "Invalid token": "توکن نامعتبر",
-    "State expected: %s, but got: %s": "وضعیت مورد انتظار: %s، اما دریافت شد: %s",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "حساب برای ارائه‌دهنده: %s و نام کاربری: %s (%s) وجود ندارد و مجاز به ثبت‌نام به‌عنوان حساب جدید از طریق %%s نیست، لطفاً از روش دیگری برای ثبت‌نام استفاده کنید",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "حساب برای ارائه‌دهنده: %s و نام کاربری: %s (%s) وجود ندارد و مجاز به ثبت‌نام به‌عنوان حساب جدید نیست، لطفاً با پشتیبانی IT خود تماس بگیرید",
-    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "حساب برای ارائه‌دهنده: %s و نام کاربری: %s (%s) در حال حاضر به حساب دیگری مرتبط است: %s (%s)",
-    "The application: %s does not exist": "برنامه: %s وجود ندارد",
-    "The application: %s has disabled users to signin": "The application: %s has disabled users to signin",
-    "The login method: login with LDAP is not enabled for the application": "روش ورود: ورود با LDAP برای برنامه فعال نیست",
-    "The login method: login with SMS is not enabled for the application": "روش ورود: ورود با پیامک برای برنامه فعال نیست",
-    "The login method: login with email is not enabled for the application": "روش ورود: ورود با ایمیل برای برنامه فعال نیست",
-    "The login method: login with face is not enabled for the application": "روش ورود: ورود با چهره برای برنامه فعال نیست",
-    "The login method: login with password is not enabled for the application": "روش ورود: ورود با رمز عبور برای برنامه فعال نیست",
-    "The organization: %s does not exist": "سازمان: %s وجود ندارد",
-    "The organization: %s has disabled users to signin": "The organization: %s has disabled users to signin",
-    "The provider: %s does not exist": "ارائه‌کننده: %s وجود ندارد",
-    "The provider: %s is not enabled for the application": "ارائه‌دهنده: %s برای برنامه فعال نیست",
-    "Unauthorized operation": "عملیات غیرمجاز",
-    "Unknown authentication type (not password or provider), form = %s": "نوع احراز هویت ناشناخته (نه رمز عبور و نه ارائه‌دهنده)، فرم = %s",
-    "User's tag: %s is not listed in the application's tags": "برچسب کاربر: %s در برچسب‌های برنامه فهرست نشده است",
-    "UserCode Expired": "کد کاربر منقضی شده است",
-    "UserCode Invalid": "کد کاربر نامعتبر است",
-    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "کاربر پرداختی %s اشتراک فعال یا در انتظار ندارد و برنامه: %s قیمت‌گذاری پیش‌فرض ندارد",
-    "the application for user %s is not found": " برنامه برای کاربر %s پیدا نشد",
-    "the organization: %s is not found": "سازمان: %s پیدا نشد"
-  },
-  "cas": {
-    "Service %s and %s do not match": "سرویس %s و %s مطابقت ندارند"
-  },
-  "check": {
-    "%s does not meet the CIDR format requirements: %s": "%s با نیازهای فرمت CIDR مطابقت ندارد: %s",
-    "Affiliation cannot be blank": "وابستگی نمی‌تواند خالی باشد",
-    "CIDR for IP: %s should not be empty": "CIDR برای IP: %s نباید خالی باشد",
-    "Default code does not match the code's matching rules": "کد پیش‌فرض با قوانین تطبیق کد مطابقت ندارد",
-    "DisplayName cannot be blank": "نام نمایشی نمی‌تواند خالی باشد",
-    "DisplayName is not valid real name": "نام نمایشی یک نام واقعی معتبر نیست",
-    "Email already exists": "ایمیل قبلاً وجود دارد",
-    "Email cannot be empty": "ایمیل نمی‌تواند خالی باشد",
-    "Email is invalid": "ایمیل نامعتبر است",
-    "Empty username.": "نام کاربری خالی است.",
-    "Face data does not exist, cannot log in": "داده‌های چهره وجود ندارد، نمی‌توان وارد شد",
-    "Face data mismatch": "عدم تطابق داده‌های چهره",
-    "Failed to parse client IP: %s": "پارس کردن IP مشتری ناموفق بود: %s",
-    "FirstName cannot be blank": "نام نمی‌تواند خالی باشد",
-    "Invitation code cannot be blank": "کد دعوت نمی‌تواند خالی باشد",
-    "Invitation code exhausted": "کد دعوت استفاده شده است",
-    "Invitation code is invalid": "کد دعوت نامعتبر است",
-    "Invitation code suspended": "کد دعوت معلق است",
-    "LDAP user name or password incorrect": "نام کاربری یا رمز عبور LDAP نادرست است",
-    "LastName cannot be blank": "نام خانوادگی نمی‌تواند خالی باشد",
-    "Multiple accounts with same uid, please check your ldap server": "چندین حساب با uid یکسان، لطفاً سرور LDAP خود را بررسی کنید",
-    "Organization does not exist": "سازمان وجود ندارد",
-    "Password cannot be empty": "رمز عبور نمی‌تواند خالی باشد",
-    "Phone already exists": "تلفن قبلاً وجود دارد",
-    "Phone cannot be empty": "تلفن نمی‌تواند خالی باشد",
-    "Phone number is invalid": "شماره تلفن نامعتبر است",
-    "Please register using the email corresponding to the invitation code": "لطفاً با استفاده از ایمیل مربوط به کد دعوت ثبت‌نام کنید",
-    "Please register using the phone  corresponding to the invitation code": "لطفاً با استفاده از تلفن مربوط به کد دعوت ثبت‌نام کنید",
-    "Please register using the username corresponding to the invitation code": "لطفاً با استفاده از نام کاربری مربوط به کد دعوت ثبت‌نام کنید",
