fix: allow admin to update and remove members

fix removing member without permission (#16332 ) (#19275 )
Co-authored-by: Linh Nguyen <55907715+batman0911@users.noreply.github.com> Co-authored-by: crazywoola <427733928@qq.com>
2026-01-08 15:24:14 +00:00 · 2025-05-06 16:41:43 -04:00 · 2025-05-06 15:41:50 +08:00 · 2025-04-28 18:18:54 +08:00 · 2025-04-28 18:15:24 +08:00 · 2025-04-28 17:17:26 +08:00
241 changed files with 4477 additions and 1928 deletions
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@@ -5,6 +5,8 @@ on:
    branches:
      - "main"
      - "deploy/dev"
+      - "deploy/enterprise"
+      - "e-260"
  release:
    types: [published]

--- a/.github/workflows/deploy-enterprise.yml
+++ b/.github/workflows/deploy-enterprise.yml
@@ -0,0 +1,29 @@
+name: Deploy Enterprise
+
+permissions:
+  contents: read
+
+on:
+  workflow_run:
+    workflows: ["Build and Push API & Web"]
+    branches:
+      - "deploy/enterprise"
+    types:
+      - completed
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    if: |
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.head_branch == 'deploy/enterprise'
+
+    steps:
+      - name: Deploy to server
+        uses: appleboy/ssh-action@v0.1.8
+        with:
+          host: ${{ secrets.ENTERPRISE_SSH_HOST }}
+          username: ${{ secrets.ENTERPRISE_SSH_USER }}
+          password: ${{ secrets.ENTERPRISE_SSH_PASSWORD }}
+          script: |
+            ${{ vars.ENTERPRISE_SSH_SCRIPT || secrets.ENTERPRISE_SSH_SCRIPT }}
--- a/.markdownlint.json
+++ b/.markdownlint.json
@@ -0,0 +1,3 @@
+{
+    "MD024": false
+}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,32 @@
+# Changelog
+
+All notable changes to Dify will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.15.7] - 2025-04-27
+
+### Added
+
+- Added support for GPT-4.1 in model providers (#18912)
+- Added support for Amazon Bedrock DeepSeek-R1 model (#18908)
+- Added support for Amazon Bedrock Claude Sonnet 3.7 model (#18788)
+- Refined version compatibility logic in app DSL service
+
+### Fixed
+
+- Fixed issue with creating apps from template categories (#18807, #18868)
+- Fixed DSL version check when creating apps from explore templates (#18872, #18878)
+
+## [0.15.6] - 2025-04-22
+
+### Security
+
+- Fixed clickjacking vulnerability (#18552)
+- Fixed reset password security issue (#18366)
+- Updated reset password token when email code verification succeeds (#18362)
+
+### Fixed
+
+- Fixed Vertex AI Gemini 2.0 Flash 001 schema (#18405)
--- a/api/.env.example
+++ b/api/.env.example
@@ -430,4 +430,7 @@ CREATE_TIDB_SERVICE_JOB_ENABLED=false
 # Maximum number of submitted thread count in a ThreadPool for parallel node execution
 MAX_SUBMIT_COUNT=100
 # Lockout duration in seconds
-LOGIN_LOCKOUT_DURATION=86400
+LOGIN_LOCKOUT_DURATION=86400
+
+# Prevent Clickjacking
+ALLOW_EMBED=false
--- a/api/configs/packaging/init.py
+++ b/api/configs/packaging/init.py
@@ -9,7 +9,7 @@ class PackagingInfo(BaseSettings):

    CURRENT_VERSION: str = Field(
        description="Dify version",
-        default="0.15.3",
+        default="0.15.7",
    )

    COMMIT_SHA: str = Field(
--- a/api/controllers/console/app/app.py
+++ b/api/controllers/console/app/app.py
@@ -2,30 +2,28 @@ import uuid
 from typing import cast

 from flask_login import current_user  # type: ignore
-from flask_restful import Resource, inputs, marshal, marshal_with, reqparse  # type: ignore
+from flask_restful import (Resource, inputs, marshal,  # type: ignore
+                           marshal_with, reqparse)
 from sqlalchemy import select
 from sqlalchemy.orm import Session
 from werkzeug.exceptions import BadRequest, Forbidden, abort

 from controllers.console import api
 from controllers.console.app.wraps import get_app_model
-from controllers.console.wraps import (
-    account_initialization_required,
-    cloud_edition_billing_resource_check,
-    enterprise_license_required,
-    setup_required,
-)
+from controllers.console.wraps import (account_initialization_required,
+                                       cloud_edition_billing_resource_check,
+                                       enterprise_license_required,
+                                       setup_required)
 from core.ops.ops_trace_manager import OpsTraceManager
 from extensions.ext_database import db
-from fields.app_fields import (
-    app_detail_fields,
-    app_detail_fields_with_site,
-    app_pagination_fields,
-)
+from fields.app_fields import (app_detail_fields, app_detail_fields_with_site,
+                               app_pagination_fields)
 from libs.login import login_required
 from models import Account, App
 from services.app_dsl_service import AppDslService, ImportMode
 from services.app_service import AppService
+from services.enterprise.enterprise_service import EnterpriseService
+from services.feature_service import FeatureService

 ALLOW_CREATE_APP_MODES = ["chat", "agent-chat", "advanced-chat", "workflow", "completion"]

@@ -67,7 +65,17 @@ class AppListApi(Resource):
        if not app_pagination:
            return {"data": [], "total": 0, "page": 1, "limit": 20, "has_more": False}

-        return marshal(app_pagination, app_pagination_fields)
+        if FeatureService.get_system_features().webapp_auth.enabled:
+            app_ids = [str(app.id) for app in app_pagination.items]
+            res = EnterpriseService.WebAppAuth.batch_get_app_access_mode_by_id(app_ids=app_ids)
+            if len(res) != len(app_ids):
+                raise BadRequest("Invalid app id in webapp auth")
+
+            for app in app_pagination.items:
+                if str(app.id) in res:
+                    app.access_mode = res[str(app.id)].access_mode
+
+        return marshal(app_pagination, app_pagination_fields), 200

