feat: update i18n translations (#5021 )

feat: move captcha provider validation from frontend filter to backend check (#5019 )
feat: store OAuth tokens per provider instead of single originalToken field (#5016 )
2026-02-09 00:05:08 +08:00 · 2026-02-08 02:16:47 +08:00 · 2026-02-08 01:22:24 +08:00 · 2026-02-08 00:45:46 +08:00 · 2026-02-07 01:23:22 +08:00 · 2026-02-07 00:51:11 +08:00
145 changed files with 5843 additions and 1952 deletions
--- a/12
+++ b/12
@@ -51,22 +51,14 @@ COPY --from=FRONT --chown=$USER:$USER /web/build ./web/build
 ENTRYPOINT ["/server"]


-FROM debian:latest AS db
-RUN apt update \
-    && apt install -y \
-        mariadb-server \
-        mariadb-client \
-    && rm -rf /var/lib/apt/lists/*
-
-
-FROM db AS ALLINONE
+FROM debian:latest AS ALLINONE
 LABEL MAINTAINER="https://casdoor.org/"
 ARG TARGETOS
 ARG TARGETARCH
 ENV BUILDX_ARCH="${TARGETOS:-linux}_${TARGETARCH:-amd64}"

 RUN apt update
-RUN apt install -y ca-certificates && update-ca-certificates
+RUN apt install -y ca-certificates lsof && update-ca-certificates

 WORKDIR /
 COPY --from=BACK /go/src/casdoor/server_${BUILDX_ARCH} ./server
--- a/controllers/account.go
+++ b/controllers/account.go
@@ -312,6 +312,29 @@ func (c *ApiController) Signup() {
 	userId := user.GetId()
 	util.LogInfo(c.Ctx, "API: [%s] is signed up as new user", userId)

+	// Check if this is an OAuth flow and automatically generate code
+	clientId := c.Ctx.Input.Query("clientId")
+	responseType := c.Ctx.Input.Query("responseType")
+	redirectUri := c.Ctx.Input.Query("redirectUri")
+	scope := c.Ctx.Input.Query("scope")
+	state := c.Ctx.Input.Query("state")
+	nonce := c.Ctx.Input.Query("nonce")
+	codeChallenge := c.Ctx.Input.Query("code_challenge")
+
+	// If OAuth parameters are present, generate OAuth code and return it
+	if clientId != "" && responseType == ResponseTypeCode {
+		code, err := object.GetOAuthCode(userId, clientId, "", "password", responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host, c.GetAcceptLanguage())
+		if err != nil {
+			c.ResponseError(err.Error(), nil)
+			return
+		}
+
+		resp := codeToResponse(code)
+		c.Data["json"] = resp
+		c.ServeJSON()
+		return
+	}
+
 	c.ResponseOk(userId)
 }

--- a/controllers/auth.go
+++ b/controllers/auth.go
@@ -739,6 +739,7 @@ func (c *ApiController) Login() {
 		} else if provider.Category == "OAuth" || provider.Category == "Web3" {
 			// OAuth
 			idpInfo := object.FromProviderToIdpInfo(c.Ctx, provider)
+			idpInfo.CodeVerifier = authForm.CodeVerifier
 			var idProvider idp.IdProvider
 			idProvider, err = idp.GetIdProvider(idpInfo, authForm.RedirectUri)
 			if err != nil {
@@ -866,10 +867,16 @@ func (c *ApiController) Login() {
 						return
 					}

-					if application.IsSignupItemRequired("Invitation code") {
-						c.ResponseError(c.T("check:Invitation code cannot be blank"))
+					// Check and validate invitation code
+					invitation, msg := object.CheckInvitationCode(application, organization, &authForm, c.GetAcceptLanguage())
+					if msg != "" {
+						c.ResponseError(msg)
 						return
 					}
+					invitationName := ""
+					if invitation != nil {
+						invitationName = invitation.Name
+					}

 					// Handle UseEmailAsUsername for OAuth and Web3
 					if organization.UseEmailAsUsername && userInfo.Email != "" {
@@ -936,11 +943,16 @@ func (c *ApiController) Login() {
 						IsDeleted:         false,
 						SignupApplication: application.Name,
 						Properties:        properties,
+						Invitation:        invitationName,
+						InvitationCode:    authForm.InvitationCode,
 						RegisterType:      "Application Signup",
 						RegisterSource:    fmt.Sprintf("%s/%s", application.Organization, application.Name),
 					}

-					if providerItem.SignupGroup != "" {
+					// Set group from invitation code if available, otherwise use provider's signup group
+					if invitation != nil && invitation.SignupGroup != "" {
+						user.Groups = []string{invitation.SignupGroup}
+					} else if providerItem.SignupGroup != "" {
 						user.Groups = []string{providerItem.SignupGroup}
 					}

@@ -955,6 +967,16 @@ func (c *ApiController) Login() {
 						c.ResponseError(fmt.Sprintf(c.T("auth:Failed to create user, user information is invalid: %s"), util.StructToJson(user)))
 						return
 					}
+
+					// Increment invitation usage count
+					if invitation != nil {
+						invitation.UsedCount += 1
+						_, err = object.UpdateInvitation(invitation.GetId(), invitation, c.GetAcceptLanguage())
+						if err != nil {
+							c.ResponseError(err.Error())
+							return
+						}
+					}
 				}

 				// sync info from 3rd-party if possible
--- a/controllers/casbin_api.go
+++ b/controllers/casbin_api.go
@@ -303,6 +303,13 @@ func (c *ApiController) BatchEnforce() {
 	c.ResponseOk(res, keyRes)
 }

+// GetAllObjects
+// @Title GetAllObjects
+// @Tag Enforcer API
+// @Description Get all objects for a user (Casbin API)
+// @Param   userId    query   string  false   "user id like built-in/admin"
+// @Success 200 {object} controllers.Response The Response object
+// @router /get-all-objects [get]
 func (c *ApiController) GetAllObjects() {
 	userId := c.Ctx.Input.Query("userId")
 	if userId == "" {
@@ -322,6 +329,13 @@ func (c *ApiController) GetAllObjects() {
 	c.ResponseOk(objects)
 }

+// GetAllActions
+// @Title GetAllActions
+// @Tag Enforcer API
+// @Description Get all actions for a user (Casbin API)
+// @Param   userId    query   string  false   "user id like built-in/admin"
+// @Success 200 {object} controllers.Response The Response object
+// @router /get-all-actions [get]
 func (c *ApiController) GetAllActions() {
 	userId := c.Ctx.Input.Query("userId")
 	if userId == "" {
@@ -341,6 +355,13 @@ func (c *ApiController) GetAllActions() {
 	c.ResponseOk(actions)
 }

+// GetAllRoles
+// @Title GetAllRoles
+// @Tag Enforcer API
+// @Description Get all roles for a user (Casbin API)
+// @Param   userId    query   string  false   "user id like built-in/admin"
+// @Success 200 {object} controllers.Response The Response object
+// @router /get-all-roles [get]
 func (c *ApiController) GetAllRoles() {
 	userId := c.Ctx.Input.Query("userId")
 	if userId == "" {
--- a/controllers/invitation.go
+++ b/controllers/invitation.go
@@ -103,7 +103,7 @@ func (c *ApiController) GetInvitationCodeInfo() {
 		return
 	}
 	if application == nil {
-		c.ResponseError(fmt.Sprintf(c.T("general:The application: %s does not exist"), applicationId))
+		c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), applicationId))
 		return
 	}

@@ -230,7 +230,7 @@ func (c *ApiController) SendInvitation() {
 		return
 	}
 	if organization == nil {
-		c.ResponseError(fmt.Sprintf(c.T("general:The organization: %s does not exist"), invitation.Owner))
+		c.ResponseError(fmt.Sprintf(c.T("auth:The organization: %s does not exist"), invitation.Owner))
 		return
 	}

--- a/controllers/subscription.go
+++ b/controllers/subscription.go
@@ -16,6 +16,7 @@ package controllers

 import (
 	"encoding/json"
+	"fmt"

 	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@@ -150,6 +151,26 @@ func (c *ApiController) AddSubscription() {
 		return
 	}

+	// Check if plan restricts user to one subscription
+	if subscription.Plan != "" {
+		plan, err := object.GetPlan(util.GetId(subscription.Owner, subscription.Plan))
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		if plan != nil && plan.IsExclusive {
+			hasSubscription, err := object.HasActiveSubscriptionForPlan(subscription.Owner, subscription.User, subscription.Plan)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+			if hasSubscription {
+				c.ResponseError(fmt.Sprintf("User already has an active subscription for plan: %s", subscription.Plan))
+				return
+			}
+		}
+	}
+
 	c.Data["json"] = wrapActionResponse(object.AddSubscription(&subscription))
 	c.ServeJSON()
 }
--- a/controllers/token.go
+++ b/controllers/token.go
@@ -173,6 +173,9 @@ func (c *ApiController) GetOAuthToken() {
 	avatar := c.Ctx.Input.Query("avatar")
 	refreshToken := c.Ctx.Input.Query("refresh_token")
 	deviceCode := c.Ctx.Input.Query("device_code")
+	subjectToken := c.Ctx.Input.Query("subject_token")
+	subjectTokenType := c.Ctx.Input.Query("subject_token_type")
+	audience := c.Ctx.Input.Query("audience")

 	if clientId == "" && clientSecret == "" {
 		clientId, clientSecret, _ = c.Ctx.Request.BasicAuth()
@@ -219,6 +222,15 @@ func (c *ApiController) GetOAuthToken() {
 			if refreshToken == "" {
 				refreshToken = tokenRequest.RefreshToken
 			}
+			if subjectToken == "" {
+				subjectToken = tokenRequest.SubjectToken
+			}
+			if subjectTokenType == "" {
+				subjectTokenType = tokenRequest.SubjectTokenType
+			}
+			if audience == "" {
+				audience = tokenRequest.Audience
+			}
 		}
 	}

@@ -263,7 +275,7 @@ func (c *ApiController) GetOAuthToken() {
 	}

 	host := c.Ctx.Request.Host
-	token, err := object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, nonce, username, password, host, refreshToken, tag, avatar, c.GetAcceptLanguage())
+	token, err := object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, nonce, username, password, host, refreshToken, tag, avatar, c.GetAcceptLanguage(), subjectToken, subjectTokenType, audience)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/controllers/types.go
+++ b/controllers/types.go
@@ -15,16 +15,19 @@
 package controllers

 type TokenRequest struct {
-	ClientId     string `json:"client_id"`
-	ClientSecret string `json:"client_secret"`
-	GrantType    string `json:"grant_type"`
-	Code         string `json:"code"`
-	Verifier     string `json:"code_verifier"`
-	Scope        string `json:"scope"`
-	Nonce        string `json:"nonce"`
-	Username     string `json:"username"`
-	Password     string `json:"password"`
-	Tag          string `json:"tag"`
-	Avatar       string `json:"avatar"`
-	RefreshToken string `json:"refresh_token"`
+	ClientId         string `json:"client_id"`
+	ClientSecret     string `json:"client_secret"`
+	GrantType        string `json:"grant_type"`
+	Code             string `json:"code"`
+	Verifier         string `json:"code_verifier"`
+	Scope            string `json:"scope"`
+	Nonce            string `json:"nonce"`
+	Username         string `json:"username"`
+	Password         string `json:"password"`
+	Tag              string `json:"tag"`
+	Avatar           string `json:"avatar"`
+	RefreshToken     string `json:"refresh_token"`
+	SubjectToken     string `json:"subject_token"`
+	SubjectTokenType string `json:"subject_token_type"`
+	Audience         string `json:"audience"`
 }
--- a/controllers/user.go
+++ b/controllers/user.go
@@ -942,7 +942,7 @@ func (c *ApiController) VerifyIdentification() {
 		}

 		if provider == nil {
-			c.ResponseError(fmt.Sprintf(c.T("provider:The provider: %s does not exist"), providerName))
+			c.ResponseError(fmt.Sprintf(c.T("auth:The provider: %s does not exist"), providerName))
 			return
 		}

--- a/controllers/verification.go
+++ b/controllers/verification.go
@@ -187,6 +187,22 @@ func (c *ApiController) SendVerificationCode() {
 		return
 	}

+	// Check if "Forgot password?" signin item is visible when using forget verification
+	if vform.Method == ForgetVerification {
+		isForgotPasswordEnabled := false
+		for _, item := range application.SigninItems {
+			if item.Name == "Forgot password?" {
+				isForgotPasswordEnabled = item.Visible
+				break
+			}
+		}
+		// Block access if the signin item is not found or is explicitly hidden
+		if !isForgotPasswordEnabled {
+			c.ResponseError(c.T("verification:The forgot password feature is disabled"))
+			return
+		}
+	}
+
 	organization, err := object.GetOrganization(util.GetId(application.Owner, application.Organization))
 	if err != nil {
 		c.ResponseError(c.T(err.Error()))
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -1,8 +1,10 @@
 #!/bin/bash
-if [ "${MYSQL_ROOT_PASSWORD}" = "" ] ;then MYSQL_ROOT_PASSWORD=123456 ;fi

-service mariadb start
+if [ -z "${driverName:-}" ]; then
+  export driverName=sqlite
+fi
+if [ -z "${dataSourceName:-}" ]; then
+  export dataSourceName="file:casdoor.db?cache=shared"
+fi

-mysqladmin -u root password ${MYSQL_ROOT_PASSWORD}
-
-exec /server --createDatabase=true
+exec /server
--- a/form/auth.go
+++ b/form/auth.go
@@ -46,6 +46,7 @@ type AuthForm struct {
 	State        string `json:"state"`
 	RedirectUri  string `json:"redirectUri"`
 	Method       string `json:"method"`
+	CodeVerifier string `json:"codeVerifier"`

 	EmailCode   string `json:"emailCode"`
 	PhoneCode   string `json:"phoneCode"`
--- a/go.mod
+++ b/go.mod
@@ -14,6 +14,7 @@ require (
 	github.com/alibabacloud-go/openapi-util v0.1.0
 	github.com/alibabacloud-go/tea v1.3.2
 	github.com/alibabacloud-go/tea-utils/v2 v2.0.7
+	github.com/aliyun/alibaba-cloud-sdk-go v1.63.107
 	github.com/aliyun/aliyun-oss-go-sdk v2.2.2+incompatible
 	github.com/aliyun/credentials-go v1.3.10
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.95.0
@@ -111,7 +112,6 @@ require (
 	github.com/alibabacloud-go/tea-oss-utils v1.1.0 // indirect
 	github.com/alibabacloud-go/tea-utils v1.3.6 // indirect
 	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
-	github.com/aliyun/alibaba-cloud-sdk-go v1.62.545 // indirect
 	github.com/apistd/uni-go-sdk v0.0.2 // indirect
 	github.com/atc0005/go-teams-notify/v2 v2.13.0 // indirect
 	github.com/aws/aws-sdk-go v1.45.5 // indirect
--- a/go.sum
+++ b/go.sum
@@ -766,8 +766,8 @@ github.com/alibabacloud-go/tea-xml v1.1.1/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCE
 github.com/alibabacloud-go/tea-xml v1.1.2/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=
 github.com/alibabacloud-go/tea-xml v1.1.3 h1:7LYnm+JbOq2B+T/B0fHC4Ies4/FofC4zHzYtqw7dgt0=
 github.com/alibabacloud-go/tea-xml v1.1.3/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=
-github.com/aliyun/alibaba-cloud-sdk-go v1.62.545 h1:0LfzeUr4quwrrrTHn1kfLA0FBdsChCMs8eK2EzOwXVQ=
-github.com/aliyun/alibaba-cloud-sdk-go v1.62.545/go.mod h1:Api2AkmMgGaSUAhmk76oaFObkoeCPc/bKAqcyplPODs=
+github.com/aliyun/alibaba-cloud-sdk-go v1.63.107 h1:qagvUyrgOnBIlVRQWOyCZGVKUIYbMBdGdJ104vBpRFU=
+github.com/aliyun/alibaba-cloud-sdk-go v1.63.107/go.mod h1:SOSDHfe1kX91v3W5QiBsWSLqeLxImobbMX1mxrFHsVQ=
 github.com/aliyun/aliyun-oss-go-sdk v2.2.2+incompatible h1:9gWa46nstkJ9miBReJcN8Gq34cBFbzSpQZVVT9N09TM=
 github.com/aliyun/aliyun-oss-go-sdk v2.2.2+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
 github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw=
@@ -1294,7 +1294,6 @@ github.com/jcmturner/gokrb5/v8 v8.4.2/go.mod h1:sb+Xq/fTY5yktf/VxLsE3wlfPqQjp0aW
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jinzhu/configor v1.2.1 h1:OKk9dsR8i6HPOCZR8BcMtcEImAFjIhbJFZNyn5GCZko=
 github.com/jinzhu/configor v1.2.1/go.mod h1:nX89/MOmDba7ZX7GCyU/VIaQ2Ar2aizBl2d3JLF/rDc=
-github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
@@ -1308,7 +1307,6 @@ github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUB
 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible h1:jdpOPRN1zP63Td1hDQbZW73xKmzDvZHzVdNYxhnTMDA=
 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible/go.mod h1:1c7szIrayyPPB/987hsnvNzLushdWf4o/79s3P08L8A=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
-github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -2615,7 +2613,6 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
 gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.66.6/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
@@ -2637,6 +2634,7 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/i18n/deduplicate_test.go
+++ b/i18n/deduplicate_test.go
@@ -0,0 +1,140 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package i18n
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"os"
+	"testing"
+)
+
+// DuplicateInfo represents information about a duplicate key
+type DuplicateInfo struct {
+	Key          string
+	OldPrefix    string
+	NewPrefix    string
+	OldPrefixKey string // e.g., "general:Submitter"
+	NewPrefixKey string // e.g., "permission:Submitter"
+}
+
+// findDuplicateKeysInJSON finds duplicate keys across the entire JSON file
+// Returns a list of duplicate information showing old and new prefix:key pairs
+// The order is determined by the order keys appear in the JSON file (git history)
+func findDuplicateKeysInJSON(filePath string) ([]DuplicateInfo, error) {
+	// Read the JSON file
+	fileContent, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read file %s: %w", filePath, err)
+	}
+
+	// Track the first occurrence of each key (prefix where it was first seen)
+	keyFirstPrefix := make(map[string]string)
+	var duplicates []DuplicateInfo
+
+	// To preserve order, we need to parse the JSON with order preservation
+	// We'll use a decoder to read through the top-level object
+	decoder := json.NewDecoder(bytes.NewReader(fileContent))
+
+	// Read the opening brace of the top-level object
+	token, err := decoder.Token()
+	if err != nil {
+		return nil, fmt.Errorf("failed to read token: %w", err)
+	}
+	if delim, ok := token.(json.Delim); !ok || delim != '{' {
+		return nil, fmt.Errorf("expected object start, got %v", token)
+	}
+
+	// Read all namespaces in order
+	for decoder.More() {
+		// Read the namespace (prefix) name
+		token, err := decoder.Token()
+		if err != nil {
+			return nil, fmt.Errorf("failed to read namespace: %w", err)
+		}
+
+		prefix, ok := token.(string)
+		if !ok {
+			return nil, fmt.Errorf("expected string namespace, got %v", token)
+		}
+
+		// Read the namespace object as raw message
+		var namespaceData map[string]string
+		if err := decoder.Decode(&namespaceData); err != nil {
+			return nil, fmt.Errorf("failed to decode namespace %s: %w", prefix, err)
+		}
+
+		// Now check each key in this namespace
+		for key := range namespaceData {
+			// Check if this key was already seen in a different prefix
+			if firstPrefix, exists := keyFirstPrefix[key]; exists {
+				// This is a duplicate - the key exists in another prefix
+				duplicates = append(duplicates, DuplicateInfo{
+					Key:          key,
+					OldPrefix:    firstPrefix,
+					NewPrefix:    prefix,
+					OldPrefixKey: fmt.Sprintf("%s:%s", firstPrefix, key),
+					NewPrefixKey: fmt.Sprintf("%s:%s", prefix, key),
+				})
+			} else {
+				// First time seeing this key, record the prefix
+				keyFirstPrefix[key] = prefix
+			}
+		}
+	}
+
+	return duplicates, nil
+}
+
+// TestDeduplicateFrontendI18n checks for duplicate i18n keys in the frontend en.json file
+func TestDeduplicateFrontendI18n(t *testing.T) {
+	filePath := "../web/src/locales/en/data.json"
+
+	// Find duplicate keys
+	duplicates, err := findDuplicateKeysInJSON(filePath)
+	if err != nil {
+		t.Fatalf("Failed to check for duplicates in frontend i18n file: %v", err)
+	}
+
+	// Print all duplicates and fail the test if any are found
+	if len(duplicates) > 0 {
+		t.Errorf("Found duplicate i18n keys in frontend file (%s):", filePath)
+		for _, dup := range duplicates {
+			t.Errorf("  i18next.t(\"%s\") duplicates with i18next.t(\"%s\")", dup.NewPrefixKey, dup.OldPrefixKey)
+		}
+		t.Fail()
+	}
+}
+
+// TestDeduplicateBackendI18n checks for duplicate i18n keys in the backend en.json file
+func TestDeduplicateBackendI18n(t *testing.T) {
+	filePath := "../i18n/locales/en/data.json"
+
+	// Find duplicate keys
+	duplicates, err := findDuplicateKeysInJSON(filePath)
+	if err != nil {
+		t.Fatalf("Failed to check for duplicates in backend i18n file: %v", err)
+	}
+
+	// Print all duplicates and fail the test if any are found
+	if len(duplicates) > 0 {
+		t.Errorf("Found duplicate i18n keys in backend file (%s):", filePath)
+		for _, dup := range duplicates {
+			t.Errorf("  i18n.Translate(\"%s\") duplicates with i18n.Translate(\"%s\")", dup.NewPrefixKey, dup.OldPrefixKey)
+		}
+		t.Fail()
+	}
+}
--- a/i18n/generate.go
+++ b/i18n/generate.go
@@ -19,6 +19,7 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"strconv"
 	"strings"

 	"github.com/casdoor/casdoor/util"
@@ -47,7 +48,11 @@ func getAllI18nStringsFrontend(fileContent string) []string {
 	}

 	for _, match := range matches {
-		res = append(res, match[1])
+		target, err := strconv.Unquote("\"" + match[1] + "\"")
+		if err != nil {
+			target = match[1]
+		}
+		res = append(res, target)
 	}
 	return res
 }
@@ -61,7 +66,12 @@ func getAllI18nStringsBackend(fileContent string, isObjectPackage bool) []string
 		}
 		for _, match := range matches {
 			match := strings.SplitN(match[1], ",", 2)
-			res = append(res, match[1][2:])
+			target, err := strconv.Unquote("\"" + match[1][2:] + "\"")
+			if err != nil {
+				target = match[1][2:]
+			}
+
+			res = append(res, target)
 		}
 	} else {
 		matches := reI18nBackendController.FindAllStringSubmatch(fileContent, -1)
@@ -69,7 +79,11 @@ func getAllI18nStringsBackend(fileContent string, isObjectPackage bool) []string
 			return res
 		}
 		for _, match := range matches {
-			res = append(res, match[1][1:])
+			target, err := strconv.Unquote("\"" + match[1][1:] + "\"")
+			if err != nil {
+				target = match[1][1:]
+			}
+			res = append(res, target)
 		}
 	}