-    "Session outdated, please login again": "جلسه منقضی شده است، لطفاً دوباره وارد شوید",
-    "The invitation code has already been used": "کد دعوت قبلاً استفاده شده است",
-    "The user is forbidden to sign in, please contact the administrator": "ورود کاربر ممنوع است، لطفاً با مدیر تماس بگیرید",
-    "The user: %s doesn't exist in LDAP server": "کاربر: %s در سرور LDAP وجود ندارد",
-    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "نام کاربری فقط می‌تواند حاوی کاراکترهای الفبایی عددی، زیرخط یا خط تیره باشد، نمی‌تواند خط تیره یا زیرخط متوالی داشته باشد، و نمی‌تواند با خط تیره یا زیرخط شروع یا پایان یابد.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "مقدار \\\"%s\\\" برای فیلد حساب \\\"%s\\\" با regex مورد نظر مطابقت ندارد",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "مقدار \\\"%s\\\" برای فیلد ثبت‌نام \\\"%s\\\" با regex مورد نظر برنامه \\\"%s\\\" مطابقت ندارد",
-    "Username already exists": "نام کاربری قبلاً وجود دارد",
-    "Username cannot be an email address": "نام کاربری نمی‌تواند یک آدرس ایمیل باشد",
-    "Username cannot contain white spaces": "نام کاربری نمی‌تواند حاوی فاصله باشد",
-    "Username cannot start with a digit": "نام کاربری نمی‌تواند با یک رقم شروع شود",
-    "Username is too long (maximum is 255 characters).": "نام کاربری بیش از حد طولانی است (حداکثر ۳۹ کاراکتر).",
-    "Username must have at least 2 characters": "نام کاربری باید حداقل ۲ کاراکتر داشته باشد",
-    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "نام کاربری از فرمت ایمیل پشتیبانی می‌کند. همچنین نام کاربری تنها می‌تواند شامل کاراکترهای الفبایی-عددی، زیرخط یا خط تیره باشد، نمی‌تواند دارای خطوط تیره یا زیرخطوط متوالی باشد و نمی‌تواند با خط تیره یا زیرخط شروع یا پایان یابد. همچنین به فرمت ایمیل توجه کنید.",
-    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "شما رمز عبور یا کد اشتباه را بیش از حد وارد کرده‌اید، لطفاً %d دقیقه صبر کنید و دوباره تلاش کنید",
-    "Your IP address: %s has been banned according to the configuration of: ": "آدرس IP شما: %s طبق تنظیمات بلاک شده است: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "رمز عبور شما منقضی شده است. لطفاً با کلیک بر روی \\\"فراموشی رمز عبور\\\" رمز عبور خود را بازنشانی کنید",
-    "Your region is not allow to signup by phone": "منطقه شما اجازه ثبت‌نام با تلفن را ندارد",
-    "password or code is incorrect": "رمز عبور یا کد نادرست است",
-    "password or code is incorrect, you have %s remaining chances": "رمز عبور یا کد نادرست است، شما %s فرصت باقی‌مانده دارید",
-    "unsupported password type: %s": "نوع رمز عبور پشتیبانی نشده: %s"
-  },
-  "enforcer": {
-    "the adapter: %s is not found": "آداپتر: %s پیدا نشد"
-  },
-  "general": {
-    "Failed to import groups": "ورود گروه‌ها ناموفق بود",
-    "Failed to import users": "عدم موفقیت در وارد کردن کاربران",
-    "Missing parameter": "پارامتر گمشده",
-    "Only admin user can specify user": "فقط کاربر مدیر می‌تواند کاربر را مشخص کند",
-    "Please login first": "لطفاً ابتدا وارد شوید",
-    "The organization: %s should have one application at least": "سازمان: %s باید حداقل یک برنامه داشته باشد",
-    "The user: %s doesn't exist": "کاربر: %s وجود ندارد",
-    "Wrong userId": "شناسه کاربر اشتباه است",
-    "don't support captchaProvider: ": "از captchaProvider پشتیبانی نمی‌شود: ",
-    "this operation is not allowed in demo mode": "این عملیات در حالت دمو مجاز نیست",
-    "this operation requires administrator to perform": "این عملیات نیاز به مدیر برای انجام دارد"
-  },
-  "ldap": {
-    "Ldap server exist": "سرور LDAP وجود دارد"
-  },
-  "link": {
-    "Please link first": "لطفاً ابتدا پیوند دهید",
-    "This application has no providers": "این برنامه ارائه‌دهنده‌ای ندارد",
-    "This application has no providers of type": "این برنامه ارائه‌دهنده‌ای از نوع ندارد",
-    "This provider can't be unlinked": "این ارائه‌دهنده نمی‌تواند لغو پیوند شود",
-    "You are not the global admin, you can't unlink other users": "شما مدیر جهانی نیستید، نمی‌توانید کاربران دیگر را لغو پیوند کنید",
-    "You can't unlink yourself, you are not a member of any application": "شما نمی‌توانید خودتان را لغو پیوند کنید، شما عضو هیچ برنامه‌ای نیستید"
-  },
-  "organization": {
-    "Only admin can modify the %s.": "فقط مدیر می‌تواند %s را تغییر دهد.",
-    "The %s is immutable.": "%s غیرقابل تغییر است.",
-    "Unknown modify rule %s.": "قانون تغییر ناشناخته %s.",
-    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "افزودن کاربر جدید به سازمان «built-in» (درونی) در حال حاضر غیرفعال است. توجه داشته باشید: همه کاربران در سازمان «built-in» مدیران جهانی در Casdoor هستند. به مستندات مراجعه کنید: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. اگر همچنان می‌خواهید یک کاربر برای سازمان «built-in» ایجاد کنید، به صفحه تنظیمات سازمان بروید و گزینه «مجوز موافقت با امتیازات» را فعال کنید."
