Initial plan

authz/authz.go

@@ -69,6 +69,7 @@ p, *, *, GET, /api/get-resources, *, *
 p, *, *, GET, /api/get-records, *, *
 p, *, *, GET, /api/get-product, *, *
 p, *, *, GET, /api/get-products, *, *
+p, *, *, POST, /api/buy-product, *, *
 p, *, *, GET, /api/get-order, *, *
 p, *, *, GET, /api/get-orders, *, *
 p, *, *, GET, /api/get-user-orders, *, *

controllers/product.go

@@ -16,6 +16,8 @@ package controllers
 
 import (
 	"encoding/json"
+	"fmt"
+	"strconv"
 
 	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@@ -149,3 +151,78 @@ func (c *ApiController) DeleteProduct() {
 	c.Data["json"] = wrapActionResponse(object.DeleteProduct(&product))
 	c.ServeJSON()
 }
+
+// BuyProduct
+// @Title BuyProduct (Deprecated)
+// @Tag Product API
+// @Description buy product using the deprecated compatibility endpoint, prefer place-order plus pay-order for new integrations
+// @Param   id             query    string  true   "The id ( owner/name ) of the product"
+// @Param   providerName   query    string  true   "The name of the provider"
+// @Param   pricingName    query    string  false  "The name of the pricing (for subscription)"
+// @Param   planName       query    string  false  "The name of the plan (for subscription)"
+// @Param   userName       query    string  false  "The username to buy product for (admin only)"
+// @Param   paymentEnv     query    string  false  "The payment environment"
+// @Param   customPrice    query    number  false  "Custom price for recharge products"
+// @Success 200 {object} controllers.Response The Response object
+// @router /buy-product [post]
+func (c *ApiController) BuyProduct() {
+	id := c.Ctx.Input.Query("id")
+	host := c.Ctx.Request.Host
+	providerName := c.Ctx.Input.Query("providerName")
+	paymentEnv := c.Ctx.Input.Query("paymentEnv")
+	customPriceStr := c.Ctx.Input.Query("customPrice")
+	if customPriceStr == "" {
+		customPriceStr = "0"
+	}
+
+	customPrice, err := strconv.ParseFloat(customPriceStr, 64)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	pricingName := c.Ctx.Input.Query("pricingName")
+	planName := c.Ctx.Input.Query("planName")
+	paidUserName := c.Ctx.Input.Query("userName")
+
+	owner, _, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	var userId string
+	if paidUserName != "" {
+		userId = util.GetId(owner, paidUserName)
+		if userId != c.GetSessionUsername() && !c.IsAdmin() && userId != c.GetPaidUsername() {
+			c.ResponseError(c.T("general:Only admin user can specify user"))
+			return
+		}
+
+		c.SetSession("paidUsername", "")
+	} else {
+		userId = c.GetSessionUsername()
+	}
+	if userId == "" {
+		c.ResponseError(c.T("general:Please login first"))
+		return
+	}
+
+	user, err := object.GetUser(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if user == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
+		return
+	}
+
+	payment, attachInfo, err := object.BuyProduct(id, user, providerName, pricingName, planName, host, paymentEnv, customPrice, c.GetAcceptLanguage())
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(payment, attachInfo)
+}

controllers/server.go

@@ -110,6 +110,30 @@ func (c *ApiController) UpdateServer() {
 	c.ServeJSON()
 }
 
+// SyncMcpTool
+// @Title SyncMcpTool
+// @Tag Server API
+// @Description sync MCP tools for a server and return sync errors directly
+// @Param   id     query    string  true        "The id ( owner/name ) of the server"
+// @Param   isCleared  query    bool    false       "Whether to clear all tools instead of syncing"
+// @Param   body    body   object.Server  true        "The details of the server"
+// @Success 200 {object} controllers.Response The Response object
+// @router /sync-mcp-tool [post]
+func (c *ApiController) SyncMcpTool() {
+	id := c.Ctx.Input.Query("id")
+	isCleared := c.Ctx.Input.Query("isCleared") == "1"
+
+	var server object.Server
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &server)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.SyncMcpTool(id, &server, isCleared))
+	c.ServeJSON()
+}
+
 // AddServer
 // @Title AddServer
 // @Tag Server API

controllers/server_online.go

@@ -21,7 +21,7 @@ import (
 	"time"
 )
 
-const onlineServerListUrl = "https://remotemcplist.com/api/servers.json"
+const onlineServerListUrl = "https://mcp.casdoor.org/registry.json"
 
 // GetOnlineServers
 // @Title GetOnlineServers

object/application.go

@@ -17,8 +17,6 @@ package object
 import (
 	"errors"
 	"fmt"
-	"regexp"
-	"strings"
 
 	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/util"
@@ -96,6 +94,7 @@ type Application struct {
 	HeaderHtml                   string          `xorm:"mediumtext" json:"headerHtml"`
 	EnablePassword               bool            `json:"enablePassword"`
 	EnableSignUp                 bool            `json:"enableSignUp"`
+	EnableGuestSignin            bool            `json:"enableGuestSignin"`
 	DisableSignin                bool            `json:"disableSignin"`
 	EnableSigninSession          bool            `json:"enableSigninSession"`
 	EnableAutoSignin             bool            `json:"enableAutoSignin"`
@@ -221,192 +220,6 @@ func GetPaginationOrganizationApplications(owner, organization string, offset, l
 	return applications, nil
 }
 
-func getProviderMap(owner string) (m map[string]*Provider, err error) {
-	providers, err := GetProviders(owner)
-	if err != nil {
-		return nil, err
-	}
-
-	m = map[string]*Provider{}
-	for _, provider := range providers {
-		m[provider.Name] = GetMaskedProvider(provider, true)
-	}
-
-	return m, err
-}
-
-func extendApplicationWithProviders(application *Application) (err error) {
-	m, err := getProviderMap(application.Organization)
-	if err != nil {
-		return err
-	}
-
-	for _, providerItem := range application.Providers {
-		if provider, ok := m[providerItem.Name]; ok {
-			providerItem.Provider = provider
-		}
-	}
-
-	return
-}
-
-func extendApplicationWithOrg(application *Application) (err error) {
-	organization, err := getOrganization(application.Owner, application.Organization)
-	application.OrganizationObj = organization
-	return
-}
-
-func extendApplicationWithSigninItems(application *Application) (err error) {
-	if len(application.SigninItems) == 0 {
-		signinItem := &SigninItem{
-			Name:        "Back button",
-			Visible:     true,
-			CustomCss:   ".back-button {\n      top: 65px;\n      left: 15px;\n      position: absolute;\n}\n.back-inner-button{}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Languages",
-			Visible:     true,
-			CustomCss:   ".login-languages {\n    top: 55px;\n    right: 5px;\n    position: absolute;\n}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Logo",
-			Visible:     true,
-			CustomCss:   ".login-logo-box {}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Signin methods",
-			Visible:     true,
-			CustomCss:   ".signin-methods {}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Username",
-			Visible:     true,
-			CustomCss:   ".login-username {}\n.login-username-input{}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Password",
-			Visible:     true,
-			CustomCss:   ".login-password {}\n.login-password-input{}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Verification code",
-			Visible:     true,
-			CustomCss:   ".verification-code {}\n.verification-code-input{}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Agreement",
-			Visible:     true,
-			CustomCss:   ".login-agreement {}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Forgot password?",
-			Visible:     true,
-			CustomCss:   ".login-forget-password {\n    display: inline-flex;\n    justify-content: space-between;\n    width: 320px;\n    margin-bottom: 25px;\n}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Login button",
-			Visible:     true,
-			CustomCss:   ".login-button-box {\n    margin-bottom: 5px;\n}\n.login-button {\n    width: 100%;\n}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Signup link",
-			Visible:     true,
-			CustomCss:   ".login-signup-link {\n    margin-bottom: 24px;\n    display: flex;\n    justify-content: end;\n}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Providers",
-			Visible:     true,
-			CustomCss:   ".provider-img {\n      width: 30px;\n      margin: 5px;\n}\n.provider-big-img {\n      margin-bottom: 10px;\n}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-	}
-	for idx, item := range application.SigninItems {
-		if item.Label != "" && item.CustomCss == "" {
-			application.SigninItems[idx].CustomCss = item.Label
-			application.SigninItems[idx].Label = ""
-		}
-	}
-	return
-}
-
-func extendApplicationWithSigninMethods(application *Application) (err error) {
-	if len(application.SigninMethods) == 0 {
-		if application.EnablePassword {
-			signinMethod := &SigninMethod{Name: "Password", DisplayName: "Password", Rule: "All"}
-			application.SigninMethods = append(application.SigninMethods, signinMethod)
-		}
-		if application.EnableCodeSignin {
-			signinMethod := &SigninMethod{Name: "Verification code", DisplayName: "Verification code", Rule: "All"}
-			application.SigninMethods = append(application.SigninMethods, signinMethod)
-		}
-		if application.EnableWebAuthn {
-			signinMethod := &SigninMethod{Name: "WebAuthn", DisplayName: "WebAuthn", Rule: "None"}
-			application.SigninMethods = append(application.SigninMethods, signinMethod)
-		}
-
-		signinMethod := &SigninMethod{Name: "Face ID", DisplayName: "Face ID", Rule: "None"}
-		application.SigninMethods = append(application.SigninMethods, signinMethod)
-	}
-
-	if len(application.SigninMethods) == 0 {
-		signinMethod := &SigninMethod{Name: "Password", DisplayName: "Password", Rule: "All"}
-		application.SigninMethods = append(application.SigninMethods, signinMethod)
-	}
-
-	return
-}
-
-func extendApplicationWithSignupItems(application *Application) (err error) {
-	if len(application.SignupItems) == 0 {
-		application.SignupItems = []*SignupItem{
-			{Name: "ID", Visible: false, Required: true, Prompted: false, Rule: "Random"},
-			{Name: "Username", Visible: true, Required: true, Prompted: false, Rule: "None"},
-			{Name: "Display name", Visible: true, Required: true, Prompted: false, Rule: "None"},
-			{Name: "Password", Visible: true, Required: true, Prompted: false, Rule: "None"},
-			{Name: "Confirm password", Visible: true, Required: true, Prompted: false, Rule: "None"},
-			{Name: "Email", Visible: true, Required: true, Prompted: false, Rule: "None"},
-			{Name: "Phone", Visible: true, Required: true, Prompted: false, Rule: "None"},
-			{Name: "Agreement", Visible: true, Required: true, Prompted: false, Rule: "None"},
-		}
-	}
-	return
-}
-
 func getApplication(owner string, name string) (*Application, error) {
 	if owner == "" || name == "" {
 		return nil, nil
@@ -559,155 +372,6 @@ func GetApplication(id string) (*Application, error) {
 	return getApplication(owner, name)
 }
 