    @setup_required
    @login_required
@@ -111,6 +119,10 @@ class AppApi(Resource):

        app_model = app_service.get_app(app_model)

+        if FeatureService.get_system_features().webapp_auth.enabled:
+            app_setting = EnterpriseService.WebAppAuth.get_app_access_mode_by_id(app_id=str(app_model.id))
+            app_model.access_mode = app_setting.access_mode
+
        return app_model

    @setup_required
--- a/api/controllers/console/auth/forgot_password.py
+++ b/api/controllers/console/auth/forgot_password.py
@@ -8,7 +8,7 @@ from constants.languages import languages
 from controllers.console import api
 from controllers.console.auth.error import EmailCodeError, InvalidEmailError, InvalidTokenError, PasswordMismatchError
 from controllers.console.error import AccountInFreezeError, AccountNotFound, EmailSendIpLimitError
-from controllers.console.wraps import setup_required
+from controllers.console.wraps import email_password_login_enabled, setup_required
 from events.tenant_event import tenant_was_created
 from extensions.ext_database import db
 from libs.helper import email, extract_remote_ip
@@ -16,12 +16,13 @@ from libs.password import hash_password, valid_password
 from models.account import Account
 from services.account_service import AccountService, TenantService
 from services.errors.account import AccountRegisterError
-from services.errors.workspace import WorkSpaceNotAllowedCreateError
+from services.errors.workspace import WorkSpaceNotAllowedCreateError, WorkspacesLimitExceededError
 from services.feature_service import FeatureService


 class ForgotPasswordSendEmailApi(Resource):
    @setup_required
+    @email_password_login_enabled
    def post(self):
        parser = reqparse.RequestParser()
        parser.add_argument("email", type=email, required=True, location="json")
@@ -53,6 +54,7 @@ class ForgotPasswordSendEmailApi(Resource):

 class ForgotPasswordCheckApi(Resource):
    @setup_required
+    @email_password_login_enabled
    def post(self):
        parser = reqparse.RequestParser()
        parser.add_argument("email", type=str, required=True, location="json")
@@ -72,11 +74,20 @@ class ForgotPasswordCheckApi(Resource):
        if args["code"] != token_data.get("code"):
            raise EmailCodeError()

-        return {"is_valid": True, "email": token_data.get("email")}
+        # Verified, revoke the first token
+        AccountService.revoke_reset_password_token(args["token"])
+
+        # Refresh token data by generating a new token
+        _, new_token = AccountService.generate_reset_password_token(
+            user_email, code=args["code"], additional_data={"phase": "reset"}
+        )
+
+        return {"is_valid": True, "email": token_data.get("email"), "token": new_token}


 class ForgotPasswordResetApi(Resource):
    @setup_required
+    @email_password_login_enabled
    def post(self):
        parser = reqparse.RequestParser()
        parser.add_argument("token", type=str, required=True, nullable=False, location="json")
@@ -95,6 +106,9 @@ class ForgotPasswordResetApi(Resource):

        if reset_data is None:
            raise InvalidTokenError()
+        # Must use token in reset phase
+        if reset_data.get("phase", "") != "reset":
+            raise InvalidTokenError()

        AccountService.revoke_reset_password_token(token)

@@ -127,6 +141,8 @@ class ForgotPasswordResetApi(Resource):
                pass
            except AccountRegisterError as are:
                raise AccountInFreezeError()
+            except WorkspacesLimitExceededError:
+                pass

        return {"result": "success"}

--- a/api/controllers/console/auth/login.py
+++ b/api/controllers/console/auth/login.py
@@ -21,8 +21,9 @@ from controllers.console.error import (
    AccountNotFound,
    EmailSendIpLimitError,
    NotAllowedCreateWorkspace,
+    WorkspacesLimitExceeded,
 )
-from controllers.console.wraps import setup_required
+from controllers.console.wraps import email_password_login_enabled, setup_required
 from events.tenant_event import tenant_was_created
 from libs.helper import email, extract_remote_ip
 from libs.password import valid_password
@@ -30,7 +31,7 @@ from models.account import Account
 from services.account_service import AccountService, RegisterService, TenantService
 from services.billing_service import BillingService
 from services.errors.account import AccountRegisterError
-from services.errors.workspace import WorkSpaceNotAllowedCreateError
+from services.errors.workspace import WorkSpaceNotAllowedCreateError, WorkspacesLimitExceededError
 from services.feature_service import FeatureService


@@ -38,6 +39,7 @@ class LoginApi(Resource):
    """Resource for user login."""

    @setup_required
+    @email_password_login_enabled
    def post(self):
        """Authenticate user and login."""
        parser = reqparse.RequestParser()
@@ -87,10 +89,15 @@ class LoginApi(Resource):
        # SELF_HOSTED only have one workspace
        tenants = TenantService.get_join_tenants(account)
        if len(tenants) == 0:
-            return {
-                "result": "fail",
-                "data": "workspace not found, please contact system admin to invite you to join in a workspace",
-            }
+            system_features = FeatureService.get_system_features()
+
+            if system_features.is_allow_create_workspace and not system_features.license.workspaces.is_available():
+                raise WorkspacesLimitExceeded()
+            else:
+                return {
+                    "result": "fail",
+                    "data": "workspace not found, please contact system admin to invite you to join in a workspace",
+                }

        token_pair = AccountService.login(account=account, ip_address=extract_remote_ip(request))
        AccountService.reset_login_error_rate_limit(args["email"])
@@ -110,6 +117,7 @@ class LogoutApi(Resource):

 class ResetPasswordSendEmailApi(Resource):
    @setup_required
+    @email_password_login_enabled
    def post(self):
        parser = reqparse.RequestParser()
        parser.add_argument("email", type=email, required=True, location="json")
@@ -196,6 +204,9 @@ class EmailCodeLoginApi(Resource):
        if account:
            tenant = TenantService.get_join_tenants(account)
            if not tenant:
+                workspaces = FeatureService.get_system_features().license.workspaces
+                if not workspaces.is_available():
+                    raise WorkspacesLimitExceeded()
                if not FeatureService.get_system_features().is_allow_create_workspace:
                    raise NotAllowedCreateWorkspace()
                else:
@@ -213,6 +224,8 @@ class EmailCodeLoginApi(Resource):
                return NotAllowedCreateWorkspace()
            except AccountRegisterError as are:
                raise AccountInFreezeError()
+            except WorkspacesLimitExceededError:
+                raise WorkspacesLimitExceeded()
        token_pair = AccountService.login(account, ip_address=extract_remote_ip(request))
        AccountService.reset_login_error_rate_limit(args["email"])
        return {"result": "success", "data": token_pair.model_dump()}
--- a/api/controllers/console/error.py
+++ b/api/controllers/console/error.py
@@ -46,6 +46,18 @@ class NotAllowedCreateWorkspace(BaseHTTPException):
    code = 400