--- a/i18n/locales/de/data.json
+++ b/i18n/locales/de/data.json
@@ -2,7 +2,6 @@
  "account": {
    "Failed to add user": "Konnte den Benutzer nicht hinzufügen",
    "Get init score failed, error: %w": "Init-Score konnte nicht abgerufen werden, Fehler: %w",
-    "Please sign out first": "Bitte melden Sie sich zuerst ab",
    "The application does not allow to sign up new account": "Die Anwendung erlaubt es nicht, sich für ein neues Konto anzumelden"
  },
  "auth": {
@@ -23,6 +22,7 @@
    "The login method: login with email is not enabled for the application": "Die Anmeldemethode: Anmeldung per E-Mail ist für die Anwendung nicht aktiviert",
    "The login method: login with face is not enabled for the application": "Die Anmeldemethode: Anmeldung per Gesicht ist für die Anwendung nicht aktiviert",
    "The login method: login with password is not enabled for the application": "Die Anmeldeart \"Anmeldung mit Passwort\" ist für die Anwendung nicht aktiviert",
+    "The order: %s does not exist": "Die Bestellung: %s existiert nicht",
    "The organization: %s does not exist": "Die Organisation: %s existiert nicht",
    "The organization: %s has disabled users to signin": "Die Organisation: %s hat die Anmeldung von Benutzern deaktiviert",
    "The plan: %s does not exist": "Der Plan: %s existiert nicht",
@@ -48,7 +48,7 @@
    "CIDR for IP: %s should not be empty": "CIDR für IP: %s darf nicht leer sein",
    "Default code does not match the code's matching rules": "Standardcode entspricht nicht den Übereinstimmungsregeln des Codes",
    "DisplayName cannot be blank": "Anzeigename kann nicht leer sein",
-    "DisplayName is not valid real name": "DisplayName ist kein gültiger Vorname",
+    "DisplayName is not valid real name": "Der Anzeigename ist kein gültiger echter Name",
    "Email already exists": "E-Mail existiert bereits",
    "Email cannot be empty": "E-Mail darf nicht leer sein",
    "Email is invalid": "E-Mail ist ungültig",
@@ -57,11 +57,11 @@
    "Face data mismatch": "Gesichtsdaten stimmen nicht überein",
    "Failed to parse client IP: %s": "Fehler beim Parsen der Client-IP: %s",
    "FirstName cannot be blank": "Vorname darf nicht leer sein",
+    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "Gastbenutzer müssen ihr Konto aktualisieren, indem sie einen Benutzernamen und ein Passwort festlegen, bevor sie sich direkt anmelden können",
    "Invitation code cannot be blank": "Einladungscode darf nicht leer sein",
    "Invitation code exhausted": "Einladungscode aufgebraucht",
    "Invitation code is invalid": "Einladungscode ist ungültig",
    "Invitation code suspended": "Einladungscode ausgesetzt",
-    "LDAP user name or password incorrect": "Ldap Benutzername oder Passwort falsch",
    "LastName cannot be blank": "Nachname darf nicht leer sein",
    "Multiple accounts with same uid, please check your ldap server": "Mehrere Konten mit derselben uid, bitte überprüfen Sie Ihren LDAP-Server",
    "Organization does not exist": "Organisation existiert nicht",
@@ -83,8 +83,8 @@
    "The user is forbidden to sign in, please contact the administrator": "Dem Benutzer ist der Zugang verboten, bitte kontaktieren Sie den Administrator",
    "The user: %s doesn't exist in LDAP server": "Der Benutzer: %s existiert nicht im LDAP-Server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Der Benutzername darf nur alphanumerische Zeichen, Unterstriche oder Bindestriche enthalten, keine aufeinanderfolgenden Bindestriche oder Unterstriche haben und darf nicht mit einem Bindestrich oder Unterstrich beginnen oder enden.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "Der Wert \\\"%s\\\" für das Kontenfeld \\\"%s\\\" stimmt nicht mit dem Kontenelement-Regex überein",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "Der Wert \\\"%s\\\" für das Registrierungsfeld \\\"%s\\\" stimmt nicht mit dem Registrierungselement-Regex der Anwendung \\\"%s\\\" überein",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "Der Wert \"%s\" für das Kontenfeld \"%s\" stimmt nicht mit dem Kontenelement-Regex überein",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "Der Wert \"%s\" für das Registrierungsfeld \"%s\" stimmt nicht mit dem Registrierungselement-Regex der Anwendung \"%s\" überein",
    "Username already exists": "Benutzername existiert bereits",
    "Username cannot be an email address": "Benutzername kann keine E-Mail-Adresse sein",
    "Username cannot contain white spaces": "Benutzername darf keine Leerzeichen enthalten",
@@ -94,7 +94,7 @@
    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "Benutzername unterstützt E-Mail-Format. Der Benutzername darf nur alphanumerische Zeichen, Unterstriche oder Bindestriche enthalten, keine aufeinanderfolgenden Bindestriche oder Unterstriche haben und darf nicht mit einem Bindestrich oder Unterstrich beginnen oder enden. Achten Sie auch auf das E-Mail-Format.",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Sie haben zu oft das falsche Passwort oder den falschen Code eingegeben. Bitte warten Sie %d Minuten und versuchen Sie es erneut",
    "Your IP address: %s has been banned according to the configuration of: ": "Ihre IP-Adresse: %s wurde laut Konfiguration gesperrt von: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Ihr Passwort ist abgelaufen. Bitte setzen Sie Ihr Passwort zurück, indem Sie auf \\\"Passwort vergessen\\\" klicken",
+    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "Ihr Passwort ist abgelaufen. Bitte setzen Sie Ihr Passwort zurück, indem Sie auf \"Passwort vergessen\" klicken",
    "Your region is not allow to signup by phone": "Ihre Region ist nicht berechtigt, sich telefonisch anzumelden",
    "password or code is incorrect": "Passwort oder Code ist falsch",
    "password or code is incorrect, you have %s remaining chances": "Das Passwort oder der Code ist falsch. Du hast noch %s Versuche übrig",
@@ -106,11 +106,17 @@
  "general": {
    "Failed to import groups": "Gruppen importieren fehlgeschlagen",
    "Failed to import users": "Fehler beim Importieren von Benutzern",
+    "Insufficient balance: new balance %v would be below credit limit %v": "Unzureichendes Guthaben: neues Guthaben %v wäre unter dem Kreditlimit %v",
+    "Insufficient balance: new organization balance %v would be below credit limit %v": "Unzureichendes Guthaben: neues Organisationsguthaben %v wäre unter dem Kreditlimit %v",
    "Missing parameter": "Fehlender Parameter",
    "Only admin user can specify user": "Nur Administrator kann Benutzer angeben",
    "Please login first": "Bitte zuerst einloggen",
+    "The LDAP: %s does not exist": "Das LDAP: %s existiert nicht",
    "The organization: %s should have one application at least": "Die Organisation: %s sollte mindestens eine Anwendung haben",
+    "The syncer: %s does not exist": "Der Synchronizer: %s existiert nicht",
    "The user: %s doesn't exist": "Der Benutzer %s existiert nicht",
+    "The user: %s is not found": "Der Benutzer: %s wurde nicht gefunden",
+    "User is required for User category transaction": "Benutzer ist für Benutzer-Kategorie-Transaktionen erforderlich",
    "Wrong userId": "Falsche Benutzer-ID",
    "don't support captchaProvider: ": "Unterstütze captchaProvider nicht:",
    "this operation is not allowed in demo mode": "Dieser Vorgang ist im Demo-Modus nicht erlaubt",
@@ -137,10 +143,16 @@
    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "Das Hinzufügen eines neuen Benutzers zur 'eingebauten' Organisation ist derzeit deaktiviert. Bitte beachten Sie: Alle Benutzer in der 'eingebauten' Organisation sind globale Administratoren in Casdoor. Siehe die Docs: https://casdoor.org/docs/basic/core-concepts#how  -does-casdoor-manage-sich selbst. Wenn Sie immer noch einen Benutzer für die 'eingebaute' Organisation erstellen möchten, gehen Sie auf die Einstellungsseite der Organisation und aktivieren Sie die Option 'Habt Berechtigungszustimmung'."
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "Die Berechtigung: \\\"%s\\\" existiert nicht"
+    "The permission: \"%s\" doesn't exist": "Die Berechtigung: \"%s\" existiert nicht"
+  },
+  "product": {
+    "Product list cannot be empty": "Produktliste darf nicht leer sein"
  },
  "provider": {
+    "Failed to initialize ID Verification provider": "ID-Verifizierungsanbieter konnte nicht initialisiert werden",
    "Invalid application id": "Ungültige Anwendungs-ID",
+    "No ID Verification provider configured": "Kein ID-Verifizierungsanbieter konfiguriert",
+    "Provider is not an ID Verification provider": "Anbieter ist kein ID-Verifizierungsanbieter",
    "the provider: %s does not exist": "Der Anbieter %s existiert nicht"
  },
  "resource": {
@@ -158,6 +170,9 @@
    "Invalid Email receivers: %s": "Ungültige E-Mail-Empfänger: %s",
    "Invalid phone receivers: %s": "Ungültige Telefonempfänger: %s"
  },
+  "session": {
+    "session id %s is the current session and cannot be deleted": "Sitzungs-ID %s ist die aktuelle Sitzung und kann nicht gelöscht werden"
+  },
  "storage": {
    "The objectKey: %s is not allowed": "Der Objektschlüssel %s ist nicht erlaubt",
    "The provider type: %s is not supported": "Der Anbieter-Typ %s wird nicht unterstützt"
@@ -165,6 +180,9 @@
  "subscription": {
    "Error": "Fehler"
  },
+  "ticket": {
+    "Ticket not found": "Ticket nicht gefunden"
+  },
  "token": {
    "Grant_type: %s is not supported in this application": "Grant_type: %s wird von dieser Anwendung nicht unterstützt",
    "Invalid application or wrong clientSecret": "Ungültige Anwendung oder falsches clientSecret",
@@ -174,10 +192,14 @@
  },
  "user": {
    "Display name cannot be empty": "Anzeigename darf nicht leer sein",
+    "ID card information and real name are required": "Personalausweisinformationen und vollständiger Name sind erforderlich",
+    "Identity verification failed": "Identitätsprüfung fehlgeschlagen",
    "MFA email is enabled but email is empty": "MFA-E-Mail ist aktiviert, aber E-Mail ist leer",
    "MFA phone is enabled but phone number is empty": "MFA-Telefon ist aktiviert, aber Telefonnummer ist leer",
    "New password cannot contain blank space.": "Das neue Passwort darf keine Leerzeichen enthalten.",
+    "No application found for user": "Keine Anwendung für Benutzer gefunden",
    "The new password must be different from your current password": "Das neue Passwort muss sich von Ihrem aktuellen Passwort unterscheiden",
+    "User is already verified": "Benutzer ist bereits verifiziert",
    "the user's owner and name should not be empty": "Eigentümer und Name des Benutzers dürfen nicht leer sein"
  },
  "util": {
@@ -188,6 +210,7 @@
  "verification": {
    "Invalid captcha provider.": "Ungültiger Captcha-Anbieter.",
    "Phone number is invalid in your region %s": "Die Telefonnummer ist in Ihrer Region %s ungültig",
+    "The forgot password feature is disabled": "Die Funktion \"Passwort vergessen\" ist deaktiviert",
    "The verification code has already been used!": "Der Verifizierungscode wurde bereits verwendet!",
    "The verification code has not been sent yet!": "Der Verifizierungscode wurde noch nicht gesendet!",
    "Turing test failed.": "Turing-Test fehlgeschlagen.",
@@ -196,8 +219,8 @@
    "Unknown type": "Unbekannter Typ",
    "Wrong verification code!": "Falscher Bestätigungscode!",
    "You should verify your code in %d min!": "Du solltest deinen Code in %d Minuten verifizieren!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "Bitte fügen Sie einen SMS-Anbieter zur \\\"Providers\\\"-Liste für die Anwendung hinzu: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "Bitte fügen Sie einen E-Mail-Anbieter zur \\\"Providers\\\"-Liste für die Anwendung hinzu: %s",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "Bitte fügen Sie einen SMS-Anbieter zur \"Providers\"-Liste für die Anwendung hinzu: %s",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "Bitte fügen Sie einen E-Mail-Anbieter zur \"Providers\"-Liste für die Anwendung hinzu: %s",
    "the user does not exist, please sign up first": "Der Benutzer existiert nicht, bitte zuerst anmelden"
  },
  "webauthn": {
--- a/i18n/locales/en/data.json
+++ b/i18n/locales/en/data.json
@@ -2,7 +2,6 @@
  "account": {
    "Failed to add user": "Failed to add user",
    "Get init score failed, error: %w": "Get init score failed, error: %w",
-    "Please sign out first": "Please sign out first",
    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
  },
  "auth": {
@@ -23,6 +22,7 @@
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The order: %s does not exist": "The order: %s does not exist",
    "The organization: %s does not exist": "The organization: %s does not exist",
    "The organization: %s has disabled users to signin": "The organization: %s has disabled users to signin",
    "The plan: %s does not exist": "The plan: %s does not exist",
@@ -57,11 +57,11 @@
    "Face data mismatch": "Face data mismatch",
    "Failed to parse client IP: %s": "Failed to parse client IP: %s",
    "FirstName cannot be blank": "FirstName cannot be blank",
+    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "Guest users must upgrade their account by setting a username and password before they can sign in directly",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
    "Invitation code is invalid": "Invitation code is invalid",
    "Invitation code suspended": "Invitation code suspended",
-    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
    "LastName cannot be blank": "LastName cannot be blank",
    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
    "Organization does not exist": "Organization does not exist",
@@ -83,8 +83,8 @@
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "The value \"%s\" for account field \"%s\" doesn't match the account item regex",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
    "Username cannot contain white spaces": "Username cannot contain white spaces",
@@ -94,7 +94,7 @@
    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
    "Your IP address: %s has been banned according to the configuration of: ": "Your IP address: %s has been banned according to the configuration of: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"",
+    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "Your password has expired. Please reset your password by clicking \"Forgot password\"",
    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
    "password or code is incorrect": "password or code is incorrect",
    "password or code is incorrect, you have %s remaining chances": "password or code is incorrect, you have %s remaining chances",
@@ -106,11 +106,17 @@
  "general": {
    "Failed to import groups": "Failed to import groups",
    "Failed to import users": "Failed to import users",
+    "Insufficient balance: new balance %v would be below credit limit %v": "Insufficient balance: new balance %v would be below credit limit %v",
+    "Insufficient balance: new organization balance %v would be below credit limit %v": "Insufficient balance: new organization balance %v would be below credit limit %v",
    "Missing parameter": "Missing parameter",
    "Only admin user can specify user": "Only admin user can specify user",
    "Please login first": "Please login first",
+    "The LDAP: %s does not exist": "The LDAP: %s does not exist",
    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
+    "The syncer: %s does not exist": "The syncer: %s does not exist",
    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "The user: %s is not found": "The user: %s is not found",
+    "User is required for User category transaction": "User is required for User category transaction",
    "Wrong userId": "Wrong userId",
    "don't support captchaProvider: ": "don't support captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode",
@@ -137,10 +143,16 @@
    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option."
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+    "The permission: \"%s\" doesn't exist": "The permission: \"%s\" doesn't exist"
+  },
+  "product": {
+    "Product list cannot be empty": "Product list cannot be empty"
  },
  "provider": {
+    "Failed to initialize ID Verification provider": "Failed to initialize ID Verification provider",
    "Invalid application id": "Invalid application id",
+    "No ID Verification provider configured": "No ID Verification provider configured",
+    "Provider is not an ID Verification provider": "Provider is not an ID Verification provider",
    "the provider: %s does not exist": "the provider: %s does not exist"
  },
  "resource": {
@@ -158,6 +170,9 @@
    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
  },
+  "session": {
+    "session id %s is the current session and cannot be deleted": "session id %s is the current session and cannot be deleted"
+  },
  "storage": {
    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
    "The provider type: %s is not supported": "The provider type: %s is not supported"
@@ -165,6 +180,9 @@
  "subscription": {
    "Error": "Error"
  },
+  "ticket": {
+    "Ticket not found": "Ticket not found"
+  },
  "token": {
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
@@ -174,10 +192,14 @@
  },
  "user": {
    "Display name cannot be empty": "Display name cannot be empty",
+    "ID card information and real name are required": "ID card information and real name are required",
+    "Identity verification failed": "Identity verification failed",
    "MFA email is enabled but email is empty": "MFA email is enabled but email is empty",
    "MFA phone is enabled but phone number is empty": "MFA phone is enabled but phone number is empty",
    "New password cannot contain blank space.": "New password cannot contain blank space.",
+    "No application found for user": "No application found for user",
    "The new password must be different from your current password": "The new password must be different from your current password",
+    "User is already verified": "User is already verified",
    "the user's owner and name should not be empty": "the user's owner and name should not be empty"
  },
  "util": {
@@ -188,6 +210,7 @@
  "verification": {
    "Invalid captcha provider.": "Invalid captcha provider.",
    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "The forgot password feature is disabled": "The forgot password feature is disabled",
    "The verification code has already been used!": "The verification code has already been used!",
    "The verification code has not been sent yet!": "The verification code has not been sent yet!",
    "Turing test failed.": "Turing test failed.",
@@ -196,8 +219,8 @@
    "Unknown type": "Unknown type",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "please add a SMS provider to the \"Providers\" list for the application: %s",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "please add an Email provider to the \"Providers\" list for the application: %s",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
  },
  "webauthn": {
--- a/i18n/locales/es/data.json
+++ b/i18n/locales/es/data.json
@@ -2,7 +2,6 @@
  "account": {
    "Failed to add user": "No se pudo agregar el usuario",
    "Get init score failed, error: %w": "Error al obtener el puntaje de inicio, error: %w",
-    "Please sign out first": "Por favor, cierra sesión primero",
    "The application does not allow to sign up new account": "La aplicación no permite registrarse con una cuenta nueva"
  },
  "auth": {
@@ -23,6 +22,7 @@
    "The login method: login with email is not enabled for the application": "El método de inicio de sesión: inicio de sesión con correo electrónico no está habilitado para la aplicación",
    "The login method: login with face is not enabled for the application": "El método de inicio de sesión: inicio de sesión con reconocimiento facial no está habilitado para la aplicación",
    "The login method: login with password is not enabled for the application": "El método de inicio de sesión: inicio de sesión con contraseña no está habilitado para la aplicación",
+    "The order: %s does not exist": "El pedido: %s no existe",
    "The organization: %s does not exist": "La organización: %s no existe",
    "The organization: %s has disabled users to signin": "La organización: %s ha desactivado el inicio de sesión de usuarios",
    "The plan: %s does not exist": "El plan: %s no existe",
@@ -35,7 +35,7 @@
    "User's tag: %s is not listed in the application's tags": "La etiqueta del usuario: %s no está incluida en las etiquetas de la aplicación",
    "UserCode Expired": "Código de usuario expirado",
    "UserCode Invalid": "Código de usuario inválido",
-    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "El usuario de pago %s no tiene una suscripción activa o pendiente y la aplicación: %s no tiene precio predeterminado",
+    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "El usuario de pago %s no tiene una suscripción activa o pendiente y la aplicación %s no tiene precios predeterminados",
    "the application for user %s is not found": "no se encontró la aplicación para el usuario %s",
    "the organization: %s is not found": "no se encontró la organización: %s"
  },
@@ -44,9 +44,9 @@
  },
  "check": {
    "%s does not meet the CIDR format requirements: %s": "%s no cumple con los requisitos del formato CIDR: %s",
-    "Affiliation cannot be blank": "Afiliación no puede estar en blanco",
+    "Affiliation cannot be blank": "La afiliación no puede estar vacía",
    "CIDR for IP: %s should not be empty": "El CIDR para la IP: %s no debe estar vacío",
-    "Default code does not match the code's matching rules": "El código predeterminado no coincide con las reglas de coincidencia de códigos",
+    "Default code does not match the code's matching rules": "El código predeterminado no cumple con las reglas de validación del código",
    "DisplayName cannot be blank": "El nombre de visualización no puede estar en blanco",
    "DisplayName is not valid real name": "El nombre de pantalla no es un nombre real válido",
    "Email already exists": "El correo electrónico ya existe",
@@ -57,11 +57,11 @@
    "Face data mismatch": "Los datos faciales no coinciden",
    "Failed to parse client IP: %s": "Error al analizar la IP del cliente: %s",
    "FirstName cannot be blank": "El nombre no puede estar en blanco",
+    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "Los usuarios invitados deben actualizar su cuenta configurando un nombre de usuario y una contraseña antes de poder iniciar sesión directamente",
    "Invitation code cannot be blank": "El código de invitación no puede estar vacío",
    "Invitation code exhausted": "Código de invitación agotado",
    "Invitation code is invalid": "Código de invitación inválido",
    "Invitation code suspended": "Código de invitación suspendido",
-    "LDAP user name or password incorrect": "Nombre de usuario o contraseña de Ldap incorrectos",
    "LastName cannot be blank": "El apellido no puede estar en blanco",
    "Multiple accounts with same uid, please check your ldap server": "Cuentas múltiples con el mismo uid, por favor revise su servidor ldap",
    "Organization does not exist": "La organización no existe",
@@ -83,8 +83,8 @@
    "The user is forbidden to sign in, please contact the administrator": "El usuario no está autorizado a iniciar sesión, por favor contacte al administrador",
    "The user: %s doesn't exist in LDAP server": "El usuario: %s no existe en el servidor LDAP",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "El nombre de usuario solo puede contener caracteres alfanuméricos, guiones bajos o guiones, no puede tener guiones o subrayados consecutivos, y no puede comenzar ni terminar con un guión o subrayado.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "El valor \\\"%s\\\" para el campo de cuenta \\\"%s\\\" no coincide con la expresión regular del elemento de cuenta",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "El valor \\\"%s\\\" para el campo de registro \\\"%s\\\" no coincide con la expresión regular del elemento de registro de la aplicación \\\"%s\\\"",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "El valor \"%s\" para el campo de cuenta \"%s\" no coincide con la expresión regular del elemento de cuenta",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "El valor \"%s\" para el campo de registro \"%s\" no coincide con la expresión regular del elemento de registro de la aplicación \"%s\"",
    "Username already exists": "El nombre de usuario ya existe",
    "Username cannot be an email address": "Nombre de usuario no puede ser una dirección de correo electrónico",
    "Username cannot contain white spaces": "Nombre de usuario no puede contener espacios en blanco",
@@ -94,7 +94,7 @@
    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "El nombre de usuario admite formato de correo electrónico. Además, el nombre de usuario solo puede contener caracteres alfanuméricos, guiones bajos o guiones, no puede tener guiones bajos o guiones consecutivos y no puede comenzar ni terminar con un guión o guión bajo. También preste atención al formato del correo electrónico.",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Has ingresado la contraseña o código incorrecto demasiadas veces, por favor espera %d minutos e intenta de nuevo",
    "Your IP address: %s has been banned according to the configuration of: ": "Su dirección IP: %s ha sido bloqueada según la configuración de: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Su contraseña ha expirado. Restablezca su contraseña haciendo clic en \\\"Olvidé mi contraseña\\\"",
+    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "Su contraseña ha expirado. Restablezca su contraseña haciendo clic en \"Olvidé mi contraseña\"",
    "Your region is not allow to signup by phone": "Tu región no está permitida para registrarse por teléfono",
    "password or code is incorrect": "contraseña o código incorrecto",
    "password or code is incorrect, you have %s remaining chances": "Contraseña o código incorrecto, tienes %s intentos restantes",
@@ -106,11 +106,17 @@
  "general": {
    "Failed to import groups": "Error al importar grupos",
    "Failed to import users": "Error al importar usuarios",
+    "Insufficient balance: new balance %v would be below credit limit %v": "Saldo insuficiente: el nuevo saldo %v estaría por debajo del límite de crédito %v",
+    "Insufficient balance: new organization balance %v would be below credit limit %v": "Saldo insuficiente: el nuevo saldo de la organización %v estaría por debajo del límite de crédito %v",
    "Missing parameter": "Parámetro faltante",
    "Only admin user can specify user": "Solo el usuario administrador puede especificar usuario",
    "Please login first": "Por favor, inicia sesión primero",
+    "The LDAP: %s does not exist": "El LDAP: %s no existe",
    "The organization: %s should have one application at least": "La organización: %s debe tener al menos una aplicación",
+    "The syncer: %s does not exist": "El sincronizador: %s no existe",
    "The user: %s doesn't exist": "El usuario: %s no existe",
+    "The user: %s is not found": "El usuario: %s no encontrado",
+    "User is required for User category transaction": "El usuario es obligatorio para la transacción de la categoría Usuario",
    "Wrong userId": "ID de usuario incorrecto",
    "don't support captchaProvider: ": "No apoyo a captchaProvider",
    "this operation is not allowed in demo mode": "esta operación no está permitida en modo de demostración",
@@ -137,10 +143,16 @@
    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "La adición de un nuevo usuario a la organización 'integrada' está actualmente deshabilitada. Tenga en cuenta: todos los usuarios de la organización 'integrada' son administradores globales en Casdoor. Consulte los docs: https://casdoor.org/docs/basic/core-concepts#how  -does-casdoor-manage-itself. Si todavía desea crear un usuario para la organización 'integrada', vaya a la página de configuración de la organización y habilite la opción 'Tiene consentimiento de privilegios'."
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "El permiso: \\\"%s\\\" no existe"
+    "The permission: \"%s\" doesn't exist": "El permiso: \"%s\" no existe"
+  },
+  "product": {
+    "Product list cannot be empty": "La lista de productos no puede estar vacía"
  },
  "provider": {
+    "Failed to initialize ID Verification provider": "Error al inicializar el proveedor de verificación de ID",
    "Invalid application id": "Identificación de aplicación no válida",
+    "No ID Verification provider configured": "No hay proveedor de verificación de ID configurado",
+    "Provider is not an ID Verification provider": "El proveedor no es un proveedor de verificación de ID",
    "the provider: %s does not exist": "El proveedor: %s no existe"
  },
  "resource": {
@@ -158,6 +170,9 @@
    "Invalid Email receivers: %s": "Receptores de correo electrónico no válidos: %s",
    "Invalid phone receivers: %s": "Receptores de teléfono no válidos: %s"
  },
+  "session": {
+    "session id %s is the current session and cannot be deleted": "session id %s is the current session and cannot be deleted"
+  },
  "storage": {
    "The objectKey: %s is not allowed": "El objectKey: %s no está permitido",
    "The provider type: %s is not supported": "El tipo de proveedor: %s no es compatible"
@@ -165,6 +180,9 @@
  "subscription": {
    "Error": "Error"
  },
+  "ticket": {
+    "Ticket not found": "Ticket no encontrado"
+  },
  "token": {
    "Grant_type: %s is not supported in this application": "El tipo de subvención: %s no es compatible con esta aplicación",
    "Invalid application or wrong clientSecret": "Solicitud inválida o clientSecret incorrecto",
@@ -174,10 +192,14 @@
  },
  "user": {
    "Display name cannot be empty": "El nombre de pantalla no puede estar vacío",
+    "ID card information and real name are required": "Se requiere información de la tarjeta de identificación y el nombre real",
+    "Identity verification failed": "Falló la verificación de identidad",
    "MFA email is enabled but email is empty": "El correo electrónico MFA está habilitado pero el correo está vacío",
    "MFA phone is enabled but phone number is empty": "El teléfono MFA está habilitado pero el número de teléfono está vacío",
    "New password cannot contain blank space.": "La nueva contraseña no puede contener espacios en blanco.",
+    "No application found for user": "No se encontró aplicación para el usuario",
    "The new password must be different from your current password": "La nueva contraseña debe ser diferente de su contraseña actual",
+    "User is already verified": "El usuario ya está verificado",
    "the user's owner and name should not be empty": "el propietario y el nombre del usuario no deben estar vacíos"
  },
  "util": {
@@ -188,6 +210,7 @@
  "verification": {
    "Invalid captcha provider.": "Proveedor de captcha no válido.",
    "Phone number is invalid in your region %s": "El número de teléfono es inválido en tu región %s",
+    "The forgot password feature is disabled": "La función de contraseña olvidada está deshabilitada",
    "The verification code has already been used!": "¡El código de verificación ya ha sido utilizado!",
    "The verification code has not been sent yet!": "¡El código de verificación aún no ha sido enviado!",
    "Turing test failed.": "El test de Turing falló.",
@@ -196,8 +219,8 @@
    "Unknown type": "Tipo desconocido",
    "Wrong verification code!": "¡Código de verificación incorrecto!",
    "You should verify your code in %d min!": "¡Deberías verificar tu código en %d minutos!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "agregue un proveedor de SMS a la lista \\\"Proveedores\\\" para la aplicación: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "agregue un proveedor de correo electrónico a la lista \\\"Proveedores\\\" para la aplicación: %s",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "agregue un proveedor de SMS a la lista \"Proveedores\" para la aplicación: %s",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "agregue un proveedor de correo electrónico a la lista \"Proveedores\" para la aplicación: %s",
    "the user does not exist, please sign up first": "El usuario no existe, por favor regístrese primero"
  },
  "webauthn": {
--- a/i18n/locales/fr/data.json
+++ b/i18n/locales/fr/data.json
@@ -2,7 +2,6 @@
  "account": {
    "Failed to add user": "Échec d'ajout d'utilisateur",
    "Get init score failed, error: %w": "Obtention du score initiale échouée, erreur : %w",
-    "Please sign out first": "Veuillez vous déconnecter en premier",
    "The application does not allow to sign up new account": "L'application ne permet pas de créer un nouveau compte"
  },
  "auth": {
@@ -23,6 +22,7 @@
    "The login method: login with email is not enabled for the application": "La méthode de connexion : connexion par e-mail n'est pas activée pour l'application",
    "The login method: login with face is not enabled for the application": "La méthode de connexion : connexion par visage n'est pas activée pour l'application",
    "The login method: login with password is not enabled for the application": "La méthode de connexion : connexion avec mot de passe n'est pas activée pour l'application",
+    "The order: %s does not exist": "La commande : %s n'existe pas",
    "The organization: %s does not exist": "L'organisation : %s n'existe pas",
    "The organization: %s has disabled users to signin": "L'organisation: %s a désactivé la connexion des utilisateurs",
    "The plan: %s does not exist": "Le plan : %s n'existe pas",
@@ -35,7 +35,7 @@
    "User's tag: %s is not listed in the application's tags": "Le tag de l'utilisateur : %s n'est pas répertorié dans les tags de l'application",
    "UserCode Expired": "Code utilisateur expiré",
    "UserCode Invalid": "Code utilisateur invalide",
-    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "L'utilisateur payant %s n'a pas d'abonnement actif ou en attente et l'application : %s n'a pas de tarification par défaut",
+    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "L'utilisateur payant %s n'a pas d'abonnement actif ou en attente et l'application %s n'a pas de tarification par défaut",
    "the application for user %s is not found": "L'application pour l'utilisateur %s est introuvable",
    "the organization: %s is not found": "L'organisation : %s est introuvable"
  },
@@ -44,9 +44,9 @@
  },
  "check": {
    "%s does not meet the CIDR format requirements: %s": "%s ne respecte pas les exigences du format CIDR : %s",
-    "Affiliation cannot be blank": "Affiliation ne peut pas être vide",
+    "Affiliation cannot be blank": "L'affiliation ne peut pas être vide",
    "CIDR for IP: %s should not be empty": "Le CIDR pour l'IP : %s ne doit pas être vide",
-    "Default code does not match the code's matching rules": "Le code par défaut ne correspond pas aux règles de correspondance du code",
+    "Default code does not match the code's matching rules": "Le code par défaut ne respecte pas les règles de validation du code",
    "DisplayName cannot be blank": "Le nom d'affichage ne peut pas être vide",
    "DisplayName is not valid real name": "DisplayName n'est pas un nom réel valide",
    "Email already exists": "E-mail déjà existant",
@@ -57,11 +57,11 @@
    "Face data mismatch": "Données faciales incorrectes",
    "Failed to parse client IP: %s": "Échec de l'analyse de l'IP client : %s",
    "FirstName cannot be blank": "Le prénom ne peut pas être laissé vide",
+    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "Les utilisateurs invités doivent mettre à niveau leur compte en définissant un nom d'utilisateur et un mot de passe avant de pouvoir se connecter directement",
    "Invitation code cannot be blank": "Le code d'invitation ne peut pas être vide",
    "Invitation code exhausted": "Code d'invitation épuisé",
    "Invitation code is invalid": "Code d'invitation invalide",
    "Invitation code suspended": "Code d'invitation suspendu",
-    "LDAP user name or password incorrect": "Nom d'utilisateur ou mot de passe LDAP incorrect",
    "LastName cannot be blank": "Le nom de famille ne peut pas être vide",
    "Multiple accounts with same uid, please check your ldap server": "Plusieurs comptes avec le même identifiant d'utilisateur, veuillez vérifier votre serveur LDAP",
    "Organization does not exist": "L'organisation n'existe pas",
@@ -83,8 +83,8 @@
    "The user is forbidden to sign in, please contact the administrator": "L'utilisateur est interdit de se connecter, veuillez contacter l'administrateur",
    "The user: %s doesn't exist in LDAP server": "L'utilisateur : %s n'existe pas sur le serveur LDAP",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Le nom d'utilisateur ne peut contenir que des caractères alphanumériques, des traits soulignés ou des tirets, ne peut pas avoir de tirets ou de traits soulignés consécutifs et ne peut pas commencer ou se terminer par un tiret ou un trait souligné.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "La valeur \\\"%s\\\" pour le champ de compte \\\"%s\\\" ne correspond pas à l'expression régulière de l'élément de compte",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "La valeur \\\"%s\\\" pour le champ d'inscription \\\"%s\\\" ne correspond pas à l'expression régulière de l'élément d'inscription de l'application \\\"%s\\\"",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "La valeur \"%s\" pour le champ de compte \"%s\" ne correspond pas à l'expression régulière de l'élément de compte",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "La valeur \"%s\" pour le champ d'inscription \"%s\" ne correspond pas à l'expression régulière de l'élément d'inscription de l'application \"%s\"",
    "Username already exists": "Nom d'utilisateur existe déjà",
    "Username cannot be an email address": "Nom d'utilisateur ne peut pas être une adresse e-mail",
    "Username cannot contain white spaces": "Nom d'utilisateur ne peut pas contenir d'espaces blancs",
@@ -94,7 +94,7 @@
    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "Le nom d'utilisateur prend en charge le format e-mail. De plus, il ne peut contenir que des caractères alphanumériques, des tirets bas ou des traits d'union, ne peut pas avoir de traits d'union ou de tirets bas consécutifs, et ne peut pas commencer ou se terminer par un trait d'union ou un tiret bas. Faites également attention au format de l'e-mail.",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Vous avez entré le mauvais mot de passe ou code plusieurs fois, veuillez attendre %d minutes et réessayer",
    "Your IP address: %s has been banned according to the configuration of: ": "Votre adresse IP : %s a été bannie selon la configuration de : ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Votre mot de passe a expiré. Veuillez le réinitialiser en cliquant sur \\\"Mot de passe oublié\\\"",
+    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "Votre mot de passe a expiré. Veuillez le réinitialiser en cliquant sur \"Mot de passe oublié\"",
    "Your region is not allow to signup by phone": "Votre région n'est pas autorisée à s'inscrire par téléphone",
    "password or code is incorrect": "mot de passe ou code incorrect",
    "password or code is incorrect, you have %s remaining chances": "Le mot de passe ou le code est incorrect, il vous reste %s chances",
@@ -106,11 +106,17 @@
  "general": {
    "Failed to import groups": "Échec de l'importation des groupes",
    "Failed to import users": "Échec de l'importation des utilisateurs",
+    "Insufficient balance: new balance %v would be below credit limit %v": "Solde insuffisant : le nouveau solde %v serait inférieur à la limite de crédit %v",
+    "Insufficient balance: new organization balance %v would be below credit limit %v": "Solde insuffisant : le nouveau solde de l'organisation %v serait inférieur à la limite de crédit %v",
    "Missing parameter": "Paramètre manquant",
    "Only admin user can specify user": "Seul un administrateur peut désigner un utilisateur",
    "Please login first": "Veuillez d'abord vous connecter",
+    "The LDAP: %s does not exist": "Le LDAP : %s n'existe pas",
    "The organization: %s should have one application at least": "L'organisation : %s doit avoir au moins une application",
+    "The syncer: %s does not exist": "Le synchroniseur : %s n'existe pas",
    "The user: %s doesn't exist": "L'utilisateur : %s n'existe pas",
+    "The user: %s is not found": "L'utilisateur : %s est introuvable",
+    "User is required for User category transaction": "L'utilisateur est requis pour la transaction de catégorie Utilisateur",
    "Wrong userId": "ID utilisateur incorrect",
    "don't support captchaProvider: ": "ne prend pas en charge captchaProvider: ",
    "this operation is not allowed in demo mode": "cette opération n'est pas autorisée en mode démo",
@@ -137,10 +143,16 @@
    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "L'ajout d'un nouvel utilisateur à l'organisation « built-in » (intégrée) est actuellement désactivé. Veuillez noter : Tous les utilisateurs de l'organisation « built-in » sont des administrateurs globaux dans Casdoor. Consulter la documentation : https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. Si vous souhaitez encore créer un utilisateur pour l'organisation « built-in », accédez à la page des paramètres de l'organisation et activez l'option « A le consentement aux privilèges »."
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "La permission : \\\"%s\\\" n'existe pas"
+    "The permission: \"%s\" doesn't exist": "La permission : \"%s\" n'existe pas"
+  },
+  "product": {
+    "Product list cannot be empty": "La liste des produits ne peut pas être vide"
  },
  "provider": {
+    "Failed to initialize ID Verification provider": "Échec de l'initialisation du fournisseur de vérification d'identité",
    "Invalid application id": "Identifiant d'application invalide",
+    "No ID Verification provider configured": "Aucun fournisseur de vérification d'identité configuré",
+    "Provider is not an ID Verification provider": "Le fournisseur n'est pas un fournisseur de vérification d'identité",
    "the provider: %s does not exist": "Le fournisseur : %s n'existe pas"
  },
  "resource": {
@@ -158,6 +170,9 @@
    "Invalid Email receivers: %s": "Destinataires d'e-mail invalides : %s",
    "Invalid phone receivers: %s": "Destinataires de téléphone invalide : %s"
  },
+  "session": {
+    "session id %s is the current session and cannot be deleted": "session id %s is the current session and cannot be deleted"
+  },
  "storage": {
    "The objectKey: %s is not allowed": "La clé d'objet : %s n'est pas autorisée",
    "The provider type: %s is not supported": "Le type de fournisseur : %s n'est pas pris en charge"
@@ -165,6 +180,9 @@
  "subscription": {
    "Error": "Erreur"
  },
+  "ticket": {
+    "Ticket not found": "Ticket introuvable"
+  },
  "token": {
    "Grant_type: %s is not supported in this application": "Type_de_subvention : %s n'est pas pris en charge dans cette application",
    "Invalid application or wrong clientSecret": "Application invalide ou clientSecret incorrect",
@@ -174,10 +192,14 @@
  },
  "user": {
    "Display name cannot be empty": "Le nom d'affichage ne peut pas être vide",
+    "ID card information and real name are required": "Les informations de la carte d'identité et le nom réel sont requis",
+    "Identity verification failed": "Échec de la vérification d'identité",
    "MFA email is enabled but email is empty": "L'authentification MFA par e-mail est activée mais l'e-mail est vide",
    "MFA phone is enabled but phone number is empty": "L'authentification MFA par téléphone est activée mais le numéro de téléphone est vide",
    "New password cannot contain blank space.": "Le nouveau mot de passe ne peut pas contenir d'espace.",
+    "No application found for user": "Aucune application trouvée pour l'utilisateur",
    "The new password must be different from your current password": "Le nouveau mot de passe doit être différent de votre mot de passe actuel",
+    "User is already verified": "L'utilisateur est déjà vérifié",
    "the user's owner and name should not be empty": "le propriétaire et le nom de l'utilisateur ne doivent pas être vides"
  },
  "util": {
@@ -188,6 +210,7 @@
  "verification": {
    "Invalid captcha provider.": "Fournisseur de captcha invalide.",
    "Phone number is invalid in your region %s": "Le numéro de téléphone n'est pas valide dans votre région %s",
+    "The forgot password feature is disabled": "La fonction de mot de passe oublié est désactivée",
    "The verification code has already been used!": "Le code de vérification a déjà été utilisé !",
    "The verification code has not been sent yet!": "Le code de vérification n'a pas encore été envoyé !",
    "Turing test failed.": "Le test de Turing a échoué.",
@@ -196,8 +219,8 @@
    "Unknown type": "Type inconnu",
    "Wrong verification code!": "Mauvais code de vérification !",
    "You should verify your code in %d min!": "Vous devriez vérifier votre code en %d min !",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "veuillez ajouter un fournisseur SMS à la liste \\\"Providers\\\" pour l'application : %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "veuillez ajouter un fournisseur d'e-mail à la liste \\\"Providers\\\" pour l'application : %s",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "veuillez ajouter un fournisseur SMS à la liste \"Providers\" pour l'application : %s",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "veuillez ajouter un fournisseur d'e-mail à la liste \"Providers\" pour l'application : %s",
    "the user does not exist, please sign up first": "L'utilisateur n'existe pas, veuillez vous inscrire d'abord"
  },
  "webauthn": {
--- a/i18n/locales/ja/data.json
+++ b/i18n/locales/ja/data.json
@@ -2,7 +2,6 @@
  "account": {
    "Failed to add user": "ユーザーの追加に失敗しました",
    "Get init score failed, error: %w": "イニットスコアの取得に失敗しました。エラー：%w",
-    "Please sign out first": "最初にサインアウトしてください",
    "The application does not allow to sign up new account": "アプリケーションは新しいアカウントの登録を許可しません"
  },
  "auth": {
@@ -23,6 +22,7 @@
    "The login method: login with email is not enabled for the application": "このアプリケーションではメールログインは有効になっていません",
    "The login method: login with face is not enabled for the application": "このアプリケーションでは顔認証ログインは有効になっていません",
    "The login method: login with password is not enabled for the application": "ログイン方法：パスワードでのログインはアプリケーションで有効になっていません",
+    "The order: %s does not exist": "注文：%s は存在しません",
    "The organization: %s does not exist": "組織「%s」は存在しません",
    "The organization: %s has disabled users to signin": "組織: %s はユーザーのサインインを無効にしました",
    "The plan: %s does not exist": "プラン: %sは存在しません",
@@ -57,11 +57,11 @@
    "Face data mismatch": "顔認証データが一致しません",
    "Failed to parse client IP: %s": "クライアント IP「%s」の解析に失敗しました",
    "FirstName cannot be blank": "ファーストネームは空白にできません",
+    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "ゲストユーザーは直接サインインする前に、ユーザー名とパスワードを設定してアカウントをアップグレードする必要があります",
    "Invitation code cannot be blank": "招待コードは空にできません",
    "Invitation code exhausted": "招待コードの使用回数が上限に達しました",
    "Invitation code is invalid": "招待コードが無効です",
    "Invitation code suspended": "招待コードは一時的に無効化されています",
-    "LDAP user name or password incorrect": "Ldapのユーザー名またはパスワードが間違っています",
    "LastName cannot be blank": "姓は空白にできません",
    "Multiple accounts with same uid, please check your ldap server": "同じuidを持つ複数のアカウントがあります。あなたのLDAPサーバーを確認してください",
    "Organization does not exist": "組織は存在しません",
@@ -83,8 +83,8 @@
    "The user is forbidden to sign in, please contact the administrator": "ユーザーはサインインできません。管理者に連絡してください",
    "The user: %s doesn't exist in LDAP server": "ユーザー「%s」は LDAP サーバーに存在しません",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "ユーザー名には英数字、アンダースコア、ハイフンしか含めることができません。連続したハイフンまたはアンダースコアは不可であり、ハイフンまたはアンダースコアで始まるまたは終わることもできません。",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "アカウントフィールド「%s」の値「%s」がアカウント項目の正規表現に一致しません",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "アプリケーション「%s」のサインアップ項目「%s」の値「%s」が正規表現に一致しません",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "アカウントフィールド「%s」の値「%s」がアカウント項目の正規表現に一致しません",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "アプリケーション「%s」のサインアップ項目「%s」の値「%s」が正規表現に一致しません",
    "Username already exists": "ユーザー名はすでに存在しています",
    "Username cannot be an email address": "ユーザー名には電子メールアドレスを使用できません",
    "Username cannot contain white spaces": "ユーザ名にはスペースを含めることはできません",
@@ -94,7 +94,7 @@
    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "ユーザー名はメール形式もサポートします。ユーザー名は英数字、アンダースコア、またはハイフンのみを含め、連続するハイフンやアンダースコアは使用できません。また、ハイフンまたはアンダースコアで始まったり終わったりすることもできません。メール形式にも注意してください。",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "あなたは間違ったパスワードまたはコードを何度も入力しました。%d 分間待ってから再度お試しください",
    "Your IP address: %s has been banned according to the configuration of: ": "あなたの IP アドレス「%s」は設定によりアクセスが禁止されています: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "パスワードの有効期限が切れています。「パスワードを忘れた方はこちら」をクリックしてリセットしてください",
+    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "パスワードの有効期限が切れています。「パスワードを忘れた方はこちら」をクリックしてリセットしてください",
    "Your region is not allow to signup by phone": "あなたの地域は電話でサインアップすることができません",
    "password or code is incorrect": "パスワードまたはコードが正しくありません",
    "password or code is incorrect, you have %s remaining chances": "パスワードまたはコードが間違っています。あと %s 回の試行機会があります",
@@ -106,11 +106,17 @@
  "general": {
    "Failed to import groups": "グループのインポートに失敗しました",
    "Failed to import users": "ユーザーのインポートに失敗しました",
+    "Insufficient balance: new balance %v would be below credit limit %v": "残高不足：新しい残高 %v がクレジット制限 %v を下回ります",
+    "Insufficient balance: new organization balance %v would be below credit limit %v": "残高不足：新しい組織残高 %v がクレジット制限 %v を下回ります",
    "Missing parameter": "不足しているパラメーター",
    "Only admin user can specify user": "管理者ユーザーのみがユーザーを指定できます",
    "Please login first": "最初にログインしてください",
+    "The LDAP: %s does not exist": "LDAP：%s は存在しません",
    "The organization: %s should have one application at least": "組織「%s」は少なくとも1つのアプリケーションを持っている必要があります",
+    "The syncer: %s does not exist": "同期装置：%s は存在しません",
    "The user: %s doesn't exist": "そのユーザー：%sは存在しません",
+    "The user: %s is not found": "ユーザー：%s が見つかりません",
+    "User is required for User category transaction": "ユーザーカテゴリトランザクションにはユーザーが必要です",
    "Wrong userId": "無効なユーザーIDです",
    "don't support captchaProvider: ": "captchaProviderをサポートしないでください",
    "this operation is not allowed in demo mode": "この操作はデモモードでは許可されていません",
@@ -137,10 +143,16 @@
    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "「built-in」（組み込み）組織への新しいユーザーの追加は現在無効になっています。注意：「built-in」組織のすべてのユーザーは、Casdoor のグローバル管理者です。ドキュメントを参照してください：https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself。「built-in」組織のユーザーを作成したい場合は、組織の設定ページに移動し、「特権同意を持つ」オプションを有効にしてください。"
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "権限「%s」は存在しません"
+    "The permission: \"%s\" doesn't exist": "権限「%s」は存在しません"
+  },
+  "product": {
+    "Product list cannot be empty": "商品リストは空にできません"
  },
  "provider": {
+    "Failed to initialize ID Verification provider": "ID認証プロバイダーの初期化に失敗しました",
    "Invalid application id": "アプリケーションIDが無効です",
+    "No ID Verification provider configured": "ID認証プロバイダーが設定されていません",
+    "Provider is not an ID Verification provider": "プロバイダーはID認証プロバイダーではありません",
    "the provider: %s does not exist": "プロバイダー%sは存在しません"
  },
  "resource": {
@@ -158,6 +170,9 @@
    "Invalid Email receivers: %s": "無効な電子メール受信者：%s",
    "Invalid phone receivers: %s": "電話受信者が無効です：%s"
  },
+  "session": {
+    "session id %s is the current session and cannot be deleted": "セッションID %s は現在のセッションであり、削除できません"
+  },
  "storage": {
    "The objectKey: %s is not allowed": "オブジェクトキー %s は許可されていません",
    "The provider type: %s is not supported": "プロバイダータイプ：%sはサポートされていません"
@@ -165,6 +180,9 @@
  "subscription": {
    "Error": "エラー"
  },
+  "ticket": {
+    "Ticket not found": "チケットが見つかりません"
+  },
  "token": {
    "Grant_type: %s is not supported in this application": "grant_type：%sはこのアプリケーションでサポートされていません",
    "Invalid application or wrong clientSecret": "無効なアプリケーションまたは誤ったクライアントシークレットです",
@@ -174,10 +192,14 @@
  },
  "user": {
    "Display name cannot be empty": "表示名は空にできません",
+    "ID card information and real name are required": "身分証明書の情報と実名が必要です",
+    "Identity verification failed": "身元確認に失敗しました",
    "MFA email is enabled but email is empty": "MFA メールが有効になっていますが、メールアドレスが空です",
    "MFA phone is enabled but phone number is empty": "MFA 電話番号が有効になっていますが、電話番号が空です",
    "New password cannot contain blank space.": "新しいパスワードにはスペースを含めることはできません。",
+    "No application found for user": "ユーザーのアプリケーションが見つかりません",
    "The new password must be different from your current password": "新しいパスワードは現在のパスワードと異なる必要があります",
+    "User is already verified": "ユーザーは既に認証済みです",
    "the user's owner and name should not be empty": "ユーザーのオーナーと名前は空にできません"
  },
  "util": {
@@ -188,6 +210,7 @@
  "verification": {
    "Invalid captcha provider.": "無効なCAPTCHAプロバイダー。",
    "Phone number is invalid in your region %s": "電話番号はあなたの地域で無効です %s",
+    "The forgot password feature is disabled": "パスワードを忘れた機能は無効になっています",
    "The verification code has already been used!": "この検証コードは既に使用されています！",
    "The verification code has not been sent yet!": "検証コードはまだ送信されていません！",
    "Turing test failed.": "チューリングテストは失敗しました。",
@@ -196,8 +219,8 @@
    "Unknown type": "不明なタイプ",
    "Wrong verification code!": "誤った検証コードです！",
    "You should verify your code in %d min!": "あなたは%d分であなたのコードを確認する必要があります！",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "アプリケーション「%s」の「Providers」リストに SMS プロバイダを追加してください",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "アプリケーション「%s」の「Providers」リストにメールプロバイダを追加してください",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "アプリケーション「%s」の「Providers」リストに SMS プロバイダを追加してください",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "アプリケーション「%s」の「Providers」リストにメールプロバイダを追加してください",
    "the user does not exist, please sign up first": "ユーザーは存在しません。まず登録してください"
  },
  "webauthn": {
--- a/i18n/locales/pl/data.json
+++ b/i18n/locales/pl/data.json
@@ -2,7 +2,6 @@
  "account": {
    "Failed to add user": "Nie udało się dodać użytkownika",
    "Get init score failed, error: %w": "Pobranie początkowego wyniku nie powiodło się, błąd: %w",
-    "Please sign out first": "Najpierw się wyloguj",
    "The application does not allow to sign up new account": "Aplikacja nie pozwala na rejestrację nowego konta"
  },
  "auth": {
@@ -23,6 +22,7 @@
    "The login method: login with email is not enabled for the application": "Metoda logowania: logowanie przez email nie jest włączona dla aplikacji",
    "The login method: login with face is not enabled for the application": "Metoda logowania: logowanie przez twarz nie jest włączona dla aplikacji",
    "The login method: login with password is not enabled for the application": "Metoda logowania: logowanie przez hasło nie jest włączone dla aplikacji",
+    "The order: %s does not exist": "Zamówienie: %s nie istnieje",
    "The organization: %s does not exist": "Organizacja: %s nie istnieje",
    "The organization: %s has disabled users to signin": "Organizacja: %s wyłączyła logowanie użytkowników",
    "The plan: %s does not exist": "Plan: %s nie istnieje",
@@ -57,11 +57,11 @@
    "Face data mismatch": "Niezgodność danych twarzy",
    "Failed to parse client IP: %s": "Nie udało się przeanalizować IP klienta: %s",
    "FirstName cannot be blank": "Imię nie może być puste",
+    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "Użytkownicy-goście muszą uaktualnić swoje konto, ustawiając nazwę użytkownika i hasło, zanim będą mogli się zalogować bezpośrednio",
    "Invitation code cannot be blank": "Kod zaproszenia nie może być pusty",
    "Invitation code exhausted": "Kod zaproszenia został wykorzystany",
    "Invitation code is invalid": "Kod zaproszenia jest nieprawidłowy",
    "Invitation code suspended": "Kod zaproszenia został zawieszony",
-    "LDAP user name or password incorrect": "Nazwa użytkownika LDAP lub hasło jest nieprawidłowe",
    "LastName cannot be blank": "Nazwisko nie może być puste",
    "Multiple accounts with same uid, please check your ldap server": "Wiele kont z tym samym uid, sprawdź swój serwer ldap",
    "Organization does not exist": "Organizacja nie istnieje",
@@ -83,8 +83,8 @@
    "The user is forbidden to sign in, please contact the administrator": "Użytkownikowi zabroniono logowania, skontaktuj się z administratorem",
    "The user: %s doesn't exist in LDAP server": "Użytkownik: %s nie istnieje w serwerze LDAP",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Nazwa użytkownika może zawierać tylko znaki alfanumeryczne, podkreślenia lub myślniki, nie może mieć kolejnych myślników lub podkreśleń i nie może zaczynać się ani kończyć myślnikiem lub podkreśleniem.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "Wartość \\\"%s\\\" dla pola konta \\\"%s\\\" nie pasuje do wyrażenia regularnego elementu konta",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "Wartość \\\"%s\\\" dla pola rejestracji \\\"%s\\\" nie pasuje do wyrażenia regularnego elementu rejestracji aplikacji \\\"%s\\\"",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "Wartość \"%s\" dla pola konta \"%s\" nie pasuje do wyrażenia regularnego elementu konta",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "Wartość \"%s\" dla pola rejestracji \"%s\" nie pasuje do wyrażenia regularnego elementu rejestracji aplikacji \"%s\"",