-func GetMaskedApplication(application *Application, userId string) *Application {
-	if application == nil {
-		return nil
-	}
-
-	if application.TokenFields == nil {
-		application.TokenFields = []string{}
-	}
-
-	if application.FailedSigninLimit == 0 {
-		application.FailedSigninLimit = DefaultFailedSigninLimit
-	}
-	if application.FailedSigninFrozenTime == 0 {
-		application.FailedSigninFrozenTime = DefaultFailedSigninFrozenTime
-	}
-
-	isOrgUser := false
-	if userId != "" {
-		if isUserIdGlobalAdmin(userId) {
-			return application
-		}
-
-		user, err := GetUser(userId)
-		if err != nil {
-			panic(err)
-		}
-		if user != nil {
-			if user.IsApplicationAdmin(application) {
-				return application
-			}
-
-			if user.Owner == application.Organization {
-				isOrgUser = true
-			}
-		}
-	}
-
-	application.ClientSecret = "***"
-	application.Cert = "***"
-	application.EnablePassword = false
-	application.EnableSigninSession = false
-	application.EnableCodeSignin = false
-	application.EnableSamlCompress = false
-	application.EnableSamlC14n10 = false
-	application.EnableSamlPostBinding = false
-	application.DisableSamlAttributes = false
-	application.EnableWebAuthn = false
-	application.EnableLinkWithEmail = false
-	application.SamlReplyUrl = "***"
-
-	providerItems := []*ProviderItem{}
-	for _, providerItem := range application.Providers {
-		if providerItem.Provider != nil && (providerItem.Provider.Category == "OAuth" || providerItem.Provider.Category == "Web3" || providerItem.Provider.Category == "Captcha" || providerItem.Provider.Category == "SAML" || providerItem.Provider.Category == "Face ID") {
-			providerItems = append(providerItems, providerItem)
-		}
-	}
-	application.Providers = providerItems
-
-	application.GrantTypes = []string{}
-	application.RedirectUris = []string{}
-	application.TokenFormat = "***"
-	application.TokenFields = []string{}
-	application.ExpireInHours = -1
-	application.RefreshExpireInHours = -1
-	application.FailedSigninLimit = -1
-	application.FailedSigninFrozenTime = -1
-
-	if application.OrganizationObj != nil {
-		application.OrganizationObj.MasterPassword = "***"
-		application.OrganizationObj.DefaultPassword = "***"
-		application.OrganizationObj.MasterVerificationCode = "***"
-		application.OrganizationObj.PasswordType = "***"
-		application.OrganizationObj.PasswordSalt = "***"
-		application.OrganizationObj.InitScore = -1
-		application.OrganizationObj.EnableSoftDeletion = false
-
-		if !isOrgUser {
-			application.OrganizationObj.MfaItems = nil
-			if !application.OrganizationObj.IsProfilePublic {
-				application.OrganizationObj.AccountItems = nil
-			}
-		}
-	}
-
-	return application
-}
-
-func GetMaskedApplications(applications []*Application, userId string) []*Application {
-	if isUserIdGlobalAdmin(userId) {
-		return applications
-	}
-
-	for _, application := range applications {
-		application = GetMaskedApplication(application, userId)
-	}
-	return applications
-}
-
-func GetAllowedApplications(applications []*Application, userId string, lang string) ([]*Application, error) {
-	if userId == "" {
-		return nil, errors.New(i18n.Translate(lang, "auth:Unauthorized operation"))
-	}
-
-	if isUserIdGlobalAdmin(userId) {
-		return applications, nil
-	}
-
-	user, err := GetUser(userId)
-	if err != nil {
-		return nil, err
-	}
-	if user == nil {
-		return nil, errors.New(i18n.Translate(lang, "auth:Unauthorized operation"))
-	}
-
-	if user.IsAdmin {
-		return applications, nil
-	}
-
-	res := []*Application{}
-	for _, application := range applications {
-		var allowed bool
-		allowed, err = CheckLoginPermission(userId, application)
-		if err != nil {
-			return nil, err
-		}
-
-		if allowed {
-			res = append(res, application)
-		}
-	}
-	return res, nil
-}
-
-func checkMultipleCaptchaProviders(application *Application, lang string) error {
-	var captchaProviders []string
-	for _, providerItem := range application.Providers {
-		if providerItem.Provider != nil && providerItem.Provider.Category == "Captcha" {
-			captchaProviders = append(captchaProviders, providerItem.Name)
-		}
-	}
-
-	if len(captchaProviders) > 1 {
-		return fmt.Errorf(i18n.Translate(lang, "general:Multiple captcha providers are not allowed in the same application: %s"), strings.Join(captchaProviders, ", "))
-	}
-
-	return nil
-}
-
 func UpdateApplication(id string, application *Application, isGlobalAdmin bool, lang string) (bool, error) {
 	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
 	if err != nil {
@@ -844,205 +508,3 @@ func DeleteApplication(application *Application) (bool, error) {
 