+class WorkspaceMembersLimitExceeded(BaseHTTPException):
+    error_code = "limit_exceeded"
+    description = "Unable to add member because the maximum workspace's member limit was exceeded"
+    code = 400
+
+
+class WorkspacesLimitExceeded(BaseHTTPException):
+    error_code = "limit_exceeded"
+    description = "Unable to create workspace because the maximum workspace limit was exceeded"
+    code = 400
+
+
 class AccountBannedError(BaseHTTPException):
    error_code = "account_banned"
    description = "Account is banned."
--- a/api/controllers/console/explore/error.py
+++ b/api/controllers/console/explore/error.py
@@ -23,3 +23,9 @@ class AppSuggestedQuestionsAfterAnswerDisabledError(BaseHTTPException):
    error_code = "app_suggested_questions_after_answer_disabled"
    description = "Function Suggested questions after answer disabled."
    code = 403
+
+
+class AppAccessDeniedError(BaseHTTPException):
+    error_code = "access_denied"
+    description = "App access denied."
+    code = 403
--- a/api/controllers/console/explore/installed_app.py
+++ b/api/controllers/console/explore/installed_app.py
@@ -1,20 +1,26 @@
+import logging
 from datetime import UTC, datetime
 from typing import Any

 from flask import request
 from flask_login import current_user  # type: ignore
-from flask_restful import Resource, inputs, marshal_with, reqparse  # type: ignore
+from flask_restful import (Resource, inputs, marshal_with,  # type: ignore
+                           reqparse)
 from sqlalchemy import and_
 from werkzeug.exceptions import BadRequest, Forbidden, NotFound

 from controllers.console import api
 from controllers.console.explore.wraps import InstalledAppResource
-from controllers.console.wraps import account_initialization_required, cloud_edition_billing_resource_check
+from controllers.console.wraps import (account_initialization_required,
+                                       cloud_edition_billing_resource_check)
 from extensions.ext_database import db
 from fields.installed_app_fields import installed_app_list_fields
 from libs.login import login_required
 from models import App, InstalledApp, RecommendedApp
 from services.account_service import TenantService
+from services.app_service import AppService
+from services.enterprise.enterprise_service import EnterpriseService
+from services.feature_service import FeatureService


 class InstalledAppsListApi(Resource):
@@ -48,6 +54,23 @@ class InstalledAppsListApi(Resource):
            for installed_app in installed_apps
            if installed_app.app is not None
        ]
+
+        # filter out apps that user doesn't have access to
+        if FeatureService.get_system_features().webapp_auth.enabled:
+            user_id = current_user.id
+            res = []
+            for installed_app in installed_app_list:
+                app_code = AppService.get_app_code_by_id(str(installed_app["app"].id))
+                if EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(
+                    user_id=user_id,
+                    app_code=app_code,
+                ):
+                    res.append(installed_app)
+            installed_app_list = res
+            logging.info(
+                f"installed_app_list: {installed_app_list}, user_id: {user_id}"
+            )
+
        installed_app_list.sort(
            key=lambda app: (
                -app["is_pinned"],
--- a/api/controllers/console/explore/wraps.py
+++ b/api/controllers/console/explore/wraps.py
@@ -4,10 +4,14 @@ from flask_login import current_user  # type: ignore
 from flask_restful import Resource  # type: ignore
 from werkzeug.exceptions import NotFound

+from controllers.console.explore.error import AppAccessDeniedError
 from controllers.console.wraps import account_initialization_required
 from extensions.ext_database import db
 from libs.login import login_required
 from models import InstalledApp
+from services.app_service import AppService
+from services.enterprise.enterprise_service import EnterpriseService
+from services.feature_service import FeatureService


 def installed_app_required(view=None):
@@ -48,6 +52,30 @@ def installed_app_required(view=None):
    return decorator


+def user_allowed_to_access_app(view=None):
+    def decorator(view):
+        @wraps(view)
+        def decorated(installed_app: InstalledApp, *args, **kwargs):
+            feature = FeatureService.get_system_features()
+            if feature.webapp_auth.enabled:
+                app_id = installed_app.app_id
+                app_code = AppService.get_app_code_by_id(app_id)
+                res = EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(
+                    user_id=str(current_user.id),
+                    app_code=app_code,
+                )
+                if not res:
+                    raise AppAccessDeniedError()
+
+            return view(installed_app, *args, **kwargs)
+
+        return decorated
+    if view:
+        return decorator(view)
+    return decorator
+
+
 class InstalledAppResource(Resource):
    # must be reversed if there are multiple decorators
-    method_decorators = [installed_app_required, account_initialization_required, login_required]
+
+    method_decorators = [user_allowed_to_access_app, installed_app_required, account_initialization_required, login_required]
--- a/api/controllers/console/workspace/members.py
+++ b/api/controllers/console/workspace/members.py
@@ -6,6 +6,7 @@ from flask_restful import Resource, abort, marshal_with, reqparse  # type: ignor
 import services
 from configs import dify_config
 from controllers.console import api
+from controllers.console.error import WorkspaceMembersLimitExceeded
 from controllers.console.wraps import (
    account_initialization_required,
    cloud_edition_billing_resource_check,
@@ -17,6 +18,7 @@ from libs.login import login_required
 from models.account import Account, TenantAccountRole
 from services.account_service import RegisterService, TenantService
 from services.errors.account import AccountAlreadyInTenantError
+from services.feature_service import FeatureService


 class MemberListApi(Resource):
@@ -54,6 +56,12 @@ class MemberInviteEmailApi(Resource):
        inviter = current_user
        invitation_results = []
        console_web_url = dify_config.CONSOLE_WEB_URL
+
+        workspace_members = FeatureService.get_features(tenant_id=inviter.current_tenant.id).workspace_members
+
+        if not workspace_members.is_available(len(invitee_emails)):
+            raise WorkspaceMembersLimitExceeded()
+
        for invitee_email in invitee_emails:
            try:
                token = RegisterService.invite_new_member(
--- a/api/controllers/console/wraps.py
+++ b/api/controllers/console/wraps.py
@@ -39,6 +39,17 @@ def only_edition_cloud(view):
    return decorated