    "Username already exists": "Nazwa użytkownika już istnieje",
    "Username cannot be an email address": "Nazwa użytkownika nie może być adresem email",
    "Username cannot contain white spaces": "Nazwa użytkownika nie może zawierać spacji",
@@ -94,7 +94,7 @@
    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "Nazwa użytkownika obsługuje format email. Również nazwa użytkownika może zawierać tylko znaki alfanumeryczne, podkreślenia lub myślniki, nie może mieć kolejnych myślników lub podkreśleń i nie może zaczynać się ani kończyć myślnikiem lub podkreśleniem. Zwróć też uwagę na format email.",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Wprowadziłeś złe hasło lub kod zbyt wiele razy, poczekaj %d minut i spróbuj ponownie",
    "Your IP address: %s has been banned according to the configuration of: ": "Twój adres IP: %s został zablokowany zgodnie z konfiguracją: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Twoje hasło wygasło. Zresetuj hasło klikając \\\"Zapomniałem hasła\\\"",
+    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "Twoje hasło wygasło. Zresetuj hasło klikając \"Zapomniałem hasła\"",
    "Your region is not allow to signup by phone": "Twój region nie pozwala na rejestrację przez telefon",
    "password or code is incorrect": "hasło lub kod jest nieprawidłowe",
    "password or code is incorrect, you have %s remaining chances": "hasło lub kod jest nieprawidłowe, masz jeszcze %s prób",
@@ -106,11 +106,17 @@
  "general": {
    "Failed to import groups": "Nie udało się zaimportować grup",
    "Failed to import users": "Nie udało się zaimportować użytkowników",
+    "Insufficient balance: new balance %v would be below credit limit %v": "Niewystarczające saldo: nowe saldo %v byłoby poniżej limitu kredytowego %v",
+    "Insufficient balance: new organization balance %v would be below credit limit %v": "Niewystarczające saldo: nowe saldo organizacji %v byłoby poniżej limitu kredytowego %v",
    "Missing parameter": "Brakujący parametr",
    "Only admin user can specify user": "Tylko administrator może wskazać użytkownika",
    "Please login first": "Najpierw się zaloguj",
+    "The LDAP: %s does not exist": "LDAP: %s nie istnieje",
    "The organization: %s should have one application at least": "Organizacja: %s powinna mieć co najmniej jedną aplikację",
+    "The syncer: %s does not exist": "Synchronizer: %s nie istnieje",
    "The user: %s doesn't exist": "Użytkownik: %s nie istnieje",
+    "The user: %s is not found": "Użytkownik: %s nie został znaleziony",
+    "User is required for User category transaction": "Użytkownik jest wymagany do transakcji kategorii użytkownika",
    "Wrong userId": "Nieprawidłowy userId",
    "don't support captchaProvider: ": "nie obsługuje captchaProvider: ",
    "this operation is not allowed in demo mode": "ta operacja nie jest dozwolona w trybie demo",
@@ -137,10 +143,16 @@
    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "Dodawanie nowego użytkownika do organizacji „built-in' (wbudowanej) jest obecnie wyłączone. Należy zauważyć, że wszyscy użytkownicy w organizacji „built-in' są globalnymi administratorami w Casdoor. Zobacz dokumentację: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. Jeśli nadal chcesz utworzyć użytkownika dla organizacji „built-in', przejdź do strony ustawień organizacji i włącz opcję „Ma zgodę na uprawnienia'."
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "Uprawnienie: \\\"%s\\\" nie istnieje"
+    "The permission: \"%s\" doesn't exist": "Uprawnienie: \"%s\" nie istnieje"
+  },
+  "product": {
+    "Product list cannot be empty": "Lista produktów nie może być pusta"
  },
  "provider": {
+    "Failed to initialize ID Verification provider": "Nie udało się zainicjować dostawcy weryfikacji ID",
    "Invalid application id": "Nieprawidłowe id aplikacji",
+    "No ID Verification provider configured": "Brak skonfigurowanego dostawcy weryfikacji ID",
+    "Provider is not an ID Verification provider": "Dostawca nie jest dostawcą weryfikacji ID",
    "the provider: %s does not exist": "dostawca: %s nie istnieje"
  },
  "resource": {
@@ -158,6 +170,9 @@
    "Invalid Email receivers: %s": "Nieprawidłowi odbiorcy email: %s",
    "Invalid phone receivers: %s": "Nieprawidłowi odbiorcy telefonu: %s"
  },
+  "session": {
+    "session id %s is the current session and cannot be deleted": "identyfikator sesji %s jest bieżącą sesją i nie może być usunięty"
+  },
  "storage": {
    "The objectKey: %s is not allowed": "Klucz obiektu: %s jest niedozwolony",
    "The provider type: %s is not supported": "Typ dostawcy: %s nie jest obsługiwany"
@@ -165,6 +180,9 @@
  "subscription": {
    "Error": "Błąd"
  },
+  "ticket": {
+    "Ticket not found": "Nie znaleziono biletu"
+  },
  "token": {
    "Grant_type: %s is not supported in this application": "Grant_type: %s nie jest obsługiwany w tej aplikacji",
    "Invalid application or wrong clientSecret": "Nieprawidłowa aplikacja lub błędny clientSecret",
@@ -174,10 +192,14 @@
  },
  "user": {
    "Display name cannot be empty": "Nazwa wyświetlana nie może być pusta",
+    "ID card information and real name are required": "Wymagane są informacje z dowodu osobistego i prawdziwe nazwisko",
+    "Identity verification failed": "Weryfikacja tożsamości nie powiodła się",
    "MFA email is enabled but email is empty": "MFA email jest włączone, ale email jest pusty",
    "MFA phone is enabled but phone number is empty": "MFA telefon jest włączony, ale numer telefonu jest pusty",
    "New password cannot contain blank space.": "Nowe hasło nie może zawierać spacji.",
+    "No application found for user": "Nie znaleziono aplikacji dla użytkownika",
    "The new password must be different from your current password": "Nowe hasło musi różnić się od obecnego hasła",
+    "User is already verified": "Użytkownik jest już zweryfikowany",
    "the user's owner and name should not be empty": "właściciel i nazwa użytkownika nie powinny być puste"
  },
  "util": {
@@ -188,6 +210,7 @@
  "verification": {
    "Invalid captcha provider.": "Nieprawidłowy dostawca captcha.",
    "Phone number is invalid in your region %s": "Numer telefonu jest nieprawidłowy w twoim regionie %s",
+    "The forgot password feature is disabled": "Funkcja \"Zapomniałem hasła\" jest wyłączona",
    "The verification code has already been used!": "Kod weryfikacyjny został już wykorzystany!",
    "The verification code has not been sent yet!": "Kod weryfikacyjny nie został jeszcze wysłany!",
    "Turing test failed.": "Test Turinga nie powiódł się.",
@@ -196,8 +219,8 @@
    "Unknown type": "Nieznany typ",
    "Wrong verification code!": "Zły kod weryfikacyjny!",
    "You should verify your code in %d min!": "Powinieneś zweryfikować swój kod w ciągu %d min!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "proszę dodać dostawcę SMS do listy \\\"Providers\\\" dla aplikacji: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "proszę dodać dostawcę email do listy \\\"Providers\\\" dla aplikacji: %s",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "proszę dodać dostawcę SMS do listy \"Providers\" dla aplikacji: %s",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "proszę dodać dostawcę email do listy \"Providers\" dla aplikacji: %s",
    "the user does not exist, please sign up first": "użytkownik nie istnieje, najpierw się zarejestruj"
  },
  "webauthn": {
--- a/i18n/locales/pt/data.json
+++ b/i18n/locales/pt/data.json
@@ -2,7 +2,6 @@
  "account": {
    "Failed to add user": "Falha ao adicionar usuário",
    "Get init score failed, error: %w": "Falha ao obter pontuação inicial, erro: %w",
-    "Please sign out first": "Por favor, saia primeiro",
    "The application does not allow to sign up new account": "O aplicativo não permite a criação de novas contas"
  },
  "auth": {
@@ -23,6 +22,7 @@
    "The login method: login with email is not enabled for the application": "O método de login com e-mail não está habilitado para o aplicativo",
    "The login method: login with face is not enabled for the application": "O método de login com reconhecimento facial não está habilitado para o aplicativo",
    "The login method: login with password is not enabled for the application": "O método de login com senha não está habilitado para o aplicativo",
+    "The order: %s does not exist": "O pedido: %s não existe",
    "The organization: %s does not exist": "A organização: %s não existe",
    "The organization: %s has disabled users to signin": "A organização: %s desativou o login de usuários",
    "The plan: %s does not exist": "O plano: %s não existe",
@@ -57,11 +57,11 @@
    "Face data mismatch": "Dados faciais não correspondem",
    "Failed to parse client IP: %s": "Falha ao analisar o IP do cliente: %s",
    "FirstName cannot be blank": "O primeiro nome não pode estar em branco",
+    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "Usuários convidados devem atualizar suas contas definindo um nome de usuário e senha antes de poderem entrar diretamente",
    "Invitation code cannot be blank": "O código de convite não pode estar em branco",
    "Invitation code exhausted": "O código de convite foi esgotado",
    "Invitation code is invalid": "Código de convite inválido",
    "Invitation code suspended": "Código de convite suspenso",
-    "LDAP user name or password incorrect": "Nome de usuário ou senha LDAP incorretos",
    "LastName cannot be blank": "O sobrenome não pode estar em branco",
    "Multiple accounts with same uid, please check your ldap server": "Múltiplas contas com o mesmo uid, verifique seu servidor LDAP",
    "Organization does not exist": "A organização não existe",
@@ -83,8 +83,8 @@
    "The user is forbidden to sign in, please contact the administrator": "O usuário está proibido de entrar, entre em contato com o administrador",
    "The user: %s doesn't exist in LDAP server": "O usuário: %s não existe no servidor LDAP",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "O nome de usuário pode conter apenas caracteres alfanuméricos, sublinhados ou hífens, não pode ter hífens ou sublinhados consecutivos e não pode começar ou terminar com hífen ou sublinhado.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "O valor \\\"%s\\\" para o campo de conta \\\"%s\\\" não corresponde à expressão regular definida",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "O valor \\\"%s\\\" para o campo de registro \\\"%s\\\" não corresponde à expressão regular definida na aplicação \\\"%s\\\"",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "O valor \"%s\" para o campo de conta \"%s\" não corresponde à expressão regular definida",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "O valor \"%s\" para o campo de registro \"%s\" não corresponde à expressão regular definida na aplicação \"%s\"",
    "Username already exists": "O nome de usuário já existe",
    "Username cannot be an email address": "O nome de usuário não pode ser um endereço de e-mail",
    "Username cannot contain white spaces": "O nome de usuário não pode conter espaços em branco",
@@ -94,7 +94,7 @@
    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "O nome de usuário suporta o formato de e-mail. Além disso, pode conter apenas caracteres alfanuméricos, sublinhados ou hífens, não pode ter hífens ou sublinhados consecutivos e não pode começar ou terminar com hífen ou sublinhado. Também preste atenção ao formato do e-mail.",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Você digitou a senha ou o código incorretos muitas vezes. Aguarde %d minutos e tente novamente",
    "Your IP address: %s has been banned according to the configuration of: ": "Seu endereço IP: %s foi bloqueado de acordo com a configuração de: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Sua senha expirou. Por favor, redefina-a clicando em \\\"Esqueci a senha\\\"",
+    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "Sua senha expirou. Por favor, redefina-a clicando em \"Esqueci a senha\"",
    "Your region is not allow to signup by phone": "Sua região não permite cadastro por telefone",
    "password or code is incorrect": "Senha ou código incorreto",
    "password or code is incorrect, you have %s remaining chances": "Senha ou código incorreto, você tem %s tentativas restantes",
@@ -106,11 +106,17 @@
  "general": {
    "Failed to import groups": "Falha ao importar grupos",
    "Failed to import users": "Falha ao importar usuários",
+    "Insufficient balance: new balance %v would be below credit limit %v": "Saldo insuficiente: o novo saldo %v estaria abaixo do limite de crédito %v",
+    "Insufficient balance: new organization balance %v would be below credit limit %v": "Saldo insuficiente: o novo saldo da organização %v estaria abaixo do limite de crédito %v",
    "Missing parameter": "Parâmetro ausente",
    "Only admin user can specify user": "Apenas um administrador pode especificar um usuário",
    "Please login first": "Por favor, faça login primeiro",
+    "The LDAP: %s does not exist": "O LDAP: %s não existe",
    "The organization: %s should have one application at least": "A organização: %s deve ter pelo menos um aplicativo",
+    "The syncer: %s does not exist": "O sincronizador: %s não existe",
    "The user: %s doesn't exist": "O usuário: %s não existe",
+    "The user: %s is not found": "O usuário: %s não foi encontrado",
+    "User is required for User category transaction": "Usuário é obrigatório para transação de categoria de usuário",
    "Wrong userId": "ID de usuário incorreto",
    "don't support captchaProvider: ": "captchaProvider não suportado: ",
    "this operation is not allowed in demo mode": "esta operação não é permitida no modo de demonstração",
@@ -137,10 +143,16 @@
    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "A adição de novos usuários à organização 'built-in' está desativada. Observe que todos os usuários nessa organização são administradores globais no Casdoor. Consulte a documentação: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. Se ainda desejar criar um usuário, vá até a página de configurações da organização e habilite a opção 'Possui consentimento de privilégios'."
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "A permissão: \\\"%s\\\" não existe"
+    "The permission: \"%s\" doesn't exist": "A permissão: \"%s\" não existe"
+  },
+  "product": {
+    "Product list cannot be empty": "A lista de produtos não pode estar vazia"
  },
  "provider": {
+    "Failed to initialize ID Verification provider": "Falha ao inicializar provedor de verificação de ID",
    "Invalid application id": "ID de aplicativo inválido",
+    "No ID Verification provider configured": "Nenhum provedor de verificação de ID configurado",
+    "Provider is not an ID Verification provider": "Provedor não é um provedor de verificação de ID",
    "the provider: %s does not exist": "O provedor: %s não existe"
  },
  "resource": {
@@ -158,6 +170,9 @@
    "Invalid Email receivers: %s": "Destinatários de e-mail inválidos: %s",
    "Invalid phone receivers: %s": "Destinatários de telefone inválidos: %s"
  },
+  "session": {
+    "session id %s is the current session and cannot be deleted": "ID da sessão %s é a sessão atual e não pode ser excluída"
+  },
  "storage": {
    "The objectKey: %s is not allowed": "A chave de objeto: %s não é permitida",
    "The provider type: %s is not supported": "O tipo de provedor: %s não é suportado"
@@ -165,6 +180,9 @@
  "subscription": {
    "Error": "Erro"
  },
+  "ticket": {
+    "Ticket not found": "Ticket não encontrado"
+  },
  "token": {
    "Grant_type: %s is not supported in this application": "Grant_type: %s não é suportado neste aplicativo",
    "Invalid application or wrong clientSecret": "Aplicativo inválido ou clientSecret incorreto",
@@ -174,10 +192,14 @@
  },
  "user": {
    "Display name cannot be empty": "O nome de exibição não pode estar vazio",
+    "ID card information and real name are required": "Informações do documento de identidade e nome verdadeiro são obrigatórios",
+    "Identity verification failed": "Falha na verificação de identidade",
    "MFA email is enabled but email is empty": "MFA por e-mail está habilitado, mas o e-mail está vazio",
    "MFA phone is enabled but phone number is empty": "MFA por telefone está habilitado, mas o número de telefone está vazio",
    "New password cannot contain blank space.": "A nova senha não pode conter espaços em branco.",
+    "No application found for user": "Nenhum aplicativo encontrado para o usuário",
    "The new password must be different from your current password": "A nova senha deve ser diferente da senha atual",
+    "User is already verified": "Usuário já está verificado",
    "the user's owner and name should not be empty": "O proprietário e o nome do usuário não devem estar vazios"
  },
  "util": {
@@ -188,6 +210,7 @@
  "verification": {
    "Invalid captcha provider.": "Provedor de captcha inválido.",
    "Phone number is invalid in your region %s": "Número de telefone inválido na sua região %s",
+    "The forgot password feature is disabled": "A funcionalidade de esqueci a senha está desabilitada",
    "The verification code has already been used!": "O código de verificação já foi utilizado!",
    "The verification code has not been sent yet!": "O código de verificação ainda não foi enviado!",
    "Turing test failed.": "O teste de Turing falhou.",
@@ -196,8 +219,8 @@
    "Unknown type": "Tipo desconhecido",
    "Wrong verification code!": "Código de verificação incorreto!",
    "You should verify your code in %d min!": "Você deve verificar seu código em %d minuto(s)!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "Adicione um provedor de SMS à lista \\\"Providers\\\" do aplicativo: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "Adicione um provedor de e-mail à lista \\\"Providers\\\" do aplicativo: %s",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "Adicione um provedor de SMS à lista \"Providers\" do aplicativo: %s",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "Adicione um provedor de e-mail à lista \"Providers\" do aplicativo: %s",
    "the user does not exist, please sign up first": "O usuário não existe, cadastre-se primeiro"
  },
  "webauthn": {
--- a/i18n/locales/tr/data.json
+++ b/i18n/locales/tr/data.json
@@ -2,7 +2,6 @@
  "account": {
    "Failed to add user": "Kullanıcı eklenemedi",
    "Get init score failed, error: %w": "Başlangıç puanı alınamadı, hata: %w",
-    "Please sign out first": "Lütfen önce çıkış yapın",
    "The application does not allow to sign up new account": "Uygulama yeni hesap kaydına izin vermiyor"
  },
  "auth": {
@@ -23,6 +22,7 @@
    "The login method: login with email is not enabled for the application": "Uygulama için e-posta ile giriş yöntemi etkin değil",
    "The login method: login with face is not enabled for the application": "Uygulama için yüz ile giriş yöntemi etkin değil",
    "The login method: login with password is not enabled for the application": "Şifre ile giriş yöntemi bu uygulama için etkin değil",
+    "The order: %s does not exist": "Sipariş: %s mevcut değil",
    "The organization: %s does not exist": "Organizasyon: %s mevcut değil",
    "The organization: %s has disabled users to signin": "Organizasyon: %s kullanıcıların oturum açmasını devre dışı bıraktı",
    "The plan: %s does not exist": "Plan: %s mevcut değil",
@@ -57,11 +57,11 @@
    "Face data mismatch": "Yüz verisi uyuşmazlığı",
    "Failed to parse client IP: %s": "İstemci IP'si ayrıştırılamadı: %s",
    "FirstName cannot be blank": "Ad boş olamaz",
+    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "Misafir kullanıcılar doğrudan giriş yapabilmek için kullanıcı adı ve şifre belirleyerek hesaplarını yükseltmelidir",
    "Invitation code cannot be blank": "Davet kodu boş olamaz",
    "Invitation code exhausted": "Davet kodu kullanım dışı",
    "Invitation code is invalid": "Davet kodu geçersiz",
    "Invitation code suspended": "Davet kodu askıya alındı",
-    "LDAP user name or password incorrect": "LDAP kullanıcı adı veya şifre yanlış",
    "LastName cannot be blank": "Soyad boş olamaz",
    "Multiple accounts with same uid, please check your ldap server": "Aynı uid'ye sahip birden fazla hesap, lütfen ldap sunucunuzu kontrol edin",
    "Organization does not exist": "Organizasyon bulunamadı",
@@ -83,8 +83,8 @@
    "The user is forbidden to sign in, please contact the administrator": "Kullanıcı giriş yapmaktan men edildi, lütfen yönetici ile iletişime geçin",
    "The user: %s doesn't exist in LDAP server": "Kullanıcı: %s LDAP sunucusunda mevcut değil",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Kullanıcı adı yalnızca alfanümerik karakterler, alt çizgi veya tire içerebilir, ardışık tire veya alt çizgi içeremez ve tire veya alt çizgi ile başlayamaz veya bitemez.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "Hesap alanı \\\"%s\\\" için \\\"%s\\\" değeri, hesap öğesi regex'iyle eşleşmiyor",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "Kayıt alanı \\\"%s\\\" için \\\"%s\\\" değeri, \\\"%s\\\" uygulamasının kayıt öğesi regex'iyle eşleşmiyor",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "Hesap alanı \"%s\" için \"%s\" değeri, hesap öğesi regex'iyle eşleşmiyor",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "Kayıt alanı \"%s\" için \"%s\" değeri, \"%s\" uygulamasının kayıt öğesi regex'iyle eşleşmiyor",
    "Username already exists": "Kullanıcı adı zaten var",
    "Username cannot be an email address": "Kullanıcı adı e-posta adresi olamaz",
    "Username cannot contain white spaces": "Kullanıcı adı boşluk içeremez",
@@ -94,7 +94,7 @@
    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "Kullanıcı adı e-posta biçimini destekler. Ayrıca kullanıcı adı yalnızca alfanümerik karakterler, alt çizgiler veya tireler içerebilir, ardışık tireler veya alt çizgiler olamaz ve tire veya alt çizgi ile başlayıp bitemez. Ayrıca e-posta biçimine dikkat edin.",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Çok fazla hatalı şifre veya kod girdiniz, lütfen %d dakika bekleyin ve tekrar deneyin",
    "Your IP address: %s has been banned according to the configuration of: ": "IP adresiniz: %s, yapılandırmaya göre yasaklandı: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Şifrenizin süresi doldu. Lütfen \\\"Şifremi unuttum\\\"a tıklayarak şifrenizi sıfırlayın",
+    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "Şifrenizin süresi doldu. Lütfen \"Şifremi unuttum\"a tıklayarak şifrenizi sıfırlayın",
    "Your region is not allow to signup by phone": "Bölgeniz telefonla kayıt yapmaya izin verilmiyor",
    "password or code is incorrect": "şifre veya kod yanlış",
    "password or code is incorrect, you have %s remaining chances": "şifre veya kod yanlış, %s hakkınız kaldı",
@@ -106,11 +106,17 @@
  "general": {
    "Failed to import groups": "Gruplar içe aktarılamadı",
    "Failed to import users": "Kullanıcılar içe aktarılamadı",
+    "Insufficient balance: new balance %v would be below credit limit %v": "Yetersiz bakiye: yeni bakiye %v kredi limitinin altında olacak %v",
+    "Insufficient balance: new organization balance %v would be below credit limit %v": "Yetersiz bakiye: yeni organizasyon bakiyesi %v kredi limitinin altında olacak %v",
    "Missing parameter": "Eksik parametre",
    "Only admin user can specify user": "Yalnızca yönetici kullanıcı kullanıcı belirleyebilir",
    "Please login first": "Lütfen önce giriş yapın",
+    "The LDAP: %s does not exist": "LDAP: %s mevcut değil",
    "The organization: %s should have one application at least": "Organizasyon: %s en az bir uygulamaya sahip olmalı",
+    "The syncer: %s does not exist": "Senkronizasyon: %s mevcut değil",
    "The user: %s doesn't exist": "Kullanıcı: %s bulunamadı",
+    "The user: %s is not found": "Kullanıcı: %s bulunamadı",
+    "User is required for User category transaction": "Kullanıcı kategorisi işlemi için kullanıcı gerekli",
    "Wrong userId": "Yanlış kullanıcı kimliği",
    "don't support captchaProvider: ": "captchaProvider desteklenmiyor: ",
    "this operation is not allowed in demo mode": "bu işlem demo modunda izin verilmiyor",
@@ -137,10 +143,16 @@
    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "'built-in' (yerleşik) organizasyona yeni bir kullanıcı ekleme şu anda devre dışı bırakılmıştır. Not: 'built-in' organizasyonundaki tüm kullanıcılar Casdoor'da genel yöneticilerdir. Belgelere bakın: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. Hala 'built-in' organizasyonu için bir kullanıcı oluşturmak isterseniz, organizasyonun ayarları sayfasına gidin ve 'Yetki onayı var' seçeneğini etkinleştirin."
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "İzin: \\\"%s\\\" mevcut değil"
+    "The permission: \"%s\" doesn't exist": "İzin: \"%s\" mevcut değil"
+  },
+  "product": {
+    "Product list cannot be empty": "Ürün listesi boş olamaz"
  },
  "provider": {
+    "Failed to initialize ID Verification provider": "Kimlik Doğrulama sağlayıcısı başlatılamadı",
    "Invalid application id": "Geçersiz uygulama id",
+    "No ID Verification provider configured": "Kimlik Doğrulama sağlayıcısı yapılandırılmamış",
+    "Provider is not an ID Verification provider": "Sağlayıcı bir Kimlik Doğrulama sağlayıcısı değil",
    "the provider: %s does not exist": "provider: %s bulunamadı"
  },
  "resource": {
@@ -158,6 +170,9 @@
    "Invalid Email receivers: %s": "Geçersiz e-posta alıcıları: %s",
    "Invalid phone receivers: %s": "Geçersiz telefon alıcıları: %s"
  },
+  "session": {
+    "session id %s is the current session and cannot be deleted": "oturum kimliği %s geçerli oturumdur ve silinemez"
+  },
  "storage": {
    "The objectKey: %s is not allowed": "objectKey: %s izin verilmiyor",
    "The provider type: %s is not supported": "provider türü: %s desteklenmiyor"
@@ -165,6 +180,9 @@
  "subscription": {
    "Error": "Hata"
  },
+  "ticket": {
+    "Ticket not found": "Bilet bulunamadı"
+  },
  "token": {
    "Grant_type: %s is not supported in this application": "Grant_type: %s bu uygulamada desteklenmiyor",
    "Invalid application or wrong clientSecret": "Geçersiz uygulama veya yanlış clientSecret",
@@ -174,10 +192,14 @@
  },
  "user": {
    "Display name cannot be empty": "Görünen ad boş olamaz",
+    "ID card information and real name are required": "Kimlik kartı bilgileri ve gerçek adı gereklidir",
+    "Identity verification failed": "Kimlik doğrulama başarısız",
    "MFA email is enabled but email is empty": "MFA e-postası etkin ancak e-posta boş",
    "MFA phone is enabled but phone number is empty": "MFA telefonu etkin ancak telefon numarası boş",
    "New password cannot contain blank space.": "Yeni şifre boşluk içeremez.",
+    "No application found for user": "Kullanıcı için uygulama bulunamadı",
    "The new password must be different from your current password": "Yeni şifre mevcut şifrenizden farklı olmalıdır",
+    "User is already verified": "Kullanıcı zaten doğrulanmış",
    "the user's owner and name should not be empty": "kullanıcının sahibi ve adı boş olmamalıdır"
  },
  "util": {
@@ -188,6 +210,7 @@
  "verification": {
    "Invalid captcha provider.": "Geçersiz captcha sağlayıcı.",
    "Phone number is invalid in your region %s": "Telefon numaranız bölgenizde geçersiz %s",
+    "The forgot password feature is disabled": "Şifremi unuttum özelliği devre dışı",
    "The verification code has already been used!": "Doğrulama kodu zaten kullanılmış!",
    "The verification code has not been sent yet!": "Doğrulama kodu henüz gönderilmedi!",
    "Turing test failed.": "Turing testi başarısız.",
@@ -196,8 +219,8 @@
    "Unknown type": "Bilinmeyen tür",
    "Wrong verification code!": "Yanlış doğrulama kodu!",
    "You should verify your code in %d min!": "Kodunuzu %d dakika içinde doğrulamalısınız!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "lütfen uygulama için \\\"Sağlayıcılar\\\" listesine bir SMS sağlayıcı ekleyin: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "lütfen uygulama için \\\"Sağlayıcılar\\\" listesine bir E-posta sağlayıcı ekleyin: %s",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "lütfen uygulama için \"Sağlayıcılar\" listesine bir SMS sağlayıcı ekleyin: %s",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "lütfen uygulama için \"Sağlayıcılar\" listesine bir E-posta sağlayıcı ekleyin: %s",
    "the user does not exist, please sign up first": "kullanıcı mevcut değil, lütfen önce kaydolun"
  },
  "webauthn": {
--- a/i18n/locales/uk/data.json
+++ b/i18n/locales/uk/data.json
@@ -2,7 +2,6 @@
  "account": {
    "Failed to add user": "Не вдалося додати користувача",
    "Get init score failed, error: %w": "Не вдалося отримати початковий бал, помилка: %w",
-    "Please sign out first": "Спочатку вийдіть із системи",
    "The application does not allow to sign up new account": "Додаток не дозволяє реєструвати нові облікові записи"
  },
  "auth": {
@@ -23,6 +22,7 @@
    "The login method: login with email is not enabled for the application": "Метод входу через email не увімкнено для цього додатка",
    "The login method: login with face is not enabled for the application": "Метод входу через обличчя не увімкнено для цього додатка",
    "The login method: login with password is not enabled for the application": "Метод входу через пароль не увімкнено для цього додатка",
+    "The order: %s does not exist": "Замовлення: %s не існує",
    "The organization: %s does not exist": "Організація: %s не існує",
    "The organization: %s has disabled users to signin": "Організація: %s вимкнула вхід користувачів",
    "The plan: %s does not exist": "План: %s не існує",
@@ -57,11 +57,11 @@
    "Face data mismatch": "Невідповідність даних обличчя",
    "Failed to parse client IP: %s": "Не вдалося розібрати IP клієнта: %s",
    "FirstName cannot be blank": "Ім’я не може бути порожнім",
+    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "Гостьові користувачі повинні оновити свій обліковий запис, встановивши ім'я користувача та пароль, перш ніж вони зможуть увійти безпосередньо",
    "Invitation code cannot be blank": "Код запрошення не може бути порожнім",
    "Invitation code exhausted": "Код запрошення вичерпано",
    "Invitation code is invalid": "Код запрошення недійсний",
    "Invitation code suspended": "Код запрошення призупинено",
-    "LDAP user name or password incorrect": "Ім’я користувача або пароль LDAP неправильні",
    "LastName cannot be blank": "Прізвище не може бути порожнім",
    "Multiple accounts with same uid, please check your ldap server": "Кілька облікових записів з однаковим uid, перевірте ваш ldap-сервер",
    "Organization does not exist": "Організація не існує",
@@ -83,8 +83,8 @@
    "The user is forbidden to sign in, please contact the administrator": "Користувачу заборонено вхід, зверніться до адміністратора",
    "The user: %s doesn't exist in LDAP server": "Користувач: %s не існує на сервері LDAP",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Ім’я користувача може містити лише буквено-цифрові символи, підкреслення або дефіси, не може мати послідовні дефіси або підкреслення та не може починатися або закінчуватися дефісом або підкресленням.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "Värdet \\\"%s\\\" för kontofältet \\\"%s\\\" matchar inte kontots regex",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "Värdet \\\"%s\\\" för registreringsfältet \\\"%s\\\" matchar inte registreringsfältets regex för applikationen \\\"%s\\\"",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "Значення \"%s\" для поля облікового запису \"%s\" не відповідає регулярному виразу облікового запису",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "Значення \"%s\" для поля реєстрації \"%s\" не відповідає регулярному виразу поля реєстрації додатка \"%s\"",
    "Username already exists": "Ім’я користувача вже існує",
    "Username cannot be an email address": "Ім’я користувача не може бути email-адресою",
    "Username cannot contain white spaces": "Ім’я користувача не може містити пробіли",
@@ -94,7 +94,7 @@
    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "Ім’я користувача підтримує формат email. Також може містити лише буквено-цифрові символи, підкреслення або дефіси, не може мати послідовні дефіси або підкреслення та не може починатися або закінчуватися дефісом або підкресленням. Зверніть увагу на формат email.",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Ви ввели неправильний пароль або код забагато разів, зачекайте %d хвилин і спробуйте знову",
    "Your IP address: %s has been banned according to the configuration of: ": "Ваша IP-адреса: %s заблокована відповідно до конфігурації: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Ditt lösenord har gått ut. Återställ det genom att klicka på \\\"Glömt lösenord\\\"",
+    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "Ваш пароль застарів. Будь ласка, скиньте пароль, натиснувши \"Забув пароль\"",
    "Your region is not allow to signup by phone": "У вашому регіоні реєстрація за телефоном недоступна",
    "password or code is incorrect": "пароль або код неправильний",
    "password or code is incorrect, you have %s remaining chances": "пароль або код неправильний, у вас залишилось %s спроб",
@@ -106,11 +106,17 @@
  "general": {
    "Failed to import groups": "Не вдалося імпортувати групи",
    "Failed to import users": "Не вдалося імпортувати користувачів",
+    "Insufficient balance: new balance %v would be below credit limit %v": "Недостатній баланс: новий баланс %v буде нижче кредитного ліміту %v",
+    "Insufficient balance: new organization balance %v would be below credit limit %v": "Недостатній баланс: новий баланс організації %v буде нижче кредитного ліміту %v",
    "Missing parameter": "Відсутній параметр",
    "Only admin user can specify user": "Лише адміністратор може вказати користувача",
    "Please login first": "Спочатку увійдіть",
+    "The LDAP: %s does not exist": "LDAP: %s не існує",
    "The organization: %s should have one application at least": "Організація: %s має мати щонайменше один додаток",
+    "The syncer: %s does not exist": "Синхронізатор: %s не існує",
    "The user: %s doesn't exist": "Користувач: %s не існує",
+    "The user: %s is not found": "Користувач: %s не знайдено",
+    "User is required for User category transaction": "Користувач обов'язковий для транзакції категорії користувача",
    "Wrong userId": "Неправильний userId",
    "don't support captchaProvider: ": "не підтримується captchaProvider: ",
    "this operation is not allowed in demo mode": "ця операція недоступна в демо-режимі",
@@ -137,10 +143,16 @@
    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "Додавання нового користувача до організації «built-in» (вбудованої) на даний момент вимкнено. Зауважте: усі користувачі в організації «built-in» є глобальними адміністраторами в Casdoor. Дивіться документацію: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. Якщо ви все ще хочете створити користувача для організації «built-in», перейдіть на сторінку налаштувань організації та увімкніть опцію «Має згоду на привілеї»."
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "Behörigheten: \\\"%s\\\" finns inte"
+    "The permission: \"%s\" doesn't exist": "Дозвіл: \"%s\" не існує"
+  },
+  "product": {
+    "Product list cannot be empty": "Список товарів не може бути порожнім"
  },
  "provider": {
+    "Failed to initialize ID Verification provider": "Не вдалося ініціалізувати провайдера верифікації ID",
    "Invalid application id": "Недійсний id додатка",
+    "No ID Verification provider configured": "Провайдер верифікації ID не налаштований",
+    "Provider is not an ID Verification provider": "Провайдер не є провайдером верифікації ID",
    "the provider: %s does not exist": "провайдер: %s не існує"
  },
  "resource": {
@@ -158,6 +170,9 @@
    "Invalid Email receivers: %s": "Недійсні отримувачі Email: %s",
    "Invalid phone receivers: %s": "Недійсні отримувачі телефону: %s"
  },
+  "session": {
+    "session id %s is the current session and cannot be deleted": "ідентифікатор сесії %s є поточною сесією і не може бути видалений"
+  },
  "storage": {
    "The objectKey: %s is not allowed": "objectKey: %s не дозволено",
    "The provider type: %s is not supported": "Тип провайдера: %s не підтримується"
@@ -165,6 +180,9 @@
  "subscription": {
    "Error": "Помилка"
  },
+  "ticket": {
+    "Ticket not found": "Квиток не знайдено"
+  },
  "token": {
    "Grant_type: %s is not supported in this application": "Grant_type: %s не підтримується в цьому додатку",
    "Invalid application or wrong clientSecret": "Недійсний додаток або неправильний clientSecret",
@@ -174,10 +192,14 @@
  },
  "user": {
    "Display name cannot be empty": "Відображуване ім’я не може бути порожнім",
+    "ID card information and real name are required": "Інформація про посвідчення особи та справжнє ім'я обов'язкові",
+    "Identity verification failed": "Верифікація особи не вдалася",
    "MFA email is enabled but email is empty": "MFA email увімкнено, але email порожній",
    "MFA phone is enabled but phone number is empty": "MFA телефон увімкнено, але номер телефону порожній",
    "New password cannot contain blank space.": "Новий пароль не може містити пробіли.",
+    "No application found for user": "Не знайдено додаток для користувача",
    "The new password must be different from your current password": "Новий пароль повинен відрізнятися від поточного пароля",
+    "User is already verified": "Користувач уже верифікований",
    "the user's owner and name should not be empty": "власник ім’я користувача не повинні бути порожніми"
  },
  "util": {
@@ -188,6 +210,7 @@
  "verification": {
    "Invalid captcha provider.": "Недійсний провайдер captcha.",
    "Phone number is invalid in your region %s": "Номер телефону недійсний у вашому регіоні %s",
+    "The forgot password feature is disabled": "Функція відновлення пароля вимкнена",
    "The verification code has already been used!": "Код підтвердження вже використано!",
    "The verification code has not been sent yet!": "Код підтвердження ще не надіслано!",
    "Turing test failed.": "Тест Тюрінга не пройдено.",
@@ -196,8 +219,8 @@
    "Unknown type": "Невідомий тип",
    "Wrong verification code!": "Неправильний код підтвердження!",
    "You should verify your code in %d min!": "Ви маєте підтвердити код за %d хв!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "lägg till en SMS-leverantör i listan \\\"Leverantörer\\\" för applikationen: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "lägg till en e-postleverantör i listan \\\"Leverantörer\\\" för applikationen: %s",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "будь ласка, додайте SMS-провайдера до списку \"Провайдери\" для додатка: %s",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "будь ласка, додайте Email-провайдера до списку \"Провайдери\" для додатка: %s",
    "the user does not exist, please sign up first": "користувача не існує, спочатку зареєструйтесь"
  },
  "webauthn": {
--- a/i18n/locales/vi/data.json
+++ b/i18n/locales/vi/data.json
@@ -2,7 +2,6 @@
  "account": {
    "Failed to add user": "Không thể thêm người dùng",
    "Get init score failed, error: %w": "Lấy điểm khởi đầu thất bại, lỗi: %w",
-    "Please sign out first": "Vui lòng đăng xuất trước",
    "The application does not allow to sign up new account": "Ứng dụng không cho phép đăng ký tài khoản mới"
  },
  "auth": {
@@ -23,6 +22,7 @@
    "The login method: login with email is not enabled for the application": "Phương thức đăng nhập bằng email chưa được bật cho ứng dụng",
    "The login method: login with face is not enabled for the application": "Phương thức đăng nhập bằng khuôn mặt chưa được bật cho ứng dụng",
    "The login method: login with password is not enabled for the application": "Phương thức đăng nhập: đăng nhập bằng mật khẩu không được kích hoạt cho ứng dụng",
+    "The order: %s does not exist": "Đơn hàng: %s không tồn tại",
    "The organization: %s does not exist": "Tổ chức: %s không tồn tại",
    "The organization: %s has disabled users to signin": "Tổ chức: %s đã vô hiệu hóa đăng nhập của người dùng",
    "The plan: %s does not exist": "Kế hoạch: %s không tồn tại",
@@ -57,11 +57,11 @@
    "Face data mismatch": "Dữ liệu khuôn mặt không khớp",
    "Failed to parse client IP: %s": "Không thể phân tích IP khách: %s",
    "FirstName cannot be blank": "Tên không được để trống",
+    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "Người dùng khách phải nâng cấp tài khoản bằng cách đặt tên người dùng và mật khẩu trước khi có thể đăng nhập trực tiếp",
    "Invitation code cannot be blank": "Mã mời không được để trống",
    "Invitation code exhausted": "Mã mời đã hết",
    "Invitation code is invalid": "Mã mời không hợp lệ",
    "Invitation code suspended": "Mã mời đã bị tạm ngưng",
-    "LDAP user name or password incorrect": "Tên người dùng hoặc mật khẩu Ldap không chính xác",
    "LastName cannot be blank": "Họ không thể để trống",
    "Multiple accounts with same uid, please check your ldap server": "Nhiều tài khoản với cùng một uid, vui lòng kiểm tra máy chủ ldap của bạn",
    "Organization does not exist": "Tổ chức không tồn tại",
@@ -83,8 +83,8 @@
    "The user is forbidden to sign in, please contact the administrator": "Người dùng bị cấm đăng nhập, vui lòng liên hệ với quản trị viên",
    "The user: %s doesn't exist in LDAP server": "Người dùng: %s không tồn tại trên máy chủ LDAP",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Tên người dùng chỉ có thể chứa các ký tự chữ và số, gạch dưới hoặc gạch ngang, không được có hai ký tự gạch dưới hoặc gạch ngang liền kề và không được bắt đầu hoặc kết thúc bằng dấu gạch dưới hoặc gạch ngang.",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "Giá trị \\\"%s\\\" cho trường tài khoản \\\"%s\\\" không khớp với biểu thức chính quy của mục tài khoản",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "Giá trị \\\"%s\\\" cho trường đăng ký \\\"%s\\\" không khớp với biểu thức chính quy của mục đăng ký trong ứng dụng \\\"%s\\\"",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "Giá trị \"%s\" cho trường tài khoản \"%s\" không khớp với biểu thức chính quy của mục tài khoản",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "Giá trị \"%s\" cho trường đăng ký \"%s\" không khớp với biểu thức chính quy của mục đăng ký trong ứng dụng \"%s\"",
    "Username already exists": "Tên đăng nhập đã tồn tại",
    "Username cannot be an email address": "Tên người dùng không thể là địa chỉ email",
    "Username cannot contain white spaces": "Tên người dùng không thể chứa khoảng trắng",
@@ -94,7 +94,7 @@
    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "Tên người dùng hỗ trợ định dạng email. Ngoài ra, tên người dùng chỉ có thể chứa ký tự chữ và số, gạch dưới hoặc gạch ngang, không được có gạch ngang hoặc gạch dưới liên tiếp và không được bắt đầu hoặc kết thúc bằng gạch ngang hoặc gạch dưới. Đồng thời lưu ý định dạng email.",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Bạn đã nhập sai mật khẩu hoặc mã quá nhiều lần, vui lòng đợi %d phút và thử lại",
    "Your IP address: %s has been banned according to the configuration of: ": "Địa chỉ IP của bạn: %s đã bị cấm theo cấu hình của: ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "Mật khẩu của bạn đã hết hạn. Vui lòng đặt lại mật khẩu bằng cách nhấp vào \\\"Quên mật khẩu\\\"",
+    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "Mật khẩu của bạn đã hết hạn. Vui lòng đặt lại mật khẩu bằng cách nhấp vào \"Quên mật khẩu\"",
    "Your region is not allow to signup by phone": "Vùng của bạn không được phép đăng ký bằng điện thoại",
    "password or code is incorrect": "mật khẩu hoặc mã không đúng",
    "password or code is incorrect, you have %s remaining chances": "Mật khẩu hoặc mã không chính xác, bạn còn %s lần cơ hội",
@@ -106,11 +106,17 @@
  "general": {
    "Failed to import groups": "Không thể nhập nhóm",
    "Failed to import users": "Không thể nhập người dùng",
+    "Insufficient balance: new balance %v would be below credit limit %v": "Số dư không đủ: số dư mới %v sẽ thấp hơn giới hạn tín dụng %v",
+    "Insufficient balance: new organization balance %v would be below credit limit %v": "Số dư không đủ: số dư tổ chức mới %v sẽ thấp hơn giới hạn tín dụng %v",
    "Missing parameter": "Thiếu tham số",
    "Only admin user can specify user": "Chỉ người dùng quản trị mới có thể chỉ định người dùng",
    "Please login first": "Vui lòng đăng nhập trước",
+    "The LDAP: %s does not exist": "LDAP: %s không tồn tại",
    "The organization: %s should have one application at least": "Tổ chức: %s cần có ít nhất một ứng dụng",
+    "The syncer: %s does not exist": "Bộ đồng bộ: %s không tồn tại",
    "The user: %s doesn't exist": "Người dùng: %s không tồn tại",
+    "The user: %s is not found": "Người dùng: %s không được tìm thấy",
+    "User is required for User category transaction": "Người dùng được yêu cầu cho giao dịch danh mục Người dùng",
    "Wrong userId": "ID người dùng sai",
    "don't support captchaProvider: ": "không hỗ trợ captchaProvider: ",
    "this operation is not allowed in demo mode": "thao tác này không được phép trong chế độ demo",
@@ -137,10 +143,16 @@
    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "Thêm người dùng mới vào tổ chức 'built-in' (tích hợp sẵn) hiện đang bị vô hiệu hóa. Lưu ý: Tất cả người dùng trong tổ chức 'built-in' đều là quản trị viên toàn cầu trong Casdoor. Xem tài liệu: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. Nếu bạn vẫn muốn tạo người dùng cho tổ chức 'built-in', hãy truy cập trang cài đặt của tổ chức và bật tùy chọn 'Có đồng ý quyền đặc biệt'."
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "Quyền: \\\"%s\\\" không tồn tại"
+    "The permission: \"%s\" doesn't exist": "Quyền: \"%s\" không tồn tại"
+  },
+  "product": {
+    "Product list cannot be empty": "Danh sách sản phẩm không thể trống"
  },
  "provider": {
+    "Failed to initialize ID Verification provider": "Không thể khởi tạo nhà cung cấp Xác minh ID",
    "Invalid application id": "Sai ID ứng dụng",
+    "No ID Verification provider configured": "Không có nhà cung cấp Xác minh ID được cấu hình",
+    "Provider is not an ID Verification provider": "Nhà cung cấp không phải là nhà cung cấp Xác minh ID",
    "the provider: %s does not exist": "Nhà cung cấp: %s không tồn tại"
  },
  "resource": {
@@ -158,6 +170,9 @@
    "Invalid Email receivers: %s": "Người nhận Email không hợp lệ: %s",
    "Invalid phone receivers: %s": "Người nhận điện thoại không hợp lệ: %s"
  },
+  "session": {
+    "session id %s is the current session and cannot be deleted": "id phiên %s là phiên hiện tại và không thể bị xóa"
+  },
  "storage": {
    "The objectKey: %s is not allowed": "Khóa đối tượng: %s không được phép",
    "The provider type: %s is not supported": "Loại nhà cung cấp: %s không được hỗ trợ"
@@ -165,6 +180,9 @@
  "subscription": {
    "Error": "Lỗi"
  },
+  "ticket": {
+    "Ticket not found": "Không tìm thấy vé"
+  },
  "token": {
    "Grant_type: %s is not supported in this application": "Loại cấp phép: %s không được hỗ trợ trong ứng dụng này",
    "Invalid application or wrong clientSecret": "Đơn đăng ký không hợp lệ hoặc sai clientSecret",
@@ -174,10 +192,14 @@
  },
  "user": {
    "Display name cannot be empty": "Tên hiển thị không thể trống",
+    "ID card information and real name are required": "Thông tin chứng minh nhân dân và tên thật là bắt buộc",
+    "Identity verification failed": "Xác minh danh tính thất bại",
    "MFA email is enabled but email is empty": "MFA email đã bật nhưng email trống",
    "MFA phone is enabled but phone number is empty": "MFA điện thoại đã bật nhưng số điện thoại trống",
    "New password cannot contain blank space.": "Mật khẩu mới không thể chứa dấu trắng.",
+    "No application found for user": "Không tìm thấy ứng dụng cho người dùng",
    "The new password must be different from your current password": "Mật khẩu mới phải khác với mật khẩu hiện tại của bạn",
+    "User is already verified": "Người dùng đã được xác minh",
    "the user's owner and name should not be empty": "chủ sở hữu và tên người dùng không được để trống"
  },
  "util": {
@@ -188,6 +210,7 @@
  "verification": {
    "Invalid captcha provider.": "Nhà cung cấp captcha không hợp lệ.",
    "Phone number is invalid in your region %s": "Số điện thoại không hợp lệ trong vùng của bạn %s",
+    "The forgot password feature is disabled": "Tính năng quên mật khẩu đã bị tắt",
    "The verification code has already been used!": "Mã xác thực đã được sử dụng!",
    "The verification code has not been sent yet!": "Mã xác thực chưa được gửi!",
    "Turing test failed.": "Kiểm định Turing thất bại.",
@@ -196,8 +219,8 @@
    "Unknown type": "Loại không xác định",
    "Wrong verification code!": "Mã xác thực sai!",
    "You should verify your code in %d min!": "Bạn nên kiểm tra mã của mình trong %d phút!",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "vui lòng thêm nhà cung cấp SMS vào danh sách \\\"Providers\\\" cho ứng dụng: %s",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "vui lòng thêm nhà cung cấp Email vào danh sách \\\"Providers\\\" cho ứng dụng: %s",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "vui lòng thêm nhà cung cấp SMS vào danh sách \"Providers\" cho ứng dụng: %s",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "vui lòng thêm nhà cung cấp Email vào danh sách \"Providers\" cho ứng dụng: %s",
    "the user does not exist, please sign up first": "Người dùng không tồn tại, vui lòng đăng ký trước"
  },
  "webauthn": {
--- a/i18n/locales/zh/data.json
+++ b/i18n/locales/zh/data.json
@@ -2,7 +2,6 @@
  "account": {
    "Failed to add user": "添加用户失败",
    "Get init score failed, error: %w": "初始化分数失败: %w",
-    "Please sign out first": "请先退出登录",
    "The application does not allow to sign up new account": "该应用不允许注册新用户"
  },
  "auth": {
@@ -23,6 +22,7 @@
    "The login method: login with email is not enabled for the application": "该应用禁止采用邮箱登录方式",
    "The login method: login with face is not enabled for the application": "该应用禁止采用人脸登录",
    "The login method: login with password is not enabled for the application": "该应用禁止采用密码登录方式",
+    "The order: %s does not exist": "订单: %s 不存在",
    "The organization: %s does not exist": "组织: %s 不存在",
    "The organization: %s has disabled users to signin": "组织: %s 禁止用户登录",
    "The plan: %s does not exist": "计划: %s不存在",
@@ -35,7 +35,7 @@
    "User's tag: %s is not listed in the application's tags": "用户的标签: %s不在该应用的标签列表中",
    "UserCode Expired": "用户代码已过期",
    "UserCode Invalid": "用户代码无效",
-    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "paid-user %s 没有激活或正在等待订阅并且应用: %s 没有默认值",
+    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "付费用户 %s 没有激活或待处理的订阅，且应用 %s 没有默认定价",
    "the application for user %s is not found": "未找到用户 %s 的应用程序",
    "the organization: %s is not found": "组织: %s 不存在"
  },
@@ -57,11 +57,11 @@
    "Face data mismatch": "人脸不匹配",
    "Failed to parse client IP: %s": "无法解析客户端 IP 地址: %s",
    "FirstName cannot be blank": "名不可以为空",
+    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "访客用户必须通过设置用户名和密码来升级账户，然后才能直接登录",
    "Invitation code cannot be blank": "邀请码不能为空",
    "Invitation code exhausted": "邀请码使用次数已耗尽",
    "Invitation code is invalid": "邀请码无效",
    "Invitation code suspended": "邀请码已被禁止使用",
-    "LDAP user name or password incorrect": "LDAP密码错误",
    "LastName cannot be blank": "姓不可以为空",
    "Multiple accounts with same uid, please check your ldap server": "多个帐户具有相同的uid，请检查您的 LDAP 服务器",
    "Organization does not exist": "组织不存在",
@@ -83,8 +83,8 @@
    "The user is forbidden to sign in, please contact the administrator": "该用户被禁止登录，请联系管理员",
    "The user: %s doesn't exist in LDAP server": "用户: %s 在LDAP服务器中未找到",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "用户名只能包含字母数字字符、下划线或连字符，不能有连续的连字符或下划线，也不能以连字符或下划线开头或结尾",
-    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "值 \\\"%s\\\"在账户信息字段\\\"%s\\\" 中与应用的账户项正则表达式不匹配",
-    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "值\\\"%s\\\"在注册字段\\\"%s\\\"中与应用\\\"%s\\\"的注册项正则表达式不匹配",
+    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "值 \"%s\"在账户信息字段\"%s\" 中与应用的账户项正则表达式不匹配",
+    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "值\"%s\"在注册字段\"%s\"中与应用\"%s\"的注册项正则表达式不匹配",
    "Username already exists": "用户名已存在",
    "Username cannot be an email address": "用户名不可以是邮箱地址",
    "Username cannot contain white spaces": "用户名禁止包含空格",
@@ -94,7 +94,7 @@
    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "用户名支持电子邮件格式。此外，用户名只能包含字母数字字符、下划线或连字符，不能包含连续的连字符或下划线，也不能以连字符或下划线开头或结尾。同时请注意电子邮件格式。",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "密码错误次数已达上限，请在 %d 分后重试",
    "Your IP address: %s has been banned according to the configuration of: ": "您的IP地址：%s 根据以下配置已被禁止： ",
-    "Your password has expired. Please reset your password by clicking \\\"Forgot password\\\"": "您的密码已过期。请点击 \\\"忘记密码\\\" 以重置密码",
+    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "您的密码已过期。请点击 \"忘记密码\" 以重置密码",
    "Your region is not allow to signup by phone": "所在地区不支持手机号注册",
    "password or code is incorrect": "密码错误",
    "password or code is incorrect, you have %s remaining chances": "密码错误，您还有 %s 次尝试的机会",
@@ -106,11 +106,17 @@
  "general": {
    "Failed to import groups": "导入群组失败",
    "Failed to import users": "导入用户失败",
+    "Insufficient balance: new balance %v would be below credit limit %v": "余额不足：新余额 %v 将低于信用限额 %v",
+    "Insufficient balance: new organization balance %v would be below credit limit %v": "余额不足：新组织余额 %v 将低于信用限额 %v",
    "Missing parameter": "缺少参数",
    "Only admin user can specify user": "仅管理员用户可以指定用户",
    "Please login first": "请先登录",
+    "The LDAP: %s does not exist": "LDAP: %s 不存在",
    "The organization: %s should have one application at least": "组织: %s 应该拥有至少一个应用",
+    "The syncer: %s does not exist": "同步器: %s 不存在",
    "The user: %s doesn't exist": "用户: %s不存在",
+    "The user: %s is not found": "用户: %s 未找到",
+    "User is required for User category transaction": "用户类别交易需要用户",
    "Wrong userId": "错误的 userId",
    "don't support captchaProvider: ": "不支持验证码提供商: ",
    "this operation is not allowed in demo mode": "demo模式下不允许该操作",
@@ -137,10 +143,16 @@
    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "目前，向'built-in'组织添加新用户的功能已禁用。请注意：'built-in'组织中的所有用户均为Casdoor的全局管理员。请参阅文档：https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself。如果您仍希望为built-in组织创建用户，请转到该组织的设置页面并启用“特权同意”选项。"
  },
  "permission": {
-    "The permission: \\\"%s\\\" doesn't exist": "权限: \\\"%s\\\" 不存在"
+    "The permission: \"%s\" doesn't exist": "权限: \"%s\" 不存在"
+  },
+  "product": {
+    "Product list cannot be empty": "产品列表不能为空"
  },
  "provider": {
+    "Failed to initialize ID Verification provider": "初始化身份验证提供商失败",
    "Invalid application id": "无效的应用ID",
+    "No ID Verification provider configured": "未配置身份验证提供商",
+    "Provider is not an ID Verification provider": "提供商不是身份验证提供商",
    "the provider: %s does not exist": "提供商: %s不存在"
  },
  "resource": {
@@ -158,6 +170,9 @@
    "Invalid Email receivers: %s": "无效的邮箱收件人: %s",
    "Invalid phone receivers: %s": "无效的手机短信收信人: %s"
  },
+  "session": {
+    "session id %s is the current session and cannot be deleted": "会话ID %s 是当前会话，无法删除"
+  },
  "storage": {
    "The objectKey: %s is not allowed": "objectKey: %s被禁止",
    "The provider type: %s is not supported": "不支持的提供商类型: %s"
@@ -165,6 +180,9 @@
  "subscription": {
    "Error": "错误"
  },
+  "ticket": {
+    "Ticket not found": "工单未找到"
+  },
  "token": {
    "Grant_type: %s is not supported in this application": "该应用不支持Grant_type: %s",
    "Invalid application or wrong clientSecret": "无效应用或错误的clientSecret",
@@ -174,10 +192,14 @@
  },
  "user": {
    "Display name cannot be empty": "显示名称不可为空",
+    "ID card information and real name are required": "需要身份证信息和真实姓名",
+    "Identity verification failed": "身份验证失败",
    "MFA email is enabled but email is empty": "MFA 电子邮件已启用，但电子邮件为空",
    "MFA phone is enabled but phone number is empty": "MFA 电话已启用，但电话号码为空",
    "New password cannot contain blank space.": "新密码不可以包含空格",
+    "No application found for user": "未找到用户的应用程序",
    "The new password must be different from your current password": "新密码必须与您当前的密码不同",
+    "User is already verified": "用户已验证",
    "the user's owner and name should not be empty": "用户的组织和名称不能为空"
  },
  "util": {
@@ -188,6 +210,7 @@
  "verification": {
    "Invalid captcha provider.": "非法的验证码提供商",
    "Phone number is invalid in your region %s": "您所在地区的电话号码无效 %s",
+    "The forgot password feature is disabled": "忘记密码功能已被禁用",
    "The verification code has already been used!": "验证码已使用过!",
    "The verification code has not been sent yet!": "验证码未发送！",
    "Turing test failed.": "验证码还未发送",
@@ -196,8 +219,8 @@
    "Unknown type": "未知类型",
    "Wrong verification code!": "验证码错误!",
    "You should verify your code in %d min!": "请在 %d 分钟内输入正确验证码",
-    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "请添加一个SMS提供商到应用： %s 的 \\\"提供商 \\\"列表",
-    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "请添加一个Email提供商到应用： %s 的 \\\"提供商 \\\"列表",
+    "please add a SMS provider to the \"Providers\" list for the application: %s": "请添加一个SMS提供商到应用： %s 的 \"提供商 \"列表",
+    "please add an Email provider to the \"Providers\" list for the application: %s": "请添加一个Email提供商到应用： %s 的 \"提供商 \"列表",
    "the user does not exist, please sign up first": "用户不存在，请先注册"
  },
  "webauthn": {
--- a/idp/custom.go
+++ b/idp/custom.go
@@ -31,11 +31,12 @@ type CustomIdProvider struct {
 	Client *http.Client
 	Config *oauth2.Config