 	return deleteApplication(application)
 }
-
-func (application *Application) GetId() string {
-	return fmt.Sprintf("%s/%s", application.Owner, application.Name)
-}
-
-func (application *Application) IsRedirectUriValid(redirectUri string) bool {
-	isValid, err := util.IsValidOrigin(redirectUri)
-	if err != nil {
-		panic(err)
-	}
-	if isValid {
-		return true
-	}
-
-	for _, targetUri := range application.RedirectUris {
-		if targetUri == "" {
-			continue
-		}
-		targetUriRegex := regexp.MustCompile(targetUri)
-		if targetUriRegex.MatchString(redirectUri) || strings.Contains(redirectUri, targetUri) {
-			return true
-		}
-	}
-	return false
-}
-
-func (application *Application) IsPasswordEnabled() bool {
-	if len(application.SigninMethods) == 0 {
-		return application.EnablePassword
-	} else {
-		for _, signinMethod := range application.SigninMethods {
-			if signinMethod.Name == "Password" {
-				return true
-			}
-		}
-		return false
-	}
-}
-
-func (application *Application) IsPasswordWithLdapEnabled() bool {
-	if len(application.SigninMethods) == 0 {
-		return application.EnablePassword
-	} else {
-		for _, signinMethod := range application.SigninMethods {
-			if signinMethod.Name == "Password" && signinMethod.Rule == "All" {
-				return true
-			}
-		}
-		return false
-	}
-}
-
-func (application *Application) IsCodeSigninViaEmailEnabled() bool {
-	if len(application.SigninMethods) == 0 {
-		return application.EnableCodeSignin
-	} else {
-		for _, signinMethod := range application.SigninMethods {
-			if signinMethod.Name == "Verification code" && signinMethod.Rule != "Phone only" {
-				return true
-			}
-		}
-		return false
-	}
-}
-
-func (application *Application) IsCodeSigninViaSmsEnabled() bool {
-	if len(application.SigninMethods) == 0 {
-		return application.EnableCodeSignin
-	} else {
-		for _, signinMethod := range application.SigninMethods {
-			if signinMethod.Name == "Verification code" && signinMethod.Rule != "Email only" {
-				return true
-			}
-		}
-		return false
-	}
-}
-
-func (application *Application) IsLdapEnabled() bool {
-	if len(application.SigninMethods) > 0 {
-		for _, signinMethod := range application.SigninMethods {
-			if signinMethod.Name == "LDAP" {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-func (application *Application) IsFaceIdEnabled() bool {
-	if len(application.SigninMethods) > 0 {
-		for _, signinMethod := range application.SigninMethods {
-			if signinMethod.Name == "Face ID" {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-func IsOriginAllowed(origin string) (bool, error) {
-	applications, err := GetApplications("")
-	if err != nil {
-		return false, err
-	}
-
-	for _, application := range applications {
-		if application.IsRedirectUriValid(origin) {
-			return true, nil
-		}
-	}
-	return false, nil
-}
-
-func getApplicationMap(organization string) (map[string]*Application, error) {
-	applicationMap := make(map[string]*Application)
-	applications, err := GetOrganizationApplications("admin", organization)
-	if err != nil {
-		return applicationMap, err
-	}
-
-	for _, application := range applications {
-		applicationMap[application.Name] = application
-	}
-
-	return applicationMap, nil
-}
-
-func ExtendManagedAccountsWithUser(user *User) (*User, error) {
-	if user.ManagedAccounts == nil || len(user.ManagedAccounts) == 0 {
-		return user, nil
-	}
-
-	applicationMap, err := getApplicationMap(user.Owner)
-	if err != nil {
-		return user, err
-	}
-
-	var managedAccounts []ManagedAccount
-	for _, managedAccount := range user.ManagedAccounts {
-		application := applicationMap[managedAccount.Application]
-		if application != nil {
-			managedAccount.SigninUrl = application.SigninUrl
-			managedAccounts = append(managedAccounts, managedAccount)
-		}
-	}
-	user.ManagedAccounts = managedAccounts
-
-	return user, nil
-}
-
-func applicationChangeTrigger(oldName string, newName string) error {
-	session := ormer.Engine.NewSession()
-	defer session.Close()
-
-	err := session.Begin()
-	if err != nil {
-		return err
-	}
-
-	organization := new(Organization)
-	organization.DefaultApplication = newName
-	_, err = session.Where("default_application=?", oldName).Update(organization)
-	if err != nil {
-		return err
-	}
-
-	user := new(User)
-	user.SignupApplication = newName
-	_, err = session.Where("signup_application=?", oldName).Update(user)
-	if err != nil {
-		return err
-	}
-
-	resource := new(Resource)
-	resource.Application = newName
-	_, err = session.Where("application=?", oldName).Update(resource)
-	if err != nil {
-		return err
-	}
-
-	var permissions []*Permission
-	err = ormer.Engine.Find(&permissions)
-	if err != nil {
-		return err
-	}
-	for i := 0; i < len(permissions); i++ {
-		permissionResoureces := permissions[i].Resources
-		for j := 0; j < len(permissionResoureces); j++ {
-			if permissionResoureces[j] == oldName {
-				permissionResoureces[j] = newName
-			}
-		}
-		permissions[i].Resources = permissionResoureces
-		_, err = session.Where("owner=?", permissions[i].Owner).Where("name=?", permissions[i].Name).Update(permissions[i])
-		if err != nil {
-			return err
-		}
-	}
-
-	return session.Commit()
-}