+def only_enterprise_edition(view):
+    @wraps(view)
+    def decorated(*args, **kwargs):
+        if not dify_config.ENTERPRISE_ENABLED:
+            abort(404)
+
+        return view(*args, **kwargs)
+
+    return decorated
+
+
 def only_edition_self_hosted(view):
    @wraps(view)
    def decorated(*args, **kwargs):
@@ -154,3 +165,16 @@ def enterprise_license_required(view):
        return view(*args, **kwargs)

    return decorated
+
+
+def email_password_login_enabled(view):
+    @wraps(view)
+    def decorated(*args, **kwargs):
+        features = FeatureService.get_system_features()
+        if features.enable_email_password_login:
+            return view(*args, **kwargs)
+
+        # otherwise, return 403
+        abort(403)
+
+    return decorated
--- a/api/controllers/inner_api/init.py
+++ b/api/controllers/inner_api/init.py
@@ -5,4 +5,5 @@ from libs.external_api import ExternalApi
 bp = Blueprint("inner_api", __name__, url_prefix="/inner/api")
 api = ExternalApi(bp)

+from . import mail
 from .workspace import workspace
--- a/api/controllers/inner_api/mail.py
+++ b/api/controllers/inner_api/mail.py
@@ -0,0 +1,27 @@
+from flask_restful import (
+    Resource,  # type: ignore
+    reqparse,
+)
+
+from controllers.console.wraps import setup_required
+from controllers.inner_api import api
+from controllers.inner_api.wraps import inner_api_only
+from services.enterprise.mail_service import DifyMail, EnterpriseMailService
+
+
+class EnterpriseMail(Resource):
+    @setup_required
+    @inner_api_only
+    def post(self):
+        parser = reqparse.RequestParser()
+        parser.add_argument("to", type=str, action="append", required=True)
+        parser.add_argument("subject", type=str, required=True)
+        parser.add_argument("body", type=str, required=True)
+        parser.add_argument("substitutions", type=dict, required=False)
+        args = parser.parse_args()
+
+        EnterpriseMailService.send_mail(DifyMail(**args))
+        return {"message": "success"}, 200
+
+
+api.add_resource(EnterpriseMail, "/enterprise/mail")
--- a/api/controllers/web/app.py
+++ b/api/controllers/web/app.py
@@ -1,12 +1,16 @@
-from flask_restful import marshal_with  # type: ignore
+
+from flask import request
+from flask_restful import Resource, marshal_with, reqparse  # type: ignore

 from controllers.common import fields
 from controllers.common import helpers as controller_helpers
 from controllers.web import api
 from controllers.web.error import AppUnavailableError
 from controllers.web.wraps import WebApiResource
+from libs.passport import PassportService
 from models.model import App, AppMode
 from services.app_service import AppService
+from services.enterprise.enterprise_service import EnterpriseService


 class AppParameterApi(WebApiResource):
@@ -42,5 +46,51 @@ class AppMeta(WebApiResource):
        return AppService().get_app_meta(app_model)


+class AppAccessMode(Resource):
+    def get(self):
+        parser = reqparse.RequestParser()
+        parser.add_argument("appId", type=str, required=True, location="args")
+        args = parser.parse_args()
+
+        app_id = args["appId"]
+        res = EnterpriseService.WebAppAuth.get_app_access_mode_by_id(app_id)
+
+        return {"accessMode": res.access_mode}
+
+
+class AppWebAuthPermission(Resource):
+    def get(self):
+        user_id = "visitor"
+        try:
+            auth_header = request.headers.get("Authorization")
+            if auth_header is None:
+                raise
+            if " " not in auth_header:
+                raise
+
+            auth_scheme, tk = auth_header.split(None, 1)
+            auth_scheme = auth_scheme.lower()
+            if auth_scheme != "bearer":
+                raise
+
+            decoded = PassportService().verify(tk)
+            user_id = decoded.get("user_id", "visitor")
+        except Exception as e:
+            pass
+
+        parser = reqparse.RequestParser()
+        parser.add_argument("appId", type=str, required=True, location="args")
+        args = parser.parse_args()
+
+        app_id = args["appId"]
+        app_code = AppService.get_app_code_by_id(app_id)
+
+        res = EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(str(user_id), app_code)
+        return {"result": res}
+
+
 api.add_resource(AppParameterApi, "/parameters")
 api.add_resource(AppMeta, "/meta")
+# webapp auth apis
+api.add_resource(AppAccessMode, "/webapp/access-mode")
+api.add_resource(AppWebAuthPermission, "/webapp/permission")
--- a/api/controllers/web/error.py
+++ b/api/controllers/web/error.py
@@ -121,9 +121,15 @@ class UnsupportedFileTypeError(BaseHTTPException):
    code = 415


-class WebSSOAuthRequiredError(BaseHTTPException):
+class WebAppAuthRequiredError(BaseHTTPException):
    error_code = "web_sso_auth_required"
-    description = "Web SSO authentication required."
+    description = "Web app authentication required."
+    code = 401
+
+
+class WebAppAuthAccessDeniedError(BaseHTTPException):
+    error_code = "web_app_access_denied"
+    description = "You do not have permission to access this web app."
    code = 401