-	UserInfoURL string
-	TokenURL    string
-	AuthURL     string
-	UserMapping map[string]string
-	Scopes      []string
+	UserInfoURL  string
+	TokenURL     string
+	AuthURL      string
+	UserMapping  map[string]string
+	Scopes       []string
+	CodeVerifier string
 }

 func NewCustomIdProvider(idpInfo *ProviderInfo, redirectUrl string) *CustomIdProvider {
@@ -53,6 +54,7 @@ func NewCustomIdProvider(idpInfo *ProviderInfo, redirectUrl string) *CustomIdPro
 	idp.UserInfoURL = idpInfo.UserInfoURL
 	idp.UserMapping = idpInfo.UserMapping

+	idp.CodeVerifier = idpInfo.CodeVerifier
 	return idp
 }

@@ -62,7 +64,11 @@ func (idp *CustomIdProvider) SetHttpClient(client *http.Client) {

 func (idp *CustomIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	ctx := context.WithValue(context.Background(), oauth2.HTTPClient, idp.Client)
-	return idp.Config.Exchange(ctx, code)
+	var oauth2Opts []oauth2.AuthCodeOption
+	if idp.CodeVerifier != "" {
+		oauth2Opts = append(oauth2Opts, oauth2.VerifierOption(idp.CodeVerifier))
+	}
+	return idp.Config.Exchange(ctx, code, oauth2Opts...)
 }

 func getNestedValue(data map[string]interface{}, path string) (interface{}, error) {
--- a/idp/goth.go
+++ b/idp/goth.go
@@ -87,8 +87,9 @@ import (
 )

 type GothIdProvider struct {
-	Provider goth.Provider
-	Session  goth.Session
+	Provider     goth.Provider
+	Session      goth.Session
+	CodeVerifier string
 }

 func NewGothIdProvider(providerType string, clientId string, clientSecret string, clientId2 string, clientSecret2 string, redirectUrl string, hostUrl string) (*GothIdProvider, error) {
@@ -448,7 +449,13 @@ func (idp *GothIdProvider) GetToken(code string) (*oauth2.Token, error) {
 		value = url.Values{}
 		value.Add("code", code)
 		if idp.Provider.Name() == "twitterv2" || idp.Provider.Name() == "fitbit" {
-			value.Add("oauth_verifier", "casdoor-verifier")
+			// Use dynamic code verifier if provided, otherwise fall back to static one
+			verifier := idp.CodeVerifier
+			if verifier == "" {
+				verifier = "casdoor-verifier"
+			}
+			// RFC 7636 PKCE uses 'code_verifier' parameter
+			value.Add("code_verifier", verifier)
 		}
 	}
 	accessToken, err := idp.Session.Authorize(idp.Provider, value)
--- a/idp/provider.go
+++ b/idp/provider.go
@@ -45,6 +45,7 @@ type ProviderInfo struct {
 	HostUrl       string
 	RedirectUrl   string
 	DisableSsl    bool
+	CodeVerifier  string

 	TokenURL    string
 	AuthURL     string
@@ -128,7 +129,9 @@ func GetIdProvider(idpInfo *ProviderInfo, redirectUrl string) (IdProvider, error
 	case "Web3Onboard":
 		return NewWeb3OnboardIdProvider(), nil
 	case "Twitter":
-		return NewTwitterIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
+		provider := NewTwitterIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		provider.CodeVerifier = idpInfo.CodeVerifier
+		return provider, nil
 	case "Telegram":
 		return NewTelegramIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	default:
--- a/idp/twitter.go
+++ b/idp/twitter.go
@@ -28,8 +28,9 @@ import (
 )

 type TwitterIdProvider struct {
-	Client *http.Client
-	Config *oauth2.Config
+	Client       *http.Client
+	Config       *oauth2.Config
+	CodeVerifier string
 }

 func NewTwitterIdProvider(clientId string, clientSecret string, redirectUrl string) *TwitterIdProvider {
@@ -84,7 +85,12 @@ func (idp *TwitterIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	params := url.Values{}
 	// params.Add("client_id", idp.Config.ClientID)
 	params.Add("redirect_uri", idp.Config.RedirectURL)
-	params.Add("code_verifier", "casdoor-verifier")
+	// Use dynamic code verifier if provided, otherwise fall back to static one
+	verifier := idp.CodeVerifier
+	if verifier == "" {
+		verifier = "casdoor-verifier"
+	}
+	params.Add("code_verifier", verifier)
 	params.Add("code", code)
 	params.Add("grant_type", "authorization_code")
 	req, err := http.NewRequest("POST", "https://api.twitter.com/2/oauth2/token", strings.NewReader(params.Encode()))
--- a/ldap/server.go
+++ b/ldap/server.go
@@ -216,6 +216,16 @@ func handleSearch(w ldap.ResponseWriter, m *ldap.Message) {
 		e.AddAttribute("mobile", message.AttributeValue(user.Phone))
 		e.AddAttribute("sn", message.AttributeValue(user.LastName))
 		e.AddAttribute("givenName", message.AttributeValue(user.FirstName))
+		// Add POSIX attributes for Linux machine login support
+		e.AddAttribute("loginShell", getAttribute("loginShell", user))
+		e.AddAttribute("gecos", getAttribute("gecos", user))
+		// Add SSH public key if available
+		sshKey := getAttribute("sshPublicKey", user)
+		if sshKey != "" {
+			e.AddAttribute("sshPublicKey", sshKey)
+		}
+		// Add objectClass for posixAccount
+		e.AddAttribute("objectClass", "posixAccount")
 		for _, group := range user.Groups {
 			e.AddAttribute(ldapMemberOfAttr, message.AttributeValue(group))
 		}
--- a/ldap/util.go
+++ b/ldap/util.go
@@ -83,6 +83,45 @@ var ldapAttributesMapping = map[string]FieldRelation{
 			return message.AttributeValue(getUserPasswordWithType(user))
 		},
 	},
+	"loginShell": {
+		userField:     "loginShell",
+		notSearchable: true,
+		fieldMapper: func(user *object.User) message.AttributeValue {
+			// Check user properties first, otherwise return default shell
+			if user.Properties != nil {
+				if shell, ok := user.Properties["loginShell"]; ok && shell != "" {
+					return message.AttributeValue(shell)
+				}
+			}
+			return message.AttributeValue("/bin/bash")
+		},
+	},
+	"gecos": {
+		userField:     "gecos",
+		notSearchable: true,
+		fieldMapper: func(user *object.User) message.AttributeValue {
+			// GECOS field typically contains full name and other user info
+			// Format: Full Name,Room Number,Work Phone,Home Phone,Other
+			gecos := user.DisplayName
+			if gecos == "" {
+				gecos = user.Name
+			}
+			return message.AttributeValue(gecos)
+		},
+	},
+	"sshPublicKey": {
+		userField:     "sshPublicKey",
+		notSearchable: true,
+		fieldMapper: func(user *object.User) message.AttributeValue {
+			// Return SSH public key from user properties
+			if user.Properties != nil {
+				if sshKey, ok := user.Properties["sshPublicKey"]; ok && sshKey != "" {
+					return message.AttributeValue(sshKey)
+				}
+			}
+			return message.AttributeValue("")
+		},
+	},
 }

 const ldapMemberOfAttr = "memberOf"
--- a/object/application.go
+++ b/object/application.go
@@ -669,6 +669,21 @@ func GetAllowedApplications(applications []*Application, userId string, lang str
 	return res, nil
 }

+func checkMultipleCaptchaProviders(application *Application, lang string) error {
+	var captchaProviders []string
+	for _, providerItem := range application.Providers {
+		if providerItem.Provider != nil && providerItem.Provider.Category == "Captcha" {
+			captchaProviders = append(captchaProviders, providerItem.Name)
+		}
+	}
+
+	if len(captchaProviders) > 1 {
+		return fmt.Errorf(i18n.Translate(lang, "general:Multiple captcha providers are not allowed in the same application: %s"), strings.Join(captchaProviders, ", "))
+	}
+
+	return nil
+}
+
 func UpdateApplication(id string, application *Application, isGlobalAdmin bool, lang string) (bool, error) {
 	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
 	if err != nil {
@@ -707,6 +722,11 @@ func UpdateApplication(id string, application *Application, isGlobalAdmin bool,
 		return false, fmt.Errorf("only applications belonging to built-in organization can be shared")
 	}

+	err = checkMultipleCaptchaProviders(application, lang)
+	if err != nil {
+		return false, err
+	}
+
 	for _, providerItem := range application.Providers {
 		providerItem.Provider = nil
 	}
--- a/object/ldap_conn.go
+++ b/object/ldap_conn.go
@@ -26,10 +26,35 @@ import (
 	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/util"
 	goldap "github.com/go-ldap/ldap/v3"
+	"github.com/nyaruka/phonenumbers"
 	"github.com/thanhpk/randstr"
 	"golang.org/x/text/encoding/unicode"
 )

+// formatUserPhone processes phone number for a user based on their CountryCode
+func formatUserPhone(u *User) {
+	if u.Phone == "" {
+		return
+	}
+
+	// 1. Normalize hint (e.g., "China" -> "CN") for the parser
+	countryHint := u.CountryCode
+	if strings.EqualFold(countryHint, "China") {
+		countryHint = "CN"
+	}
+	if len(countryHint) != 2 {
+		countryHint = "" // Only 2-letter codes are valid hints
+	}
+
+	// 2. Try parsing (Strictly using countryHint from LDAP)
+	num, err := phonenumbers.Parse(u.Phone, countryHint)
+
+	if err == nil && num != nil && phonenumbers.IsValidNumber(num) {
+		// Store a clean national number (digits only, without country prefix)
+		u.Phone = fmt.Sprint(num.GetNationalNumber())
+	}
+}
+
 type LdapConn struct {
 	Conn *goldap.Conn
 	IsAD bool
@@ -289,6 +314,7 @@ func AutoAdjustLdapUser(users []LdapUser) []LdapUser {
 			Mobile:      util.ReturnAnyNotEmpty(user.Mobile, user.MobileTelephoneNumber, user.TelephoneNumber),
 			Address:     util.ReturnAnyNotEmpty(user.Address, user.PostalAddress, user.RegisteredAddress),
 			Country:     util.ReturnAnyNotEmpty(user.Country, user.CountryName),
+			CountryName: user.CountryName,
 			Attributes:  user.Attributes,
 		}
 	}
@@ -361,6 +387,7 @@ func SyncLdapUsers(owner string, syncUsers []LdapUser, ldapId string) (existUser
 				Avatar:            organization.DefaultAvatar,
 				Email:             syncUser.Email,
 				Phone:             syncUser.Mobile,
+				CountryCode:       syncUser.Country,
 				Address:           []string{syncUser.Address},
 				Region:            util.ReturnAnyNotEmpty(syncUser.Country, syncUser.CountryName),
 				Affiliation:       affiliation,
@@ -369,6 +396,7 @@ func SyncLdapUsers(owner string, syncUsers []LdapUser, ldapId string) (existUser
 				Ldap:              syncUser.Uuid,
 				Properties:        syncUser.Attributes,
 			}
+			formatUserPhone(newUser)

 			if ldap.DefaultGroup != "" {
 				newUser.Groups = []string{ldap.DefaultGroup}
--- a/object/oidc_discovery.go
+++ b/object/oidc_discovery.go
@@ -138,7 +138,7 @@ func GetOidcDiscovery(host string, applicationName string) OidcDiscovery {
 		IntrospectionEndpoint:                  fmt.Sprintf("%s/api/login/oauth/introspect", originBackend),
 		ResponseTypesSupported:                 []string{"code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token", "none"},
 		ResponseModesSupported:                 []string{"query", "fragment", "form_post"},
-		GrantTypesSupported:                    []string{"authorization_code", "implicit", "password", "client_credentials", "refresh_token", "urn:ietf:params:oauth:grant-type:device_code"},
+		GrantTypesSupported:                    []string{"authorization_code", "implicit", "password", "client_credentials", "refresh_token", "urn:ietf:params:oauth:grant-type:device_code", "urn:ietf:params:oauth:grant-type:token-exchange"},
 		SubjectTypesSupported:                  []string{"public"},
 		IdTokenSigningAlgValuesSupported:       []string{"RS256", "RS512", "ES256", "ES384", "ES512"},
 		ScopesSupported:                        []string{"openid", "email", "profile", "address", "phone", "offline_access"},
--- a/object/order.go
+++ b/object/order.go
@@ -26,6 +26,7 @@ type Order struct {
 	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
 	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
+	UpdateTime  string `xorm:"varchar(100)" json:"updateTime"`
 	DisplayName string `xorm:"varchar(100)" json:"displayName"`

 	// Product Info
@@ -43,10 +44,6 @@ type Order struct {
 	// Order State
 	State   string `xorm:"varchar(100)" json:"state"`
 	Message string `xorm:"varchar(2000)" json:"message"`
-
-	// Order Duration
-	StartTime string `xorm:"varchar(100)" json:"startTime"`
-	EndTime   string `xorm:"varchar(100)" json:"endTime"`
 }

 type ProductInfo struct {
@@ -138,6 +135,14 @@ func UpdateOrder(id string, order *Order) (bool, error) {
 		return false, nil
 	}

+	if o.State != order.State {
+		if order.State == "Created" {
+			order.UpdateTime = ""
+		} else {
+			order.UpdateTime = util.GetCurrentTime()
+		}
+	}
+
 	if !slices.Equal(o.Products, order.Products) {
 		existingInfos := make(map[string]ProductInfo, len(o.ProductInfos))
 		for _, info := range o.ProductInfos {
--- a/object/order_pay.go
+++ b/object/order_pay.go
@@ -99,8 +99,7 @@ func PlaceOrder(owner string, reqProductInfos []ProductInfo, user *User) (*Order
 		Currency:     orderCurrency,
 		State:        "Created",
 		Message:      "",
-		StartTime:    util.GetCurrentTime(),
-		EndTime:      "",
+		UpdateTime:   "",
 	}

 	affected, err := AddOrder(order)
@@ -180,6 +179,17 @@ func PayOrder(providerName, host, paymentEnv string, order *Order, lang string)
 			return nil, nil, fmt.Errorf("the plan: %s does not exist", productInfo.PlanName)
 		}

+		// Check if plan restricts user to one subscription
+		if plan.IsExclusive {
+			hasSubscription, err := HasActiveSubscriptionForPlan(owner, user.Name, plan.Name)
+			if err != nil {
+				return nil, nil, err
+			}
+			if hasSubscription {
+				return nil, nil, fmt.Errorf("user already has an active subscription for plan: %s", plan.Name)
+			}
+		}
+
 		sub, err := NewSubscription(owner, user.Name, plan.Name, paymentName, plan.Period)
 		if err != nil {
 			return nil, nil, err
@@ -344,7 +354,7 @@ func PayOrder(providerName, host, paymentEnv string, order *Order, lang string)
 	if provider.Type == "Dummy" || provider.Type == "Balance" {
 		order.State = "Paid"
 		order.Message = "Payment successful"
-		order.EndTime = util.GetCurrentTime()
+		order.UpdateTime = util.GetCurrentTime()
 	}