-  },
-  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "مجوز: \\\"%s\\\" وجود ندارد"
-  },
-  "provider": {
-    "Invalid application id": "شناسه برنامه نامعتبر",
-    "the provider: %s does not exist": "ارائه‌دهنده: %s وجود ندارد"
-  },
-  "resource": {
-    "User is nil for tag: avatar": "کاربر برای برچسب: آواتار تهی است",
-    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "نام کاربری یا مسیر کامل فایل خالی است: نام کاربری = %s، مسیر کامل فایل = %s"
-  },
-  "saml": {
-    "Application %s not found": "برنامه %s یافت نشد"
-  },
-  "saml_sp": {
-    "provider %s's category is not SAML": "دسته‌بندی ارائه‌دهنده %s SAML نیست"
-  },
-  "service": {
-    "Empty parameters for emailForm: %v": "پارامترهای خالی برای emailForm: %v",
-    "Invalid Email receivers: %s": "گیرندگان ایمیل نامعتبر: %s",
-    "Invalid phone receivers: %s": "گیرندگان تلفن نامعتبر: %s"
-  },
-  "storage": {
-    "The objectKey: %s is not allowed": "objectKey: %s مجاز نیست",
-    "The provider type: %s is not supported": "نوع ارائه‌دهنده: %s پشتیبانی نمی‌شود"
-  },
-  "subscription": {
-    "Error": "خطا"
-  },
-  "token": {
-    "Grant_type: %s is not supported in this application": "grant_type: %s در این برنامه پشتیبانی نمی‌شود",
-    "Invalid application or wrong clientSecret": "برنامه نامعتبر یا clientSecret نادرست",
-    "Invalid client_id": "client_id نامعتبر",
-    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "آدرس بازگشت: %s در لیست آدرس‌های بازگشت مجاز وجود ندارد",
-    "Token not found, invalid accessToken": "توکن یافت نشد، accessToken نامعتبر"
-  },
-  "user": {
-    "Display name cannot be empty": "نام نمایشی نمی‌تواند خالی باشد",
-    "MFA email is enabled but email is empty": "ایمیل MFA فعال است اما ایمیل خالی است",
-    "MFA phone is enabled but phone number is empty": "تلفن MFA فعال است اما شماره تلفن خالی است",
-    "New password cannot contain blank space.": "رمز عبور جدید نمی‌تواند حاوی فاصله خالی باشد.",
-    "the user's owner and name should not be empty": "مالک و نام کاربر نباید خالی باشند"
-  },
-  "util": {
-    "No application is found for userId: %s": "هیچ برنامه‌ای برای userId: %s یافت نشد",
-    "No provider for category: %s is found for application: %s": "هیچ ارائه‌دهنده‌ای برای دسته‌بندی: %s برای برنامه: %s یافت نشد",
-    "The provider: %s is not found": "ارائه‌دهنده: %s یافت نشد"
-  },
-  "verification": {
-    "Invalid captcha provider.": "ارائه‌دهنده کپچا نامعتبر.",
-    "Phone number is invalid in your region %s": "شماره تلفن در منطقه شما نامعتبر است %s",
-    "The verification code has already been used!": "کد تایید قبلاً استفاده شده است!",
-    "The verification code has not been sent yet!": "کد تأیید هنوز ارسال نشده است!",
-    "Turing test failed.": "تست تورینگ ناموفق بود.",
-    "Unable to get the email modify rule.": "عدم توانایی در دریافت قانون تغییر ایمیل.",
-    "Unable to get the phone modify rule.": "عدم توانایی در دریافت قانون تغییر تلفن.",
-    "Unknown type": "نوع ناشناخته",
-    "Wrong verification code!": "کد تأیید اشتباه!",
-    "You should verify your code in %d min!": "شما باید کد خود را در %d دقیقه تأیید کنید!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "لطفاً یک ارائه‌کننده SMS به لیست \\\"ارائه‌کنندگان\\\" برای برنامه اضافه کنید: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "لطفاً یک ارائه‌کننده ایمیل به لیست \\\"ارائه‌کنندگان\\\" برای برنامه اضافه کنید: %s",
-    "the user does not exist, please sign up first": "کاربر وجود ندارد، لطفاً ابتدا ثبت‌نام کنید"
-  },
-  "webauthn": {
-    "Found no credentials for this user": "Found no credentials for this user",
-    "Please call WebAuthnSigninBegin first": "لطفاً ابتدا WebAuthnSigninBegin را فراخوانی کنید"
-  }
-}

i18n/locales/fi/data.json

@@ -1,193 +0,0 @@
-{
-  "account": {
-    "Failed to add user": "Käyttäjän lisäys epäonnistui",
-    "Get init score failed, error: %w": "Alkupisteen haku epäonnistui, virhe: %w",
-    "Please sign out first": "Kirjaudu ensin ulos",
-    "The application does not allow to sign up new account": "Sovellus ei salli uuden tilin luomista"
-  },
-  "auth": {
-    "Challenge method should be S256": "Haasteen metodin tulee olla S256",
-    "DeviceCode Invalid": "DeviceCode virheellinen",
-    "Failed to create user, user information is invalid: %s": "Käyttäjän luonti epäonnistui, käyttäjätiedot ovat virheelliset: %s",
-    "Failed to login in: %s": "Sisäänkirjautuminen epäonnistui: %s",
-    "Invalid token": "Virheellinen token",
-    "State expected: %s, but got: %s": "Odotettiin tilaa: %s, mutta saatiin: %s",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "Tiliä providerille: %s ja käyttäjälle: %s (%s) ei ole olemassa, eikä sitä voi rekisteröidä uutena tilinä kautta %%s, käytä toista tapaa rekisteröityä",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "Tiliä providerille: %s ja käyttäjälle: %s (%s) ei ole olemassa, eikä sitä voi rekisteröidä uutena tilinä, ota yhteyttä IT-tukeen",
-    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "Tili providerille: %s ja käyttäjälle: %s (%s) on jo linkitetty toiseen tiliin: %s (%s)",
-    "The application: %s does not exist": "Sovellus: %s ei ole olemassa",
-    "The application: %s has disabled users to signin": "The application: %s has disabled users to signin",
-    "The login method: login with LDAP is not enabled for the application": "Kirjautumistapa: kirjautuminen LDAP:n kautta ei ole käytössä sovelluksessa",
-    "The login method: login with SMS is not enabled for the application": "Kirjautumistapa: kirjautuminen SMS:n kautta ei ole käytössä sovelluksessa",
-    "The login method: login with email is not enabled for the application": "Kirjautumistapa: kirjautuminen sähköpostin kautta ei ole käytössä sovelluksessa",
-    "The login method: login with face is not enabled for the application": "Kirjautumistapa: kirjautuminen kasvotunnistuksella ei ole käytössä sovelluksessa",
-    "The login method: login with password is not enabled for the application": "Kirjautumistapa: kirjautuminen salasanalla ei ole käytössä sovelluksessa",
-    "The organization: %s does not exist": "Organisaatio: %s ei ole olemassa",
-    "The organization: %s has disabled users to signin": "The organization: %s has disabled users to signin",
-    "The provider: %s does not exist": "Provider: %s ei ole olemassa",