object/application_util.go

@@ -0,0 +1,615 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"errors"
+	"fmt"
+	"net/url"
+	"regexp"
+	"strings"
+
+	"github.com/casdoor/casdoor/i18n"
+	"github.com/casdoor/casdoor/util"
+)
+
+func getProviderMap(owner string) (m map[string]*Provider, err error) {
+	providers, err := GetProviders(owner)
+	if err != nil {
+		return nil, err
+	}
+
+	m = map[string]*Provider{}
+	for _, provider := range providers {
+		m[provider.Name] = GetMaskedProvider(provider, true)
+	}
+
+	return m, err
+}
+
+func extendApplicationWithProviders(application *Application) (err error) {
+	m, err := getProviderMap(application.Organization)
+	if err != nil {
+		return err
+	}
+
+	for _, providerItem := range application.Providers {
+		if provider, ok := m[providerItem.Name]; ok {
+			providerItem.Provider = provider
+		}
+	}
+
+	return
+}
+
+func extendApplicationWithOrg(application *Application) (err error) {
+	organization, err := getOrganization(application.Owner, application.Organization)
+	application.OrganizationObj = organization
+	return
+}
+
+func extendApplicationWithSigninItems(application *Application) (err error) {
+	if len(application.SigninItems) == 0 {
+		signinItem := &SigninItem{
+			Name:        "Back button",
+			Visible:     true,
+			CustomCss:   ".back-button {\n      top: 65px;\n      left: 15px;\n      position: absolute;\n}\n.back-inner-button{}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Languages",
+			Visible:     true,
+			CustomCss:   ".login-languages {\n    top: 55px;\n    right: 5px;\n    position: absolute;\n}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Logo",
+			Visible:     true,
+			CustomCss:   ".login-logo-box {}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Signin methods",
+			Visible:     true,
+			CustomCss:   ".signin-methods {}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Username",
+			Visible:     true,
+			CustomCss:   ".login-username {}\n.login-username-input{}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Password",
+			Visible:     true,
+			CustomCss:   ".login-password {}\n.login-password-input{}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Verification code",
+			Visible:     true,
+			CustomCss:   ".verification-code {}\n.verification-code-input{}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Agreement",
+			Visible:     true,
+			CustomCss:   ".login-agreement {}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Forgot password?",
+			Visible:     true,
+			CustomCss:   ".login-forget-password {\n    display: inline-flex;\n    justify-content: space-between;\n    width: 320px;\n    margin-bottom: 25px;\n}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Login button",
+			Visible:     true,
+			CustomCss:   ".login-button-box {\n    margin-bottom: 5px;\n}\n.login-button {\n    width: 100%;\n}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Signup link",
+			Visible:     true,
+			CustomCss:   ".login-signup-link {\n    margin-bottom: 24px;\n    display: flex;\n    justify-content: end;\n}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Providers",
+			Visible:     true,
+			CustomCss:   ".provider-img {\n      width: 30px;\n      margin: 5px;\n}\n.provider-big-img {\n      margin-bottom: 10px;\n}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+	}
+	for idx, item := range application.SigninItems {
+		if item.Label != "" && item.CustomCss == "" {
+			application.SigninItems[idx].CustomCss = item.Label
+			application.SigninItems[idx].Label = ""
+		}
+	}
+	return
+}
+
+func extendApplicationWithSigninMethods(application *Application) (err error) {
+	if len(application.SigninMethods) == 0 {
+		if application.EnablePassword {
+			signinMethod := &SigninMethod{Name: "Password", DisplayName: "Password", Rule: "All"}
+			application.SigninMethods = append(application.SigninMethods, signinMethod)
+		}
+		if application.EnableCodeSignin {
+			signinMethod := &SigninMethod{Name: "Verification code", DisplayName: "Verification code", Rule: "All"}
+			application.SigninMethods = append(application.SigninMethods, signinMethod)
+		}
+		if application.EnableWebAuthn {
+			signinMethod := &SigninMethod{Name: "WebAuthn", DisplayName: "WebAuthn", Rule: "None"}
+			application.SigninMethods = append(application.SigninMethods, signinMethod)
+		}
+
+		signinMethod := &SigninMethod{Name: "Face ID", DisplayName: "Face ID", Rule: "None"}
+		application.SigninMethods = append(application.SigninMethods, signinMethod)
+	}
+
+	if len(application.SigninMethods) == 0 {
+		signinMethod := &SigninMethod{Name: "Password", DisplayName: "Password", Rule: "All"}
+		application.SigninMethods = append(application.SigninMethods, signinMethod)
+	}
+
+	return
+}
+
+func extendApplicationWithSignupItems(application *Application) (err error) {
+	if len(application.SignupItems) == 0 {
+		application.SignupItems = []*SignupItem{
+			{Name: "ID", Visible: false, Required: true, Prompted: false, Rule: "Random"},
+			{Name: "Username", Visible: true, Required: true, Prompted: false, Rule: "None"},
+			{Name: "Display name", Visible: true, Required: true, Prompted: false, Rule: "None"},
+			{Name: "Password", Visible: true, Required: true, Prompted: false, Rule: "None"},
+			{Name: "Confirm password", Visible: true, Required: true, Prompted: false, Rule: "None"},
+			{Name: "Email", Visible: true, Required: true, Prompted: false, Rule: "None"},
+			{Name: "Phone", Visible: true, Required: true, Prompted: false, Rule: "None"},
+			{Name: "Agreement", Visible: true, Required: true, Prompted: false, Rule: "None"},
+		}
+	}
+	return
+}
+
+func GetMaskedApplication(application *Application, userId string) *Application {
+	if application == nil {
+		return nil
+	}
+
+	if application.TokenFields == nil {
+		application.TokenFields = []string{}
+	}
+
+	if application.FailedSigninLimit == 0 {
+		application.FailedSigninLimit = DefaultFailedSigninLimit
+	}
+	if application.FailedSigninFrozenTime == 0 {
+		application.FailedSigninFrozenTime = DefaultFailedSigninFrozenTime
+	}
+
+	isOrgUser := false
+	if userId != "" {
+		if isUserIdGlobalAdmin(userId) {
+			return application
+		}
+
+		user, err := GetUser(userId)
+		if err != nil {
+			panic(err)
+		}
+		if user != nil {
+			if user.IsApplicationAdmin(application) {
+				return application
+			}
+
+			if user.Owner == application.Organization {
+				isOrgUser = true
+			}
+		}
+	}
+
+	application.ClientSecret = "***"
+	application.Cert = "***"
+	application.EnablePassword = false
+	application.EnableSigninSession = false
+	application.EnableCodeSignin = false
+	application.EnableSamlCompress = false
+	application.EnableSamlC14n10 = false
+	application.EnableSamlPostBinding = false
+	application.DisableSamlAttributes = false
+	application.EnableWebAuthn = false
+	application.EnableLinkWithEmail = false
+	application.SamlReplyUrl = "***"
+
+	providerItems := []*ProviderItem{}
+	for _, providerItem := range application.Providers {
+		if providerItem.Provider != nil && (providerItem.Provider.Category == "OAuth" || providerItem.Provider.Category == "Web3" || providerItem.Provider.Category == "Captcha" || providerItem.Provider.Category == "SAML" || providerItem.Provider.Category == "Face ID") {
+			providerItems = append(providerItems, providerItem)
+		}
+	}
+	application.Providers = providerItems
+
+	application.GrantTypes = []string{}
+	application.RedirectUris = []string{}
+	application.TokenFormat = "***"
+	application.TokenFields = []string{}
+	application.ExpireInHours = -1
+	application.RefreshExpireInHours = -1
+	application.FailedSigninLimit = -1
+	application.FailedSigninFrozenTime = -1
+
+	if application.OrganizationObj != nil {
+		application.OrganizationObj.MasterPassword = "***"
+		application.OrganizationObj.DefaultPassword = "***"
+		application.OrganizationObj.MasterVerificationCode = "***"
+		application.OrganizationObj.PasswordType = "***"
+		application.OrganizationObj.PasswordSalt = "***"
+		application.OrganizationObj.InitScore = -1
+		application.OrganizationObj.EnableSoftDeletion = false
+
+		if !isOrgUser {
+			application.OrganizationObj.MfaItems = nil
+			if !application.OrganizationObj.IsProfilePublic {
+				application.OrganizationObj.AccountItems = nil
+			}
+		}
+	}
+
+	return application
+}
+
+func GetMaskedApplications(applications []*Application, userId string) []*Application {
+	if isUserIdGlobalAdmin(userId) {
+		return applications
+	}
+
+	for _, application := range applications {
+		application = GetMaskedApplication(application, userId)
+	}
+	return applications
+}
+
+func GetAllowedApplications(applications []*Application, userId string, lang string) ([]*Application, error) {
+	if userId == "" {
+		return nil, errors.New(i18n.Translate(lang, "auth:Unauthorized operation"))
+	}
+
+	if isUserIdGlobalAdmin(userId) {
+		return applications, nil
+	}
+
+	user, err := GetUser(userId)
+	if err != nil {
+		return nil, err
+	}
+	if user == nil {
+		return nil, errors.New(i18n.Translate(lang, "auth:Unauthorized operation"))
+	}
+
+	if user.IsAdmin {
+		return applications, nil
+	}
+
+	res := []*Application{}
+	for _, application := range applications {
+		var allowed bool
+		allowed, err = CheckLoginPermission(userId, application)
+		if err != nil {
+			return nil, err
+		}
+
+		if allowed {
+			res = append(res, application)
+		}
+	}
+	return res, nil
+}
+
+func checkMultipleCaptchaProviders(application *Application, lang string) error {
+	var captchaProviders []string
+	for _, providerItem := range application.Providers {
+		if providerItem.Provider != nil && providerItem.Provider.Category == "Captcha" {
+			captchaProviders = append(captchaProviders, providerItem.Name)
+		}
+	}
+
+	if len(captchaProviders) > 1 {
+		return fmt.Errorf(i18n.Translate(lang, "general:Multiple captcha providers are not allowed in the same application: %s"), strings.Join(captchaProviders, ", "))
+	}
+
+	return nil
+}
+
+func (application *Application) GetId() string {
+	return fmt.Sprintf("%s/%s", application.Owner, application.Name)
+}
+
+func (application *Application) IsRedirectUriValid(redirectUri string) bool {
+	isValid, err := util.IsValidOrigin(redirectUri)
+	if err != nil {
+		panic(err)
+	}
+	if isValid {
+		return true
+	}
+
+	for _, targetUri := range application.RedirectUris {
+		if redirectUriMatchesPattern(redirectUri, targetUri) {
+			return true
+		}
+	}
+	return false
+}
+
+func redirectUriMatchesPattern(redirectUri, targetUri string) bool {
+	if targetUri == "" {
+		return false
+	}
+	if redirectUri == targetUri {
+		return true
+	}
+
+	redirectUriObj, err := url.Parse(redirectUri)
+	if err != nil || redirectUriObj.Host == "" {
+		return false
+	}
+
+	targetUriObj, err := url.Parse(targetUri)
+	if err == nil && targetUriObj.Host != "" {
+		return redirectUriMatchesTarget(redirectUriObj, targetUriObj)
+	}
+
+	withScheme, parseErr := url.Parse("https://" + targetUri)
+	if parseErr == nil && withScheme.Host != "" {
+		redirectHost := redirectUriObj.Hostname()
+		targetHost := withScheme.Hostname()
+		var hostMatches bool
+		if strings.HasPrefix(targetHost, ".") {
+			hostMatches = strings.HasSuffix(redirectHost, targetHost)
+		} else {
+			hostMatches = redirectHost == targetHost || strings.HasSuffix(redirectHost, "."+targetHost)
+		}
+		schemeOk := redirectUriObj.Scheme == "http" || redirectUriObj.Scheme == "https"
+		pathMatches := withScheme.Path == "" || withScheme.Path == "/" || redirectUriObj.Path == withScheme.Path
+		return schemeOk && hostMatches && pathMatches
+	}
+
+	anchoredPattern := "^(?:" + targetUri + ")$"
+	targetUriRegex, err := regexp.Compile(anchoredPattern)
+	return err == nil && targetUriRegex.MatchString(redirectUri)
+}
+
+func redirectUriMatchesTarget(redirectUri, targetUri *url.URL) bool {
+	if redirectUri.Scheme != targetUri.Scheme {
+		return false
+	}
+	if redirectUri.Port() != targetUri.Port() {
+		return false
+	}
+	redirectHost := redirectUri.Hostname()
+	targetHost := targetUri.Hostname()
+	if redirectHost != targetHost && !strings.HasSuffix(redirectHost, "."+targetHost) {
+		return false
+	}
+	if redirectUri.Path != targetUri.Path {
+		return false
+	}
+	return true
+}
+
+func (application *Application) IsPasswordEnabled() bool {
+	if len(application.SigninMethods) == 0 {
+		return application.EnablePassword
+	} else {
+		for _, signinMethod := range application.SigninMethods {
+			if signinMethod.Name == "Password" {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+func (application *Application) IsPasswordWithLdapEnabled() bool {
+	if len(application.SigninMethods) == 0 {
+		return application.EnablePassword
+	} else {
+		for _, signinMethod := range application.SigninMethods {
+			if signinMethod.Name == "Password" && signinMethod.Rule == "All" {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+func (application *Application) IsCodeSigninViaEmailEnabled() bool {
+	if len(application.SigninMethods) == 0 {
+		return application.EnableCodeSignin
+	} else {
+		for _, signinMethod := range application.SigninMethods {
+			if signinMethod.Name == "Verification code" && signinMethod.Rule != "Phone only" {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+func (application *Application) IsCodeSigninViaSmsEnabled() bool {
+	if len(application.SigninMethods) == 0 {
+		return application.EnableCodeSignin
+	} else {
+		for _, signinMethod := range application.SigninMethods {
+			if signinMethod.Name == "Verification code" && signinMethod.Rule != "Email only" {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+func (application *Application) IsLdapEnabled() bool {
+	if len(application.SigninMethods) > 0 {
+		for _, signinMethod := range application.SigninMethods {
+			if signinMethod.Name == "LDAP" {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func (application *Application) IsFaceIdEnabled() bool {
+	if len(application.SigninMethods) > 0 {
+		for _, signinMethod := range application.SigninMethods {
+			if signinMethod.Name == "Face ID" {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func IsOriginAllowed(origin string) (bool, error) {
+	applications, err := GetApplications("")
+	if err != nil {
+		return false, err
+	}
+
+	for _, application := range applications {
+		if application.IsRedirectUriValid(origin) {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func getApplicationMap(organization string) (map[string]*Application, error) {
+	applicationMap := make(map[string]*Application)
+	applications, err := GetOrganizationApplications("admin", organization)
+	if err != nil {
+		return applicationMap, err
+	}
+
+	for _, application := range applications {
+		applicationMap[application.Name] = application
+	}
+
+	return applicationMap, nil
+}
+
+func ExtendManagedAccountsWithUser(user *User) (*User, error) {
+	if user.ManagedAccounts == nil || len(user.ManagedAccounts) == 0 {
+		return user, nil
+	}
+
+	applicationMap, err := getApplicationMap(user.Owner)
+	if err != nil {
+		return user, err
+	}
+
+	var managedAccounts []ManagedAccount
+	for _, managedAccount := range user.ManagedAccounts {
+		application := applicationMap[managedAccount.Application]
+		if application != nil {
+			managedAccount.SigninUrl = application.SigninUrl
+			managedAccounts = append(managedAccounts, managedAccount)
+		}
+	}
+	user.ManagedAccounts = managedAccounts
+
+	return user, nil
+}
+
+func applicationChangeTrigger(oldName string, newName string) error {
+	session := ormer.Engine.NewSession()
+	defer session.Close()
+
+	err := session.Begin()
+	if err != nil {
+		return err
+	}
+
+	organization := new(Organization)
+	organization.DefaultApplication = newName
+	_, err = session.Where("default_application=?", oldName).Update(organization)
+	if err != nil {
+		return err
+	}
+
+	user := new(User)
+	user.SignupApplication = newName
+	_, err = session.Where("signup_application=?", oldName).Update(user)
+	if err != nil {
+		return err
+	}
+
+	resource := new(Resource)
+	resource.Application = newName
+	_, err = session.Where("application=?", oldName).Update(resource)
+	if err != nil {
+		return err
+	}
+
+	var permissions []*Permission
+	err = ormer.Engine.Find(&permissions)
+	if err != nil {
+		return err
+	}
+	for i := 0; i < len(permissions); i++ {
+		permissionResoureces := permissions[i].Resources
+		for j := 0; j < len(permissionResoureces); j++ {
+			if permissionResoureces[j] == oldName {
+				permissionResoureces[j] = newName
+			}
+		}
+		permissions[i].Resources = permissionResoureces
+		_, err = session.Where("owner=?", permissions[i].Owner).Where("name=?", permissions[i].Name).Update(permissions[i])
+		if err != nil {
+			return err
+		}
+	}
+
+	return session.Commit()
+}