 	// Update order state first to avoid inconsistency
@@ -371,6 +381,6 @@ func CancelOrder(order *Order) (bool, error) {

 	order.State = "Canceled"
 	order.Message = "Canceled by user"
-	order.EndTime = util.GetCurrentTime()
+	order.UpdateTime = util.GetCurrentTime()
 	return UpdateOrder(order.GetId(), order)
 }
--- a/object/organization.go
+++ b/object/organization.go
@@ -32,6 +32,7 @@ type AccountItem struct {
 	ViewRule   string `json:"viewRule"`
 	ModifyRule string `json:"modifyRule"`
 	Regex      string `json:"regex"`
+	Tab        string `json:"tab"`
 }

 type ThemeData struct {
@@ -88,6 +89,7 @@ type Organization struct {

 	MfaItems           []*MfaItem     `xorm:"varchar(300)" json:"mfaItems"`
 	MfaRememberInHours int            `json:"mfaRememberInHours"`
+	AccountMenu        string         `xorm:"varchar(20)" json:"accountMenu"`
 	AccountItems       []*AccountItem `xorm:"mediumtext" json:"accountItems"`

 	OrgBalance      float64 `json:"orgBalance"`
--- a/object/payment.go
+++ b/object/payment.go
@@ -50,7 +50,8 @@ type Payment struct {
 	InvoiceRemark string `xorm:"varchar(100)" json:"invoiceRemark"`
 	InvoiceUrl    string `xorm:"varchar(255)" json:"invoiceUrl"`
 	// Order Info
-	Order      string          `xorm:"varchar(100)" json:"order"`      // Internal order name
+	Order      string          `xorm:"varchar(100)" json:"order"` // Internal order name
+	OrderObj   *Order          `xorm:"-" json:"orderObj,omitempty"`
 	OutOrderId string          `xorm:"varchar(100)" json:"outOrderId"` // External payment provider's order ID
 	PayUrl     string          `xorm:"varchar(2000)" json:"payUrl"`
 	SuccessUrl string          `xorm:"varchar(2000)" json:"successUrl"` // `successUrl` is redirected from `payUrl` after pay success
@@ -70,6 +71,11 @@ func GetPayments(owner string) ([]*Payment, error) {
 		return nil, err
 	}

+	err = ExtendPaymentWithOrder(payments)
+	if err != nil {
+		return nil, err
+	}
+
 	return payments, nil
 }

@@ -80,6 +86,11 @@ func GetUserPayments(owner, user string) ([]*Payment, error) {
 		return nil, err
 	}

+	err = ExtendPaymentWithOrder(payments)
+	if err != nil {
+		return nil, err
+	}
+
 	return payments, nil
 }

@@ -91,9 +102,49 @@ func GetPaginationPayments(owner string, offset, limit int, field, value, sortFi
 		return nil, err
 	}

+	err = ExtendPaymentWithOrder(payments)
+	if err != nil {
+		return nil, err
+	}
+
 	return payments, nil
 }

+func ExtendPaymentWithOrder(payments []*Payment) error {
+	ownerOrdersMap := make(map[string][]string)
+	for _, payment := range payments {
+		if payment.Order != "" {
+			ownerOrdersMap[payment.Owner] = append(ownerOrdersMap[payment.Owner], payment.Order)
+		}
+	}
+
+	ordersMap := make(map[string]*Order)
+	for owner, orderNames := range ownerOrdersMap {
+		if len(orderNames) == 0 {
+			continue
+		}
+		var orders []*Order
+		err := ormer.Engine.In("name", orderNames).Find(&orders, &Order{Owner: owner})
+		if err != nil {
+			return err
+		}
+
+		for _, order := range orders {
+			ordersMap[util.GetId(order.Owner, order.Name)] = order
+		}
+	}
+
+	for _, payment := range payments {
+		if payment.Order != "" {
+			orderId := util.GetId(payment.Owner, payment.Order)
+			if order, ok := ordersMap[orderId]; ok {
+				payment.OrderObj = order
+			}
+		}
+	}
+	return nil
+}
+
 func getPayment(owner string, name string) (*Payment, error) {
 	if owner == "" || name == "" {
 		return nil, nil
@@ -210,18 +261,29 @@ func NotifyPayment(body []byte, owner string, paymentName string, lang string) (
 	}

 	// Check if payment is already in a terminal state to prevent duplicate processing
-	if payment.State == pp.PaymentStatePaid || payment.State == pp.PaymentStateError ||
-		payment.State == pp.PaymentStateCanceled || payment.State == pp.PaymentStateTimeout {
+	if pp.IsTerminalState(payment.State) {
 		return payment, nil
 	}

+	// Determine the new payment state
+	var newState pp.PaymentState
+	var newMessage string
 	if err != nil {
-		payment.State = pp.PaymentStateError
-		payment.Message = err.Error()
+		newState = pp.PaymentStateError
+		newMessage = err.Error()
 	} else {
-		payment.State = notifyResult.PaymentStatus
-		payment.Message = notifyResult.NotifyMessage
+		newState = notifyResult.PaymentStatus
+		newMessage = notifyResult.NotifyMessage
 	}
+
+	// Check if the payment state would actually change
+	// This prevents duplicate webhook events when providers send redundant notifications
+	if payment.State == newState {
+		return payment, nil
+	}
+
+	payment.State = newState
+	payment.Message = newMessage
 	_, err = UpdatePayment(payment.GetId(), payment)
 	if err != nil {
 		return nil, err
@@ -239,16 +301,19 @@ func NotifyPayment(body []byte, owner string, paymentName string, lang string) (
 	if payment.State == pp.PaymentStatePaid {
 		order.State = "Paid"
 		order.Message = "Payment successful"
-		order.EndTime = util.GetCurrentTime()
+		order.UpdateTime = util.GetCurrentTime()
 	} else if payment.State == pp.PaymentStateError {
 		order.State = "PaymentFailed"
 		order.Message = payment.Message
+		order.UpdateTime = util.GetCurrentTime()
 	} else if payment.State == pp.PaymentStateCanceled {
 		order.State = "Canceled"
 		order.Message = "Payment was cancelled"
+		order.UpdateTime = util.GetCurrentTime()
 	} else if payment.State == pp.PaymentStateTimeout {
 		order.State = "Timeout"
 		order.Message = "Payment timed out"
+		order.UpdateTime = util.GetCurrentTime()
 	}
 	_, err = UpdateOrder(order.GetId(), order)
 	if err != nil {
--- a/object/plan.go
+++ b/object/plan.go
@@ -35,6 +35,7 @@ type Plan struct {
 	Product          string   `xorm:"varchar(100)" json:"product"`
 	PaymentProviders []string `xorm:"varchar(100)" json:"paymentProviders"` // payment providers for related product
 	IsEnabled        bool     `json:"isEnabled"`
+	IsExclusive      bool     `json:"isExclusive"` // if true, a user can only have at most one subscription of this plan

 	Role    string   `xorm:"varchar(100)" json:"role"`
 	Options []string `xorm:"-" json:"options"`
--- a/object/record.go
+++ b/object/record.go
@@ -80,7 +80,7 @@ func NewRecord(ctx *context.Context) (*casvisorsdk.Record, error) {
 		return nil, err
 	}

-	if action != "buy-product" {
+	if action != "buy-product" && action != "notify-payment" {
 		resp.Data = nil
 	}

--- a/object/session.go
+++ b/object/session.go
@@ -175,8 +175,10 @@ func DeleteSession(id, curSessionId string) (bool, error) {
 			return false, err
 		}

+		// If session doesn't exist, return success with no rows affected
+		// This is a valid state (e.g., when a user has no active session)
 		if session == nil {
-			return false, fmt.Errorf("session is nil")
+			return false, nil
 		}

 		if slices.Contains(session.SessionId, curSessionId) {
--- a/object/sms.go
+++ b/object/sms.go
@@ -28,6 +28,8 @@ func getSmsClient(provider *Provider) (sender.SmsClient, error) {
 		client, err = sender.NewSmsClient(provider.Type, provider.ClientId, provider.ClientSecret, provider.SignName, provider.TemplateCode, provider.ProviderUrl, provider.AppId)
 	} else if provider.Type == "Custom HTTP SMS" {
 		client, err = newHttpSmsClient(provider.Endpoint, provider.Method, provider.Title, provider.TemplateCode, provider.HttpHeaders, provider.UserMapping, provider.IssuerUrl, provider.EnableProxy)
+	} else if provider.Type == "Alibaba Cloud PNVS SMS" {
+		client, err = newPnvsSmsClient(provider.ClientId, provider.ClientSecret, provider.SignName, provider.TemplateCode, provider.RegionId)
 	} else {
 		client, err = sender.NewSmsClient(provider.Type, provider.ClientId, provider.ClientSecret, provider.SignName, provider.TemplateCode, provider.AppId)
 	}
@@ -48,7 +50,7 @@ func SendSms(provider *Provider, content string, phoneNumbers ...string) error {
 		if provider.AppId != "" {
 			phoneNumbers = append([]string{provider.AppId}, phoneNumbers...)
 		}
-	} else if provider.Type == sender.Aliyun {
+	} else if provider.Type == sender.Aliyun || provider.Type == "Alibaba Cloud PNVS SMS" {
 		for i, number := range phoneNumbers {
 			phoneNumbers[i] = strings.TrimPrefix(number, "+86")
 		}
--- a/object/sms_pnvs.go
+++ b/object/sms_pnvs.go
@@ -0,0 +1,86 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/aliyun/alibaba-cloud-sdk-go/services/dypnsapi"
+)
+
+type PnvsSmsClient struct {
+	template string
+	sign     string
+	core     *dypnsapi.Client
+}
+
+func newPnvsSmsClient(accessId string, accessKey string, sign string, template string, regionId string) (*PnvsSmsClient, error) {
+	if regionId == "" {
+		regionId = "cn-hangzhou"
+	}
+
+	client, err := dypnsapi.NewClientWithAccessKey(regionId, accessId, accessKey)
+	if err != nil {
+		return nil, err
+	}
+
+	pnvsClient := &PnvsSmsClient{
+		template: template,
+		core:     client,
+		sign:     sign,
+	}
+
+	return pnvsClient, nil
+}
+
+func (c *PnvsSmsClient) SendMessage(param map[string]string, targetPhoneNumber ...string) error {
+	if len(targetPhoneNumber) == 0 {
+		return fmt.Errorf("missing parameter: targetPhoneNumber")
+	}
+
+	// PNVS sends to one phone number at a time
+	phoneNumber := targetPhoneNumber[0]
+
+	request := dypnsapi.CreateSendSmsVerifyCodeRequest()
+	request.Scheme = "https"
+	request.PhoneNumber = phoneNumber
+	request.TemplateCode = c.template
+	request.SignName = c.sign
+
+	// TemplateParam is optional for PNVS as it can auto-generate verification codes
+	// But if params are provided, we'll pass them
+	if len(param) > 0 {
+		templateParam, err := json.Marshal(param)
+		if err != nil {
+			return err
+		}
+		request.TemplateParam = string(templateParam)
+	}
+
+	response, err := c.core.SendSmsVerifyCode(request)
+	if err != nil {
+		return err
+	}
+
+	if response.Code != "OK" {
+		if response.Message != "" {
+			return fmt.Errorf(response.Message)
+		}
+		return fmt.Errorf("PNVS SMS send failed with code: %s", response.Code)
+	}
+
+	return nil
+}
--- a/object/subscription.go
+++ b/object/subscription.go
@@ -217,6 +217,26 @@ func GetSubscription(id string) (*Subscription, error) {
 	return getSubscription(owner, name)
 }

+func HasActiveSubscriptionForPlan(owner, userName, planName string) (bool, error) {
+	subscriptions := []*Subscription{}
+	err := ormer.Engine.Find(&subscriptions, &Subscription{Owner: owner, User: userName, Plan: planName})
+	if err != nil {
+		return false, err
+	}
+
+	for _, sub := range subscriptions {
+		err = sub.UpdateState()
+		if err != nil {
+			return false, err
+		}
+		// Check if subscription is active, upcoming, or pending (not expired, error, or suspended)
+		if sub.State == SubStateActive || sub.State == SubStateUpcoming || sub.State == SubStatePending {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
 func UpdateSubscription(id string, subscription *Subscription) (bool, error) {
 	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
 	if err != nil {
--- a/object/syncer_activedirectory.go
+++ b/object/syncer_activedirectory.go
@@ -370,3 +370,15 @@ func (p *ActiveDirectorySyncerProvider) adEntryToOriginalUser(entry *goldap.Entr

 	return user
 }
+
+// GetOriginalGroups retrieves all groups from Active Directory (not implemented yet)
+func (p *ActiveDirectorySyncerProvider) GetOriginalGroups() ([]*OriginalGroup, error) {
+	// TODO: Implement Active Directory group sync
+	return []*OriginalGroup{}, nil
+}
+
+// GetOriginalUserGroups retrieves the group IDs that a user belongs to (not implemented yet)
+func (p *ActiveDirectorySyncerProvider) GetOriginalUserGroups(userId string) ([]string, error) {
+	// TODO: Implement Active Directory user group membership sync
+	return []string{}, nil
+}
--- a/object/syncer_azuread.go
+++ b/object/syncer_azuread.go
@@ -274,3 +274,15 @@ func (p *AzureAdSyncerProvider) getAzureAdOriginalUsers() ([]*OriginalUser, erro

 	return originalUsers, nil
 }
+
+// GetOriginalGroups retrieves all groups from Azure AD (not implemented yet)
+func (p *AzureAdSyncerProvider) GetOriginalGroups() ([]*OriginalGroup, error) {
+	// TODO: Implement Azure AD group sync
+	return []*OriginalGroup{}, nil
+}
+
+// GetOriginalUserGroups retrieves the group IDs that a user belongs to (not implemented yet)
+func (p *AzureAdSyncerProvider) GetOriginalUserGroups(userId string) ([]string, error) {
+	// TODO: Implement Azure AD user group membership sync
+	return []string{}, nil
+}
--- a/object/syncer_cron.go
+++ b/object/syncer_cron.go
@@ -60,9 +60,19 @@ func addSyncerJob(syncer *Syncer) error {
 		return err
 	}

+	// Sync groups as well
+	err = syncer.syncGroups()
+	if err != nil {
+		// Log error but don't fail the entire sync
+		fmt.Printf("Warning: syncGroups() error: %s\n", err.Error())
+	}
+
 	schedule := fmt.Sprintf("@every %ds", syncer.SyncInterval)
 	cron := getCronMap(syncer.Name)
-	_, err = cron.AddFunc(schedule, syncer.syncUsersNoError)
+	_, err = cron.AddFunc(schedule, func() {
+		syncer.syncUsersNoError()
+		syncer.syncGroupsNoError()
+	})
 	if err != nil {
 		return err
 	}
--- a/object/syncer_database.go
+++ b/object/syncer_database.go
@@ -164,3 +164,15 @@ func (t dsnConnector) Connect(ctx context.Context) (driver.Conn, error) {
 func (t dsnConnector) Driver() driver.Driver {
 	return t.driver
 }
+
+// GetOriginalGroups retrieves all groups from Database (not implemented yet)
+func (p *DatabaseSyncerProvider) GetOriginalGroups() ([]*OriginalGroup, error) {
+	// TODO: Implement Database group sync
+	return []*OriginalGroup{}, nil
+}
+
+// GetOriginalUserGroups retrieves the group IDs that a user belongs to (not implemented yet)
+func (p *DatabaseSyncerProvider) GetOriginalUserGroups(userId string) ([]string, error) {
+	// TODO: Implement Database user group membership sync
+	return []string{}, nil
+}
--- a/object/syncer_dingtalk.go
+++ b/object/syncer_dingtalk.go
@@ -109,6 +109,21 @@ type DingtalkDeptListResp struct {
 	RequestId string `json:"request_id"`
 }

+type DingtalkDepartment struct {
+	DeptId          int64  `json:"dept_id"`
+	Name            string `json:"name"`
+	ParentId        int64  `json:"parent_id"`
+	CreateDeptGroup bool   `json:"create_dept_group"`
+	AutoAddUser     bool   `json:"auto_add_user"`
+}
+
+type DingtalkDeptDetailResp struct {
+	Errcode   int                 `json:"errcode"`
+	Errmsg    string              `json:"errmsg"`
+	Result    *DingtalkDepartment `json:"result"`
+	RequestId string              `json:"request_id"`
+}
+
 // getDingtalkAccessToken gets access token from DingTalk API
 func (p *DingtalkSyncerProvider) getDingtalkAccessToken() (string, error) {
 	// syncer.User should be the appKey
@@ -194,6 +209,34 @@ func (p *DingtalkSyncerProvider) getDingtalkDepartments(accessToken string) ([]i
 	return deptIds, nil
 }

+// getDingtalkDepartmentDetails gets detailed department information
+func (p *DingtalkSyncerProvider) getDingtalkDepartmentDetails(accessToken string, deptId int64) (*DingtalkDepartment, error) {
+	apiUrl := fmt.Sprintf("https://oapi.dingtalk.com/topapi/v2/department/get?access_token=%s",
+		url.QueryEscape(accessToken))
+
+	postData := map[string]interface{}{
+		"dept_id": deptId,
+	}
+
+	data, err := p.postJSON(apiUrl, postData)
+	if err != nil {
+		return nil, err
+	}
+
+	var resp DingtalkDeptDetailResp
+	err = json.Unmarshal(data, &resp)
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.Errcode != 0 {
+		return nil, fmt.Errorf("failed to get department details for %d: errcode=%d, errmsg=%s",
+			deptId, resp.Errcode, resp.Errmsg)
+	}
+
+	return resp.Result, nil
+}
+
 // getDingtalkUsersFromDept gets users from a specific department
 func (p *DingtalkSyncerProvider) getDingtalkUsersFromDept(accessToken string, deptId int64) ([]*DingtalkUser, error) {
 	allUsers := []*DingtalkUser{}
@@ -374,6 +417,11 @@ func (p *DingtalkSyncerProvider) dingtalkUserToOriginalUser(dingtalkUser *Dingta
 		Groups:      []string{},
 	}

+	// Add department IDs to Groups field
+	for _, deptId := range dingtalkUser.Department {
+		user.Groups = append(user.Groups, fmt.Sprintf("%d", deptId))
+	}
+
 	// Set IsForbidden based on active status (active=false means user is forbidden)
 	user.IsForbidden = !dingtalkUser.Active

@@ -384,3 +432,73 @@ func (p *DingtalkSyncerProvider) dingtalkUserToOriginalUser(dingtalkUser *Dingta

 	return user
 }
+
+// GetOriginalGroups retrieves all groups (departments) from DingTalk
+func (p *DingtalkSyncerProvider) GetOriginalGroups() ([]*OriginalGroup, error) {
+	// Get access token
+	accessToken, err := p.getDingtalkAccessToken()
+	if err != nil {
+		return nil, err
+	}
+
+	// Get all department IDs
+	deptIds, err := p.getDingtalkDepartments(accessToken)
+	if err != nil {
+		return nil, err
+	}
+
+	// Get detailed information for each department
+	originalGroups := []*OriginalGroup{}
+	for _, deptId := range deptIds {
+		dept, err := p.getDingtalkDepartmentDetails(accessToken, deptId)
+		if err != nil {
+			// Log error but continue with other departments
+			fmt.Printf("Warning: failed to get details for department %d: %v\n", deptId, err)
+			continue
+		}
+
+		originalGroup := p.dingtalkDepartmentToOriginalGroup(dept)
+		originalGroups = append(originalGroups, originalGroup)
+	}
+
+	return originalGroups, nil
+}
+
+// dingtalkDepartmentToOriginalGroup converts DingTalk department to Casdoor OriginalGroup
+func (p *DingtalkSyncerProvider) dingtalkDepartmentToOriginalGroup(dept *DingtalkDepartment) *OriginalGroup {
+	// Convert department ID to string for group ID
+	deptIdStr := fmt.Sprintf("%d", dept.DeptId)
+
+	return &OriginalGroup{
+		Id:          deptIdStr,
+		Name:        deptIdStr,    // Use ID as name for uniqueness
+		DisplayName: dept.Name,    // Use actual name as display name
+		Description: "",           // DingTalk doesn't provide description
+		Type:        "department", // Mark as department type
+		Manager:     "",           // DingTalk doesn't provide manager in dept details
+		Email:       "",           // DingTalk doesn't provide email for departments
+	}
+}
+
+// GetOriginalUserGroups retrieves the group (department) IDs that a user belongs to
+func (p *DingtalkSyncerProvider) GetOriginalUserGroups(userId string) ([]string, error) {
+	// Get access token
+	accessToken, err := p.getDingtalkAccessToken()
+	if err != nil {
+		return nil, err
+	}
+
+	// Get detailed user information which includes department list
+	user, err := p.getDingtalkUserDetails(accessToken, userId)
+	if err != nil {
+		return nil, err
+	}
+
+	// Convert department IDs to strings
+	groupIds := []string{}
+	for _, deptId := range user.Department {
+		groupIds = append(groupIds, fmt.Sprintf("%d", deptId))
+	}
+
+	return groupIds, nil
+}
--- a/object/syncer_googleworkspace.go
+++ b/object/syncer_googleworkspace.go
@@ -101,6 +101,7 @@ func (p *GoogleWorkspaceSyncerProvider) getAdminService() (*admin.Service, error
 		PrivateKey: []byte(serviceAccount.PrivateKey),
 		Scopes: []string{
 			admin.AdminDirectoryUserReadonlyScope,
+			admin.AdminDirectoryGroupReadonlyScope,
 		},
 		TokenURL: google.JWTTokenURL,
 		Subject:  adminEmail, // Impersonate the admin user
@@ -202,12 +203,189 @@ func (p *GoogleWorkspaceSyncerProvider) getGoogleWorkspaceOriginalUsers() ([]*Or
 		return nil, err
 	}

+	// Get all groups and their members to build a user-to-groups mapping
+	// This avoids N+1 queries by fetching group memberships upfront
+	userGroupsMap, err := p.buildUserGroupsMap(service)
+	if err != nil {
+		fmt.Printf("Warning: failed to fetch group memberships: %v. Users will have no groups assigned.\n", err)
+		userGroupsMap = make(map[string][]string)
+	}
+
 	// Convert Google Workspace users to Casdoor OriginalUser
 	originalUsers := []*OriginalUser{}
 	for _, gwUser := range gwUsers {
 		originalUser := p.googleWorkspaceUserToOriginalUser(gwUser)
+
+		// Assign groups from the pre-built map
+		if groups, exists := userGroupsMap[gwUser.PrimaryEmail]; exists {
+			originalUser.Groups = groups
+		} else {
+			originalUser.Groups = []string{}
+		}
+
 		originalUsers = append(originalUsers, originalUser)
 	}

 	return originalUsers, nil
 }
+
+// buildUserGroupsMap builds a map of user email to group emails by iterating through all groups
+// and their members. This is more efficient than querying groups for each user individually.
+func (p *GoogleWorkspaceSyncerProvider) buildUserGroupsMap(service *admin.Service) (map[string][]string, error) {
+	userGroupsMap := make(map[string][]string)
+
+	// Get all groups
+	groups, err := p.getGoogleWorkspaceGroups(service)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch groups: %v", err)
+	}
+
+	// For each group, get its members and populate the user-to-groups map
+	for _, group := range groups {
+		members, err := p.getGroupMembers(service, group.Id)
+		if err != nil {
+			fmt.Printf("Warning: failed to get members for group %s: %v\n", group.Email, err)
+			continue
+		}
+
+		// Add this group to each member's group list
+		for _, member := range members {
+			userGroupsMap[member.Email] = append(userGroupsMap[member.Email], group.Email)
+		}
+	}
+
+	return userGroupsMap, nil
+}
+
+// getGroupMembers retrieves all members of a specific group
+func (p *GoogleWorkspaceSyncerProvider) getGroupMembers(service *admin.Service, groupId string) ([]*admin.Member, error) {
+	allMembers := []*admin.Member{}
+	pageToken := ""
+
+	for {
+		call := service.Members.List(groupId).MaxResults(500)
+		if pageToken != "" {
+			call = call.PageToken(pageToken)
+		}
+
+		resp, err := call.Do()
+		if err != nil {
+			return nil, fmt.Errorf("failed to list members: %v", err)
+		}
+
+		allMembers = append(allMembers, resp.Members...)
+
+		// Handle pagination
+		if resp.NextPageToken == "" {
+			break
+		}
+		pageToken = resp.NextPageToken
+	}
+
+	return allMembers, nil
+}
+
+// GetOriginalGroups retrieves all groups from Google Workspace
+func (p *GoogleWorkspaceSyncerProvider) GetOriginalGroups() ([]*OriginalGroup, error) {
+	// Get Admin SDK service
+	service, err := p.getAdminService()
+	if err != nil {
+		return nil, err
+	}
+
+	// Get all groups from Google Workspace
+	gwGroups, err := p.getGoogleWorkspaceGroups(service)
+	if err != nil {
+		return nil, err
+	}
+
+	// Convert Google Workspace groups to Casdoor OriginalGroup
+	originalGroups := []*OriginalGroup{}
+	for _, gwGroup := range gwGroups {
+		originalGroup := p.googleWorkspaceGroupToOriginalGroup(gwGroup)
+		originalGroups = append(originalGroups, originalGroup)
+	}
+
+	return originalGroups, nil
+}
+
+// GetOriginalUserGroups retrieves the group IDs that a user belongs to
+func (p *GoogleWorkspaceSyncerProvider) GetOriginalUserGroups(userId string) ([]string, error) {
+	// Get Admin SDK service
+	service, err := p.getAdminService()
+	if err != nil {
+		return nil, err
+	}
+
+	// Get groups for the user
+	groupIds := []string{}
+	pageToken := ""
+
+	for {
+		call := service.Groups.List().UserKey(userId)
+		if pageToken != "" {
+			call = call.PageToken(pageToken)
+		}
+
+		resp, err := call.Do()
+		if err != nil {
+			return nil, fmt.Errorf("failed to list user groups: %v", err)
+		}
+
+		for _, group := range resp.Groups {
+			groupIds = append(groupIds, group.Email)
+		}
+
+		// Handle pagination
+		if resp.NextPageToken == "" {
+			break
+		}
+		pageToken = resp.NextPageToken
+	}
+
+	return groupIds, nil
+}
+
+// getGoogleWorkspaceGroups gets all groups from Google Workspace using Admin SDK API
+func (p *GoogleWorkspaceSyncerProvider) getGoogleWorkspaceGroups(service *admin.Service) ([]*admin.Group, error) {
+	allGroups := []*admin.Group{}
+	pageToken := ""
+
+	// Get the customer ID (use "my_customer" for the domain)
+	customer := "my_customer"
+
+	for {
+		call := service.Groups.List().Customer(customer).MaxResults(500)
+		if pageToken != "" {
+			call = call.PageToken(pageToken)
+		}
+
+		resp, err := call.Do()
+		if err != nil {
+			return nil, fmt.Errorf("failed to list groups: %v", err)
+		}
+
+		allGroups = append(allGroups, resp.Groups...)
+
+		// Handle pagination
+		if resp.NextPageToken == "" {
+			break
+		}
+		pageToken = resp.NextPageToken
+	}
+
+	return allGroups, nil
+}
+
+// googleWorkspaceGroupToOriginalGroup converts Google Workspace group to Casdoor OriginalGroup
+func (p *GoogleWorkspaceSyncerProvider) googleWorkspaceGroupToOriginalGroup(gwGroup *admin.Group) *OriginalGroup {
+	group := &OriginalGroup{
+		Id:          gwGroup.Id,
+		Name:        gwGroup.Email,
+		DisplayName: gwGroup.Name,
+		Description: gwGroup.Description,
+		Email:       gwGroup.Email,
+	}
+
+	return group
+}
--- a/object/syncer_googleworkspace_test.go
+++ b/object/syncer_googleworkspace_test.go
@@ -0,0 +1,204 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"testing"
+
+	admin "google.golang.org/api/admin/directory/v1"
+)
+
+func TestGoogleWorkspaceUserToOriginalUser(t *testing.T) {
+	provider := &GoogleWorkspaceSyncerProvider{
+		Syncer: &Syncer{},
+	}
+
+	// Test case 1: Full Google Workspace user with all fields
+	gwUser := &admin.User{
+		Id:           "user-123",
+		PrimaryEmail: "john.doe@example.com",
+		Name: &admin.UserName{
+			FullName:   "John Doe",
+			GivenName:  "John",
+			FamilyName: "Doe",
+		},
+		ThumbnailPhotoUrl: "https://example.com/avatar.jpg",
+		Suspended:         false,
+		IsAdmin:           true,
+		CreationTime:      "2024-01-01T00:00:00Z",
+	}
+
+	originalUser := provider.googleWorkspaceUserToOriginalUser(gwUser)
+
+	// Verify basic fields
+	if originalUser.Id != "user-123" {
+		t.Errorf("Expected Id to be 'user-123', got '%s'", originalUser.Id)
+	}
+	if originalUser.Name != "john.doe@example.com" {
+		t.Errorf("Expected Name to be 'john.doe@example.com', got '%s'", originalUser.Name)
+	}
+	if originalUser.Email != "john.doe@example.com" {
+		t.Errorf("Expected Email to be 'john.doe@example.com', got '%s'", originalUser.Email)
+	}
+	if originalUser.DisplayName != "John Doe" {
+		t.Errorf("Expected DisplayName to be 'John Doe', got '%s'", originalUser.DisplayName)
+	}
+	if originalUser.FirstName != "John" {
+		t.Errorf("Expected FirstName to be 'John', got '%s'", originalUser.FirstName)
+	}
+	if originalUser.LastName != "Doe" {
+		t.Errorf("Expected LastName to be 'Doe', got '%s'", originalUser.LastName)
+	}
+	if originalUser.Avatar != "https://example.com/avatar.jpg" {
+		t.Errorf("Expected Avatar to be 'https://example.com/avatar.jpg', got '%s'", originalUser.Avatar)
+	}
+	if originalUser.IsForbidden != false {
+		t.Errorf("Expected IsForbidden to be false for non-suspended user, got %v", originalUser.IsForbidden)
+	}
+	if originalUser.IsAdmin != true {
+		t.Errorf("Expected IsAdmin to be true, got %v", originalUser.IsAdmin)
+	}
+
+	// Test case 2: Suspended Google Workspace user
+	suspendedUser := &admin.User{
+		Id:           "user-456",
+		PrimaryEmail: "jane.doe@example.com",
+		Name: &admin.UserName{
+			FullName: "Jane Doe",
+		},
+		Suspended: true,
+	}
+
+	suspendedOriginalUser := provider.googleWorkspaceUserToOriginalUser(suspendedUser)
+	if suspendedOriginalUser.IsForbidden != true {
+		t.Errorf("Expected IsForbidden to be true for suspended user, got %v", suspendedOriginalUser.IsForbidden)
+	}
+
+	// Test case 3: User with no Name object (should not panic)
+	minimalUser := &admin.User{
+		Id:           "user-789",
+		PrimaryEmail: "bob@example.com",
+	}
+
+	minimalOriginalUser := provider.googleWorkspaceUserToOriginalUser(minimalUser)
+	if minimalOriginalUser.DisplayName != "" {
+		t.Errorf("Expected DisplayName to be empty for minimal user, got '%s'", minimalOriginalUser.DisplayName)
+	}
+
+	// Test case 4: Display name construction from first/last name when FullName is empty
+	noFullNameUser := &admin.User{
+		Id:           "user-101",
+		PrimaryEmail: "alice@example.com",
+		Name: &admin.UserName{
+			GivenName:  "Alice",
+			FamilyName: "Jones",
+		},
+	}
+
+	noFullNameOriginalUser := provider.googleWorkspaceUserToOriginalUser(noFullNameUser)
+	if noFullNameOriginalUser.DisplayName != "Alice Jones" {
+		t.Errorf("Expected DisplayName to be constructed as 'Alice Jones', got '%s'", noFullNameOriginalUser.DisplayName)
+	}
+}
+
+func TestGoogleWorkspaceGroupToOriginalGroup(t *testing.T) {
+	provider := &GoogleWorkspaceSyncerProvider{
+		Syncer: &Syncer{},
+	}
+
+	// Test case 1: Full Google Workspace group with all fields
+	gwGroup := &admin.Group{
+		Id:          "group-123",
+		Email:       "team@example.com",
+		Name:        "Engineering Team",
+		Description: "All engineering staff",
+	}
+
+	originalGroup := provider.googleWorkspaceGroupToOriginalGroup(gwGroup)
+
+	// Verify all fields
+	if originalGroup.Id != "group-123" {
+		t.Errorf("Expected Id to be 'group-123', got '%s'", originalGroup.Id)
+	}
+	if originalGroup.Name != "team@example.com" {
+		t.Errorf("Expected Name to be 'team@example.com', got '%s'", originalGroup.Name)
+	}
+	if originalGroup.DisplayName != "Engineering Team" {
+		t.Errorf("Expected DisplayName to be 'Engineering Team', got '%s'", originalGroup.DisplayName)
+	}
+	if originalGroup.Description != "All engineering staff" {
+		t.Errorf("Expected Description to be 'All engineering staff', got '%s'", originalGroup.Description)
+	}
+	if originalGroup.Email != "team@example.com" {
+		t.Errorf("Expected Email to be 'team@example.com', got '%s'", originalGroup.Email)
+	}
+
+	// Test case 2: Minimal group
+	minimalGroup := &admin.Group{
+		Id:    "group-456",
+		Email: "minimal@example.com",
+	}
+
+	minimalOriginalGroup := provider.googleWorkspaceGroupToOriginalGroup(minimalGroup)
+	if minimalOriginalGroup.DisplayName != "" {
+		t.Errorf("Expected DisplayName to be empty for minimal group, got '%s'", minimalOriginalGroup.DisplayName)
+	}
+	if minimalOriginalGroup.Description != "" {
+		t.Errorf("Expected Description to be empty for minimal group, got '%s'", minimalOriginalGroup.Description)
+	}
+}
+
+func TestGetSyncerProviderGoogleWorkspace(t *testing.T) {
+	syncer := &Syncer{
+		Type: "Google Workspace",
+		Host: "admin@example.com",
+	}
+
+	provider := GetSyncerProvider(syncer)
+
+	if _, ok := provider.(*GoogleWorkspaceSyncerProvider); !ok {
+		t.Errorf("Expected GoogleWorkspaceSyncerProvider for type 'Google Workspace', got %T", provider)
+	}
+}
+
+func TestGoogleWorkspaceSyncerProviderEmptyMethods(t *testing.T) {
+	provider := &GoogleWorkspaceSyncerProvider{
+		Syncer: &Syncer{},
+	}
+
+	// Test AddUser returns error
+	_, err := provider.AddUser(&OriginalUser{})
+	if err == nil {
+		t.Error("Expected AddUser to return error for read-only syncer")
+	}
+
+	// Test UpdateUser returns error
+	_, err = provider.UpdateUser(&OriginalUser{})
+	if err == nil {
+		t.Error("Expected UpdateUser to return error for read-only syncer")
+	}
+
+	// Test Close returns no error
+	err = provider.Close()
+	if err != nil {
+		t.Errorf("Expected Close to return nil, got error: %v", err)
+	}
+
+	// Test InitAdapter returns no error
+	err = provider.InitAdapter()
+	if err != nil {
+		t.Errorf("Expected InitAdapter to return nil, got error: %v", err)
+	}
+}
--- a/object/syncer_group.go
+++ b/object/syncer_group.go
@@ -0,0 +1,121 @@
+// Copyright 2025 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+
+	"github.com/casdoor/casdoor/util"
+)
+
+func (syncer *Syncer) getOriginalGroups() ([]*OriginalGroup, error) {
+	provider := GetSyncerProvider(syncer)
+	return provider.GetOriginalGroups()
+}
+
+func (syncer *Syncer) createGroupFromOriginalGroup(originalGroup *OriginalGroup) *Group {
+	group := &Group{
+		Owner:       syncer.Organization,
+		Name:        originalGroup.Name,
+		CreatedTime: util.GetCurrentTime(),
+		UpdatedTime: util.GetCurrentTime(),
+		DisplayName: originalGroup.DisplayName,
+		Type:        originalGroup.Type,
+		Manager:     originalGroup.Manager,
+		IsEnabled:   true,
+		IsTopGroup:  true,
+	}
+
+	if originalGroup.Email != "" {
+		group.ContactEmail = originalGroup.Email
+	}
+
+	return group
+}
+
+func (syncer *Syncer) syncGroups() error {
+	fmt.Printf("Running syncGroups()..\n")
+
+	// Get existing groups from Casdoor
+	groups, err := GetGroups(syncer.Organization)
+	if err != nil {
+		line := fmt.Sprintf("[%s] %s\n", util.GetCurrentTime(), err.Error())
+		_, err2 := updateSyncerErrorText(syncer, line)
+		if err2 != nil {
+			panic(err2)
+		}
+		return err
+	}
+
+	// Get groups from the external system
+	oGroups, err := syncer.getOriginalGroups()
+	if err != nil {
+		line := fmt.Sprintf("[%s] %s\n", util.GetCurrentTime(), err.Error())
+		_, err2 := updateSyncerErrorText(syncer, line)
+		if err2 != nil {
+			panic(err2)
+		}
+		return err
+	}
+
+	fmt.Printf("Groups: %d, oGroups: %d\n", len(groups), len(oGroups))
+
+	// Create a map of existing groups by name
+	myGroups := map[string]*Group{}
+	for _, group := range groups {
+		myGroups[group.Name] = group
+	}
+
+	// Sync groups from external system to Casdoor
+	newGroups := []*Group{}
+	for _, oGroup := range oGroups {
+		if _, ok := myGroups[oGroup.Name]; !ok {
+			newGroup := syncer.createGroupFromOriginalGroup(oGroup)
+			fmt.Printf("New group: %v\n", newGroup)
+			newGroups = append(newGroups, newGroup)
+		} else {
+			// Group already exists, could update it here if needed
+			existingGroup := myGroups[oGroup.Name]
+
+			// Update group display name and other fields if they've changed
+			if existingGroup.DisplayName != oGroup.DisplayName {
+				existingGroup.DisplayName = oGroup.DisplayName
+				existingGroup.UpdatedTime = util.GetCurrentTime()
+				_, err = UpdateGroup(existingGroup.GetId(), existingGroup)
+				if err != nil {
+					fmt.Printf("Failed to update group %s: %v\n", existingGroup.Name, err)
+				} else {
+					fmt.Printf("Updated group: %s\n", existingGroup.Name)
+				}
+			}
+		}
+	}
+
+	if len(newGroups) != 0 {
+		_, err = AddGroupsInBatch(newGroups)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (syncer *Syncer) syncGroupsNoError() {
+	err := syncer.syncGroups()
+	if err != nil {
+		fmt.Printf("syncGroupsNoError() error: %s\n", err.Error())
+	}
+}
--- a/object/syncer_interface.go
+++ b/object/syncer_interface.go
@@ -14,6 +14,17 @@

 package object

+// OriginalGroup represents a group from an external system
+type OriginalGroup struct {
+	Id          string
+	Name        string
+	DisplayName string
+	Description string
+	Type        string
+	Manager     string
+	Email       string
+}
+
 // SyncerProvider defines the interface that all syncer implementations must satisfy.
 // Different syncer types (Database, Keycloak, WeCom, Azure AD) implement this interface.
 type SyncerProvider interface {
@@ -23,6 +34,12 @@ type SyncerProvider interface {
 	// GetOriginalUsers retrieves all users from the external system
 	GetOriginalUsers() ([]*OriginalUser, error)