-    "The provider: %s is not enabled for the application": "Provider: %s ei ole käytössä sovelluksessa",
-    "Unauthorized operation": "Luvaton toiminto",
-    "Unknown authentication type (not password or provider), form = %s": "Tuntematon todennustyyppi (ei salasana tai provider), form = %s",
-    "User's tag: %s is not listed in the application's tags": "Käyttäjän tagi: %s ei ole listattu sovelluksen tageissa",
-    "UserCode Expired": "UserCode vanhentunut",
-    "UserCode Invalid": "UserCode virheellinen",
-    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "maksettu-käyttäjä %s ei ole aktiivista tai odottavaa tilausta ja sovellus: %s ei ole oletushinnoittelua",
-    "the application for user %s is not found": "sovellusta käyttäjälle %s ei löydy",
-    "the organization: %s is not found": "organisaatiota: %s ei löydy"
-  },
-  "cas": {
-    "Service %s and %s do not match": "Palvelu %s ja %s eivät täsmää"
-  },
-  "check": {
-    "%s does not meet the CIDR format requirements: %s": "%s ei täytä CIDR-muodon vaatimuksia: %s",
-    "Affiliation cannot be blank": "Affiliaatio ei voi olla tyhjä",
-    "CIDR for IP: %s should not be empty": "CIDR IP:lle: %s ei saa olla tyhjä",
-    "Default code does not match the code's matching rules": "Oletuskoodi ei täsmää koodin täsmäyssääntöihin",
-    "DisplayName cannot be blank": "Näyttönimi ei voi olla tyhjä",
-    "DisplayName is not valid real name": "Näyttönimi ei ole kelvollinen oikea nimi",
-    "Email already exists": "Sähköposti on jo olemassa",
-    "Email cannot be empty": "Sähköposti ei voi olla tyhjä",
-    "Email is invalid": "Sähköposti on virheellinen",
-    "Empty username.": "Tyhjä käyttäjänimi.",
-    "Face data does not exist, cannot log in": "Kasvodataa ei ole olemassa, ei voi kirjautua",
-    "Face data mismatch": "Kasvodata ei täsmää",
-    "Failed to parse client IP: %s": "Client IP:n jäsentäminen epäonnistui: %s",
-    "FirstName cannot be blank": "Etunimi ei voi olla tyhjä",
-    "Invitation code cannot be blank": "Kutsukoodi ei voi olla tyhjä",
-    "Invitation code exhausted": "Kutsukoodi on käytetty loppuun",
-    "Invitation code is invalid": "Kutsukoodi on virheellinen",
-    "Invitation code suspended": "Kutsukoodi on keskeytetty",
-    "LDAP user name or password incorrect": "LDAP-käyttäjänimi tai salasana on virheellinen",
-    "LastName cannot be blank": "Sukunimi ei voi olla tyhjä",
-    "Multiple accounts with same uid, please check your ldap server": "Useita tilejä samalla uid:llä, tarkista ldap-palvelimesi",
-    "Organization does not exist": "Organisaatiota ei ole olemassa",
-    "Password cannot be empty": "Salasana ei voi olla tyhjä",
-    "Phone already exists": "Puhelinnumero on jo olemassa",
-    "Phone cannot be empty": "Puhelinnumero ei voi olla tyhjä",
-    "Phone number is invalid": "Puhelinnumero on virheellinen",
-    "Please register using the email corresponding to the invitation code": "Rekisteröidy käyttämällä kutsukoodiin vastaavaa sähköpostia",
-    "Please register using the phone  corresponding to the invitation code": "Rekisteröidy käyttämällä kutsukoodiin vastaavaa puhelinnumeroa",
-    "Please register using the username corresponding to the invitation code": "Rekisteröidy käyttämällä kutsukoodiin vastaavaa käyttäjänimeä",
-    "Session outdated, please login again": "Istunto vanhentunut, kirjaudu uudelleen",
-    "The invitation code has already been used": "Kutsukoodi on jo käytetty",
-    "The user is forbidden to sign in, please contact the administrator": "Käyttäjän kirjautuminen on estetty, ota yhteyttä ylläpitäjään",
-    "The user: %s doesn't exist in LDAP server": "Käyttäjä: %s ei ole olemassa LDAP-palvelimessa",
-    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Käyttäjänimi voi sisältää vain alfanumeerisia merkkejä, alaviivoja tai tavuviivoja, ei voi sisältää peräkkäisiä tavuviivoja tai alaviivoja, eikä voi alkaa tai loppua tavuviivalla tai alaviivalla.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "Arvo \\\"%s\\\" tili-kentälle \\\"%s\\\" ei täsmää tili-alkion regexiin",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "Arvo \\\"%s\\\" rekisteröitymiskentälle \\\"%s\\\" ei täsmää sovelluksen \\\"%s\\\" rekisteröitymiskentän regexiin",
-    "Username already exists": "Käyttäjänimi on jo olemassa",
-    "Username cannot be an email address": "Käyttäjänimi ei voi olla sähköpostiosoite",
-    "Username cannot contain white spaces": "Käyttäjänimi ei voi sisältää välilyöntejä",
-    "Username cannot start with a digit": "Käyttäjänimi ei voi alkaa numerolla",
-    "Username is too long (maximum is 255 characters).": "Käyttäjänimi on liian pitkä (enintään 255 merkkiä).",
-    "Username must have at least 2 characters": "Käyttäjänimessä on oltava vähintään 2 merkkiä",
-    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "Käyttäjänimi tukee sähköpostimuotoa. Lisäksi käyttäjänimi voi sisältää vain alfanumeerisia merkkejä, alaviivoja tai tavuviivoja, ei voi sisältää peräkkäisiä tavuviivoja tai alaviivoja, eikä voi alkaa tai loppua tavuviivalla tai alaviivalla. Huomioi myös sähköpostimuoto.",
-    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Olet syöttänyt väärän salasanan tai koodin liian monta kertaa, odota %d minuuttia ja yritä uudelleen",
-    "Your IP address: %s has been banned according to the configuration of: ": "IP-osoitteesi: %s on estetty asetuksen mukaan: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Salasanasi on vanhentunut. Nollaa salasanasi klikkaamalla \\\"Unohdin salasanan\\\"",
-    "Your region is not allow to signup by phone": "Alueellasi ei ole sallittua rekisteröityä puhelimella",
-    "password or code is incorrect": "salasana tai koodi on virheellinen",
-    "password or code is incorrect, you have %s remaining chances": "salasana tai koodi on virheellinen, sinulla on %s yritystä jäljellä",
-    "unsupported password type: %s": "ei-tuettu salasanatyyppi: %s"
-  },
-  "enforcer": {
-    "the adapter: %s is not found": "adapteria: %s ei löydy"
-  },
-  "general": {
-    "Failed to import groups": "Ryhmien tuonti epäonnistui",
-    "Failed to import users": "Käyttäjien tuonti epäonnistui",
-    "Missing parameter": "Parametri puuttuu",