--- a/api/controllers/web/login.py
+++ b/api/controllers/web/login.py
@@ -0,0 +1,121 @@
+from flask import request
+from flask_restful import Resource, reqparse
+from jwt import InvalidTokenError  # type: ignore
+from web import api
+from werkzeug.exceptions import BadRequest
+
+import services
+from controllers.console.auth.error import EmailCodeError, EmailOrPasswordMismatchError, InvalidEmailError
+from controllers.console.error import AccountBannedError, AccountNotFound
+from controllers.console.wraps import setup_required
+from libs.helper import email
+from libs.password import valid_password
+from services.account_service import AccountService
+from services.webapp_auth_service import WebAppAuthService
+
+
+class LoginApi(Resource):
+    """Resource for web app email/password login."""
+
+    def post(self):
+        """Authenticate user and login."""
+        parser = reqparse.RequestParser()
+        parser.add_argument("email", type=email, required=True, location="json")
+        parser.add_argument("password", type=valid_password, required=True, location="json")
+        args = parser.parse_args()
+
+        app_code = request.headers.get("X-App-Code")
+        if app_code is None:
+            raise BadRequest("X-App-Code header is missing.")
+
+        try:
+            account = WebAppAuthService.authenticate(args["email"], args["password"])
+        except services.errors.account.AccountLoginError:
+            raise AccountBannedError()
+        except services.errors.account.AccountPasswordError:
+            raise EmailOrPasswordMismatchError()
+        except services.errors.account.AccountNotFoundError:
+            raise AccountNotFound()
+
+        WebAppAuthService._validate_user_accessibility(account=account, app_code=app_code)
+
+        end_user = WebAppAuthService.create_end_user(email=args["email"], app_code=app_code)
+
+        token = WebAppAuthService.login(account=account, app_code=app_code, end_user_id=end_user.id)
+        return {"result": "success", "token": token}
+
+
+# class LogoutApi(Resource):
+#     @setup_required
+#     def get(self):
+#         account = cast(Account, flask_login.current_user)
+#         if isinstance(account, flask_login.AnonymousUserMixin):
+#             return {"result": "success"}
+#         flask_login.logout_user()
+#         return {"result": "success"}
+
+
+class EmailCodeLoginSendEmailApi(Resource):
+    @setup_required
+    def post(self):
+        parser = reqparse.RequestParser()
+        parser.add_argument("email", type=email, required=True, location="json")
+        parser.add_argument("language", type=str, required=False, location="json")
+        args = parser.parse_args()
+
+        if args["language"] is not None and args["language"] == "zh-Hans":
+            language = "zh-Hans"
+        else:
+            language = "en-US"
+
+        account = WebAppAuthService.get_user_through_email(args["email"])
+        if account is None:
+            raise AccountNotFound()
+        else:
+            token = WebAppAuthService.send_email_code_login_email(account=account, language=language)
+
+        return {"result": "success", "data": token}
+
+
+class EmailCodeLoginApi(Resource):
+    @setup_required
+    def post(self):
+        parser = reqparse.RequestParser()
+        parser.add_argument("email", type=str, required=True, location="json")
+        parser.add_argument("code", type=str, required=True, location="json")
+        parser.add_argument("token", type=str, required=True, location="json")
+        args = parser.parse_args()
+
+        user_email = args["email"]
+        app_code = request.headers.get("X-App-Code")
+        if app_code is None:
+            raise BadRequest("X-App-Code header is missing.")
+
+        token_data = WebAppAuthService.get_email_code_login_data(args["token"])
+        if token_data is None:
+            raise InvalidTokenError()
+
+        if token_data["email"] != args["email"]:
+            raise InvalidEmailError()
+
+        if token_data["code"] != args["code"]:
+            raise EmailCodeError()
+
+        WebAppAuthService.revoke_email_code_login_token(args["token"])
+        account = WebAppAuthService.get_user_through_email(user_email)
+        if not account:
+            raise AccountNotFound()
+
+        WebAppAuthService._validate_user_accessibility(account=account, app_code=app_code)
+
+        end_user = WebAppAuthService.create_end_user(email=user_email, app_code=app_code)
+
+        token = WebAppAuthService.login(account=account, app_code=app_code, end_user_id=end_user.id)
+        AccountService.reset_login_error_rate_limit(args["email"])
+        return {"result": "success", "token": token}
+
+
+api.add_resource(LoginApi, "/login")
+# api.add_resource(LogoutApi, "/logout")
+api.add_resource(EmailCodeLoginSendEmailApi, "/email-code-login")
+api.add_resource(EmailCodeLoginApi, "/email-code-login/validity")
--- a/api/controllers/web/passport.py
+++ b/api/controllers/web/passport.py
@@ -5,7 +5,7 @@ from flask_restful import Resource  # type: ignore
 from werkzeug.exceptions import NotFound, Unauthorized

 from controllers.web import api
-from controllers.web.error import WebSSOAuthRequiredError
+from controllers.web.error import WebAppAuthRequiredError
 from extensions.ext_database import db
 from libs.passport import PassportService
 from models.model import App, EndUser, Site
@@ -22,10 +22,10 @@ class PassportResource(Resource):
        if app_code is None:
            raise Unauthorized("X-App-Code header is missing.")

-        if system_features.sso_enforced_for_web:
-            app_web_sso_enabled = EnterpriseService.get_app_web_sso_enabled(app_code).get("enabled", False)
-            if app_web_sso_enabled:
-                raise WebSSOAuthRequiredError()
+        if system_features.webapp_auth.enabled:
+            app_settings = EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=app_code)
+            if not app_settings or not app_settings.access_mode == "public":
+                raise WebAppAuthRequiredError()

        # get site from db and check if it is normal
        site = db.session.query(Site).filter(Site.code == app_code, Site.status == "normal").first()
--- a/api/controllers/web/wraps.py
+++ b/api/controllers/web/wraps.py
@@ -4,7 +4,7 @@ from flask import request
 from flask_restful import Resource  # type: ignore
 from werkzeug.exceptions import BadRequest, NotFound, Unauthorized

-from controllers.web.error import WebSSOAuthRequiredError
+from controllers.web.error import WebAppAuthAccessDeniedError, WebAppAuthRequiredError
 from extensions.ext_database import db
 from libs.passport import PassportService
 from models.model import App, EndUser, Site
@@ -57,35 +57,53 @@ def decode_jwt_token():
        if not end_user:
            raise NotFound()