+	// GetOriginalGroups retrieves all groups from the external system
+	GetOriginalGroups() ([]*OriginalGroup, error)
+
+	// GetOriginalUserGroups retrieves the group IDs that a user belongs to
+	GetOriginalUserGroups(userId string) ([]string, error)
+
 	// AddUser adds a new user to the external system
 	AddUser(user *OriginalUser) (bool, error)

--- a/object/syncer_keycloak.go
+++ b/object/syncer_keycloak.go
@@ -29,3 +29,15 @@ func (p *KeycloakSyncerProvider) GetOriginalUsers() ([]*OriginalUser, error) {

 // Note: Keycloak-specific user mapping is handled in syncer_util.go
 // via getOriginalUsersFromMap which checks syncer.Type == "Keycloak"
+
+// GetOriginalGroups retrieves all groups from Keycloak (not implemented yet)
+func (p *KeycloakSyncerProvider) GetOriginalGroups() ([]*OriginalGroup, error) {
+	// TODO: Implement Keycloak group sync
+	return []*OriginalGroup{}, nil
+}
+
+// GetOriginalUserGroups retrieves the group IDs that a user belongs to (not implemented yet)
+func (p *KeycloakSyncerProvider) GetOriginalUserGroups(userId string) ([]string, error) {
+	// TODO: Implement Keycloak user group membership sync
+	return []string{}, nil
+}
--- a/object/syncer_lark.go
+++ b/object/syncer_lark.go
@@ -414,3 +414,15 @@ func (p *LarkSyncerProvider) larkUserToOriginalUser(larkUser *LarkUser) *Origina

 	return user
 }
+
+// GetOriginalGroups retrieves all groups from Lark (not implemented yet)
+func (p *LarkSyncerProvider) GetOriginalGroups() ([]*OriginalGroup, error) {
+	// TODO: Implement Lark group sync
+	return []*OriginalGroup{}, nil
+}
+
+// GetOriginalUserGroups retrieves the group IDs that a user belongs to (not implemented yet)
+func (p *LarkSyncerProvider) GetOriginalUserGroups(userId string) ([]string, error) {
+	// TODO: Implement Lark user group membership sync
+	return []string{}, nil
+}
--- a/object/syncer_okta.go
+++ b/object/syncer_okta.go
@@ -296,3 +296,15 @@ func (p *OktaSyncerProvider) getOktaOriginalUsers() ([]*OriginalUser, error) {

 	return originalUsers, nil
 }
+
+// GetOriginalGroups retrieves all groups from Okta (not implemented yet)
+func (p *OktaSyncerProvider) GetOriginalGroups() ([]*OriginalGroup, error) {
+	// TODO: Implement Okta group sync
+	return []*OriginalGroup{}, nil
+}
+
+// GetOriginalUserGroups retrieves the group IDs that a user belongs to (not implemented yet)
+func (p *OktaSyncerProvider) GetOriginalUserGroups(userId string) ([]string, error) {
+	// TODO: Implement Okta user group membership sync
+	return []string{}, nil
+}
--- a/object/syncer_scim.go
+++ b/object/syncer_scim.go
@@ -335,3 +335,15 @@ func (p *SCIMSyncerProvider) scimUserToOriginalUser(scimUser *SCIMUser) *Origina

 	return user
 }
+
+// GetOriginalGroups retrieves all groups from SCIM (not implemented yet)
+func (p *SCIMSyncerProvider) GetOriginalGroups() ([]*OriginalGroup, error) {
+	// TODO: Implement SCIM group sync
+	return []*OriginalGroup{}, nil
+}
+
+// GetOriginalUserGroups retrieves the group IDs that a user belongs to (not implemented yet)
+func (p *SCIMSyncerProvider) GetOriginalUserGroups(userId string) ([]string, error) {
+	// TODO: Implement SCIM user group membership sync
+	return []string{}, nil
+}
--- a/object/syncer_wecom.go
+++ b/object/syncer_wecom.go
@@ -303,3 +303,15 @@ func (p *WecomSyncerProvider) wecomUserToOriginalUser(wecomUser *WecomUser) *Ori

 	return user
 }
+
+// GetOriginalGroups retrieves all groups from WeCom (not implemented yet)
+func (p *WecomSyncerProvider) GetOriginalGroups() ([]*OriginalGroup, error) {
+	// TODO: Implement WeCom group sync
+	return []*OriginalGroup{}, nil
+}
+
+// GetOriginalUserGroups retrieves the group IDs that a user belongs to (not implemented yet)
+func (p *WecomSyncerProvider) GetOriginalUserGroups(userId string) ([]string, error) {
+	// TODO: Implement WeCom user group membership sync
+	return []string{}, nil
+}
--- a/object/token_oauth.go
+++ b/object/token_oauth.go
@@ -18,6 +18,7 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
+	"strings"
 	"sync"
 	"time"

@@ -209,7 +210,7 @@ func GetOAuthCode(userId string, clientId string, provider string, signinMethod
 	}, nil
 }

-func GetOAuthToken(grantType string, clientId string, clientSecret string, code string, verifier string, scope string, nonce string, username string, password string, host string, refreshToken string, tag string, avatar string, lang string) (interface{}, error) {
+func GetOAuthToken(grantType string, clientId string, clientSecret string, code string, verifier string, scope string, nonce string, username string, password string, host string, refreshToken string, tag string, avatar string, lang string, subjectToken string, subjectTokenType string, audience string) (interface{}, error) {
 	application, err := GetApplicationByClientId(clientId)
 	if err != nil {
 		return nil, err
@@ -244,6 +245,8 @@ func GetOAuthToken(grantType string, clientId string, clientSecret string, code
 		token, tokenError, err = GetImplicitToken(application, username, scope, nonce, host)
 	case "urn:ietf:params:oauth:grant-type:device_code":
 		token, tokenError, err = GetImplicitToken(application, username, scope, nonce, host)
+	case "urn:ietf:params:oauth:grant-type:token-exchange": // Token Exchange Grant (RFC 8693)
+		token, tokenError, err = GetTokenExchangeToken(application, clientSecret, subjectToken, subjectTokenType, audience, scope, host)
 	case "refresh_token":
 		refreshToken2, err := RefreshToken(grantType, refreshToken, scope, clientId, clientSecret, host)
 		if err != nil {
@@ -963,6 +966,183 @@ func GetWechatMiniProgramToken(application *Application, code string, host strin
 	return token, nil, nil
 }

+// GetTokenExchangeToken
+// Token Exchange Grant (RFC 8693)
+// Exchanges a subject token for a new token with different audience or scope
+func GetTokenExchangeToken(application *Application, clientSecret string, subjectToken string, subjectTokenType string, audience string, scope string, host string) (*Token, *TokenError, error) {
+	// Verify client secret
+	if application.ClientSecret != clientSecret {
+		return nil, &TokenError{
+			Error:            InvalidClient,
+			ErrorDescription: "client_secret is invalid",
+		}, nil
+	}
+
+	// Validate subject_token parameter
+	if subjectToken == "" {
+		return nil, &TokenError{
+			Error:            InvalidRequest,
+			ErrorDescription: "subject_token is required",
+		}, nil
+	}
+
+	// Validate subject_token_type parameter
+	// RFC 8693 defines standard token type identifiers
+	if subjectTokenType == "" {
+		subjectTokenType = "urn:ietf:params:oauth:token-type:access_token" // Default to access_token
+	}
+
+	// Support common token types
+	supportedTokenTypes := []string{
+		"urn:ietf:params:oauth:token-type:access_token",
+		"urn:ietf:params:oauth:token-type:jwt",
+		"urn:ietf:params:oauth:token-type:id_token",
+	}
+
+	isValidTokenType := false
+	for _, tokenType := range supportedTokenTypes {
+		if subjectTokenType == tokenType {
+			isValidTokenType = true
+			break
+		}
+	}
+
+	if !isValidTokenType {
+		return nil, &TokenError{
+			Error:            InvalidRequest,
+			ErrorDescription: fmt.Sprintf("unsupported subject_token_type: %s", subjectTokenType),
+		}, nil
+	}
+
+	// Get certificate for token validation
+	cert, err := getCertByApplication(application)
+	if err != nil {
+		return nil, nil, err
+	}
+	if cert == nil {
+		return nil, &TokenError{
+			Error:            EndpointError,
+			ErrorDescription: fmt.Sprintf("cert: %s cannot be found", application.Cert),
+		}, nil
+	}
+
+	// Parse and validate the subject token
+	var subjectOwner, subjectName, subjectScope string
+	if application.TokenFormat == "JWT-Standard" {
+		standardClaims, err := ParseStandardJwtToken(subjectToken, cert)
+		if err != nil {
+			return nil, &TokenError{
+				Error:            InvalidGrant,
+				ErrorDescription: fmt.Sprintf("invalid subject_token: %s", err.Error()),
+			}, nil
+		}
+		subjectOwner = standardClaims.Owner
+		subjectName = standardClaims.Name
+		subjectScope = standardClaims.Scope
+	} else {
+		claims, err := ParseJwtToken(subjectToken, cert)
+		if err != nil {
+			return nil, &TokenError{
+				Error:            InvalidGrant,
+				ErrorDescription: fmt.Sprintf("invalid subject_token: %s", err.Error()),
+			}, nil
+		}
+		subjectOwner = claims.Owner
+		subjectName = claims.Name
+		subjectScope = claims.Scope
+	}
+
+	// Get the user from the subject token
+	user, err := getUser(subjectOwner, subjectName)
+	if err != nil {
+		return nil, nil, err
+	}
+	if user == nil {
+		return nil, &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: fmt.Sprintf("user from subject_token does not exist: %s", util.GetId(subjectOwner, subjectName)),
+		}, nil
+	}
+
+	if user.IsForbidden {
+		return nil, &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: "the user is forbidden to sign in, please contact the administrator",
+		}, nil
+	}
+
+	// Handle scope parameter
+	// If scope is not provided, use the scope from the subject token
+	// If scope is provided, it should be a subset of the subject token's scope (downscoping)
+	if scope == "" {
+		scope = subjectScope
+	} else {
+		// Validate scope downscoping (basic implementation)
+		// In a production environment, you would implement more sophisticated scope validation
+		if subjectScope != "" {
+			subjectScopes := strings.Split(subjectScope, " ")
+			requestedScopes := strings.Split(scope, " ")
+			for _, requestedScope := range requestedScopes {
+				if requestedScope == "" {
+					continue // Skip empty strings
+				}
+				found := false
+				for _, existingScope := range subjectScopes {
+					if existingScope != "" && requestedScope == existingScope {
+						found = true
+						break
+					}
+				}
+				if !found {
+					return nil, &TokenError{
+						Error:            InvalidScope,
+						ErrorDescription: fmt.Sprintf("requested scope '%s' is not in subject token's scope", requestedScope),
+					}, nil
+				}
+			}
+		}
+	}
+
+	// Extend user with roles and permissions
+	err = ExtendUserWithRolesAndPermissions(user)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Generate new JWT token
+	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", "", scope, host)
+	if err != nil {
+		return nil, &TokenError{
+			Error:            EndpointError,
+			ErrorDescription: fmt.Sprintf("generate jwt token error: %s", err.Error()),
+		}, nil
+	}
+
+	// Create token object
+	token := &Token{
+		Owner:        application.Owner,
+		Name:         tokenName,
+		CreatedTime:  util.GetCurrentTime(),
+		Application:  application.Name,
+		Organization: user.Owner,
+		User:         user.Name,
+		Code:         util.GenerateClientId(),
+		AccessToken:  accessToken,
+		RefreshToken: refreshToken,
+		ExpiresIn:    int(application.ExpireInHours * float64(hourSeconds)),
+		Scope:        scope,
+		TokenType:    "Bearer",
+		CodeIsUsed:   true,
+	}
+
+	_, err = AddToken(token)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return token, nil, nil
+}
+
 func GetAccessTokenByUser(user *User, host string) (string, error) {
 	application, err := GetApplicationByUser(user)
 	if err != nil {
--- a/object/user.go
+++ b/object/user.go
@@ -689,6 +689,15 @@ func GetMaskedUser(user *User, isAdminOrSelf bool, errs ...error) (*User, error)
 		if user.OriginalRefreshToken != "" {
 			user.OriginalRefreshToken = "***"
 		}
+		// Mask per-provider OAuth tokens in Properties
+		if user.Properties != nil {
+			for key := range user.Properties {
+				// More specific pattern matching to avoid masking unrelated properties
+				if strings.HasPrefix(key, "oauth_") && (strings.HasSuffix(key, "_accessToken") || strings.HasSuffix(key, "_refreshToken")) {
+					user.Properties[key] = "***"
+				}
+			}
+		}
 	}

 	if user.ManagedAccounts != nil {
--- a/object/user_util.go
+++ b/object/user_util.go
@@ -184,9 +184,32 @@ func getUserExtraProperty(user *User, providerType, key string) (string, error)
 	return extra[key], nil
 }

+// getOAuthTokenPropertyKey returns the property key for storing OAuth tokens
+func getOAuthTokenPropertyKey(providerType string, tokenType string) string {
+	return fmt.Sprintf("oauth_%s_%s", providerType, tokenType)
+}
+
+// GetUserOAuthAccessToken retrieves the OAuth access token for a specific provider
+func GetUserOAuthAccessToken(user *User, providerType string) string {
+	return getUserProperty(user, getOAuthTokenPropertyKey(providerType, "accessToken"))
+}
+
+// GetUserOAuthRefreshToken retrieves the OAuth refresh token for a specific provider
+func GetUserOAuthRefreshToken(user *User, providerType string) string {
+	return getUserProperty(user, getOAuthTokenPropertyKey(providerType, "refreshToken"))
+}
+
 func SetUserOAuthProperties(organization *Organization, user *User, providerType string, userInfo *idp.UserInfo, token *oauth2.Token, userMapping ...map[string]string) (bool, error) {
 	// Store the original OAuth provider token if available
 	if token != nil && token.AccessToken != "" {
+		// Store tokens per provider in Properties map
+		setUserProperty(user, getOAuthTokenPropertyKey(providerType, "accessToken"), token.AccessToken)
+
+		if token.RefreshToken != "" {
+			setUserProperty(user, getOAuthTokenPropertyKey(providerType, "refreshToken"), token.RefreshToken)
+		}
+
+		// Also update the legacy fields for backward compatibility
 		user.OriginalToken = token.AccessToken
 		user.OriginalRefreshToken = token.RefreshToken
 	}
@@ -918,6 +941,8 @@ func StringArrayToStruct[T any](stringArray [][]string) ([]*T, error) {
 				err = setReflectAttr[[]MfaAccount](&fv, v)
 			case reflect.TypeOf([]webauthn.Credential{}):
 				err = setReflectAttr[[]webauthn.Credential](&fv, v)
+			case reflect.TypeOf(map[string]string{}):
+				err = setReflectAttr[map[string]string](&fv, v)
 			}

 			if err != nil {
--- a/pp/provider.go
+++ b/pp/provider.go
@@ -24,6 +24,12 @@ const (
 	PaymentStateError    PaymentState = "Error"
 )

+// IsTerminalState checks if a payment state is terminal (cannot transition to other states)
+func IsTerminalState(state PaymentState) bool {
+	return state == PaymentStatePaid || state == PaymentStateError ||
+		state == PaymentStateCanceled || state == PaymentStateTimeout
+}
+
 const (
 	PaymentEnvWechatBrowser = "WechatBrowser"
 )
--- a/swagger/swagger.json
+++ b/swagger/swagger.json
@@ -850,6 +850,69 @@
                }
            }
        },
+        "/api/add-ticket": {
+            "post": {
+                "tags": [
+                    "Ticket API"
+                ],
+                "description": "add ticket",
+                "operationId": "ApiController.AddTicket",
+                "parameters": [
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The details of the ticket",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.Ticket"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
+        "/api/add-ticket-message": {
+            "post": {
+                "tags": [
+                    "Ticket API"
+                ],
+                "description": "add a message to a ticket",
+                "operationId": "ApiController.AddTicketMessage",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "id",
+                        "description": "The id ( owner/name ) of the ticket",
+                        "required": true,
+                        "type": "string"
+                    },
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The message to add",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.TicketMessage"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
        "/api/add-token": {
            "post": {
                "tags": [
@@ -1707,6 +1770,34 @@
                }
            }
        },
+        "/api/delete-ticket": {
+            "post": {
+                "tags": [
+                    "Ticket API"
+                ],
+                "description": "delete ticket",
+                "operationId": "ApiController.DeleteTicket",
+                "parameters": [
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The details of the ticket",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.Ticket"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
        "/api/delete-token": {
            "post": {
                "tags": [
@@ -1891,6 +1982,23 @@
                }
            }
        },
+        "/api/exit-impersonation-user": {
+            "post": {
+                "tags": [
+                    "User API"
+                ],
+                "description": "clear impersonation info for current session",
+                "operationId": "ApiController.ExitImpersonateUser",
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
        "/api/faceid-signin-begin": {
            "get": {
                "tags": [
@@ -1996,6 +2104,81 @@
                }
            }
        },
+        "/api/get-all-actions": {
+            "get": {
+                "tags": [
+                    "Enforcer API"
+                ],
+                "description": "Get all actions for a user (Casbin API)",
+                "operationId": "ApiController.GetAllActions",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "userId",
+                        "description": "user id like built-in/admin",
+                        "type": "string"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
+        "/api/get-all-objects": {
+            "get": {
+                "tags": [
+                    "Enforcer API"
+                ],
+                "description": "Get all objects for a user (Casbin API)",
+                "operationId": "ApiController.GetAllObjects",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "userId",
+                        "description": "user id like built-in/admin",
+                        "type": "string"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
+        "/api/get-all-roles": {
+            "get": {
+                "tags": [
+                    "Enforcer API"
+                ],
+                "description": "Get all roles for a user (Casbin API)",
+                "operationId": "ApiController.GetAllRoles",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "userId",
+                        "description": "user id like built-in/admin",
+                        "type": "string"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
        "/api/get-app-login": {
            "get": {
                "tags": [
@@ -3843,6 +4026,61 @@
                }
            }
        },
+        "/api/get-ticket": {
+            "get": {
+                "tags": [
+                    "Ticket API"
+                ],
+                "description": "get ticket",
+                "operationId": "ApiController.GetTicket",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "id",
+                        "description": "The id ( owner/name ) of the ticket",
+                        "required": true,
+                        "type": "string"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/object.Ticket"
+                        }
+                    }
+                }
+            }
+        },
+        "/api/get-tickets": {
+            "get": {
+                "tags": [
+                    "Ticket API"
+                ],
+                "description": "get tickets",
+                "operationId": "ApiController.GetTickets",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "owner",
+                        "description": "The owner of tickets",
+                        "required": true,
+                        "type": "string"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/object.Ticket"
+                            }
+                        }
+                    }
+                }
+            }
+        },
        "/api/get-token": {
            "get": {
                "tags": [
@@ -4299,6 +4537,32 @@
                }
            }
        },
+        "/api/impersonation-user": {
+            "post": {
+                "tags": [
+                    "User API"
+                ],
+                "description": "set impersonation user for current admin session",
+                "operationId": "ApiController.ImpersonateUser",
+                "parameters": [
+                    {
+                        "in": "formData",
+                        "name": "username",
+                        "description": "The username to impersonate (owner/name)",
+                        "required": true,
+                        "type": "string"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
        "/api/invoice-payment": {
            "post": {
                "tags": [
@@ -5219,8 +5483,16 @@
                "tags": [
                    "Login API"
                ],
-                "description": "logout the current user from all applications",
+                "description": "logout the current user from all applications or current session only",
                "operationId": "ApiController.SsoLogout",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "logoutAll",
+                        "description": "Whether to logout from all sessions. Accepted values: 'true', '1', or empty (default: true). Any other value means false.",
+                        "type": "string"
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "The Response object",
@@ -5234,8 +5506,16 @@
                "tags": [
                    "Login API"
                ],
-                "description": "logout the current user from all applications",
+                "description": "logout the current user from all applications or current session only",
                "operationId": "ApiController.SsoLogout",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "logoutAll",
+                        "description": "Whether to logout from all sessions. Accepted values: 'true', '1', or empty (default: true). Any other value means false.",
+                        "type": "string"
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "The Response object",
@@ -6082,6 +6362,41 @@
                }
            }
        },
+        "/api/update-ticket": {
+            "post": {
+                "tags": [
+                    "Ticket API"
+                ],
+                "description": "update ticket",
+                "operationId": "ApiController.UpdateTicket",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "id",
+                        "description": "The id ( owner/name ) of the ticket",
+                        "required": true,
+                        "type": "string"
+                    },
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The details of the ticket",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.Ticket"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
        "/api/update-token": {
            "post": {
                "tags": [
@@ -6564,14 +6879,18 @@
        }
    },
    "definitions": {
-        "217748.\u003cnil\u003e.string": {
+        "232967.\u003cnil\u003e.string": {
            "title": "string",
            "type": "object"
        },
-        "217806.string.string": {
+        "233025.string.string": {
            "title": "string",
            "type": "object"
        },
+        "McpResponse": {
+            "title": "McpResponse",
+            "type": "object"
+        },
        "Response": {
            "title": "Response",
            "type": "object"
@@ -6763,6 +7082,9 @@
                "regex": {
                    "type": "string"
                },
+                "tab": {
+                    "type": "string"
+                },
                "viewRule": {
                    "type": "string"
                },
@@ -6814,6 +7136,33 @@
                }
            }
        },
+        "object.Address": {
+            "title": "Address",
+            "type": "object",
+            "properties": {
+                "city": {
+                    "type": "string"
+                },
+                "line1": {
+                    "type": "string"
+                },
+                "line2": {
+                    "type": "string"
+                },
+                "region": {
+                    "type": "string"
+                },
+                "state": {
+                    "type": "string"
+                },
+                "tag": {
+                    "type": "string"
+                },
+                "zipCode": {
+                    "type": "string"
+                }
+            }
+        },
        "object.Application": {
            "title": "Application",
            "type": "object",
@@ -6837,6 +7186,10 @@
                    "type": "integer",
                    "format": "int64"
                },
+                "cookieExpireInHours": {
+                    "type": "integer",
+                    "format": "int64"
+                },
                "createdTime": {
                    "type": "string"
                },
@@ -6870,6 +7223,9 @@
                "enablePassword": {
                    "type": "boolean"
                },
+                "enableSamlAssertionSignature": {
+                    "type": "boolean"
+                },
                "enableSamlC14n10": {
                    "type": "boolean"
                },
@@ -7822,9 +8178,6 @@
                "displayName": {
                    "type": "string"
                },
-                "endTime": {
-                    "type": "string"
-                },
                "message": {
                    "type": "string"
                },
@@ -7837,18 +8190,15 @@
                "payment": {
                    "type": "string"
                },
-                "planName": {
-                    "type": "string"
-                },
                "price": {
                    "type": "number",
                    "format": "double"
                },
-                "pricingName": {
-                    "type": "string"
-                },
-                "productName": {
-                    "type": "string"
+                "productInfos": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/object.ProductInfo"
+                    }
                },
                "products": {
                    "type": "array",
@@ -7856,10 +8206,10 @@
                        "type": "string"
                    }
                },
-                "startTime": {
+                "state": {
                    "type": "string"
                },
-                "state": {
+                "updateTime": {
                    "type": "string"
                },
                "user": {
@@ -7877,6 +8227,9 @@
                        "$ref": "#/definitions/object.AccountItem"
                    }
                },
+                "accountMenu": {
+                    "type": "string"
+                },
                "balanceCredit": {
                    "type": "number",
                    "format": "double"
@@ -8090,9 +8443,6 @@
                "invoiceUrl": {
                    "type": "string"
                },
-                "isRecharge": {
-                    "type": "boolean"
-                },
                "message": {
                    "type": "string"
                },
@@ -8102,6 +8452,9 @@
                "order": {
                    "type": "string"
                },
+                "orderObj": {
+                    "$ref": "#/definitions/object.Order"
+                },
                "outOrderId": {
                    "type": "string"
                },
@@ -8127,10 +8480,13 @@
                    "type": "number",
                    "format": "double"
                },
-                "productDisplayName": {
-                    "type": "string"
+                "products": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
                },
-                "productName": {
+                "productsDisplayName": {
                    "type": "string"
                },
                "provider": {
@@ -8142,9 +8498,6 @@
                "successUrl": {
                    "type": "string"
                },
-                "tag": {
-                    "type": "string"
-                },
                "type": {
                    "type": "string"
                },
@@ -8402,6 +8755,47 @@
                }
            }
        },
+        "object.ProductInfo": {
+            "title": "ProductInfo",
+            "type": "object",
+            "properties": {
+                "currency": {
+                    "type": "string"
+                },
+                "detail": {
+                    "type": "string"
+                },
+                "displayName": {
+                    "type": "string"
+                },
+                "image": {
+                    "type": "string"
+                },
+                "isRecharge": {
+                    "type": "boolean"
+                },
+                "name": {
+                    "type": "string"
+                },
+                "owner": {
+                    "type": "string"
+                },
+                "planName": {
+                    "type": "string"
+                },
+                "price": {
+                    "type": "number",
+                    "format": "double"
+                },
+                "pricingName": {
+                    "type": "string"
+                },
+                "quantity": {
+                    "type": "integer",
+                    "format": "int64"
+                }
+            }
+        },
        "object.PrometheusInfo": {
            "title": "PrometheusInfo",
            "type": "object",
@@ -8482,6 +8876,9 @@
                "emailRegex": {
                    "type": "string"
                },
+                "enablePkce": {
+                    "type": "boolean"
+                },
                "enableProxy": {
                    "type": "boolean"
                },
@@ -9024,6 +9421,63 @@
                }
            }
        },
+        "object.Ticket": {
+            "title": "Ticket",
+            "type": "object",
+            "properties": {
+                "content": {
+                    "type": "string"
+                },
+                "createdTime": {
+                    "type": "string"
+                },
+                "displayName": {
+                    "type": "string"
+                },
+                "messages": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/object.TicketMessage"
+                    }
+                },
+                "name": {
+                    "type": "string"
+                },
+                "owner": {
+                    "type": "string"
+                },
+                "state": {
+                    "type": "string"
+                },
+                "title": {
+                    "type": "string"
+                },
+                "updatedTime": {
+                    "type": "string"
+                },
+                "user": {
+                    "type": "string"
+                }
+            }
+        },
+        "object.TicketMessage": {
+            "title": "TicketMessage",
+            "type": "object",
+            "properties": {
+                "author": {
+                    "type": "string"
+                },
+                "isAdmin": {
+                    "type": "boolean"
+                },
+                "text": {
+                    "type": "string"
+                },
+                "timestamp": {
+                    "type": "string"
+                }
+            }
+        },
        "object.Token": {
            "title": "Token",
            "type": "object",
@@ -9132,7 +9586,7 @@
                    "type": "string"
                },
                "category": {
-                    "type": "string"
+                    "$ref": "#/definitions/object.TransactionCategory"
                },
                "createdTime": {
                    "type": "string"
@@ -9159,7 +9613,7 @@
                    "type": "string"
                },
                "state": {
-                    "$ref": "#/definitions/pp.PaymentState"
+                    "type": "string"
                },
                "subtype": {
                    "type": "string"
@@ -9175,6 +9629,15 @@
                }
            }
        },
+        "object.TransactionCategory": {
+            "title": "TransactionCategory",
+            "type": "string",
+            "enum": [
+                "TransactionCategoryPurchase = \"Purchase\"",
+                "TransactionCategoryRecharge = \"Recharge\""
+            ],
+            "example": "Purchase"
+        },
        "object.User": {
            "title": "User",
            "type": "object",
@@ -9194,6 +9657,12 @@
                        "type": "string"
                    }
                },
+                "addresses": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/object.Address"
+                    }
+                },
                "adfs": {
                    "type": "string"
                },
@@ -9256,6 +9725,12 @@
                "box": {
                    "type": "string"
                },
+                "cart": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/object.ProductInfo"
+                    }
+                },
                "casdoor": {
                    "type": "string"
                },
@@ -9569,10 +10044,10 @@
                "onedrive": {
                    "type": "string"
                },
-                "originalToken": {
+                "originalRefreshToken": {
                    "type": "string"
                },
-                "originalRefreshToken": {
+                "originalToken": {
                    "type": "string"
                },
                "oura": {
@@ -9828,7 +10303,7 @@
            "type": "object",
            "properties": {
                "aliases": {
-                    "$ref": "#/definitions/217748.\u003cnil\u003e.string"
+                    "$ref": "#/definitions/232967.\u003cnil\u003e.string"
                },
                "links": {
                    "type": "array",
@@ -9837,7 +10312,7 @@
                    }
                },
                "properties": {
-                    "$ref": "#/definitions/217806.string.string"
+                    "$ref": "#/definitions/233025.string.string"
                },
                "subject": {
                    "type": "string"
--- a/swagger/swagger.yml
+++ b/swagger/swagger.yml
@@ -548,6 +548,47 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/add-ticket:
+    post:
+      tags:
+      - Ticket API
+      description: add ticket
+      operationId: ApiController.AddTicket
+      parameters:
+      - in: body
+        name: body
+        description: The details of the ticket
+        required: true
+        schema:
+          $ref: '#/definitions/object.Ticket'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
+  /api/add-ticket-message:
+    post:
+      tags:
+      - Ticket API
+      description: add a message to a ticket
+      operationId: ApiController.AddTicketMessage
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of the ticket
+        required: true
+        type: string
+      - in: body
+        name: body
+        description: The message to add
+        required: true
+        schema:
+          $ref: '#/definitions/object.TicketMessage'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/add-token:
    post:
      tags:
@@ -1099,6 +1140,24 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/delete-ticket:
+    post:
+      tags:
+      - Ticket API
+      description: delete ticket
+      operationId: ApiController.DeleteTicket
+      parameters:
+      - in: body
+        name: body
+        description: The details of the ticket
+        required: true
+        schema:
+          $ref: '#/definitions/object.Ticket'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/delete-token:
    post:
      tags:
@@ -1218,6 +1277,17 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/exit-impersonation-user:
+    post:
+      tags:
+      - User API
+      description: clear impersonation info for current session
+      operationId: ApiController.ExitImpersonateUser
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/faceid-signin-begin:
    get:
      tags:
@@ -1287,6 +1357,54 @@ paths:
            type: array
            items:
              $ref: '#/definitions/object.Adapter'
+  /api/get-all-actions:
+    get:
+      tags:
+      - Enforcer API
+      description: Get all actions for a user (Casbin API)
+      operationId: ApiController.GetAllActions
+      parameters:
+      - in: query
+        name: userId
+        description: user id like built-in/admin
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
+  /api/get-all-objects:
+    get:
+      tags:
+      - Enforcer API
+      description: Get all objects for a user (Casbin API)
+      operationId: ApiController.GetAllObjects
+      parameters:
+      - in: query
+        name: userId
+        description: user id like built-in/admin
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
+  /api/get-all-roles:
+    get:
+      tags:
+      - Enforcer API
+      description: Get all roles for a user (Casbin API)
+      operationId: ApiController.GetAllRoles
+      parameters:
+      - in: query
+        name: userId
+        description: user id like built-in/admin
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/get-app-login:
    get:
      tags:
@@ -2498,6 +2616,42 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/util.SystemInfo'
+  /api/get-ticket:
+    get:
+      tags:
+      - Ticket API
+      description: get ticket
+      operationId: ApiController.GetTicket
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of the ticket
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/object.Ticket'
+  /api/get-tickets:
+    get:
+      tags:
+      - Ticket API
+      description: get tickets
+      operationId: ApiController.GetTickets
+      parameters:
+      - in: query
+        name: owner
+        description: The owner of tickets
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            type: array
+            items:
+              $ref: '#/definitions/object.Ticket'
  /api/get-token:
    get:
      tags:
@@ -2797,6 +2951,23 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/impersonation-user:
+    post:
+      tags:
+      - User API
+      description: set impersonation user for current admin session
+      operationId: ApiController.ImpersonateUser
+      parameters:
+      - in: formData
+        name: username
+        description: The username to impersonate (owner/name)
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/invoice-payment:
    post:
      tags:
@@ -3406,8 +3577,13 @@ paths:
    get:
      tags:
      - Login API
-      description: logout the current user from all applications
+      description: logout the current user from all applications or current session only
      operationId: ApiController.SsoLogout
+      parameters:
+      - in: query
+        name: logoutAll
+        description: 'Whether to logout from all sessions. Accepted values: ''true'', ''1'', or empty (default: true). Any other value means false.'
+        type: string
      responses:
        "200":
          description: The Response object
@@ -3416,8 +3592,13 @@ paths:
    post:
      tags:
      - Login API
-      description: logout the current user from all applications
+      description: logout the current user from all applications or current session only
      operationId: ApiController.SsoLogout
+      parameters:
+      - in: query
+        name: logoutAll
+        description: 'Whether to logout from all sessions. Accepted values: ''true'', ''1'', or empty (default: true). Any other value means false.'
+        type: string
      responses:
        "200":
          description: The Response object
@@ -3971,6 +4152,29 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/update-ticket:
+    post:
+      tags:
+      - Ticket API
+      description: update ticket
+      operationId: ApiController.UpdateTicket
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of the ticket
+        required: true
+        type: string
+      - in: body
+        name: body
+        description: The details of the ticket
+        required: true
+        schema:
+          $ref: '#/definitions/object.Ticket'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/update-token:
    post:
      tags:
@@ -4286,12 +4490,15 @@ paths:
          schema:
            $ref: '#/definitions/controllers.Response'
 definitions:
-  217748.<nil>.string:
+  232967.<nil>.string:
    title: string
    type: object
-  217806.string.string:
+  233025.string.string:
    title: string
    type: object
+  McpResponse:
+    title: McpResponse
+    type: object
  Response:
    title: Response
    type: object
@@ -4423,6 +4630,8 @@ definitions:
        type: string
      regex:
        type: string
+      tab:
+        type: string
      viewRule:
        type: string
      visible:
@@ -4456,6 +4665,24 @@ definitions:
        type: boolean
      user:
        type: string
+  object.Address:
+    title: Address
+    type: object
+    properties:
+      city:
+        type: string
+      line1:
+        type: string
+      line2:
+        type: string
+      region:
+        type: string
+      state:
+        type: string
+      tag:
+        type: string
+      zipCode:
+        type: string
  object.Application:
    title: Application
    type: object
@@ -4473,6 +4700,9 @@ definitions:
      codeResendTimeout:
        type: integer
        format: int64
+      cookieExpireInHours:
+        type: integer
+        format: int64
      createdTime:
        type: string
      defaultGroup:
@@ -4495,6 +4725,8 @@ definitions:
        type: boolean
      enablePassword:
        type: boolean
+      enableSamlAssertionSignature:
+        type: boolean
      enableSamlC14n10:
        type: boolean
      enableSamlCompress:
@@ -5136,8 +5368,6 @@ definitions:
        type: string
      displayName:
        type: string
-      endTime:
-        type: string
      message:
        type: string
      name:
@@ -5146,23 +5376,21 @@ definitions:
        type: string
      payment:
        type: string
-      planName:
-        type: string
      price:
        type: number
        format: double
-      pricingName:
-        type: string
-      productName:
-        type: string
+      productInfos:
+        type: array
+        items:
+          $ref: '#/definitions/object.ProductInfo'
      products:
        type: array
        items:
          type: string
-      startTime:
-        type: string
      state:
        type: string
+      updateTime:
+        type: string
      user:
        type: string
  object.Organization:
@@ -5173,6 +5401,8 @@ definitions:
        type: array
        items:
          $ref: '#/definitions/object.AccountItem'
+      accountMenu:
+        type: string
      balanceCredit:
        type: number
        format: double
@@ -5317,14 +5547,14 @@ definitions:
        type: string
      invoiceUrl:
        type: string
-      isRecharge:
-        type: boolean
      message:
        type: string
      name:
        type: string
      order:
        type: string
+      orderObj:
+        $ref: '#/definitions/object.Order'
      outOrderId:
        type: string
      owner:
@@ -5342,9 +5572,11 @@ definitions:
      price:
        type: number
        format: double
-      productDisplayName:
-        type: string
-      productName:
+      products:
+        type: array
+        items:
+          type: string
+      productsDisplayName:
        type: string
      provider:
        type: string
@@ -5352,8 +5584,6 @@ definitions:
        $ref: '#/definitions/pp.PaymentState'
      successUrl:
        type: string
-      tag:
-        type: string
      type:
        type: string
      user:
@@ -5526,6 +5756,34 @@ definitions:
        type: string
      tag:
        type: string
+  object.ProductInfo:
+    title: ProductInfo
+    type: object
+    properties:
+      currency:
+        type: string
+      detail:
+        type: string
+      displayName:
+        type: string
+      image:
+        type: string
+      isRecharge:
+        type: boolean
+      name:
+        type: string
+      owner:
+        type: string
+      planName:
+        type: string
+      price:
+        type: number
+        format: double
+      pricingName:
+        type: string
+      quantity:
+        type: integer
+        format: int64
  object.PrometheusInfo:
    title: PrometheusInfo
    type: object
@@ -5581,6 +5839,8 @@ definitions:
        type: string
      emailRegex:
        type: string
+      enablePkce:
+        type: boolean
      enableProxy:
        type: boolean
      enableSignAuthnRequest:
@@ -5945,6 +6205,44 @@ definitions:
        type: boolean
      themeType:
        type: string
+  object.Ticket:
+    title: Ticket
+    type: object
+    properties:
+      content:
+        type: string
+      createdTime:
+        type: string
+      displayName:
+        type: string
+      messages:
+        type: array
+        items:
+          $ref: '#/definitions/object.TicketMessage'
+      name:
+        type: string
+      owner:
+        type: string
+      state:
+        type: string
+      title:
+        type: string
+      updatedTime:
+        type: string
+      user:
+        type: string
+  object.TicketMessage:
+    title: TicketMessage
+    type: object
+    properties:
+      author:
+        type: string
+      isAdmin:
+        type: boolean
+      text:
+        type: string
+      timestamp:
+        type: string
  object.Token:
    title: Token
    type: object
@@ -6020,7 +6318,7 @@ definitions:
      application:
        type: string
      category:
-        type: string
+        $ref: '#/definitions/object.TransactionCategory'
      createdTime:
        type: string
      currency:
@@ -6038,7 +6336,7 @@ definitions:
      provider:
        type: string
      state:
-        $ref: '#/definitions/pp.PaymentState'
+        type: string
      subtype:
        type: string
      tag:
@@ -6047,6 +6345,13 @@ definitions:
        type: string
      user:
        type: string
+  object.TransactionCategory:
+    title: TransactionCategory
+    type: string
+    enum:
+    - TransactionCategoryPurchase = "Purchase"
+    - TransactionCategoryRecharge = "Recharge"
+    example: Purchase
  object.User:
    title: User
    type: object
@@ -6061,6 +6366,10 @@ definitions:
        type: array
        items:
          type: string
+      addresses:
+        type: array
+        items:
+          $ref: '#/definitions/object.Address'
      adfs:
        type: string
      affiliation:
@@ -6103,6 +6412,10 @@ definitions:
        type: string
      box:
        type: string
+      cart:
+        type: array
+        items:
+          $ref: '#/definitions/object.ProductInfo'
      casdoor:
        type: string
      cloudfoundry:
@@ -6312,10 +6625,10 @@ definitions:
        type: string
      onedrive:
        type: string
-      originalToken:
-        type: string
      originalRefreshToken:
        type: string
+      originalToken:
+        type: string
      oura:
        type: string
      owner:
@@ -6486,13 +6799,13 @@ definitions:
    type: object
    properties:
      aliases:
-        $ref: '#/definitions/217748.<nil>.string'
+        $ref: '#/definitions/232967.<nil>.string'
      links:
        type: array
        items:
          $ref: '#/definitions/object.WebFingerLink'
      properties:
-        $ref: '#/definitions/217806.string.string'
+        $ref: '#/definitions/233025.string.string'
      subject:
        type: string
  object.WebFingerLink:
--- a/web/src/AdapterEditPage.js
+++ b/web/src/AdapterEditPage.js
@@ -158,7 +158,7 @@ class AdapterEditPage extends React.Component {
            <React.Fragment>
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-                  {Setting.getLabel(i18next.t("provider:Type"), i18next.t("provider:Type - Tooltip"))} :
+                  {Setting.getLabel(i18next.t("general:Type"), i18next.t("cert:Type - Tooltip"))} :
                </Col>
                <Col span={22} >
                  <Select virtual={false} disabled={Setting.builtInObject(this.state.adapter)} style={{width: "100%"}} value={this.state.adapter.type} onChange={(value => {
--- a/web/src/AdapterListPage.js
+++ b/web/src/AdapterListPage.js
@@ -134,7 +134,7 @@ class AdapterListPage extends BaseListPage {
        },
      },
      {
-        title: i18next.t("provider:Type"),
+        title: i18next.t("general:Type"),
        dataIndex: "type",
        key: "type",
        width: "100px",
--- a/web/src/ApplicationEditPage.js
+++ b/web/src/ApplicationEditPage.js
@@ -870,11 +870,11 @@ class ApplicationEditPage extends React.Component {
        <React.Fragment>
          <Row style={{marginTop: "10px"}} >
            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-              {Setting.getLabel(i18next.t("general:Providers"), i18next.t("general:Providers - Tooltip"))} :
+              {Setting.getLabel(i18next.t("application:Providers"), i18next.t("general:Providers - Tooltip"))} :
            </Col>
            <Col span={21} >
              <ProviderTable
-                title={i18next.t("general:Providers")}
+                title={i18next.t("application:Providers")}
                table={this.state.application.providers}
                providers={this.state.providers}
                application={this.state.application}
--- a/web/src/ApplicationListPage.js
+++ b/web/src/ApplicationListPage.js
@@ -208,7 +208,7 @@ class ApplicationListPage extends BaseListPage {
        },
      },
      {
-        title: i18next.t("general:Providers"),
+        title: i18next.t("application:Providers"),
        dataIndex: "providers",
        key: "providers",
        ...this.getColumnSearchProps("providers"),
--- a/web/src/BaseListPage.js
+++ b/web/src/BaseListPage.js
@@ -132,7 +132,7 @@ class BaseListPage extends React.Component {
            {i18next.t("general:Search")}
          </Button>
          <Button onClick={() => this.handleReset(clearFilters)} size="small" style={{width: 90}}>
-            {i18next.t("general:Reset")}
+            {i18next.t("forget:Reset")}
          </Button>
          <Button
            type="link"
--- a/web/src/CartListPage.js
+++ b/web/src/CartListPage.js
@@ -22,6 +22,7 @@ import * as ProductBackend from "./backend/ProductBackend";
 import i18next from "i18next";
 import BaseListPage from "./BaseListPage";
 import PopconfirmModal from "./common/modal/PopconfirmModal";
+import {QuantityStepper} from "./common/product/CartControls";