-    "Only admin user can specify user": "Vain ylläpitäjä voi määrittää käyttäjän",
-    "Please login first": "Kirjaudu ensin sisään",
-    "The organization: %s should have one application at least": "Organisaatiolla: %s on oltava vähintään yksi sovellus",
-    "The user: %s doesn't exist": "Käyttäjää: %s ei ole olemassa",
-    "Wrong userId": "Väärä userId",
-    "don't support captchaProvider: ": "ei tueta captchaProvider: ",
-    "this operation is not allowed in demo mode": "tämä toiminto ei ole sallittu demo-tilassa",
-    "this operation requires administrator to perform": "tämä toiminto vaatii ylläpitäjän suorittamista"
-  },
-  "ldap": {
-    "Ldap server exist": "LDAP-palvelin on olemassa"
-  },
-  "link": {
-    "Please link first": "Linkitä ensin",
-    "This application has no providers": "Tällä sovelluksella ei ole providereita",
-    "This application has no providers of type": "Tällä sovelluksella ei ole tämän tyyppisiä providereita",
-    "This provider can't be unlinked": "Tätä provideria ei voi irrottaa",
-    "You are not the global admin, you can't unlink other users": "Et ole globaali ylläpitäjä, et voi irrottaa muita käyttäjiä",
-    "You can't unlink yourself, you are not a member of any application": "Et voi irrottaa itseäsi, et ole minkään sovelluksen jäsen"
-  },
-  "organization": {
-    "Only admin can modify the %s.": "Vain ylläpitäjä voi muokata %s.",
-    "The %s is immutable.": "%s on muuttumaton.",
-    "Unknown modify rule %s.": "Tuntematon muokkaussääntö %s.",
-    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "Uuden käyttäjän lisääminen 'built-in'-organisaatioon on tällä hetkellä poistettu käytöstä. Huomioi: Kaikki 'built-in'-organisaation käyttäjät ovat Casdoorin globaaleja ylläpitäjiä. Katso dokumentaatio: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. Jos haluat silti luoda käyttäjän 'built-in'-organisaatiolle, siirry organisaation asetussivulle ja käytä käyttöön vaihtoehdon 'On oikeuksien suostumus'."
-  },
-  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "Oikeutta: \\\"%s\\\" ei ole olemassa"
-  },
-  "provider": {
-    "Invalid application id": "Virheellinen sovelluksen id",
-    "the provider: %s does not exist": "provideria: %s ei ole olemassa"
-  },
-  "resource": {
-    "User is nil for tag: avatar": "Käyttäjä on nil tagille: avatar",
-    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Käyttäjänimi tai fullFilePath on tyhjä: username = %s, fullFilePath = %s"
-  },
-  "saml": {
-    "Application %s not found": "Sovellusta %s ei löydy"
-  },
-  "saml_sp": {
-    "provider %s's category is not SAML": "provider %s:n kategoria ei ole SAML"
-  },
-  "service": {
-    "Empty parameters for emailForm: %v": "Tyhjät parametrit emailFormille: %v",
-    "Invalid Email receivers: %s": "Virheelliset sähköpostivastaanottajat: %s",
-    "Invalid phone receivers: %s": "Virheelliset puhelinvastaanottajat: %s"
-  },
-  "storage": {
-    "The objectKey: %s is not allowed": "objectKey: %s ei ole sallittu",
-    "The provider type: %s is not supported": "Provider-tyyppiä: %s ei tueta"
-  },
-  "subscription": {
-    "Error": "Virhe"
-  },
-  "token": {
-    "Grant_type: %s is not supported in this application": "Grant_type: %s ei ole tuettu tässä sovelluksessa",
-    "Invalid application or wrong clientSecret": "Virheellinen sovellus tai väärä clientSecret",
-    "Invalid client_id": "Virheellinen client_id",
-    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Uudelleenohjaus-URI: %s ei ole sallittujen uudelleenohjaus-URI-listassa",
-    "Token not found, invalid accessToken": "Tokenia ei löydy, virheellinen accessToken"
-  },
-  "user": {
-    "Display name cannot be empty": "Näyttönimi ei voi olla tyhjä",
-    "MFA email is enabled but email is empty": "MFA-sähköposti on käytössä, mutta sähköposti on tyhjä",
-    "MFA phone is enabled but phone number is empty": "MFA-puhelin on käytössä, mutta puhelinnumero on tyhjä",
-    "New password cannot contain blank space.": "Uusi salasana ei voi sisältää välilyöntejä.",
-    "the user's owner and name should not be empty": "käyttäjän omistaja ja nimi eivät saa olla tyhjiä"
-  },
-  "util": {
-    "No application is found for userId: %s": "Sovellusta ei löydy userId:lle: %s",
-    "No provider for category: %s is found for application: %s": "Provideria kategorialle: %s ei löydy sovellukselle: %s",
-    "The provider: %s is not found": "Provideria: %s ei löydy"
-  },
-  "verification": {
-    "Invalid captcha provider.": "Virheellinen captcha-provider.",
-    "Phone number is invalid in your region %s": "Puhelinnumero on virheellinen alueellasi %s",
-    "The verification code has already been used!": "Vahvistuskoodi on jo käytetty!",
-    "The verification code has not been sent yet!": "Vahvistuskoodia ei ole vielä lähetetty!",
-    "Turing test failed.": "Turing-testi epäonnistui.",
-    "Unable to get the email modify rule.": "Sähköpostin muokkaussääntöä ei saada.",
-    "Unable to get the phone modify rule.": "Puhelimen muokkaussääntöä ei saada.",
-    "Unknown type": "Tuntematon tyyppi",
-    "Wrong verification code!": "Väärä vahvistuskoodi!",
-    "You should verify your code in %d min!": "Sinun tulee vahvistaa koodisi %d minuutissa!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "lisää SMS-provider \"Providers\"-listalle sovellukselle: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "lisää sähköposti-provider \"Providers\"-listalle sovellukselle: %s",
-    "the user does not exist, please sign up first": "käyttäjää ei ole olemassa, rekisteröidy ensin"
-  },
-  "webauthn": {
-    "Found no credentials for this user": "Found no credentials for this user",
-    "Please call WebAuthnSigninBegin first": "Kutsu ensin WebAuthnSigninBegin"
-  }
-}

i18n/locales/fr/data.json

@@ -2,7 +2,6 @@
   "account": {
     "Failed to add user": "Échec d'ajout d'utilisateur",
     "Get init score failed, error: %w": "Obtention du score initiale échouée, erreur : %w",
-    "Please sign out first": "Veuillez vous déconnecter en premier",
     "The application does not allow to sign up new account": "L'application ne permet pas de créer un nouveau compte"
   },
   "auth": {
@@ -12,18 +11,23 @@
     "Failed to login in: %s": "Échec de la connexion : %s",
     "Invalid token": "Jeton invalide",