-        _validate_web_sso_token(decoded, system_features, app_code)
+        # for enterprise webapp auth
+        app_web_auth_enabled = False
+        if system_features.webapp_auth.enabled:
+            app_web_auth_enabled = (
+                EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=app_code).access_mode != "public"
+            )
+
+        _validate_webapp_token(decoded, app_web_auth_enabled, system_features.webapp_auth.enabled)
+        _validate_user_accessibility(decoded, app_code, app_web_auth_enabled, system_features.webapp_auth.enabled)

        return app_model, end_user
    except Unauthorized as e:
-        if system_features.sso_enforced_for_web:
-            app_web_sso_enabled = EnterpriseService.get_app_web_sso_enabled(app_code).get("enabled", False)
-            if app_web_sso_enabled:
-                raise WebSSOAuthRequiredError()
+        if system_features.webapp_auth.enabled:
+            app_web_auth_enabled = (
+                EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=app_code).access_mode != "public"
+            )
+            if app_web_auth_enabled:
+                raise WebAppAuthRequiredError()

        raise Unauthorized(e.description)


-def _validate_web_sso_token(decoded, system_features, app_code):
-    app_web_sso_enabled = False
-
-    # Check if SSO is enforced for web, and if the token source is not SSO, raise an error and redirect to SSO login
-    if system_features.sso_enforced_for_web:
-        app_web_sso_enabled = EnterpriseService.get_app_web_sso_enabled(app_code).get("enabled", False)
-        if app_web_sso_enabled:
-            source = decoded.get("token_source")
-            if not source or source != "sso":
-                raise WebSSOAuthRequiredError()
-
-    # Check if SSO is not enforced for web, and if the token source is SSO,
-    # raise an error and redirect to normal passport login
-    if not system_features.sso_enforced_for_web or not app_web_sso_enabled:
+def _validate_webapp_token(decoded, app_web_auth_enabled: bool, system_webapp_auth_enabled: bool):
+    # Check if authentication is enforced for web app, and if the token source is not webapp,
+    # raise an error and redirect to login
+    if system_webapp_auth_enabled and app_web_auth_enabled:
        source = decoded.get("token_source")
-        if source and source == "sso":
-            raise Unauthorized("sso token expired.")
+        if not source or source != "webapp":
+            raise WebAppAuthRequiredError()
+
+    # Check if authentication is not enforced for web, and if the token source is webapp,
+    # raise an error and redirect to normal passport login
+    if not system_webapp_auth_enabled or not app_web_auth_enabled:
+        source = decoded.get("token_source")
+        if source and source == "webapp":
+            raise Unauthorized("webapp token expired.")
+
+
+def _validate_user_accessibility(decoded, app_code, app_web_auth_enabled: bool, system_webapp_auth_enabled: bool):
+    if system_webapp_auth_enabled and app_web_auth_enabled:
+        # Check if the user is allowed to access the web app
+        user_id = decoded.get("user_id")
+        if not user_id:
+            raise WebAppAuthRequiredError()
+
+        if not EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(user_id, app_code=app_code):
+            raise WebAppAuthAccessDeniedError()


 class WebApiResource(Resource):
--- a/api/core/agent/cot_agent_runner.py
+++ b/api/core/agent/cot_agent_runner.py
@@ -104,7 +104,6 @@ class CotAgentRunner(BaseAgentRunner, ABC):

            # recalc llm max tokens
            prompt_messages = self._organize_prompt_messages()
-            self.recalc_llm_max_tokens(self.model_config, prompt_messages)
            # invoke model
            chunks = model_instance.invoke_llm(
                prompt_messages=prompt_messages,
--- a/api/core/agent/fc_agent_runner.py
+++ b/api/core/agent/fc_agent_runner.py
@@ -84,7 +84,6 @@ class FunctionCallAgentRunner(BaseAgentRunner):

            # recalc llm max tokens
            prompt_messages = self._organize_prompt_messages()
-            self.recalc_llm_max_tokens(self.model_config, prompt_messages)
            # invoke model
            chunks: Union[Generator[LLMResultChunk, None, None], LLMResult] = model_instance.invoke_llm(
                prompt_messages=prompt_messages,
--- a/api/core/app/apps/agent_chat/app_runner.py
+++ b/api/core/app/apps/agent_chat/app_runner.py
@@ -55,20 +55,6 @@ class AgentChatAppRunner(AppRunner):
        query = application_generate_entity.query
        files = application_generate_entity.files

-        # Pre-calculate the number of tokens of the prompt messages,
-        # and return the rest number of tokens by model context token size limit and max token size limit.
-        # If the rest number of tokens is not enough, raise exception.
-        # Include: prompt template, inputs, query(optional), files(optional)
-        # Not Include: memory, external data, dataset context
-        self.get_pre_calculate_rest_tokens(
-            app_record=app_record,
-            model_config=application_generate_entity.model_conf,
-            prompt_template_entity=app_config.prompt_template,
-            inputs=inputs,
-            files=files,
-            query=query,
-        )
-
        memory = None
        if application_generate_entity.conversation_id:
            # get memory of conversation (read-only)
--- a/api/core/app/apps/base_app_runner.py
+++ b/api/core/app/apps/base_app_runner.py
@@ -15,10 +15,8 @@ from core.app.features.annotation_reply.annotation_reply import AnnotationReplyF
 from core.app.features.hosting_moderation.hosting_moderation import HostingModerationFeature
 from core.external_data_tool.external_data_fetch import ExternalDataFetch
 from core.memory.token_buffer_memory import TokenBufferMemory
-from core.model_manager import ModelInstance
 from core.model_runtime.entities.llm_entities import LLMResult, LLMResultChunk, LLMResultChunkDelta, LLMUsage
 from core.model_runtime.entities.message_entities import AssistantPromptMessage, PromptMessage
-from core.model_runtime.entities.model_entities import ModelPropertyKey
 from core.model_runtime.errors.invoke import InvokeBadRequestError
 from core.moderation.input_moderation import InputModeration
 from core.prompt.advanced_prompt_transform import AdvancedPromptTransform
@@ -31,106 +29,6 @@ if TYPE_CHECKING:


 class AppRunner:
-    def get_pre_calculate_rest_tokens(
-        self,
-        app_record: App,
-        model_config: ModelConfigWithCredentialsEntity,
-        prompt_template_entity: PromptTemplateEntity,
-        inputs: Mapping[str, str],
-        files: Sequence["File"],
-        query: Optional[str] = None,
-    ) -> int:
-        """
-        Get pre calculate rest tokens
-        :param app_record: app record
-        :param model_config: model config entity
-        :param prompt_template_entity: prompt template entity
-        :param inputs: inputs
-        :param files: files
-        :param query: query
-        :return:
-        """
-        # Invoke model
-        model_instance = ModelInstance(
-            provider_model_bundle=model_config.provider_model_bundle, model=model_config.model
-        )
-
-        model_context_tokens = model_config.model_schema.model_properties.get(ModelPropertyKey.CONTEXT_SIZE)
-
-        max_tokens = 0
-        for parameter_rule in model_config.model_schema.parameter_rules:
-            if parameter_rule.name == "max_tokens" or (
-                parameter_rule.use_template and parameter_rule.use_template == "max_tokens"
-            ):
-                max_tokens = (
-                    model_config.parameters.get(parameter_rule.name)
-                    or model_config.parameters.get(parameter_rule.use_template or "")
-                ) or 0
-
-        if model_context_tokens is None:
-            return -1
-
-        if max_tokens is None:
-            max_tokens = 0
-
-        # get prompt messages without memory and context
-        prompt_messages, stop = self.organize_prompt_messages(
-            app_record=app_record,
-            model_config=model_config,
-            prompt_template_entity=prompt_template_entity,
-            inputs=inputs,
-            files=files,
-            query=query,
-        )
-
-        prompt_tokens = model_instance.get_llm_num_tokens(prompt_messages)
-
-        rest_tokens: int = model_context_tokens - max_tokens - prompt_tokens
-        if rest_tokens < 0:
-            raise InvokeBadRequestError(
-                "Query or prefix prompt is too long, you can reduce the prefix prompt, "
-                "or shrink the max token, or switch to a llm with a larger token limit size."
-            )
-
-        return rest_tokens
-
-    def recalc_llm_max_tokens(
-        self, model_config: ModelConfigWithCredentialsEntity, prompt_messages: list[PromptMessage]
-    ):
-        # recalc max_tokens if sum(prompt_token +  max_tokens) over model token limit
-        model_instance = ModelInstance(
-            provider_model_bundle=model_config.provider_model_bundle, model=model_config.model
-        )
-
-        model_context_tokens = model_config.model_schema.model_properties.get(ModelPropertyKey.CONTEXT_SIZE)
-
-        max_tokens = 0
-        for parameter_rule in model_config.model_schema.parameter_rules:
-            if parameter_rule.name == "max_tokens" or (
-                parameter_rule.use_template and parameter_rule.use_template == "max_tokens"
-            ):
-                max_tokens = (
-                    model_config.parameters.get(parameter_rule.name)
-                    or model_config.parameters.get(parameter_rule.use_template or "")
-                ) or 0
-
-        if model_context_tokens is None:
-            return -1
-
-        if max_tokens is None:
-            max_tokens = 0
-
-        prompt_tokens = model_instance.get_llm_num_tokens(prompt_messages)
-
-        if prompt_tokens + max_tokens > model_context_tokens:
-            max_tokens = max(model_context_tokens - prompt_tokens, 16)
-
-            for parameter_rule in model_config.model_schema.parameter_rules:
-                if parameter_rule.name == "max_tokens" or (
-                    parameter_rule.use_template and parameter_rule.use_template == "max_tokens"
-                ):
-                    model_config.parameters[parameter_rule.name] = max_tokens
-
    def organize_prompt_messages(
        self,
        app_record: App,
--- a/api/core/app/apps/chat/app_runner.py
+++ b/api/core/app/apps/chat/app_runner.py
@@ -50,20 +50,6 @@ class ChatAppRunner(AppRunner):
        query = application_generate_entity.query
        files = application_generate_entity.files

-        # Pre-calculate the number of tokens of the prompt messages,
-        # and return the rest number of tokens by model context token size limit and max token size limit.
-        # If the rest number of tokens is not enough, raise exception.
-        # Include: prompt template, inputs, query(optional), files(optional)
-        # Not Include: memory, external data, dataset context
-        self.get_pre_calculate_rest_tokens(
-            app_record=app_record,
-            model_config=application_generate_entity.model_conf,
-            prompt_template_entity=app_config.prompt_template,
-            inputs=inputs,
-            files=files,
-            query=query,
-        )
-
        memory = None
        if application_generate_entity.conversation_id:
            # get memory of conversation (read-only)
@@ -194,9 +180,6 @@ class ChatAppRunner(AppRunner):
        if hosting_moderation_result:
            return

-        # Re-calculate the max tokens if sum(prompt_token +  max_tokens) over model token limit
-        self.recalc_llm_max_tokens(model_config=application_generate_entity.model_conf, prompt_messages=prompt_messages)
-
        # Invoke model
        model_instance = ModelInstance(
            provider_model_bundle=application_generate_entity.model_conf.provider_model_bundle,
--- a/api/core/app/apps/completion/app_runner.py
+++ b/api/core/app/apps/completion/app_runner.py
@@ -43,20 +43,6 @@ class CompletionAppRunner(AppRunner):
        query = application_generate_entity.query
        files = application_generate_entity.files

-        # Pre-calculate the number of tokens of the prompt messages,
-        # and return the rest number of tokens by model context token size limit and max token size limit.
-        # If the rest number of tokens is not enough, raise exception.
-        # Include: prompt template, inputs, query(optional), files(optional)
-        # Not Include: memory, external data, dataset context
-        self.get_pre_calculate_rest_tokens(
-            app_record=app_record,
-            model_config=application_generate_entity.model_conf,
-            prompt_template_entity=app_config.prompt_template,
-            inputs=inputs,
-            files=files,
-            query=query,
-        )
-
        # organize all inputs and template to prompt messages
        # Include: prompt template, inputs, query(optional), files(optional)
        prompt_messages, stop = self.organize_prompt_messages(
@@ -152,9 +138,6 @@ class CompletionAppRunner(AppRunner):
        if hosting_moderation_result:
            return