 class CartListPage extends BaseListPage {
  constructor(props) {
@@ -30,6 +31,7 @@ class CartListPage extends BaseListPage {
      ...this.state,
      data: [],
      user: null,
+      updatingCartItems: {},
      isPlacingOrder: false,
      loading: false,
      pagination: {
@@ -40,6 +42,8 @@ class CartListPage extends BaseListPage {
      searchText: "",
      searchedColumn: "",
    };
+
+    this.updatingCartItemsRef = {};
  }

  clearCart() {
@@ -90,6 +94,9 @@ class CartListPage extends BaseListPage {
      .then((res) => {
        if (res.status === "ok") {
          const order = res.data;
+          const user = Setting.deepCopy(this.state.user);
+          user.cart = [];
+          UserBackend.updateUser(user.owner, user.name, user);
          Setting.showMessage("success", i18next.t("product:Order created successfully"));
          Setting.goToLink(`/orders/${order.owner}/${order.name}/pay`);
        } else {
@@ -132,6 +139,66 @@ class CartListPage extends BaseListPage {
      });
  }

+  updateCartItemQuantity(record, newQuantity) {
+    if (newQuantity < 1) {
+      return;
+    }
+
+    const itemKey = `${record.name}-${record.price}-${record.pricingName || ""}-${record.planName || ""}`;
+    if (this.updatingCartItemsRef?.[itemKey]) {
+      return;
+    }
+
+    this.updatingCartItemsRef[itemKey] = true;
+
+    const user = Setting.deepCopy(this.state.user);
+    const index = user.cart.findIndex(item => item.name === record.name && item.price === record.price && (item.pricingName || "") === (record.pricingName || "") && (item.planName || "") === (record.planName || ""));
+    if (index === -1) {
+      delete this.updatingCartItemsRef[itemKey];
+      return;
+    }
+
+    if (index !== -1) {
+      user.cart[index].quantity = newQuantity;
+
+      const newData = [...this.state.data];
+      const dataIndex = newData.findIndex(item => item.name === record.name && item.price === record.price && (item.pricingName || "") === (record.pricingName || "") && (item.planName || "") === (record.planName || ""));
+      if (dataIndex !== -1) {
+        newData[dataIndex].quantity = newQuantity;
+        this.setState({data: newData});
+      }
+
+      this.setState(prevState => ({
+        updatingCartItems: {
+          ...(prevState.updatingCartItems || {}),
+          [itemKey]: true,
+        },
+      }));
+
+      UserBackend.updateUser(user.owner, user.name, user)
+        .then((res) => {
+          if (res.status === "ok") {
+            this.setState({user: user});
+          } else {
+            Setting.showMessage("error", res.msg);
+            this.fetch();
+          }
+        })
+        .catch(error => {
+          Setting.showMessage("error", `${i18next.t("general:Failed to connect to server")}: ${error}`);
+          this.fetch();
+        })
+        .finally(() => {
+          delete this.updatingCartItemsRef[itemKey];
+          this.setState(prevState => {
+            const updatingCartItems = {...(prevState.updatingCartItems || {})};
+            delete updatingCartItems[itemKey];
+            return {updatingCartItems};
+          });
+        });
+    }
+  }
+
  renderTable(carts) {
    const isEmpty = carts === undefined || carts === null || carts.length === 0;
    const owner = this.state.user?.owner || this.props.account.owner;
@@ -183,7 +250,7 @@ class CartListPage extends BaseListPage {
        },
      },
      {
-        title: i18next.t("product:Price"),
+        title: i18next.t("order:Price"),
        dataIndex: "price",
        key: "price",
        width: "160px",
@@ -227,8 +294,22 @@ class CartListPage extends BaseListPage {
        title: i18next.t("product:Quantity"),
        dataIndex: "quantity",
        key: "quantity",
-        width: "120px",
+        width: "100px",
        sorter: true,
+        render: (text, record) => {
+          const itemKey = `${record.name}-${record.price}-${record.pricingName || ""}-${record.planName || ""}`;
+          const isUpdating = this.state.updatingCartItems?.[itemKey] === true;
+          return (
+            <QuantityStepper
+              value={text}
+              min={1}
+              onIncrease={() => this.updateCartItemQuantity(record, text + 1)}
+              onDecrease={() => this.updateCartItemQuantity(record, text - 1)}
+              onChange={null}
+              disabled={isUpdating}
+            />
+          );
+        },
      },
      {
        title: i18next.t("general:Action"),
@@ -240,7 +321,7 @@ class CartListPage extends BaseListPage {
          return (
            <div style={{display: "flex", flexWrap: "wrap", gap: "8px"}}>
              <Button type="primary" onClick={() => this.props.history.push(`/products/${owner}/${record.name}/buy`)}>
-                {i18next.t("product:Detail")}
+                {i18next.t("general:Detail")}
              </Button>
              <PopconfirmModal
                title={i18next.t("general:Sure to delete") + `: ${record.name} ?`}
@@ -338,13 +419,28 @@ class CartListPage extends BaseListPage {

          const fullCartData = await Promise.all(productPromises);

+          const sortedData = [...fullCartData];
+          if (params.sortField && params.sortOrder) {
+            sortedData.sort((a, b) => {
+              const aValue = a[params.sortField];
+              const bValue = b[params.sortField];
+
+              if (aValue === bValue) {
+                return 0;
+              }
+
+              const comparison = aValue > bValue ? 1 : -1;
+              return params.sortOrder === "ascend" ? comparison : -comparison;
+            });
+          }
+
          this.setState({
            loading: false,
-            data: fullCartData,
+            data: sortedData,
            user: res.data,
            pagination: {
              ...params.pagination,
-              total: fullCartData.length,
+              total: sortedData.length,
            },
            searchText: params.searchText,
            searchedColumn: params.searchedColumn,
--- a/web/src/CertEditPage.js
+++ b/web/src/CertEditPage.js
@@ -149,7 +149,7 @@ class CertEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("provider:Type"), i18next.t("cert:Type - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Type"), i18next.t("cert:Type - Tooltip"))} :
          </Col>
          <Col span={22} >
            <Select virtual={false} style={{width: "100%"}} value={this.state.cert.type} onChange={(value => {
--- a/web/src/CertListPage.js
+++ b/web/src/CertListPage.js
@@ -147,7 +147,7 @@ class CertListPage extends BaseListPage {
        sorter: true,
      },
      {
-        title: i18next.t("provider:Type"),
+        title: i18next.t("general:Type"),
        dataIndex: "type",
        key: "type",
        filterMultiple: false,
--- a/web/src/FormEditPage.js
+++ b/web/src/FormEditPage.js
@@ -93,7 +93,7 @@ class FormEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}}>
          <Col style={{marginTop: "5px"}} span={Setting.isMobile() ? 22 : 2}>
-            {Setting.getLabel(i18next.t("general:Type"), i18next.t("general:Type - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Type"), i18next.t("cert:Type - Tooltip"))} :
          </Col>
          <Col span={22}>
            <Select
@@ -115,7 +115,7 @@ class FormEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}}>
          <Col style={{marginTop: "5px"}} span={Setting.isMobile() ? 22 : 2}>
-            {Setting.getLabel(i18next.t("user:Tag"), i18next.t("user:Tag - Tooltip"))} :
+            {Setting.getLabel(i18next.t("user:Tag"), i18next.t("product:Tag - Tooltip"))} :
          </Col>
          <Col span={22}>
            <Input value={this.state.form.tag} onChange={e => {
--- a/web/src/GroupEditPage.js
+++ b/web/src/GroupEditPage.js
@@ -148,7 +148,7 @@ class GroupEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("general:Type"), i18next.t("general:Type - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Type"), i18next.t("cert:Type - Tooltip"))} :
          </Col>
          <Col span={22} >
            <Select style={{width: "100%"}}
--- a/web/src/GroupListPage.js
+++ b/web/src/GroupListPage.js
@@ -92,7 +92,7 @@ class GroupListPage extends BaseListPage {
  uploadFile(info) {
    const {status, msg} = info;
    if (status === "ok") {
-      Setting.showMessage("success", "Groups uploaded successfully, refreshing the page");
+      Setting.showMessage("success", i18next.t("general:Successfully saved"));
      const {pagination} = this.state;
      this.fetch({pagination});
    } else if (status === "error") {
--- a/web/src/LdapEditPage.js
+++ b/web/src/LdapEditPage.js
@@ -218,7 +218,7 @@ class LdapEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}}>
          <Col style={{lineHeight: "32px", textAlign: "right", paddingRight: "25px"}} span={3}>
-            {Setting.getLabel(i18next.t("ldap:Admin"), i18next.t("ldap:Admin - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Admin"), i18next.t("ldap:Admin - Tooltip"))} :
          </Col>
          <Col span={21}>
            <Input value={this.state.ldap.username} onChange={e => {
--- a/web/src/ManagementPage.js
+++ b/web/src/ManagementPage.js
@@ -188,7 +188,7 @@ function ManagementPage(props) {
    };

    return (
-      <Dropdown key="/rightDropDown" menu={{items, onClick}} >
+      <Dropdown key="/rightDropDown" menu={{items, onClick}} placement="bottomRight" >
        <div className="rightDropDown">
          {
            renderAvatar()
@@ -320,7 +320,7 @@ function ManagementPage(props) {

    res.push(Setting.getItem(<Link style={{color: textColor}} to="/applications">{i18next.t("general:Identity")}</Link>, "/identity", <LockTwoTone twoToneColor={twoToneColor} />, [
      Setting.getItem(<Link to="/applications">{i18next.t("general:Applications")}</Link>, "/applications"),
-      Setting.getItem(<Link to="/providers">{i18next.t("general:Providers")}</Link>, "/providers"),
+      Setting.getItem(<Link to="/providers">{i18next.t("application:Providers")}</Link>, "/providers"),
      Setting.getItem(<Link to="/resources">{i18next.t("general:Resources")}</Link>, "/resources"),
      Setting.getItem(<Link to="/certs">{i18next.t("general:Certs")}</Link>, "/certs"),
    ]));
--- a/web/src/OrderEditPage.js
+++ b/web/src/OrderEditPage.js
@@ -158,7 +158,7 @@ class OrderEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {i18next.t("order:Products")}:
+            {i18next.t("general:Products")}:
          </Col>
          <Col span={22} >
            <Select
@@ -195,7 +195,7 @@ class OrderEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {i18next.t("order:Payment")}:
+            {i18next.t("general:Payment")}:
          </Col>
          <Col span={22} >
            <Select virtual={false} style={{width: "100%"}} value={this.state.order.payment} disabled={isViewMode} onChange={(value) => {
@@ -231,7 +231,7 @@ class OrderEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {i18next.t("general:Message")}:
+            {i18next.t("payment:Message")}:
          </Col>
          <Col span={22} >
            <Input value={this.state.order.message} onChange={e => {
@@ -239,26 +239,6 @@ class OrderEditPage extends React.Component {
            }} />
          </Col>
        </Row>
-        <Row style={{marginTop: "20px"}} >
-          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {i18next.t("order:Start time")}:
-          </Col>
-          <Col span={22} >
-            <Input value={this.state.order.startTime} onChange={e => {
-              this.updateOrderField("startTime", e.target.value);
-            }} />
-          </Col>
-        </Row>
-        <Row style={{marginTop: "20px"}} >
-          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {i18next.t("order:End time")}:
-          </Col>
-          <Col span={22} >
-            <Input value={this.state.order.endTime} onChange={e => {
-              this.updateOrderField("endTime", e.target.value);
-            }} />
-          </Col>
-        </Row>
      </Card>
    );
  }
--- a/web/src/OrderListPage.js
+++ b/web/src/OrderListPage.js
@@ -14,7 +14,7 @@

 import React from "react";
 import {Link} from "react-router-dom";
-import {Button, List, Table, Tooltip} from "antd";
+import {Button, Col, List, Row, Table, Tooltip} from "antd";
 import moment from "moment";
 import * as Setting from "./Setting";
 import * as OrderBackend from "./backend/OrderBackend";
@@ -37,8 +37,6 @@ class OrderListPage extends BaseListPage {
      payment: "",
      state: "Created",
      message: "",
-      startTime: moment().format(),
-      endTime: "",
    };
  }

@@ -139,13 +137,13 @@ class OrderListPage extends BaseListPage {
        },
      },
      {
-        title: i18next.t("order:Products"),
+        title: i18next.t("general:Products"),
        dataIndex: "products",
        key: "products",
        ...this.getColumnSearchProps("products"),
        render: (text, record, index) => {
-          const products = record?.products || [];
-          if (products.length === 0) {
+          const productInfos = record?.productInfos || [];
+          if (productInfos.length === 0) {
            return `(${i18next.t("general:empty")})`;
          }
          return (
@@ -153,22 +151,37 @@ class OrderListPage extends BaseListPage {
              <List
                size="small"
                locale={{emptyText: " "}}
-                dataSource={products}
+                dataSource={productInfos}
                style={{
                  paddingTop: 8,
                  paddingBottom: 8,
                }}
-                renderItem={(productName, i) => {
+                renderItem={(productInfo, i) => {
+                  const price = productInfo.price || 0;
+                  const number = productInfo.quantity || 1;
+                  const currency = record.currency || "USD";
+                  const productName = productInfo.displayName || productInfo.name;
                  return (
                    <List.Item>
-                      <div style={{display: "inline"}}>
-                        <Tooltip placement="topLeft" title={i18next.t("general:Edit")}>
-                          <Button style={{marginRight: "5px"}} icon={<EditOutlined />} size="small" onClick={() => Setting.goToLinkSoft(this, `/products/${record.owner}/${productName}`)} />
-                        </Tooltip>
-                        <Link to={`/products/${record.owner}/${productName}`}>
-                          {productName}
-                        </Link>
-                      </div>
+                      <Row style={{width: "100%"}} wrap={false} gutter={[12, 0]}>
+                        <Col flex="auto" style={{minWidth: 0}}>
+                          <div style={{display: "flex", alignItems: "center", minWidth: 0}}>
+                            <Tooltip placement="topLeft" title={i18next.t("general:Edit")}>
+                              <Button style={{marginRight: "5px"}} icon={<EditOutlined />} size="small" onClick={() => Setting.goToLinkSoft(this, `/products/${record.owner}/${productInfo.name}`)} />
+                            </Tooltip>
+                            <Tooltip placement="topLeft" title={productName}>
+                              <Link to={`/products/${record.owner}/${productInfo.name}`} style={{display: "inline-block", maxWidth: "100%", minWidth: 0, overflow: "hidden", textOverflow: "ellipsis", whiteSpace: "nowrap"}}>
+                                {productName}
+                              </Link>
+                            </Tooltip>
+                          </div>
+                        </Col>
+                        <Col flex="none" style={{whiteSpace: "nowrap"}}>
+                          <span style={{color: "#666"}}>
+                            {Setting.getCurrencySymbol(currency)}{price} ({Setting.getCurrencyText(currency)}) × {number}
+                          </span>
+                        </Col>
+                      </Row>
                    </List.Item>
                  );
                }}
@@ -224,29 +237,6 @@ class OrderListPage extends BaseListPage {
        sorter: true,
        ...this.getColumnSearchProps("state"),
      },
-      {
-        title: i18next.t("general:Start time"),
-        dataIndex: "startTime",
-        key: "startTime",
-        width: "160px",
-        sorter: true,
-        render: (text, record, index) => {
-          return Setting.getFormattedDate(text);
-        },
-      },
-      {
-        title: i18next.t("general:End time"),
-        dataIndex: "endTime",
-        key: "endTime",
-        width: "160px",
-        sorter: true,
-        render: (text, record, index) => {
-          if (text === "") {
-            return "(empty)";
-          }
-          return Setting.getFormattedDate(text);
-        },
-      },
      {
        title: i18next.t("general:Action"),
        dataIndex: "",
--- a/web/src/OrderPayPage.js
+++ b/web/src/OrderPayPage.js
@@ -233,7 +233,7 @@ class OrderPayPage extends React.Component {
            <img src={product?.image} alt={Setting.getLanguageText(product?.displayName)} height={90} style={{objectFit: "contain"}} />
          </Descriptions.Item>

-          <Descriptions.Item label={i18next.t("product:Price")} span={1}>
+          <Descriptions.Item label={i18next.t("order:Price")} span={1}>
            <span style={{fontSize: 18, fontWeight: "bold"}}>
              {this.getProductPrice(product)}
            </span>
@@ -245,7 +245,7 @@ class OrderPayPage extends React.Component {
          </Descriptions.Item>

          {product?.detail && (
-            <Descriptions.Item label={i18next.t("product:Detail")} span={2}>
+            <Descriptions.Item label={i18next.t("general:Detail")} span={2}>
              <span style={{fontSize: 16}}>{Setting.getLanguageText(product?.detail)}</span>
            </Descriptions.Item>
          )}
@@ -267,6 +267,17 @@ class OrderPayPage extends React.Component {
  render() {
    const {order, productInfos} = this.state;

+    const updateTime = order?.updateTime || "";
+    const state = order?.state || "";
+    const updateTimeMap = {
+      Paid: i18next.t("order:Payment time"),
+      Canceled: i18next.t("order:Cancel time"),
+      PaymentFailed: i18next.t("order:Payment failed time"),
+      Timeout: i18next.t("order:Timeout time"),
+    };
+    const updateTimeLabel = updateTimeMap[state] || i18next.t("general:Updated time");
+    const shouldShowUpdateTime = state !== "Created" && updateTime !== "";
+
    if (!order || !productInfos) {
      return null;
    }
@@ -275,7 +286,7 @@ class OrderPayPage extends React.Component {
      <div className="login-content">
        <Spin spinning={this.state.isProcessingPayment} size="large" tip={i18next.t("product:Processing payment...")} style={{paddingTop: "10%"}} >
          <div style={{marginBottom: "20px"}}>
-            <Descriptions title={<span style={Setting.isMobile() ? {fontSize: 18} : {fontSize: 24}}>{i18next.t("general:Order")}</span>} bordered column={3}>
+            <Descriptions title={<span style={Setting.isMobile() ? {fontSize: 18} : {fontSize: 24}}>{i18next.t("application:Order")}</span>} bordered column={3}>
              <Descriptions.Item label={i18next.t("general:ID")} span={3}>
                <span style={{fontSize: 16}}>
                  {order.name}
@@ -291,6 +302,13 @@ class OrderPayPage extends React.Component {
                  {Setting.getFormattedDate(order.createdTime)}
                </span>
              </Descriptions.Item>
+              {shouldShowUpdateTime && (
+                <Descriptions.Item label={updateTimeLabel}>
+                  <span style={{fontSize: 16}}>
+                    {Setting.getFormattedDate(updateTime)}
+                  </span>
+                </Descriptions.Item>
+              )}
              <Descriptions.Item label={i18next.t("general:User")}>
                <span style={{fontSize: 16}}>
                  {order.user}
@@ -307,14 +325,14 @@ class OrderPayPage extends React.Component {
          </div>

          <div>
-            <Descriptions title={<span style={Setting.isMobile() ? {fontSize: 18} : {fontSize: 24}}>{i18next.t("order:Payment")}</span>} bordered column={3}>
-              <Descriptions.Item label={i18next.t("product:Price")} span={3}>
+            <Descriptions title={<span style={Setting.isMobile() ? {fontSize: 18} : {fontSize: 24}}>{i18next.t("general:Payment")}</span>} bordered column={3}>
+              <Descriptions.Item label={i18next.t("order:Price")} span={3}>
                <span style={{fontSize: 28, color: "red", fontWeight: "bold"}}>
                  {this.getPrice(order)}
                </span>
              </Descriptions.Item>
              {!this.state.isViewMode && (
-                <Descriptions.Item label={i18next.t("product:Pay")} span={3}>
+                <Descriptions.Item label={i18next.t("order:Pay")} span={3}>
                  {this.renderPaymentMethods()}
                </Descriptions.Item>
              )}
--- a/web/src/OrganizationEditPage.js
+++ b/web/src/OrganizationEditPage.js
@@ -407,7 +407,7 @@ class OrganizationEditPage extends React.Component {
              }}
              filterOption={(input, option) => (option?.text ?? "").toLowerCase().includes(input.toLowerCase())}
            >
-              {Setting.getCountryCodeOption({name: i18next.t("organization:All"), code: "All", phone: 0})}
+              {Setting.getCountryCodeOption({name: i18next.t("general:All"), code: "All", phone: 0})}
              {
                Setting.getCountryCodeData().map((country) => Setting.getCountryCodeOption(country))
              }
@@ -481,7 +481,7 @@ class OrganizationEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("organization:Tags"), i18next.t("organization:Tags - Tooltip"))} :
+            {Setting.getLabel(i18next.t("organization:Tags"), i18next.t("application:Tags - Tooltip"))} :
          </Col>
          <Col span={22} >
            <Select virtual={false} mode="tags" style={{width: "100%"}} value={this.state.organization.tags} onChange={(value => {this.updateOrganizationField("tags", value);})}>
@@ -678,6 +678,16 @@ class OrganizationEditPage extends React.Component {
            />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("organization:Account menu"), i18next.t("organization:Account menu - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Select virtual={false} style={{width: "100%"}} value={this.state.organization.accountMenu || "Horizontal"} onChange={(value => {this.updateOrganizationField("accountMenu", value);})}
+              options={[{value: "Horizontal", label: i18next.t("application:Horizontal")}, {value: "Vertical", label: i18next.t("application:Vertical")}].map(item => Setting.getOption(item.label, item.value))}
+            />
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("organization:Account items"), i18next.t("organization:Account items - Tooltip"))} :
@@ -817,7 +827,7 @@ class OrganizationEditPage extends React.Component {
          this.state.organization !== null ? this.renderOrganization() : null
        }
        {this.state.mode !== "add" && this.state.transactions.length > 0 ? (
-          <Card size="small" title={i18next.t("transaction:Transactions")} style={{marginTop: "20px"}} type="inner">
+          <Card size="small" title={i18next.t("general:Transactions")} style={{marginTop: "20px"}} type="inner">
            <TransactionTable transactions={this.state.transactions} includeUser={true} />
          </Card>
        ) : null}
--- a/web/src/PaymentEditPage.js
+++ b/web/src/PaymentEditPage.js
@@ -232,7 +232,7 @@ class PaymentEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("provider:Type"), i18next.t("payment:Type - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Type"), i18next.t("cert:Type - Tooltip"))} :
          </Col>
          <Col span={22} >
            <Input disabled={true} value={this.state.payment.type} onChange={e => {
@@ -242,7 +242,7 @@ class PaymentEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("payment:Products"), i18next.t("payment:Products - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Products"), i18next.t("payment:Products - Tooltip"))} :
          </Col>
          <Col span={22} >
            <Select
@@ -265,7 +265,7 @@ class PaymentEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("product:Price"), i18next.t("product:Price - Tooltip"))} :
+            {Setting.getLabel(i18next.t("order:Price"), i18next.t("plan:Price - Tooltip"))} :
          </Col>
          <Col span={22} >
            <Input disabled={true} value={this.state.payment.price} onChange={e => {
@@ -456,7 +456,7 @@ class PaymentEditPage extends React.Component {
    }

    if (!Setting.isValidEmail(this.state.payment.personEmail)) {
-      return i18next.t("signup:The input is not valid Email!");
+      return i18next.t("login:The input is not valid Email!");
    }

    if (!Setting.isValidPhone(this.state.payment.personPhone)) {
--- a/web/src/PaymentListPage.js
+++ b/web/src/PaymentListPage.js
@@ -161,7 +161,7 @@ class PaymentListPage extends BaseListPage {
        },
      },
      {
-        title: i18next.t("provider:Type"),
+        title: i18next.t("general:Type"),
        dataIndex: "type",
        key: "type",
        width: "140px",
@@ -175,13 +175,13 @@ class PaymentListPage extends BaseListPage {
        },
      },
      {
-        title: i18next.t("order:Products"),
+        title: i18next.t("general:Products"),
        dataIndex: "products",
        key: "products",
        ...this.getColumnSearchProps("products"),
        render: (text, record, index) => {
-          const products = record?.products || [];
-          if (products.length === 0) {
+          const productInfos = record?.orderObj?.productInfos || [];
+          if (productInfos.length === 0) {
            return `(${i18next.t("general:empty")})`;
          }
          return (
@@ -189,21 +189,26 @@ class PaymentListPage extends BaseListPage {
              <List
                size="small"
                locale={{emptyText: " "}}
-                dataSource={products}
+                dataSource={productInfos}
                style={{
                  paddingTop: 8,
                  paddingBottom: 8,
                }}
-                renderItem={(productName, i) => {
+                renderItem={(productInfo, i) => {
+                  const price = productInfo.price * (productInfo.quantity || 1);
+                  const currency = record.currency || "USD";
                  return (
                    <List.Item>
                      <div style={{display: "inline"}}>
                        <Tooltip placement="topLeft" title={i18next.t("general:Edit")}>
-                          <Button style={{marginRight: "5px"}} icon={<EditOutlined />} size="small" onClick={() => Setting.goToLinkSoft(this, `/products/${record.owner}/${productName}`)} />
+                          <Button style={{marginRight: "5px"}} icon={<EditOutlined />} size="small" onClick={() => Setting.goToLinkSoft(this, `/products/${record.owner}/${productInfo.name}`)} />
                        </Tooltip>
-                        <Link to={`/products/${record.owner}/${productName}`}>
-                          {productName}
+                        <Link to={`/products/${record.owner}/${productInfo.name}`}>
+                          {productInfo.displayName || productInfo.name}
                        </Link>
+                        <span style={{marginLeft: "8px", color: "#666"}}>
+                          {Setting.getPriceDisplay(price, currency)}
+                        </span>
                      </div>
                    </List.Item>
                  );
@@ -214,7 +219,7 @@ class PaymentListPage extends BaseListPage {
        },
      },
      {
-        title: i18next.t("product:Price"),
+        title: i18next.t("order:Price"),
        dataIndex: "price",
        key: "price",
        width: "160px",
--- a/web/src/PermissionEditPage.js
+++ b/web/src/PermissionEditPage.js
@@ -271,7 +271,7 @@ class PermissionEditPage extends React.Component {
            <Select virtual={false} mode="multiple" style={{width: "100%"}} value={this.state.permission.users}
              onChange={(value => {this.updatePermissionField("users", value);})}
              options={[
-                Setting.getOption(i18next.t("organization:All"), "*"),
+                Setting.getOption(i18next.t("general:All"), "*"),
                ...this.state.users.map((user) => Setting.getOption(`${user.owner}/${user.name}`, `${user.owner}/${user.name}`)),
              ]}
            />
@@ -285,7 +285,7 @@ class PermissionEditPage extends React.Component {
            <Select virtual={false} mode="multiple" style={{width: "100%"}} value={this.state.permission.groups}
              onChange={(value => {this.updatePermissionField("groups", value);})}
              options={[
-                Setting.getOption(i18next.t("organization:All"), "*"),
+                Setting.getOption(i18next.t("general:All"), "*"),
                ...this.state.groups.map((group) => Setting.getOption(`${group.owner}/${group.name}`, `${group.owner}/${group.name}`)),
              ]}
            />
@@ -299,7 +299,7 @@ class PermissionEditPage extends React.Component {
            <Select disabled={!this.hasRoleDefinition(this.state.model)} placeholder={this.hasRoleDefinition(this.state.model) ? "" : "This field is disabled because the model is empty or it doesn't support RBAC (in another word, doesn't contain [role_definition])"} virtual={false} mode="multiple" style={{width: "100%"}} value={this.state.permission.roles}
              onChange={(value => {this.updatePermissionField("roles", value);})}
              options={[
-                Setting.getOption(i18next.t("organization:All"), "*"),
+                Setting.getOption(i18next.t("general:All"), "*"),
                ...this.state.roles.filter(roles => (roles.owner !== this.state.roles.owner || roles.name !== this.state.roles.name)).map((permission) => Setting.getOption(`${permission.owner}/${permission.name}`, `${permission.owner}/${permission.name}`)),
              ]}
            />
@@ -315,7 +315,7 @@ class PermissionEditPage extends React.Component {
                this.updatePermissionField("domains", value);
              })}
              options={[
-                Setting.getOption(i18next.t("organization:All"), "*"),
+                Setting.getOption(i18next.t("general:All"), "*"),
                ...this.state.permission.domains.filter(domain => domain !== "*").map((domain) => Setting.getOption(domain, domain)),
              ]}
            />
@@ -349,7 +349,7 @@ class PermissionEditPage extends React.Component {
              options={this.state.permission.resourceType === "API" ? Setting.getApiPaths().map((option, index) => {
                return Setting.getOption(option, option);
              }) : [
-                Setting.getOption(i18next.t("organization:All"), "*"),
+                Setting.getOption(i18next.t("general:All"), "*"),
                ...this.state.resources.map((resource) => Setting.getOption(`${resource.name}`, `${resource.name}`)),
              ]}
            />
@@ -369,7 +369,7 @@ class PermissionEditPage extends React.Component {
            ] : [
              {value: "Read", name: i18next.t("permission:Read")},
              {value: "Write", name: i18next.t("permission:Write")},
-              {value: "Admin", name: i18next.t("permission:Admin")},
+              {value: "Admin", name: i18next.t("general:Admin")},
            ].map((item) => Setting.getOption(item.name, item.value))}
            />
          </Col>
--- a/web/src/PermissionListPage.js
+++ b/web/src/PermissionListPage.js
@@ -337,7 +337,7 @@ class PermissionListPage extends BaseListPage {
            case "Write":
              return i18next.t("permission:Write");
            case "Admin":
-              return i18next.t("permission:Admin");
+              return i18next.t("general:Admin");
            default:
              return null;
            }
--- a/web/src/PlanEditPage.js
+++ b/web/src/PlanEditPage.js
@@ -201,7 +201,7 @@ class PlanEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("plan:Price"), i18next.t("plan:Price - Tooltip"))} :
+            {Setting.getLabel(i18next.t("order:Price"), i18next.t("plan:Price - Tooltip"))} :
          </Col>
          <Col span={22} >
            <InputNumber value={this.state.plan.price} disabled={isViewMode} onChange={value => {
@@ -260,6 +260,16 @@ class PlanEditPage extends React.Component {
            }} />
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
+            {Setting.getLabel(i18next.t("plan:Is exclusive"), i18next.t("plan:Is exclusive - Tooltip"))} :
+          </Col>
+          <Col span={1} >
+            <Switch checked={this.state.plan.isExclusive} disabled={isViewMode} onChange={checked => {
+              this.updatePlanField("isExclusive", checked);
+            }} />
+          </Col>
+        </Row>
      </Card>
    );
  }
--- a/web/src/PlanListPage.js
+++ b/web/src/PlanListPage.js
@@ -130,7 +130,7 @@ class PlanListPage extends BaseListPage {
        ...this.getColumnSearchProps("displayName"),
      },
      {
-        title: i18next.t("plan:Price"),
+        title: i18next.t("order:Price"),
        dataIndex: "price",
        key: "price",
        width: "160px",
@@ -154,7 +154,7 @@ class PlanListPage extends BaseListPage {
        ...this.getColumnSearchProps("role"),
        render: (text, record, index) => {
          return (
-            <Link to={`/roles/${record.owner}/${text}`}>
+            <Link to={`/roles/${text}`}>
              {text}
            </Link>
          );
--- a/web/src/ProductBuyPage.js
+++ b/web/src/ProductBuyPage.js
@@ -21,6 +21,7 @@ import * as PricingBackend from "./backend/PricingBackend";
 import * as OrderBackend from "./backend/OrderBackend";
 import * as UserBackend from "./backend/UserBackend";
 import * as Setting from "./Setting";
+import {FloatingCartButton, QuantityStepper} from "./common/product/CartControls";

 class ProductBuyPage extends React.Component {
  constructor(props) {
@@ -40,6 +41,8 @@ class ProductBuyPage extends React.Component {
      isPlacingOrder: false,
      isAddingToCart: false,
      customPrice: 100,
+      buyQuantity: params.get("quantity") ? parseInt(params.get("quantity"), 10) : 1,
+      cartItemCount: 0,
    };
  }