object/application_util_test.go

@@ -0,0 +1,79 @@
+// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import "testing"
+
+func TestRedirectUriMatchesPattern(t *testing.T) {
+	tests := []struct {
+		redirectUri string
+		targetUri   string
+		want        bool
+	}{
+		// Exact match
+		{"https://login.example.com/callback", "https://login.example.com/callback", true},
+
+		// Full URL pattern: exact host
+		{"https://login.example.com/callback", "https://login.example.com/callback", true},
+		{"https://login.example.com/other", "https://login.example.com/callback", false},
+
+		// Full URL pattern: subdomain of configured host
+		{"https://def.abc.com/callback", "abc.com", true},
+		{"https://def.abc.com/callback", ".abc.com", true},
+		{"https://def.abc.com/callback", ".abc.com/", true},
+		{"https://deep.app.example.com/callback", "https://example.com/callback", true},
+
+		// Full URL pattern: unrelated host must not match
+		{"https://evil.com/callback", "https://example.com/callback", false},
+		// Suffix collision: evilexample.com must not match example.com
+		{"https://evilexample.com/callback", "https://example.com/callback", false},
+
+		// Full URL pattern: scheme mismatch
+		{"http://app.example.com/callback", "https://example.com/callback", false},
+
+		// Full URL pattern: path mismatch
+		{"https://app.example.com/other", "https://example.com/callback", false},
+
+		// Scheme-less pattern: exact host
+		{"https://login.example.com/callback", "login.example.com/callback", true},
+		{"http://login.example.com/callback", "login.example.com/callback", true},
+
+		// Scheme-less pattern: subdomain of configured host
+		{"https://app.login.example.com/callback", "login.example.com/callback", true},
+
+		// Scheme-less pattern: unrelated host must not match
+		{"https://evil.com/callback", "login.example.com/callback", false},
+
+		// Scheme-less pattern: query-string injection must not match
+		{"https://evil.com/?r=https://login.example.com/callback", "login.example.com/callback", false},
+		{"https://evil.com/page?redirect=https://login.example.com/callback", "login.example.com/callback", false},
+
+		// Scheme-less pattern: path mismatch
+		{"https://login.example.com/other", "login.example.com/callback", false},
+
+		// Scheme-less pattern: non-http scheme must not match
+		{"ftp://login.example.com/callback", "login.example.com/callback", false},
+
+		// Empty target
+		{"https://login.example.com/callback", "", false},
+	}
+
+	for _, tt := range tests {
+		got := redirectUriMatchesPattern(tt.redirectUri, tt.targetUri)
+		if got != tt.want {
+			t.Errorf("redirectUriMatchesPattern(%q, %q) = %v, want %v", tt.redirectUri, tt.targetUri, got, tt.want)
+		}
+	}
+}

object/ldap_conn.go

@@ -878,12 +878,12 @@ func (ldap *Ldap) buildAuthFilterString(user *User) string {
 	}
 
 	if len(ldap.FilterFields) == 0 {
-		return fmt.Sprintf("(&%s(uid=%s))", baseFilter, user.Name)
+		return fmt.Sprintf("(&%s(uid=%s))", baseFilter, goldap.EscapeFilter(user.Name))
 	}
 
 	filter := fmt.Sprintf("(&%s(|", baseFilter)
 	for _, field := range ldap.FilterFields {
-		filter = fmt.Sprintf("%s(%s=%s)", filter, field, user.getFieldFromLdapAttribute(field))
+		filter = fmt.Sprintf("%s(%s=%s)", filter, field, goldap.EscapeFilter(user.getFieldFromLdapAttribute(field)))
 	}
 	filter = fmt.Sprintf("%s))", filter)
 

object/log_provider.go

@@ -64,12 +64,7 @@ func startLogCollector(provider *Provider) {
 		delete(runningCollectors, id)
 	}
 
-	tag := provider.Title
-	if tag == "" {
-		tag = "casdoor"
-	}
-
-	lp, err := log.NewSystemLogProvider(tag)
+	lp, err := log.GetLogProvider(provider.Type, provider.Host, provider.Port, provider.Title)
 	if err != nil {
 		return
 	}

object/product.go

@@ -257,6 +257,26 @@ func (product *Product) getProvider(providerName string) (*Provider, error) {
 	return provider, nil
 }
 
+func BuyProduct(id string, user *User, providerName, pricingName, planName, host, paymentEnv string, customPrice float64, lang string) (payment *Payment, attachInfo map[string]interface{}, err error) {
+	owner, productName, err := util.GetOwnerAndNameFromIdWithError(id)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	order, err := PlaceOrder(owner, []ProductInfo{{
+		Name:        productName,
+		Price:       customPrice,
+		Quantity:    1,
+		PricingName: pricingName,
+		PlanName:    planName,
+	}}, user)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return PayOrder(providerName, host, paymentEnv, order, lang)
+}
+
 func ExtendProductWithProviders(product *Product) error {
 	if product == nil {
 		return nil

object/saml_sp.go

@@ -21,13 +21,10 @@ import (
 	"encoding/pem"
 	"fmt"
 	"net/url"
-	"regexp"
-	"strings"
-
-	"github.com/casdoor/casdoor/idp"
-	"github.com/mitchellh/mapstructure"
 
 	"github.com/casdoor/casdoor/i18n"
+	"github.com/casdoor/casdoor/idp"
+	"github.com/mitchellh/mapstructure"
 	saml2 "github.com/russellhaering/gosaml2"
 	dsig "github.com/russellhaering/goxmldsig"
 )
@@ -113,7 +110,7 @@ func GenerateSamlRequest(id, relayState, host, lang string) (auth string, method
 func buildSp(provider *Provider, samlResponse string, host string) (*saml2.SAMLServiceProvider, error) {
 	_, origin := getOriginFromHost(host)
 
-	certStore, err := buildSpCertificateStore(provider, samlResponse)
+	certStore, err := buildSpCertificateStore(provider)
 	if err != nil {
 		return nil, err
 	}
@@ -152,15 +149,10 @@ func buildSpKeyStore() (dsig.X509KeyStore, error) {
 	}, nil
 }
 
-func buildSpCertificateStore(provider *Provider, samlResponse string) (certStore dsig.MemoryX509CertificateStore, err error) {
-	certEncodedData := ""
-	if samlResponse != "" {
-		certEncodedData, err = getCertificateFromSamlResponse(samlResponse, provider.Type)
-		if err != nil {
-			return
-		}
-	} else if provider.IdP != "" {
-		certEncodedData = provider.IdP
+func buildSpCertificateStore(provider *Provider) (certStore dsig.MemoryX509CertificateStore, err error) {
+	certEncodedData := provider.IdP
+	if certEncodedData == "" {
+		return dsig.MemoryX509CertificateStore{}, fmt.Errorf("the IdP certificate of provider: %s is empty", provider.Name)
 	}
 
 	var certData []byte
@@ -186,30 +178,3 @@ func buildSpCertificateStore(provider *Provider, samlResponse string) (certStore
 	}
 	return certStore, nil
 }
-
-func getCertificateFromSamlResponse(samlResponse string, providerType string) (string, error) {
-	de, err := base64.StdEncoding.DecodeString(samlResponse)
-	if err != nil {
-		return "", err
-	}
-	var (
-		expression string
-		deStr      = strings.Replace(string(de), "\n", "", -1)
-		tagMap     = map[string]string{
-			"Aliyun IDaaS": "ds",
-			"Keycloak":     "dsig",
-		}
-	)
-	tag := tagMap[providerType]
-	if tag == "" {
-		// <ds:X509Certificate>...</ds:X509Certificate>
-		// <dsig:X509Certificate>...</dsig:X509Certificate>
-		// <X509Certificate>...</X509Certificate>
-		// ...
-		expression = "<[^>]*:?X509Certificate>([\\s\\S]*?)<[^>]*:?X509Certificate>"
-	} else {
-		expression = fmt.Sprintf("<%s:X509Certificate>([\\s\\S]*?)</%s:X509Certificate>", tag, tag)
-	}
-	res := regexp.MustCompile(expression).FindStringSubmatch(deStr)
-	return res[1], nil
-}

object/server.go

@@ -72,16 +72,23 @@ func GetServer(id string) (*Server, error) {
 
 func UpdateServer(id string, server *Server) (bool, error) {
 	owner, name := util.GetOwnerAndNameFromIdNoCheck(id)
-	if s, err := getServer(owner, name); err != nil {
+	oldServer, err := getServer(owner, name)
+	if err != nil {
 		return false, err
-	} else if s == nil {
+	}
+	if oldServer == nil {
 		return false, nil
 	}
 