     "State expected: %s, but got: %s": "État attendu : %s, mais obtenu : %s",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "Le compte pour le fournisseur : %s et le nom d'utilisateur : %s (%s) n'existe pas et n'est pas autorisé à s'inscrire en tant que nouveau compte via %%s, veuillez utiliser une autre méthode pour vous inscrire",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %s, please use another way to sign up": "Le compte pour le fournisseur : %s et le nom d'utilisateur : %s (%s) n'existe pas et n'est pas autorisé à s'inscrire en tant que nouveau compte via %s, veuillez utiliser une autre méthode pour vous inscrire",
     "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "Le compte pour le fournisseur : %s et le nom d'utilisateur : %s (%s) n'existe pas et n'est pas autorisé à s'inscrire comme nouveau compte, veuillez contacter votre support informatique",
     "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "Le compte du fournisseur : %s et le nom d'utilisateur : %s (%s) sont déjà liés à un autre compte : %s (%s)",
     "The application: %s does not exist": "L'application : %s n'existe pas",
-    "The application: %s has disabled users to signin": "The application: %s has disabled users to signin",
+    "The application: %s has disabled users to signin": "L'application: %s a désactivé la connexion des utilisateurs",
+    "The group: %s does not exist": "Le groupe : %s n'existe pas",
     "The login method: login with LDAP is not enabled for the application": "La méthode de connexion : connexion LDAP n'est pas activée pour l'application",
     "The login method: login with SMS is not enabled for the application": "La méthode de connexion : connexion par SMS n'est pas activée pour l'application",
     "The login method: login with email is not enabled for the application": "La méthode de connexion : connexion par e-mail n'est pas activée pour l'application",
     "The login method: login with face is not enabled for the application": "La méthode de connexion : connexion par visage n'est pas activée pour l'application",
     "The login method: login with password is not enabled for the application": "La méthode de connexion : connexion avec mot de passe n'est pas activée pour l'application",
+    "The order: %s does not exist": "La commande : %s n'existe pas",
     "The organization: %s does not exist": "L'organisation : %s n'existe pas",
-    "The organization: %s has disabled users to signin": "The organization: %s has disabled users to signin",
+    "The organization: %s has disabled users to signin": "L'organisation: %s a désactivé la connexion des utilisateurs",
+    "The plan: %s does not exist": "Le plan : %s n'existe pas",
+    "The pricing: %s does not exist": "Le tarif : %s n'existe pas",
+    "The pricing: %s does not have plan: %s": "Le tarif : %s n'a pas de plan : %s",
     "The provider: %s does not exist": "Le fournisseur : %s n'existe pas",
     "The provider: %s is not enabled for the application": "Le fournisseur :%s n'est pas activé pour l'application",
     "Unauthorized operation": "Opération non autorisée",
@@ -31,7 +35,7 @@
     "User's tag: %s is not listed in the application's tags": "Le tag de l'utilisateur : %s n'est pas répertorié dans les tags de l'application",
     "UserCode Expired": "Code utilisateur expiré",
     "UserCode Invalid": "Code utilisateur invalide",
-    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "L'utilisateur payant %s n'a pas d'abonnement actif ou en attente et l'application : %s n'a pas de tarification par défaut",
+    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "L'utilisateur payant %s n'a pas d'abonnement actif ou en attente et l'application %s n'a pas de tarification par défaut",
     "the application for user %s is not found": "L'application pour l'utilisateur %s est introuvable",
     "the organization: %s is not found": "L'organisation : %s est introuvable"
   },
@@ -40,9 +44,9 @@
   },
   "check": {
     "%s does not meet the CIDR format requirements: %s": "%s ne respecte pas les exigences du format CIDR : %s",
-    "Affiliation cannot be blank": "Affiliation ne peut pas être vide",
+    "Affiliation cannot be blank": "L'affiliation ne peut pas être vide",
     "CIDR for IP: %s should not be empty": "Le CIDR pour l'IP : %s ne doit pas être vide",
-    "Default code does not match the code's matching rules": "Le code par défaut ne correspond pas aux règles de correspondance du code",
+    "Default code does not match the code's matching rules": "Le code par défaut ne respecte pas les règles de validation du code",
     "DisplayName cannot be blank": "Le nom d'affichage ne peut pas être vide",
     "DisplayName is not valid real name": "DisplayName n'est pas un nom réel valide",
     "Email already exists": "E-mail déjà existant",
@@ -53,11 +57,11 @@
     "Face data mismatch": "Données faciales incorrectes",
     "Failed to parse client IP: %s": "Échec de l'analyse de l'IP client : %s",
     "FirstName cannot be blank": "Le prénom ne peut pas être laissé vide",
+    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "Les utilisateurs invités doivent mettre à niveau leur compte en définissant un nom d'utilisateur et un mot de passe avant de pouvoir se connecter directement",
     "Invitation code cannot be blank": "Le code d'invitation ne peut pas être vide",
     "Invitation code exhausted": "Code d'invitation épuisé",
     "Invitation code is invalid": "Code d'invitation invalide",
     "Invitation code suspended": "Code d'invitation suspendu",
-    "LDAP user name or password incorrect": "Nom d'utilisateur ou mot de passe LDAP incorrect",
     "LastName cannot be blank": "Le nom de famille ne peut pas être vide",
     "Multiple accounts with same uid, please check your ldap server": "Plusieurs comptes avec le même identifiant d'utilisateur, veuillez vérifier votre serveur LDAP",
     "Organization does not exist": "L'organisation n'existe pas",
@@ -70,11 +74,17 @@
     "Please register using the username corresponding to the invitation code": "Veuillez vous inscrire avec le nom d'utilisateur correspondant au code d'invitation",
     "Session outdated, please login again": "Session expirée, veuillez vous connecter à nouveau",