@@ -58,6 +61,22 @@ class ProductBuyPage extends React.Component {
  UNSAFE_componentWillMount() {
    this.getProduct();
    this.getPaymentEnv();
+    this.getCartItemCount();
+  }
+
+  getCartItemCount() {
+    if (!this.props.account) {
+      return;
+    }
+    const userOwner = this.props.account.owner;
+    const userName = this.props.account.name;
+    UserBackend.getUser(userOwner, userName).then((res) => {
+      if (res.status === "ok" && res.data.cart) {
+        this.setState({
+          cartItemCount: res.data.cart.length,
+        });
+      }
+    });
  }

  setStateAsync(state) {
@@ -175,9 +194,10 @@ class ProductBuyPage extends React.Component {
          }

          const existingItemIndex = cart.findIndex(item => item.name === product.name && item.price === actualPrice && (item.pricingName || "") === pricingName && (item.planName || "") === planName);
+          const quantityToAdd = this.state.buyQuantity;

          if (existingItemIndex !== -1) {
-            cart[existingItemIndex].quantity += 1;
+            cart[existingItemIndex].quantity = (cart[existingItemIndex].quantity ?? 1) + quantityToAdd;
          } else {
            const newProductInfo = {
              name: product.name,
@@ -185,7 +205,7 @@ class ProductBuyPage extends React.Component {
              currency: product.currency,
              pricingName: pricingName,
              planName: planName,
-              quantity: 1,
+              quantity: quantityToAdd,
            };
            cart.push(newProductInfo);
          }
@@ -195,6 +215,9 @@ class ProductBuyPage extends React.Component {
            .then((res) => {
              if (res.status === "ok") {
                Setting.showMessage("success", i18next.t("general:Successfully added"));
+                this.setState({
+                  cartItemCount: cart.length,
+                });
              } else {
                Setting.showMessage("error", res.msg);
              }
@@ -230,7 +253,7 @@ class ProductBuyPage extends React.Component {
      price: product.isRecharge ? customPrice : product.price,
      pricingName: pricingName,
      planName: planName,
-      quantity: 1,
+      quantity: this.state.buyQuantity,
    }];

    OrderBackend.placeOrder(product.owner, productInfos, this.state.userName ?? "")
@@ -322,22 +345,35 @@ class ProductBuyPage extends React.Component {
    const isAmountZero = product.isRecharge && (this.state.customPrice === 0 || this.state.customPrice === null);

    return (
-      <div style={{display: "flex", justifyContent: "center", alignItems: "center", gap: "20px"}}>
+      <div style={{display: "flex", justifyContent: "center", alignItems: "center", gap: "25px"}}>
+        <QuantityStepper
+          value={this.state.buyQuantity}
+          min={1}
+          onIncrease={() => this.setState(prevState => ({buyQuantity: prevState.buyQuantity + 1}))}
+          onDecrease={() => this.setState(prevState => ({buyQuantity: Math.max(1, prevState.buyQuantity - 1)}))}
+          onChange={(val) => this.setState({buyQuantity: val || 1})}
+          disabled={isRechargeUnpurchasable || this.state.isAddingToCart || isAmountZero}
+          style={{
+            height: "50px",
+            fontSize: "18px",
+            width: "140px",
+          }}
+        />
        <Button
-          type="primary"
+          type="default"
          size="large"
          style={{
            height: "50px",
            fontSize: "18px",
            borderRadius: "30px",
-            paddingLeft: "60px",
-            paddingRight: "60px",
+            paddingLeft: "40px",
+            paddingRight: "40px",
          }}
-          onClick={() => this.placeOrder(product)}
-          disabled={this.state.isPlacingOrder || isRechargeUnpurchasable || isAmountZero}
-          loading={this.state.isPlacingOrder}
+          onClick={() => this.addToCart(product)}
+          disabled={isRechargeUnpurchasable || this.state.isAddingToCart || isAmountZero}
+          loading={this.state.isAddingToCart}
        >
-          {i18next.t("order:Place Order")}
+          {i18next.t("product:Add to cart")}
        </Button>
        <Button
          type="primary"
@@ -346,14 +382,14 @@ class ProductBuyPage extends React.Component {
            height: "50px",
            fontSize: "18px",
            borderRadius: "30px",
-            paddingLeft: "30px",
-            paddingRight: "30px",
+            paddingLeft: "40px",
+            paddingRight: "40px",
          }}
-          onClick={() => this.addToCart(product)}
-          disabled={isRechargeUnpurchasable || this.state.isAddingToCart || isAmountZero}
-          loading={this.state.isAddingToCart}
+          onClick={() => this.placeOrder(product)}
+          disabled={this.state.isPlacingOrder || isRechargeUnpurchasable || isAmountZero}
+          loading={this.state.isPlacingOrder}
        >
-          {i18next.t("product:Add to cart")}
+          {i18next.t("general:Place Order")}
        </Button>
      </div>
    );
@@ -369,6 +405,10 @@ class ProductBuyPage extends React.Component {

    return (
      <div className="login-content">
+        <FloatingCartButton
+          itemCount={this.state.cartItemCount}
+          onClick={() => this.props.history.push("/cart")}
+        />
        <Spin spinning={this.state.isPlacingOrder} size="large" tip={i18next.t("product:Placing order...")} style={{paddingTop: "10%"}} >
          <Descriptions title={<span style={Setting.isMobile() ? {fontSize: 20} : {fontSize: 28}}>{i18next.t("product:Buy Product")}</span>} bordered>
            <Descriptions.Item label={i18next.t("general:Name")} span={3}>
@@ -376,7 +416,7 @@ class ProductBuyPage extends React.Component {
                {Setting.getLanguageText(product?.displayName)}
              </span>
            </Descriptions.Item>
-            <Descriptions.Item label={i18next.t("product:Detail")}><span style={{fontSize: 16}}>{Setting.getLanguageText(product?.detail)}</span></Descriptions.Item>
+            <Descriptions.Item label={i18next.t("general:Detail")}><span style={{fontSize: 16}}>{Setting.getLanguageText(product?.detail)}</span></Descriptions.Item>
            <Descriptions.Item label={i18next.t("user:Tag")}><span style={{fontSize: 16}}>{product?.tag}</span></Descriptions.Item>
            <Descriptions.Item label={i18next.t("product:SKU")}><span style={{fontSize: 16}}>{product?.name}</span></Descriptions.Item>
            <Descriptions.Item label={i18next.t("product:Image")} span={3}>
@@ -384,12 +424,12 @@ class ProductBuyPage extends React.Component {
            </Descriptions.Item>
            {
              product.isRecharge ? (
-                <Descriptions.Item span={3} label={i18next.t("product:Price")}>
+                <Descriptions.Item span={3} label={i18next.t("order:Price")}>
                  {this.renderRechargeInput(product)}
                </Descriptions.Item>
              ) : (
                <React.Fragment>
-                  <Descriptions.Item label={i18next.t("product:Price")}>
+                  <Descriptions.Item label={i18next.t("order:Price")}>
                    <span style={{fontSize: 28, color: "red", fontWeight: "bold"}}>
                      {
                        this.getPrice(product)
@@ -401,7 +441,7 @@ class ProductBuyPage extends React.Component {
                </React.Fragment>
              )
            }
-            <Descriptions.Item label={i18next.t("order:Place Order")} span={3}>
+            <Descriptions.Item label={i18next.t("general:Place Order")} span={3}>
              <div style={{display: "flex", justifyContent: "center", alignItems: "center", minHeight: "80px"}}>
                {placeOrderButton}
              </div>
--- a/web/src/ProductEditPage.js
+++ b/web/src/ProductEditPage.js
@@ -182,7 +182,7 @@ class ProductEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("product:Detail"), i18next.t("product:Detail - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Detail"), i18next.t("product:Detail - Tooltip"))} :
          </Col>
          <Col span={22} >
            <Input value={this.state.product.detail} disabled={isViewMode} onChange={e => {
@@ -266,7 +266,7 @@ class ProductEditPage extends React.Component {
          ) : (
            <Row style={{marginTop: "20px"}} >
              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-                {Setting.getLabel(i18next.t("product:Price"), i18next.t("product:Price - Tooltip"))} :
+                {Setting.getLabel(i18next.t("order:Price"), i18next.t("plan:Price - Tooltip"))} :
              </Col>
              <Col span={22} >
                <InputNumber value={this.state.product.price} disabled={isViewMode || isCreatedByPlan} onChange={value => {
--- a/web/src/ProductListPage.js
+++ b/web/src/ProductListPage.js
@@ -153,7 +153,7 @@ class ProductListPage extends BaseListPage {
        ...this.getColumnSearchProps("tag"),
      },
      {
-        title: i18next.t("product:Price"),
+        title: i18next.t("order:Price"),
        dataIndex: "price",
        key: "price",
        width: "160px",
--- a/web/src/ProductStorePage.js
+++ b/web/src/ProductStorePage.js
@@ -18,6 +18,7 @@ import * as Setting from "./Setting";
 import * as ProductBackend from "./backend/ProductBackend";
 import * as UserBackend from "./backend/UserBackend";
 import i18next from "i18next";
+import {FloatingCartButton, QuantityStepper} from "./common/product/CartControls";

 const {Text, Title} = Typography;

@@ -30,14 +31,57 @@ class ProductStorePage extends React.Component {
      products: [],
      loading: true,
      addingToCartProducts: [],
+      productQuantities: {},
+      cartItemCount: 0,
    };
  }

  componentDidMount() {
+    if (!this.props.account) {
+      return;
+    }
+
    this.getProducts();
+    this.getCartItemCount();
+  }
+
+  componentDidUpdate(prevProps) {
+    if (!prevProps.account && this.props.account) {
+      this.getProducts();
+      this.getCartItemCount();
+    }
+  }
+
+  getCartItemCount() {
+    if (!this.props.account) {
+      return;
+    }
+
+    const userOwner = this.props.account.owner;
+    const userName = this.props.account.name;
+    UserBackend.getUser(userOwner, userName).then((res) => {
+      if (res.status === "ok" && res.data.cart) {
+        this.setState({
+          cartItemCount: res.data.cart.length,
+        });
+      }
+    });
+  }
+
+  updateProductQuantity(productName, value) {
+    this.setState(prevState => ({
+      productQuantities: {
+        ...prevState.productQuantities,
+        [productName]: value,
+      },
+    }));
  }

  getProducts() {
+    if (!this.props.account) {
+      return;
+    }
+
    const pageSize = 100; // Max products to display in the store
    const owner = Setting.isDefaultOrganizationSelected(this.props.account) ? "" : Setting.getRequestOrganization(this.props.account);
    this.setState({loading: true});
@@ -85,9 +129,10 @@ class ProductStorePage extends React.Component {
          }

          const existingItemIndex = cart.findIndex(item => item.name === product.name && item.price === product.price);
+          const quantityToAdd = this.state.productQuantities[product.name] || 1;

          if (existingItemIndex !== -1) {
-            cart[existingItemIndex].quantity += 1;
+            cart[existingItemIndex].quantity = (cart[existingItemIndex].quantity ?? 1) + quantityToAdd;
          } else {
            const newCartProductInfo = {
              name: product.name,
@@ -95,7 +140,7 @@ class ProductStorePage extends React.Component {
              currency: product.currency,
              pricingName: "",
              planName: "",
-              quantity: 1,
+              quantity: quantityToAdd,
            };
            cart.push(newCartProductInfo);
          }
@@ -105,6 +150,9 @@ class ProductStorePage extends React.Component {
            .then((res) => {
              if (res.status === "ok") {
                Setting.showMessage("success", i18next.t("general:Successfully added"));
+                this.setState({
+                  cartItemCount: cart.length,
+                });
              } else {
                Setting.showMessage("error", res.msg);
              }
@@ -127,11 +175,14 @@ class ProductStorePage extends React.Component {
  }

  handleBuyProduct(product) {
-    this.props.history.push(`/products/${product.owner}/${product.name}/buy`);
+    const quantity = this.state.productQuantities[product.name] || 1;
+    this.props.history.push(`/products/${product.owner}/${product.name}/buy?quantity=${quantity}`);
  }

  renderProductCard(product) {
    const isAdding = this.state.addingToCartProducts.includes(product.name);
+    const quantity = this.state.productQuantities[product.name] || 1;
+
    return (
      <Col xs={24} sm={12} md={8} lg={6} key={`${product.owner}/${product.name}`} style={{marginBottom: "20px"}}>
        <Card
@@ -149,6 +200,40 @@ class ProductStorePage extends React.Component {
          }
          actions={[
            <div key="actions" style={{display: "flex", justifyContent: "center", gap: "10px", width: "100%", padding: "0 10px"}} onClick={(e) => e.stopPropagation()}>
+              {!product.isRecharge && (
+                <>
+                  <QuantityStepper
+                    value={quantity}
+                    min={1}
+                    onIncrease={() => this.updateProductQuantity(product.name, quantity + 1)}
+                    onDecrease={() => this.updateProductQuantity(product.name, Math.max(1, quantity - 1))}
+                    onChange={(val) => this.updateProductQuantity(product.name, val || 1)}
+                    disabled={isAdding}
+                    style={{
+                      height: "45px",
+                      fontSize: "16px",
+                      width: "120px",
+                    }}
+                  />
+                  <Button
+                    key="add"
+                    type="default"
+                    onClick={(e) => {
+                      e.stopPropagation();
+                      this.addToCart(product);
+                    }}
+                    style={{
+                      width: "150px",
+                      height: "45px",
+                      fontSize: "16px",
+                    }}
+                    disabled={isAdding}
+                    loading={isAdding}
+                  >
+                    {i18next.t("product:Add to cart")}
+                  </Button>
+                </>
+              )}
              <Button
                key="buy"
                type="primary"
@@ -156,23 +241,14 @@ class ProductStorePage extends React.Component {
                  e.stopPropagation();
                  this.handleBuyProduct(product);
                }}
+                style={{
+                  width: "150px",
+                  height: "45px",
+                  fontSize: "16px",
+                }}
              >
                {i18next.t("product:Buy")}
              </Button>
-              {!product.isRecharge && (
-                <Button
-                  key="add"
-                  type="primary"
-                  onClick={(e) => {
-                    e.stopPropagation();
-                    this.addToCart(product);
-                  }}
-                  disabled={isAdding}
-                  loading={isAdding}
-                >
-                  {i18next.t("product:Add to cart")}
-                </Button>
-              )}
            </div>,
          ]}
          bodyStyle={{flex: 1, display: "flex", flexDirection: "column"}}
@@ -253,6 +329,10 @@ class ProductStorePage extends React.Component {
  render() {
    return (
      <div>
+        <FloatingCartButton
+          itemCount={this.state.cartItemCount}
+          onClick={() => this.props.history.push("/cart")}
+        />
        <Row gutter={[16, 16]}>
          {this.state.loading ? (
            <Col span={24}>
--- a/web/src/ProviderEditPage.js
+++ b/web/src/ProviderEditPage.js
@@ -257,7 +257,7 @@ class ProviderEditPage extends React.Component {
        <Input value={this.state.provider.userMapping.affiliation} onChange={e => {
          this.updateUserMappingField("affiliation", e.target.value);
        }} />
-        {Setting.getLabel(i18next.t("user:Title"), i18next.t("user:Title - Tooltip"))} :
+        {Setting.getLabel(i18next.t("general:Title"), i18next.t("general:Title - Tooltip"))} :
        <Input value={this.state.provider.userMapping.title} onChange={e => {
          this.updateUserMappingField("title", e.target.value);
        }} />
@@ -319,7 +319,7 @@ class ProviderEditPage extends React.Component {
      return Setting.getLabel(i18next.t("signup:Username"), i18next.t("signup:Username - Tooltip"));
    case "SMS":
      if (provider.type === "Volc Engine SMS" || provider.type === "Amazon SNS" || provider.type === "Baidu Cloud SMS") {
-        return Setting.getLabel(i18next.t("provider:Access key"), i18next.t("provider:Access key - Tooltip"));
+        return Setting.getLabel(i18next.t("general:Access key"), i18next.t("general:Access key - Tooltip"));
      } else if (provider.type === "Huawei Cloud SMS") {
        return Setting.getLabel(i18next.t("provider:App key"), i18next.t("provider:App key - Tooltip"));
      } else if (provider.type === "UCloud SMS") {
@@ -331,19 +331,19 @@ class ProviderEditPage extends React.Component {
      }
    case "Captcha":
      if (provider.type === "Aliyun Captcha") {
-        return Setting.getLabel(i18next.t("provider:Access key"), i18next.t("provider:Access key - Tooltip"));
+        return Setting.getLabel(i18next.t("general:Access key"), i18next.t("general:Access key - Tooltip"));
      } else {
        return Setting.getLabel(i18next.t("provider:Site key"), i18next.t("provider:Site key - Tooltip"));
      }
    case "Notification":
      if (provider.type === "DingTalk") {
-        return Setting.getLabel(i18next.t("provider:Access key"), i18next.t("provider:Access key - Tooltip"));
+        return Setting.getLabel(i18next.t("general:Access key"), i18next.t("general:Access key - Tooltip"));
      } else {
        return Setting.getLabel(i18next.t("provider:Client ID"), i18next.t("provider:Client ID - Tooltip"));
      }
    case "ID Verification":
      if (provider.type === "Alibaba Cloud") {
-        return Setting.getLabel(i18next.t("provider:Access key"), i18next.t("provider:Access key - Tooltip"));
+        return Setting.getLabel(i18next.t("general:Access key"), i18next.t("general:Access key - Tooltip"));
      } else {
        return Setting.getLabel(i18next.t("provider:Client ID"), i18next.t("provider:Client ID - Tooltip"));
      }
@@ -751,7 +751,7 @@ class ProviderEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("provider:Type"), i18next.t("provider:Type - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Type"), i18next.t("cert:Type - Tooltip"))} :
          </Col>
          <Col span={22} >
            <Select virtual={false} style={{width: "100%"}} showSearch value={this.state.provider.type} onChange={(value => {
@@ -816,7 +816,7 @@ class ProviderEditPage extends React.Component {
                        }}>
                          {
                            [
-                              {id: "Normal", name: i18next.t("provider:Normal")},
+                              {id: "Normal", name: i18next.t("application:Normal")},
                              {id: "Silent", name: i18next.t("provider:Silent")},
                            ].map((method, index) => <Option key={index} value={method.id}>{method.name}</Option>)
                          }
@@ -880,7 +880,7 @@ class ProviderEditPage extends React.Component {
                    </Row>
                    <Row style={{marginTop: "20px"}} >
                      <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-                        {Setting.getLabel(i18next.t("provider:Scope"), i18next.t("provider:Scope - Tooltip"))}
+                        {Setting.getLabel(i18next.t("provider:Scope"), i18next.t("cert:Scope - Tooltip"))}
                      </Col>
                      <Col span={22} >
                        <Input value={this.state.provider.scopes} onChange={e => {
@@ -1127,7 +1127,7 @@ class ProviderEditPage extends React.Component {
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={2}>
                  {["Casdoor"].includes(this.state.provider.type) ?
-                    Setting.getLabel(i18next.t("general:Provider"), i18next.t("provider:Provider - Tooltip"))
+                    Setting.getLabel(i18next.t("general:Provider"), i18next.t("general:Provider - Tooltip"))
                    : Setting.getLabel(i18next.t("provider:Bucket"), i18next.t("provider:Bucket - Tooltip"))} :
                </Col>
                <Col span={22} >
@@ -1173,7 +1173,7 @@ class ProviderEditPage extends React.Component {
                </Col>
              </Row>
            ) : null}
-            {["AWS S3", "Tencent Cloud COS", "Qiniu Cloud Kodo", "Casdoor", "CUCloud OSS", "MinIO", "CUCloud"].includes(this.state.provider.type) ? (
+            {["AWS S3", "Tencent Cloud COS", "Qiniu Cloud Kodo", "Casdoor", "CUCloud OSS", "MinIO", "CUCloud", "Alibaba Cloud PNVS SMS"].includes(this.state.provider.type) ? (
              <Row style={{marginTop: "20px"}} >
                <Col style={{marginTop: "5px"}} span={2}>
                  {["Casdoor"].includes(this.state.provider.type) ?
@@ -1758,7 +1758,7 @@ class ProviderEditPage extends React.Component {
                    copy(`${authConfig.serverUrl}/api/acs`);
                    Setting.showMessage("success", i18next.t("general:Copied to clipboard successfully"));
                  }}>
-                    {i18next.t("provider:Copy")}
+                    {i18next.t("general:Copy")}
                  </Button>
                </Col>
              </Row>
@@ -1774,7 +1774,7 @@ class ProviderEditPage extends React.Component {
                    copy(`${authConfig.serverUrl}/api/acs`);
                    Setting.showMessage("success", i18next.t("general:Copied to clipboard successfully"));
                  }}>
-                    {i18next.t("provider:Copy")}
+                    {i18next.t("general:Copy")}
                  </Button>
                </Col>
              </Row>
--- a/web/src/ProviderListPage.js
+++ b/web/src/ProviderListPage.js
@@ -158,7 +158,7 @@ class ProviderListPage extends BaseListPage {
        sorter: true,
      },
      {
-        title: i18next.t("provider:Type"),
+        title: i18next.t("general:Type"),
        dataIndex: "type",
        key: "type",
        width: "110px",
@@ -243,7 +243,7 @@ class ProviderListPage extends BaseListPage {
        <Table scroll={{x: "max-content"}} columns={filteredColumns} dataSource={providers} rowKey={(record) => `${record.owner}/${record.name}`} size="middle" bordered pagination={paginationProps}
          title={() => (
            <div>
-              {i18next.t("general:Providers")}&nbsp;&nbsp;&nbsp;&nbsp;
+              {i18next.t("application:Providers")}&nbsp;&nbsp;&nbsp;&nbsp;
              <Button id="add-button" type="primary" size="small" onClick={this.addProvider.bind(this)}>{i18next.t("general:Add")}</Button>
            </div>
          )}
--- a/web/src/ResourceListPage.js
+++ b/web/src/ResourceListPage.js
@@ -189,7 +189,7 @@ class ResourceListPage extends BaseListPage {
      //   sorter: (a, b) => a.fileName.localeCompare(b.fileName),
      // },
      {
-        title: i18next.t("provider:Type"),
+        title: i18next.t("general:Type"),
        dataIndex: "fileType",
        key: "fileType",
        width: "80px",
--- a/web/src/Setting.js
+++ b/web/src/Setting.js
@@ -498,11 +498,11 @@ export const GetTranslatedUserItems = () => {
    {name: "Location", label: i18next.t("user:Location")},
    {name: "Address", label: i18next.t("user:Address")},
    {name: "Affiliation", label: i18next.t("user:Affiliation")},
-    {name: "Title", label: i18next.t("user:Title")},
+    {name: "Title", label: i18next.t("general:Title")},
    {name: "ID card type", label: i18next.t("user:ID card type")},
    {name: "ID card", label: i18next.t("user:ID card")},
    {name: "ID card info", label: i18next.t("user:ID card info")},
-    {name: "Real name", label: i18next.t("user:Real name")},
+    {name: "Real name", label: i18next.t("application:Real name")},
    {name: "ID verification", label: i18next.t("user:ID verification")},
    {name: "Homepage", label: i18next.t("user:Homepage")},
    {name: "Bio", label: i18next.t("user:Bio")},
@@ -514,7 +514,7 @@ export const GetTranslatedUserItems = () => {
    {name: "Balance", label: i18next.t("user:Balance")},
    {name: "Balance currency", label: i18next.t("organization:Balance currency")},
    {name: "Balance credit", label: i18next.t("organization:Balance credit")},
-    {name: "Transactions", label: i18next.t("transaction:Transactions")},
+    {name: "Transactions", label: i18next.t("general:Transactions")},
    {name: "Score", label: i18next.t("user:Score")},
    {name: "Karma", label: i18next.t("user:Karma")},
    {name: "Ranking", label: i18next.t("user:Ranking")},
@@ -531,10 +531,10 @@ export const GetTranslatedUserItems = () => {
    {name: "Is deleted", label: i18next.t("user:Is deleted")},
    {name: "Need update password", label: i18next.t("user:Need update password")},
    {name: "IP whitelist", label: i18next.t("general:IP whitelist")},
-    {name: "Multi-factor authentication", label: i18next.t("user:Multi-factor authentication")},
+    {name: "Multi-factor authentication", label: i18next.t("mfa:Multi-factor authentication")},
    {name: "WebAuthn credentials", label: i18next.t("user:WebAuthn credentials")},
    {name: "Managed accounts", label: i18next.t("user:Managed accounts")},
-    {name: "Face ID", label: i18next.t("user:Face ID")},
+    {name: "Face ID", label: i18next.t("login:Face ID")},
    {name: "MFA accounts", label: i18next.t("user:MFA accounts")},
    {name: "MFA items", label: i18next.t("general:MFA items")},
  ];
@@ -1293,6 +1293,7 @@ export function getProviderTypeOptions(category) {
    return (
      [
        {id: "Aliyun SMS", name: "Alibaba Cloud SMS"},
+        {id: "Alibaba Cloud PNVS SMS", name: "Alibaba Cloud PNVS SMS"},
        {id: "Amazon SNS", name: "Amazon SNS"},
        {id: "Azure ACS", name: "Azure ACS"},
        {id: "Custom HTTP SMS", name: "Custom HTTP SMS"},
@@ -2231,7 +2232,7 @@ export function createFormAndSubmit(url, params) {
 export function getFormTypeOptions() {
  return [
    {id: "users", name: "general:Users"},
-    {id: "providers", name: "general:Providers"},
+    {id: "providers", name: "application:Providers"},
    {id: "applications", name: "general:Applications"},
    {id: "organizations", name: "general:Organizations"},
  ];
@@ -2263,7 +2264,7 @@ export function getFormTypeItems(formType) {
      {name: "createdTime", label: "general:Created time", visible: true, width: "180"},
      {name: "displayName", label: "general:Display name", visible: true, width: "150"},
      {name: "category", label: "provider:Category", visible: true, width: "110"},
-      {name: "type", label: "provider:Type", visible: true, width: "110"},
+      {name: "type", label: "general:Type", visible: true, width: "110"},
      {name: "clientId", label: "provider:Client ID", visible: true, width: "100"},
      {name: "providerUrl", label: "provider:Provider URL", visible: true, width: "150"},
    ];
@@ -2274,7 +2275,7 @@ export function getFormTypeItems(formType) {
      {name: "displayName", label: "general:Display name", visible: true, width: "150"},
      {name: "logo", label: "Logo", visible: true, width: "200"},
      {name: "organization", label: "general:Organization", visible: true, width: "150"},
-      {name: "providers", label: "general:Providers", visible: true, width: "500"},
+      {name: "providers", label: "application:Providers", visible: true, width: "500"},
    ];
  } else if (formType === "organizations") {
    return [
--- a/web/src/SubscriptionEditPage.js
+++ b/web/src/SubscriptionEditPage.js
@@ -287,7 +287,7 @@ class SubscriptionEditPage extends React.Component {
              this.updateSubscriptionField("state", value);
            })}
            options={[
-              {value: "Pending", name: i18next.t("subscription:Pending")},
+              {value: "Pending", name: i18next.t("permission:Pending")},
              {value: "Active", name: i18next.t("subscription:Active")},
              {value: "Upcoming", name: i18next.t("subscription:Upcoming")},
              {value: "Expired", name: i18next.t("subscription:Expired")},
--- a/web/src/SubscriptionListPage.js
+++ b/web/src/SubscriptionListPage.js
@@ -131,14 +131,14 @@ class SubscriptionListPage extends BaseListPage {
        ...this.getColumnSearchProps("displayName"),
      },
      {
-        title: i18next.t("subscription:Period"),
+        title: i18next.t("plan:Period"),
        dataIndex: "period",
        key: "period",
        width: "140px",
        ...this.getColumnSearchProps("period"),
      },
      {
-        title: i18next.t("general:Start time"),
+        title: i18next.t("subscription:Start time"),
        dataIndex: "startTime",
        key: "startTime",
        width: "140px",
@@ -148,7 +148,7 @@ class SubscriptionListPage extends BaseListPage {
        },
      },
      {
-        title: i18next.t("general:End time"),
+        title: i18next.t("subscription:End time"),
        dataIndex: "endTime",
        key: "endTime",
        width: "140px",
@@ -165,7 +165,7 @@ class SubscriptionListPage extends BaseListPage {
        ...this.getColumnSearchProps("plan"),
        render: (text, record, index) => {
          return (
-            <Link to={`/plans/${record.owner}/${text}`}>
+            <Link to={`/plans/${text}`}>
              {text}
            </Link>
          );
@@ -179,7 +179,7 @@ class SubscriptionListPage extends BaseListPage {
        ...this.getColumnSearchProps("user"),
        render: (text, record, index) => {
          return (
-            <Link to={`/users/${record.owner}/${text}`}>
+            <Link to={`/users/${text}`}>
              {text}
            </Link>
          );
@@ -193,7 +193,7 @@ class SubscriptionListPage extends BaseListPage {
        ...this.getColumnSearchProps("payment"),
        render: (text, record, index) => {
          return (
-            <Link to={`/payments/${record.owner}/${text}`}>
+            <Link to={`/payments/${text}`}>
              {text}
            </Link>
          );
@@ -209,7 +209,7 @@ class SubscriptionListPage extends BaseListPage {
        render: (text, record, index) => {
          switch (text) {
          case "Pending":
-            return Setting.getTag("processing", i18next.t("subscription:Pending"), <ExclamationCircleOutlined />);
+            return Setting.getTag("processing", i18next.t("permission:Pending"), <ExclamationCircleOutlined />);
          case "Active":
            return Setting.getTag("success", i18next.t("subscription:Active"), <SyncOutlined spin />);
          case "Upcoming":
--- a/web/src/SyncerEditPage.js
+++ b/web/src/SyncerEditPage.js
@@ -753,7 +753,7 @@ class SyncerEditPage extends React.Component {
        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("provider:Type"), i18next.t("provider:Type - Tooltip"))} :
+            {Setting.getLabel(i18next.t("general:Type"), i18next.t("cert:Type - Tooltip"))} :
          </Col>
          <Col span={22} >
            <Select virtual={false} style={{width: "100%"}} value={this.state.syncer.type} onChange={(value => {
@@ -906,7 +906,7 @@ class SyncerEditPage extends React.Component {
          this.state.syncer.type === "WeCom" || this.state.syncer.type === "Azure AD" || this.state.syncer.type === "Google Workspace" || this.state.syncer.type === "DingTalk" || this.state.syncer.type === "Lark" || this.state.syncer.type === "Okta" || this.state.syncer.type === "SCIM" ? null : (
            <Row style={{marginTop: "20px"}} >
              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-                {Setting.getLabel(this.state.syncer.type === "Active Directory" ? i18next.t("syncer:Base DN") : i18next.t("syncer:Database"), i18next.t("syncer:Database - Tooltip"))} :
+                {Setting.getLabel(this.state.syncer.type === "Active Directory" ? i18next.t("ldap:Base DN") : i18next.t("syncer:Database"), i18next.t("syncer:Database - Tooltip"))} :
              </Col>
              <Col span={22} >
                <Input value={this.state.syncer.database} onChange={e => {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
IsAurora6	f590992f28	feat: update i18n translations (#5021 )	2026-02-09 00:05:08 +08:00
Yang Luo	80f9db0fa2	feat: move captcha provider validation from frontend filter to backend check (#5019 )	2026-02-08 02:16:47 +08:00
Yang Luo	0748661d2a	feat: store OAuth tokens per provider instead of single originalToken field (#5016 )	2026-02-08 01:22:24 +08:00
Yang Luo	83552ed143	feat: fix renderRightDropdown() scrollbar UI bug	2026-02-08 00:45:46 +08:00
Yang Luo	8cb8541f96	feat: add Plan.IsExclusive field for single subscription enforcement (#5004 )	2026-02-07 01:23:22 +08:00
Yang Luo	5b646a726c	fix: fix format issue in DuplicateInfo	2026-02-07 00:51:11 +08:00
Yang Luo	19b9586670	fix: fix broken links for role/plan/user/payment columns (#4999 )	2026-02-07 00:46:36 +08:00
Yang Luo	73f8d19c5f	fix: de-duplicate i18n translation keys in frontend and backend (#4997 )	2026-02-07 00:35:46 +08:00
Yang Luo	04da531df3	fix: sync all i18n strings	2026-02-07 00:18:07 +08:00
Yang Luo	d97558051d	fix: add duplicate key detection tests for i18n JSON files (#4994 )	2026-02-07 00:17:53 +08:00
Yang Luo	ac55355290	fix: deduplicate the i18n strings	2026-02-06 21:42:10 +08:00
Yang Luo	a2da380be4	feat: add organization sync to DingTalk syncer (#4989 )	2026-02-06 20:39:31 +08:00
IsAurora6	ecf8039c5d	feat: Add cart icon to ProductStore/ProductBuy and quantity controls to ProductStore/ProductBuy/CartList. (#4984 )	2026-02-05 23:07:22 +08:00
Yang Luo	0a6948034c	feat: add OAuth 2.0 Token Exchange (RFC 8693) support (#4981 )	2026-02-05 19:12:39 +08:00
Yang Luo	442f8fb19e	feat: fix DeleteSession to handle missing sessions gracefully (#4979 )	2026-02-05 15:41:15 +08:00
Yang Luo	b771add9e3	feat: auto-redirect OAuth signup to callback URL (#4941 )	2026-02-05 15:18:33 +08:00
Yang Luo	df8e9fceea	feat: disable /forget API when "Forgot Password?" signin item is hidden (#4977 )	2026-02-04 23:04:00 +08:00
Yang Luo	d674f0c33d	feat: update Swagger docs	2026-02-03 21:34:38 +08:00
buzaslan129	1e1b5273d9	feat: expose get-all-* Casbin endpoints in Swagger (#4952 )	2026-02-03 21:32:50 +08:00
IsAurora6	cf5e88915c	feat: The order.products display is divided into two parts. Remove the "startTime" and "endTime", and add an updateTime field. (#4968 )	2026-02-03 21:12:27 +08:00
Yang Luo	c8973e6c9e	feat: add Cloud PNVS SMS provider (#4964 )	2026-02-03 02:00:08 +08:00
Yang Luo	87ea451561	feat: support group sync in Google Workspace syncer (#4962 )	2026-02-03 01:58:28 +08:00
Yang Luo	8f32779b42	feat: fix invitation code group assignment for OAuth provider signup (#4961 )	2026-02-03 01:23:36 +08:00
Yang Luo	aba471b4e8	feat: install lsof in ALLINONE Docker image (#4958 )	2026-02-02 23:51:49 +08:00
DacongDA	72b70c3b03	feat: use sqlite DB instead of mariadb for all-in-one Docker image (#4949 )	2026-02-02 00:13:14 +08:00
DacongDA	a1c56894c7	feat: add tabs to user edit page (#4945 )	2026-02-01 14:01:28 +08:00
Yang Luo	a9ae9394c7	feat: add Linux machine login via LDAP with POSIX attributes (#4944 )	2026-01-31 22:37:29 +08:00
Yang Luo	5f0fa5f23e	feat: fix properties field xlsx import issue in user list page (#4943 )	2026-01-31 01:49:36 +08:00
Yang Luo	f99aa047a9	feat: add Org.AccountItems.Tab field to have tabs in user edit page (#4892 )	2026-01-30 21:56:35 +08:00
Yang Luo	1d22b7ebd0	feat: prevent duplicate webhook events from redundant payment notifications (#4936 )	2026-01-30 21:56:09 +08:00
IsAurora6	d147053329	feat: Optimize the display of the products column on the order and payment, adjust the color of the “Add to Cart” button. (#4933 )	2026-01-30 14:03:15 +08:00
IsAurora6	0f8cd92be4	feat: resolve returnUrl redirection failure of UserEditPage (#4931 )	2026-01-29 09:37:47 +08:00
DacongDA	7ea6f1296d	feat: fix i18n/generate.go bug in handling "\" (#4930 )	2026-01-28 23:35:23 +08:00
Yang Luo	db8c649f5e	feat: include payment status in notify-payment webhook payload (#4929 )	2026-01-28 19:59:10 +08:00
DacongDA	a06d003589	feat: make codeChallenge dynamic for custom OAuth provider (#4924 )	2026-01-28 17:56:28 +08:00
Jacob	33298e44d4	feat(ldap-sync): support syncing phone country code and formatting mobile number (#4919 )	2026-01-28 14:09:52 +08:00