+	if server.Token == "" {
+		server.Token = oldServer.Token
+	}
+
 	server.UpdatedTime = util.GetCurrentTime()
 
-	syncServerTools(server)
-	_, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(server)
+	_ = syncServerTools(server)
+
+	_, err = ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(server)
 	if err != nil {
 		return false, err
 	}
@@ -89,25 +96,66 @@ func UpdateServer(id string, server *Server) (bool, error) {
 	return true, nil
 }
 
-func syncServerTools(server *Server) {
-	if server.Tools == nil {
-		server.Tools = []*Tool{}
+func SyncMcpTool(id string, server *Server, isCleared bool) (bool, error) {
+	owner, name := util.GetOwnerAndNameFromIdNoCheck(id)
+
+	if isCleared {
+		server.Tools = nil
+		server.UpdatedTime = util.GetCurrentTime()
+		_, err := ormer.Engine.ID(core.PK{owner, name}).Cols("tools", "updated_time").Update(server)
+		if err != nil {
+			return false, err
+		}
+		return true, nil
+	}
+
+	oldServer, err := getServer(owner, name)
+	if err != nil {
+		return false, err
+	}
+	if oldServer == nil {
+		return false, nil
+	}
+
+	if server.Token == "" {
+		server.Token = oldServer.Token
+	}
+
+	server.UpdatedTime = util.GetCurrentTime()
+
+	err = syncServerTools(server)
+	if err != nil {
+		return false, err
+	}
+
+	_, err = ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(server)
+	if err != nil {
+		return false, err
+	}
+
+	return true, nil
+}
+
+func syncServerTools(server *Server) error {
+	oldTools := server.Tools
+	if oldTools == nil {
+		oldTools = []*Tool{}
 	}
 
 	tools, err := mcp.GetServerTools(server.Owner, server.Name, server.Url, server.Token)
 	if err != nil {
-		return
+		return err
 	}
 
 	var newTools []*Tool
 	for _, tool := range tools {
-		oldToolIndex := slices.IndexFunc(server.Tools, func(oldTool *Tool) bool {
+		oldToolIndex := slices.IndexFunc(oldTools, func(oldTool *Tool) bool {
 			return oldTool.Name == tool.Name
 		})
 
 		isAllowed := true
 		if oldToolIndex != -1 {
-			isAllowed = server.Tools[oldToolIndex].IsAllowed
+			isAllowed = oldTools[oldToolIndex].IsAllowed
 		}
 
 		newTool := Tool{
@@ -118,6 +166,7 @@ func syncServerTools(server *Server) {
 	}
 
 	server.Tools = newTools
+	return nil
 }
 
 func AddServer(server *Server) (bool, error) {

object/token_oauth.go

@@ -310,11 +310,11 @@ func GetOAuthToken(grantType string, clientId string, clientSecret string, code
 	case "client_credentials": // Client Credentials Grant
 		token, tokenError, err = GetClientCredentialsToken(application, clientSecret, scope, host)
 	case "token", "id_token": // Implicit Grant
-		token, tokenError, err = GetImplicitToken(application, username, scope, nonce, host)
+		token, tokenError, err = GetImplicitToken(application, username, password, scope, nonce, host)
 	case "urn:ietf:params:oauth:grant-type:jwt-bearer":
 		token, tokenError, err = GetJwtBearerToken(application, assertion, scope, nonce, host)
 	case "urn:ietf:params:oauth:grant-type:device_code":
-		token, tokenError, err = GetImplicitToken(application, username, scope, nonce, host)
+		token, tokenError, err = GetImplicitToken(application, username, password, scope, nonce, host)
 	case "urn:ietf:params:oauth:grant-type:token-exchange": // Token Exchange Grant (RFC 8693)
 		token, tokenError, err = GetTokenExchangeToken(application, clientSecret, subjectToken, subjectTokenType, audience, scope, host)
 	case "refresh_token":
@@ -756,6 +756,24 @@ func GetAuthorizationCodeToken(application *Application, clientSecret string, co
 
 	// Handle guest user creation
 	if code == "guest-user" {
+		if application.Organization == "built-in" {
+			return nil, &TokenError{
+				Error:            InvalidGrant,
+				ErrorDescription: "guest signin is not allowed for built-in organization",
+			}, nil
+		}
+		if !application.EnableGuestSignin {
+			return nil, &TokenError{
+				Error:            InvalidGrant,
+				ErrorDescription: "guest signin is not enabled for this application",
+			}, nil
+		}
+		if !application.EnableSignUp {
+			return nil, &TokenError{
+				Error:            InvalidGrant,
+				ErrorDescription: "sign up is not enabled for this application",
+			}, nil
+		}
 		return createGuestUserToken(application, clientSecret, verifier)
 	}
 
@@ -970,9 +988,9 @@ func GetClientCredentialsToken(application *Application, clientSecret string, sc
 	return token, nil, nil
 }
 
-// GetImplicitToken
-// Implicit flow
-func GetImplicitToken(application *Application, username string, scope string, nonce string, host string) (*Token, *TokenError, error) {
+// mintImplicitToken mints a token for an already-authenticated user.
+// Callers must verify user identity before calling this function.
+func mintImplicitToken(application *Application, username string, scope string, nonce string, host string) (*Token, *TokenError, error) {
 	expandedScope, ok := IsScopeValidAndExpand(scope, application)
 	if !ok {
 		return nil, &TokenError{
@@ -1006,6 +1024,41 @@ func GetImplicitToken(application *Application, username string, scope string, n
 	return token, nil, nil
 }
 
+// GetImplicitToken
+// Implicit flow - requires password verification before minting a token
+func GetImplicitToken(application *Application, username string, password string, scope string, nonce string, host string) (*Token, *TokenError, error) {
+	user, err := GetUserByFields(application.Organization, username)
+	if err != nil {
+		return nil, nil, err
+	}
+	if user == nil {
+		return nil, &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: "the user does not exist",
+		}, nil
+	}
+
+	if user.Ldap != "" {
+		err = CheckLdapUserPassword(user, password, "en")
+	} else {
+		if user.Password == "" {
+			return nil, &TokenError{
+				Error:            InvalidGrant,
+				ErrorDescription: "OAuth users cannot use implicit grant type, please use authorization code flow",
+			}, nil
+		}
+		err = CheckPassword(user, password, "en")
+	}
+	if err != nil {
+		return nil, &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: fmt.Sprintf("invalid username or password: %s", err.Error()),
+		}, nil
+	}
+
+	return mintImplicitToken(application, username, scope, nonce, host)
+}
+
 // GetJwtBearerToken
 // RFC 7523
 func GetJwtBearerToken(application *Application, assertion string, scope string, nonce string, host string) (*Token, *TokenError, error) {
@@ -1024,7 +1077,8 @@ func GetJwtBearerToken(application *Application, assertion string, scope string,
 		}, nil
 	}
 
-	return GetImplicitToken(application, claims.Subject, scope, nonce, host)
+	// JWT assertion has already been validated above; skip password re-verification
+	return mintImplicitToken(application, claims.Subject, scope, nonce, host)
 }
 
 func ValidateJwtAssertion(clientAssertion string, application *Application, host string) (bool, *Claims, error) {
@@ -1236,6 +1290,67 @@ func GetWechatMiniProgramToken(application *Application, code string, host strin
 	return token, nil, nil
 }
 