     "The invitation code has already been used": "Le code d'invitation a déjà été utilisé",
+    "The password must contain at least one special character": "Le mot de passe doit contenir au moins un caractère spécial",
+    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Le mot de passe doit contenir au moins une lettre majuscule, une lettre minuscule et un chiffre",
+    "The password must have at least 6 characters": "Le mot de passe doit contenir au moins 6 caractères",
+    "The password must have at least 8 characters": "Le mot de passe doit contenir au moins 8 caractères",
+    "The password must not contain any repeated characters": "Le mot de passe ne doit pas contenir de caractères répétés",
+    "The user has been deleted and cannot be used to sign in, please contact the administrator": "L'utilisateur a été supprimé et ne peut pas être utilisé pour se connecter, veuillez contacter l'administrateur",
     "The user is forbidden to sign in, please contact the administrator": "L'utilisateur est interdit de se connecter, veuillez contacter l'administrateur",
     "The user: %s doesn't exist in LDAP server": "L'utilisateur : %s n'existe pas sur le serveur LDAP",
     "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Le nom d'utilisateur ne peut contenir que des caractères alphanumériques, des traits soulignés ou des tirets, ne peut pas avoir de tirets ou de traits soulignés consécutifs et ne peut pas commencer ou se terminer par un tiret ou un trait souligné.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "La valeur \\\"%s\\\" pour le champ de compte \\\"%s\\\" ne correspond pas à l'expression régulière de l'élément de compte",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "La valeur \\\"%s\\\" pour le champ d'inscription \\\"%s\\\" ne correspond pas à l'expression régulière de l'élément d'inscription de l'application \\\"%s\\\"",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "La valeur \"%s\" pour le champ de compte \"%s\" ne correspond pas à l'expression régulière de l'élément de compte",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "La valeur \"%s\" pour le champ d'inscription \"%s\" ne correspond pas à l'expression régulière de l'élément d'inscription de l'application \"%s\"",
     "Username already exists": "Nom d'utilisateur existe déjà",
     "Username cannot be an email address": "Nom d'utilisateur ne peut pas être une adresse e-mail",
     "Username cannot contain white spaces": "Nom d'utilisateur ne peut pas contenir d'espaces blancs",
@@ -84,7 +94,7 @@
     "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "Le nom d'utilisateur prend en charge le format e-mail. De plus, il ne peut contenir que des caractères alphanumériques, des tirets bas ou des traits d'union, ne peut pas avoir de traits d'union ou de tirets bas consécutifs, et ne peut pas commencer ou se terminer par un trait d'union ou un tiret bas. Faites également attention au format de l'e-mail.",
     "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Vous avez entré le mauvais mot de passe ou code plusieurs fois, veuillez attendre %d minutes et réessayer",
     "Your IP address: %s has been banned according to the configuration of: ": "Votre adresse IP : %s a été bannie selon la configuration de : ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Votre mot de passe a expiré. Veuillez le réinitialiser en cliquant sur \\\"Mot de passe oublié\\\"",
+    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "Votre mot de passe a expiré. Veuillez le réinitialiser en cliquant sur \"Mot de passe oublié\"",
     "Your region is not allow to signup by phone": "Votre région n'est pas autorisée à s'inscrire par téléphone",
     "password or code is incorrect": "mot de passe ou code incorrect",
     "password or code is incorrect, you have %s remaining chances": "Le mot de passe ou le code est incorrect, il vous reste %s chances",
@@ -96,16 +106,25 @@
   "general": {
     "Failed to import groups": "Échec de l'importation des groupes",
     "Failed to import users": "Échec de l'importation des utilisateurs",
+    "Insufficient balance: new balance %v would be below credit limit %v": "Solde insuffisant : le nouveau solde %v serait inférieur à la limite de crédit %v",
+    "Insufficient balance: new organization balance %v would be below credit limit %v": "Solde insuffisant : le nouveau solde de l'organisation %v serait inférieur à la limite de crédit %v",
     "Missing parameter": "Paramètre manquant",
     "Only admin user can specify user": "Seul un administrateur peut désigner un utilisateur",
     "Please login first": "Veuillez d'abord vous connecter",
+    "The LDAP: %s does not exist": "Le LDAP : %s n'existe pas",
     "The organization: %s should have one application at least": "L'organisation : %s doit avoir au moins une application",
+    "The syncer: %s does not exist": "Le synchroniseur : %s n'existe pas",
     "The user: %s doesn't exist": "L'utilisateur : %s n'existe pas",
+    "The user: %s is not found": "L'utilisateur : %s est introuvable",
+    "User is required for User category transaction": "L'utilisateur est requis pour la transaction de catégorie Utilisateur",
     "Wrong userId": "ID utilisateur incorrect",
     "don't support captchaProvider: ": "ne prend pas en charge captchaProvider: ",
     "this operation is not allowed in demo mode": "cette opération n'est pas autorisée en mode démo",
     "this operation requires administrator to perform": "cette opération nécessite un administrateur pour être effectuée"
   },
+  "invitation": {
+    "Invitation %s does not exist": "L'invitation %s n'existe pas"
+  },
   "ldap": {
     "Ldap server exist": "Le serveur LDAP existe"
   },
@@ -124,10 +143,16 @@
     "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "L'ajout d'un nouvel utilisateur à l'organisation « built-in » (intégrée) est actuellement désactivé. Veuillez noter : Tous les utilisateurs de l'organisation « built-in » sont des administrateurs globaux dans Casdoor. Consulter la documentation : https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. Si vous souhaitez encore créer un utilisateur pour l'organisation « built-in », accédez à la page des paramètres de l'organisation et activez l'option « A le consentement aux privilèges »."