+// parseAndValidateSubjectToken validates a subject_token for RFC 8693 token exchange.
+// It uses the ISSUING application's certificate (not the requesting client's) and
+// enforces audience binding to prevent cross-client token reuse.
+func parseAndValidateSubjectToken(subjectToken string, requestingClientId string) (owner, name, scope string, tokenErr *TokenError, err error) {
+	unverifiedToken, err := ParseJwtTokenWithoutValidation(subjectToken)
+	if err != nil {
+		return "", "", "", &TokenError{Error: InvalidGrant, ErrorDescription: fmt.Sprintf("invalid subject_token: %s", err.Error())}, nil
+	}
+
+	unverifiedClaims, ok := unverifiedToken.Claims.(*Claims)
+	if !ok || unverifiedClaims.Azp == "" {
+		return "", "", "", &TokenError{Error: InvalidGrant, ErrorDescription: "subject_token is missing the azp claim"}, nil
+	}
+
+	issuingApp, err := GetApplicationByClientId(unverifiedClaims.Azp)
+	if err != nil {
+		return "", "", "", nil, err
+	}
+	if issuingApp == nil {
+		return "", "", "", &TokenError{Error: InvalidGrant, ErrorDescription: fmt.Sprintf("subject_token issuing application not found: %s", unverifiedClaims.Azp)}, nil
+	}
+
+	cert, err := getCertByApplication(issuingApp)
+	if err != nil {
+		return "", "", "", nil, err
+	}
+	if cert == nil {
+		return "", "", "", &TokenError{Error: EndpointError, ErrorDescription: fmt.Sprintf("cert for issuing application %s cannot be found", unverifiedClaims.Azp)}, nil
+	}
+
+	if issuingApp.TokenFormat == "JWT-Standard" {
+		standardClaims, err := ParseStandardJwtToken(subjectToken, cert)
+		if err != nil {
+			return "", "", "", &TokenError{Error: InvalidGrant, ErrorDescription: fmt.Sprintf("invalid subject_token: %s", err.Error())}, nil
+		}
+		return standardClaims.Owner, standardClaims.Name, standardClaims.Scope, nil, nil
+	}
+
+	claims, err := ParseJwtToken(subjectToken, cert)
+	if err != nil {
+		return "", "", "", &TokenError{Error: InvalidGrant, ErrorDescription: fmt.Sprintf("invalid subject_token: %s", err.Error())}, nil
+	}
+
+	// Audience binding: requesting client must be the issuer itself or appear in token's aud.
+	// Prevents an attacker from exchanging App A's token to obtain an App B token (RFC 8693 §2.1).
+	if issuingApp.ClientId != requestingClientId {
+		audienceMatched := false
+		for _, aud := range claims.Audience {
+			if aud == requestingClientId {
+				audienceMatched = true
+				break
+			}
+		}
+		if !audienceMatched {
+			return "", "", "", &TokenError{Error: InvalidGrant, ErrorDescription: fmt.Sprintf("subject_token audience does not include the requesting client '%s'", requestingClientId)}, nil
+		}
+	}
+
+	return claims.Owner, claims.Name, claims.Scope, nil, nil
+}
+
 // GetTokenExchangeToken
 // Token Exchange Grant (RFC 8693)
 // Exchanges a subject token for a new token with different audience or scope
@@ -1284,42 +1399,12 @@ func GetTokenExchangeToken(application *Application, clientSecret string, subjec
 		}, nil
 	}
 
-	// Get certificate for token validation
-	cert, err := getCertByApplication(application)
+	subjectOwner, subjectName, subjectScope, tokenError, err := parseAndValidateSubjectToken(subjectToken, application.ClientId)
 	if err != nil {
 		return nil, nil, err
 	}
-	if cert == nil {
-		return nil, &TokenError{
-			Error:            EndpointError,
-			ErrorDescription: fmt.Sprintf("cert: %s cannot be found", application.Cert),
-		}, nil
-	}
-
-	// Parse and validate the subject token
-	var subjectOwner, subjectName, subjectScope string
-	if application.TokenFormat == "JWT-Standard" {
-		standardClaims, err := ParseStandardJwtToken(subjectToken, cert)
-		if err != nil {
-			return nil, &TokenError{
-				Error:            InvalidGrant,
-				ErrorDescription: fmt.Sprintf("invalid subject_token: %s", err.Error()),
-			}, nil
-		}
-		subjectOwner = standardClaims.Owner
-		subjectName = standardClaims.Name
-		subjectScope = standardClaims.Scope
-	} else {
-		claims, err := ParseJwtToken(subjectToken, cert)
-		if err != nil {
-			return nil, &TokenError{
-				Error:            InvalidGrant,
-				ErrorDescription: fmt.Sprintf("invalid subject_token: %s", err.Error()),
-			}, nil
-		}
-		subjectOwner = claims.Owner
-		subjectName = claims.Name
-		subjectScope = claims.Scope
+	if tokenError != nil {
+		return nil, tokenError, nil
 	}
 
 	// Get the user from the subject token

routers/router.go

@@ -137,6 +137,7 @@ func InitAPI() {
 	web.Router("/api/sync-intranet-servers", &controllers.ApiController{}, "POST:SyncIntranetServers")
 	web.Router("/api/get-server", &controllers.ApiController{}, "GET:GetServer")
 	web.Router("/api/update-server", &controllers.ApiController{}, "POST:UpdateServer")
+	web.Router("/api/sync-mcp-tool", &controllers.ApiController{}, "POST:SyncMcpTool")
 	web.Router("/api/add-server", &controllers.ApiController{}, "POST:AddServer")
 	web.Router("/api/delete-server", &controllers.ApiController{}, "POST:DeleteServer")
 	web.Router("/api/server/:owner/:name", &controllers.ApiController{}, "POST:ProxyServer")
@@ -245,6 +246,7 @@ func InitAPI() {
 	web.Router("/api/update-product", &controllers.ApiController{}, "POST:UpdateProduct")
 	web.Router("/api/add-product", &controllers.ApiController{}, "POST:AddProduct")
 	web.Router("/api/delete-product", &controllers.ApiController{}, "POST:DeleteProduct")
+	web.Router("/api/buy-product", &controllers.ApiController{}, "POST:BuyProduct")
 
 	web.Router("/api/get-orders", &controllers.ApiController{}, "GET:GetOrders")
 	web.Router("/api/get-user-orders", &controllers.ApiController{}, "GET:GetUserOrders")

swagger/swagger.json

@@ -1138,6 +1138,70 @@
                 }
             }
         },
+        "/api/buy-product": {
+            "post": {
+                "tags": [
+                    "Product API"
+                ],
+                "description": "buy product using the deprecated compatibility endpoint, prefer place-order plus pay-order for new integrations",
+                "operationId": "ApiController.BuyProduct",
+                "deprecated": true,
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "id",
+                        "description": "The id ( owner/name ) of the product",
+                        "required": true,
+                        "type": "string"
+                    },
+                    {
+                        "in": "query",
+                        "name": "providerName",
+                        "description": "The name of the provider",
+                        "required": true,
+                        "type": "string"
+                    },
+                    {
+                        "in": "query",
+                        "name": "pricingName",
+                        "description": "The name of the pricing (for subscription)",
+                        "type": "string"
+                    },
+                    {
+                        "in": "query",
+                        "name": "planName",
+                        "description": "The name of the plan (for subscription)",
+                        "type": "string"
+                    },
+                    {
+                        "in": "query",
+                        "name": "userName",
+                        "description": "The username to buy product for (admin only)",
+                        "type": "string"
+                    },
+                    {
+                        "in": "query",
+                        "name": "paymentEnv",
+                        "description": "The payment environment",
+                        "type": "string"
+                    },
+                    {
+                        "in": "query",
+                        "name": "customPrice",
+                        "description": "Custom price for recharge products",
+                        "type": "number"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
         "/api/delete-adapter": {
             "post": {
                 "tags": [
@@ -10488,4 +10552,4 @@
             "in": "header"
         }
     }
-}
+}

swagger/swagger.yml

@@ -734,6 +734,49 @@ paths:
           description: The Response object
           schema:
             $ref: '#/definitions/object.Userinfo'
+  /api/buy-product:
+    post:
+      tags:
+      - Product API
+      description: buy product using the deprecated compatibility endpoint, prefer place-order plus pay-order for new integrations
+      operationId: ApiController.BuyProduct
+      deprecated: true
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of the product
+        required: true
+        type: string
+      - in: query
+        name: providerName
+        description: The name of the provider
+        required: true
+        type: string
+      - in: query
+        name: pricingName
+        description: The name of the pricing (for subscription)
+        type: string
+      - in: query
+        name: planName
+        description: The name of the plan (for subscription)
+        type: string
+      - in: query
+        name: userName
+        description: The username to buy product for (admin only)
+        type: string
+      - in: query
+        name: paymentEnv
+        description: The payment environment
+        type: string
+      - in: query
+        name: customPrice
+        description: Custom price for recharge products
+        type: number
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
   /api/delete-adapter:
     post:
       tags:

web/src/ApplicationEditPage.js

@@ -594,6 +594,20 @@ class ApplicationEditPage extends React.Component {
               }} />
             </Col>
           </Row>
+          {
+            this.state.application.organization !== "built-in" ? (
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
+                  {Setting.getLabel(i18next.t("application:Enable guest signin"), i18next.t("application:Enable guest signin - Tooltip"))} :
+                </Col>
+                <Col span={1} >
+                  <Switch checked={this.state.application.enableGuestSignin} onChange={checked => {
+                    this.updateApplicationField("enableGuestSignin", checked);
+                  }} />
+                </Col>
+              </Row>
+            ) : null
+          }
           <Row style={{marginTop: "20px"}} >
             <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
               {Setting.getLabel(i18next.t("application:Enable exclusive signin"), i18next.t("application:Enable exclusive signin - Tooltip"))} :

web/src/ServerEditPage.js

@@ -120,6 +120,38 @@ class ServerEditPage extends React.Component {
       });
   }
 
+  syncMcpTool() {
+    const server = Setting.deepCopy(this.state.server);
+    ServerBackend.syncMcpTool(this.state.owner, this.state.serverName, server)
+      .then((res) => {
+        if (res.status === "ok") {
+          Setting.showMessage("success", i18next.t("general:Successfully modified"));
+          this.getServer();
+        } else {
+          Setting.showMessage("error", `${i18next.t("general:Failed to update")}: ${res.msg}`);
+        }
+      })
+      .catch(error => {
+        Setting.showMessage("error", `${i18next.t("general:Failed to connect to server")}: ${error}`);
+      });
+  }
+
+  clearMcpTool() {
+    const server = Setting.deepCopy(this.state.server);
+    ServerBackend.syncMcpTool(this.state.owner, this.state.serverName, server, true)
+      .then((res) => {
+        if (res.status === "ok") {
+          Setting.showMessage("success", i18next.t("general:Successfully modified"));
+          this.getServer();
+        } else {
+          Setting.showMessage("error", `${i18next.t("general:Failed to update")}: ${res.msg}`);
+        }
+      })
+      .catch(error => {
+        Setting.showMessage("error", `${i18next.t("general:Failed to connect to server")}: ${error}`);
+      });
+  }
+
   deleteServer() {
     ServerBackend.deleteServer(this.state.server)
       .then((res) => {
@@ -214,6 +246,8 @@ class ServerEditPage extends React.Component {
             {Setting.getLabel(i18next.t("general:Tool"), i18next.t("general:Tool - Tooltip"))} :
           </Col>
           <Col span={22} >
+            {this.state.mode !== "add" ? <Button type="primary" style={{marginBottom: "5px"}} onClick={() => this.syncMcpTool()}>{i18next.t("general:Sync")}</Button> : null}
+            {this.state.mode !== "add" ? <Button style={{marginBottom: "5px", marginLeft: "10px"}} onClick={() => this.clearMcpTool()}>{i18next.t("general:Clear")}</Button> : null}
             <ToolTable
               tools={this.state.server?.tools || []}
               onUpdateTable={(value) => {this.updateServerField("tools", value);}}

web/src/ServerStorePage.js

@@ -29,7 +29,7 @@ class ServerStorePage extends React.Component {
       onlineServerList: [],
       creatingOnlineServerId: "",
       onlineNameFilter: "",
-      onlineTagFilter: [],
+      onlineCategoryFilter: [],
     };
   }
 
@@ -41,7 +41,7 @@ class ServerStorePage extends React.Component {
     this.setState({
       onlineListLoading: true,
       onlineNameFilter: "",
-      onlineTagFilter: [],
+      onlineCategoryFilter: [],
     });
 
     ServerBackend.getOnlineServers()
@@ -72,16 +72,17 @@ class ServerStorePage extends React.Component {
   createServerFromOnline = (onlineServer) => {
     const owner = Setting.getRequestOrganization(this.props.account);
     const serverName = this.getOnlineServerName(onlineServer);
-    const serverUrl = onlineServer.production;
+    const serverUrl = onlineServer.endpoint;
 
     if (!serverUrl) {
       Setting.showMessage("error", i18next.t("server:Production endpoint is empty"));
       return;
     }
 
+    const randomName = Setting.getRandomName();
     const newServer = {
       owner: owner,
-      name: serverName,
+      name: serverName + randomName,
       createdTime: moment().format(),
       displayName: onlineServer.name || serverName,
       url: serverUrl,
@@ -107,20 +108,27 @@ class ServerStorePage extends React.Component {
 
   normalizeOnlineServers = (onlineServers) => {
     return onlineServers.map((server, index) => {
-      const rawTags = Array.isArray(server?.tags) ? server.tags : [];
+      const categoriesRaw = [server?.category].filter((category) => typeof category === "string" && category.trim() !== "");
 
       return {
         id: server.id ?? `${server.name ?? "server"}-${index}`,
         name: server.name ?? "",
         nameText: (server.name ?? "").toLowerCase(),
-        tagsRaw: rawTags,
-        tagsLower: rawTags.map((tag) => tag.toLowerCase()),
-        production: server.endpoints?.production ?? "",
+        categoriesRaw: categoriesRaw,
+        categoriesLower: categoriesRaw.map((category) => category.toLowerCase()),
+        endpoint: server.endpoints?.production ?? server.endpoint ?? "",
         description: server.description ?? "",
-        authentication: server?.authentication?.type,
-        website: server?.maintainer?.website,
+        website: server?.maintainer?.website ?? server?.website,
       };
-    }).filter(server => server.production.startsWith("http"));
+    }).filter(server => server.endpoint.startsWith("http"));
+  };
+
+  getWebsiteUrl = (website) => {
+    if (!website) {
+      return "";
+    }
+
+    return /^https?:\/\//i.test(website) ? website : `https://${website}`;
   };
 
   getOnlineServersFromResponse = (data) => {
@@ -139,19 +147,19 @@ class ServerStorePage extends React.Component {
     return [];
   };
 
-  getOnlineTagOptions = () => {
-    const tags = this.state.onlineServerList.flatMap((server) => server.tagsRaw || []);
-    return [...new Set(tags)].sort((a, b) => a.localeCompare(b)).map((tag) => ({label: tag, value: tag.toLowerCase()}));
+  getOnlineCategoryOptions = () => {
+    const categories = this.state.onlineServerList.flatMap((server) => server.categoriesRaw || []);
+    return [...new Set(categories)].sort((a, b) => a.localeCompare(b)).map((category) => ({label: category, value: category.toLowerCase()}));
   };
 
   getFilteredOnlineServers = () => {
     const nameFilter = this.state.onlineNameFilter.trim().toLowerCase();
-    const tagFilter = this.state.onlineTagFilter;
+    const categoryFilter = this.state.onlineCategoryFilter;
 
     return this.state.onlineServerList.filter((server) => {
       const nameMatched = !nameFilter || server.nameText.includes(nameFilter);
-      const tagMatched = tagFilter.length === 0 || tagFilter.some((tag) => server.tagsLower.includes(tag));
-      return nameMatched && tagMatched;
+      const categoryMatched = categoryFilter.length === 0 || categoryFilter.some((category) => server.categoriesLower.includes(category));
+      return nameMatched && categoryMatched;
     });
   };
 
@@ -180,19 +188,23 @@ class ServerStorePage extends React.Component {
             <Text type="secondary">{server.description || "-"}</Text>
           </div>
           <div style={{marginBottom: "8px"}}>
-            <Text strong>{i18next.t("application:Authentication")}: </Text>
-            <Text>{server.authentication || "-"}</Text>
+            <Text strong>{i18next.t("general:Url")}: </Text>
+            {server.website ? (
+              <a target="_blank" rel="noreferrer" href={this.getWebsiteUrl(server.endpoint)}>{server.endpoint}</a>
+            ) : (
+              <Text>-</Text>
+            )}
           </div>
           <div style={{marginBottom: "8px"}}>
             <Text strong>{i18next.t("general:Website")}: </Text>
             {server.website ? (
-              <a target="_blank" rel="noreferrer" href={`https://${server.website}`}>{server.website}</a>
+              <a target="_blank" rel="noreferrer" href={this.getWebsiteUrl(server.website)}>{server.website}</a>
             ) : (
               <Text>-</Text>
             )}
           </div>
           <div>
-            {(server.tagsRaw || []).map((tag) => <Tag key={`${server.id}-${tag}`}>{tag}</Tag>)}
+            {(server.categoriesRaw || []).map((category) => <Tag key={`${server.id}-${category}`}>{category}</Tag>)}
           </div>
         </Card>
       </Col>
@@ -214,13 +226,13 @@ class ServerStorePage extends React.Component {
           <Select
             mode="multiple"
             allowClear
-            placeholder={i18next.t("general:Tag")}
-            value={this.state.onlineTagFilter}
-            onChange={(values) => this.setState({onlineTagFilter: values})}
-            options={this.getOnlineTagOptions()}
+            placeholder={i18next.t("general:Category")}
+            value={this.state.onlineCategoryFilter}
+            onChange={(values) => this.setState({onlineCategoryFilter: values})}
+            options={this.getOnlineCategoryOptions()}
             style={{minWidth: "260px"}}
           />
-          <Button onClick={() => this.setState({onlineNameFilter: "", onlineTagFilter: []})}>
+          <Button onClick={() => this.setState({onlineNameFilter: "", onlineCategoryFilter: []})}>
             {i18next.t("general:Clear")}
           </Button>
           <Button onClick={this.fetchOnlineServers}>

web/src/backend/ServerBackend.js

@@ -44,6 +44,15 @@ export function updateServer(owner, name, server) {
   }).then(res => res.json());
 }
 
+export function syncMcpTool(owner, name, server, isCleared = false) {
+  const newServer = Setting.deepCopy(server);
+  return fetch(`${Setting.ServerUrl}/api/sync-mcp-tool?id=${owner}/${encodeURIComponent(name)}&isCleared=${isCleared ? "1" : "0"}`, {
+    method: "POST",
+    credentials: "include",
+    body: JSON.stringify(newServer),
+  }).then(res => res.json());
+}
+
 export function addServer(server) {
   const newServer = Setting.deepCopy(server);
   return fetch(`${Setting.ServerUrl}/api/add-server`, {