   },
   "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "La permission : \\\"%s\\\" n'existe pas"
+    "The permission: \"%s\" doesn't exist": "La permission : \"%s\" n'existe pas"
+  },
+  "product": {
+    "Product list cannot be empty": "La liste des produits ne peut pas être vide"
   },
   "provider": {
+    "Failed to initialize ID Verification provider": "Échec de l'initialisation du fournisseur de vérification d'identité",
     "Invalid application id": "Identifiant d'application invalide",
+    "No ID Verification provider configured": "Aucun fournisseur de vérification d'identité configuré",
+    "Provider is not an ID Verification provider": "Le fournisseur n'est pas un fournisseur de vérification d'identité",
     "the provider: %s does not exist": "Le fournisseur : %s n'existe pas"
   },
   "resource": {
@@ -145,6 +170,9 @@
     "Invalid Email receivers: %s": "Destinataires d'e-mail invalides : %s",
     "Invalid phone receivers: %s": "Destinataires de téléphone invalide : %s"
   },
+  "session": {
+    "session id %s is the current session and cannot be deleted": "session id %s is the current session and cannot be deleted"
+  },
   "storage": {
     "The objectKey: %s is not allowed": "La clé d'objet : %s n'est pas autorisée",
     "The provider type: %s is not supported": "Le type de fournisseur : %s n'est pas pris en charge"
@@ -152,6 +180,9 @@
   "subscription": {
     "Error": "Erreur"
   },
+  "ticket": {
+    "Ticket not found": "Ticket introuvable"
+  },
   "token": {
     "Grant_type: %s is not supported in this application": "Type_de_subvention : %s n'est pas pris en charge dans cette application",
     "Invalid application or wrong clientSecret": "Application invalide ou clientSecret incorrect",
@@ -161,9 +192,14 @@
   },
   "user": {
     "Display name cannot be empty": "Le nom d'affichage ne peut pas être vide",
+    "ID card information and real name are required": "Les informations de la carte d'identité et le nom réel sont requis",
+    "Identity verification failed": "Échec de la vérification d'identité",
     "MFA email is enabled but email is empty": "L'authentification MFA par e-mail est activée mais l'e-mail est vide",
     "MFA phone is enabled but phone number is empty": "L'authentification MFA par téléphone est activée mais le numéro de téléphone est vide",
     "New password cannot contain blank space.": "Le nouveau mot de passe ne peut pas contenir d'espace.",
+    "No application found for user": "Aucune application trouvée pour l'utilisateur",
+    "The new password must be different from your current password": "Le nouveau mot de passe doit être différent de votre mot de passe actuel",
+    "User is already verified": "L'utilisateur est déjà vérifié",
     "the user's owner and name should not be empty": "le propriétaire et le nom de l'utilisateur ne doivent pas être vides"
   },
   "util": {
@@ -174,6 +210,7 @@
   "verification": {
     "Invalid captcha provider.": "Fournisseur de captcha invalide.",
     "Phone number is invalid in your region %s": "Le numéro de téléphone n'est pas valide dans votre région %s",
+    "The forgot password feature is disabled": "La fonction de mot de passe oublié est désactivée",
     "The verification code has already been used!": "Le code de vérification a déjà été utilisé !",
     "The verification code has not been sent yet!": "Le code de vérification n'a pas encore été envoyé !",
     "Turing test failed.": "Le test de Turing a échoué.",
@@ -182,12 +219,12 @@
     "Unknown type": "Type inconnu",
     "Wrong verification code!": "Mauvais code de vérification !",
     "You should verify your code in %d min!": "Vous devriez vérifier votre code en %d min !",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "veuillez ajouter un fournisseur SMS à la liste \\\"Providers\\\" pour l'application : %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "veuillez ajouter un fournisseur d'e-mail à la liste \\\"Providers\\\" pour l'application : %s",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "veuillez ajouter un fournisseur SMS à la liste \"Providers\" pour l'application : %s",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "veuillez ajouter un fournisseur d'e-mail à la liste \"Providers\" pour l'application : %s",
     "the user does not exist, please sign up first": "L'utilisateur n'existe pas, veuillez vous inscrire d'abord"
   },
   "webauthn": {
-    "Found no credentials for this user": "Found no credentials for this user",
+    "Found no credentials for this user": "Aucune information d'identification trouvée pour cet utilisateur",
     "Please call WebAuthnSigninBegin first": "Veuillez d'abord appeler WebAuthnSigninBegin"
   }
 }