-        # Re-calculate the max tokens if sum(prompt_token +  max_tokens) over model token limit
-        self.recalc_llm_max_tokens(model_config=application_generate_entity.model_conf, prompt_messages=prompt_messages)
-
        # Invoke model
        model_instance = ModelInstance(
            provider_model_bundle=application_generate_entity.model_conf.provider_model_bundle,
--- a/api/core/memory/token_buffer_memory.py
+++ b/api/core/memory/token_buffer_memory.py
@@ -26,7 +26,7 @@ class TokenBufferMemory:
        self.model_instance = model_instance

    def get_history_prompt_messages(
-        self, max_token_limit: int = 2000, message_limit: Optional[int] = None
+        self, max_token_limit: int = 100000, message_limit: Optional[int] = None
    ) -> Sequence[PromptMessage]:
        """
        Get history prompt messages.
--- a/api/core/model_runtime/model_providers/bedrock/llm/eu.anthropic.claude-3.7-sonnet-v1.yaml
+++ b/api/core/model_runtime/model_providers/bedrock/llm/eu.anthropic.claude-3.7-sonnet-v1.yaml
@@ -0,0 +1,115 @@
+model: us.anthropic.claude-3-7-sonnet-20250219-v1:0
+label:
+  en_US: Claude 3.7 Sonnet(US.Cross Region Inference)
+icon: icon_s_en.svg
+model_type: llm
+features:
+  - agent-thought
+  - vision
+  - tool-call
+  - stream-tool-call
+model_properties:
+  mode: chat
+  context_size: 200000
+# docs: https://docs.aws.amazon.com/bedrock/latest/userguide/model-parameters-anthropic-claude-messages.html
+parameter_rules:
+  - name: enable_cache
+    label:
+      zh_Hans: 启用提示缓存
+      en_US: Enable Prompt Cache
+    type: boolean
+    required: false
+    default: true
+    help:
+      zh_Hans: 启用提示缓存可以提高性能并降低成本。Claude 3.7 Sonnet支持在system、messages和tools字段中使用缓存检查点。
+      en_US: Enable prompt caching to improve performance and reduce costs. Claude 3.7 Sonnet supports cache checkpoints in system, messages, and tools fields.
+  - name: reasoning_type
+    label:
+      zh_Hans: 推理配置
+      en_US: Reasoning Type
+    type: boolean
+    required: false
+    default: false
+    placeholder:
+      zh_Hans: 设置推理配置
+      en_US: Set reasoning configuration
+    help:
+      zh_Hans: 控制模型的推理能力。启用时，temperature将固定为1且top_p将被禁用。
+      en_US: Controls the model's reasoning capability. When enabled, temperature will be fixed to 1 and top_p will be disabled.
+  - name: reasoning_budget
+    show_on:
+      - variable: reasoning_type
+        value: true
+    label:
+      zh_Hans: 推理预算
+      en_US: Reasoning Budget
+    type: int
+    default: 1024
+    min: 0
+    max: 128000
+    help:
+      zh_Hans: 推理的预算限制（最小1024），必须小于max_tokens。仅在推理类型为enabled时可用。
+      en_US: Budget limit for reasoning (minimum 1024), must be less than max_tokens. Only available when reasoning type is enabled.
+
+  - name: max_tokens
+    use_template: max_tokens
+    required: true
+    label:
+      zh_Hans: 最大token数
+      en_US: Max Tokens
+    type: int
+    default: 8192
+    min: 1
+    max: 128000
+    help:
+      zh_Hans: 停止前生成的最大令牌数。请注意，Anthropic Claude 模型可能会在达到 max_tokens 的值之前停止生成令牌。不同的 Anthropic Claude 模型对此参数具有不同的最大值。
+      en_US: The maximum number of tokens to generate before stopping. Note that Anthropic Claude models might stop generating tokens before reaching the value of max_tokens. Different Anthropic Claude models have different maximum values for this parameter.
+  - name: temperature
+    use_template: temperature
+    required: false
+    label:
+      zh_Hans: 模型温度
+      en_US: Model Temperature
+    type: float
+    default: 1
+    min: 0.0
+    max: 1.0
+    help:
+      zh_Hans: 生成内容的随机性。当推理功能启用时，该值将被固定为1。
+      en_US: The amount of randomness injected into the response. When reasoning is enabled, this value will be fixed to 1.
+  - name: top_p
+    show_on:
+      - variable: reasoning_type
+        value: disabled
+    use_template: top_p
+    label:
+      zh_Hans: Top P
+      en_US: Top P
+    required: false
+    type: float
+    default: 0.999
+    min: 0.000
+    max: 1.000
+    help:
+      zh_Hans: 在核采样中的概率阈值。当推理功能启用时，该参数将被禁用。
+      en_US: The probability threshold in nucleus sampling. When reasoning is enabled, this parameter will be disabled.
+  - name: top_k
+    label:
+      zh_Hans: 取样数量
+      en_US: Top k
+    required: false
+    type: int
+    default: 0
+    min: 0
+    # tip docs from aws has error, max value is 500
+    max: 500
+    help:
+      zh_Hans: 对于每个后续标记，仅从前 K 个选项中进行采样。使用 top_k 删除长尾低概率响应。
+      en_US: Only sample from the top K options for each subsequent token. Use top_k to remove long tail low probability responses.
+  - name: response_format
+    use_template: response_format
+pricing:
+  input: '0.003'
+  output: '0.015'
+  unit: '0.001'
+  currency: USD
--- a/api/core/model_runtime/model_providers/bedrock/llm/llm.py
+++ b/api/core/model_runtime/model_providers/bedrock/llm/llm.py
@@ -58,6 +58,7 @@ class BedrockLargeLanguageModel(LargeLanguageModel):
    # TODO There is invoke issue: context limit on Cohere Model, will add them after fixed.
    CONVERSE_API_ENABLED_MODEL_INFO = [
        {"prefix": "anthropic.claude-v2", "support_system_prompts": True, "support_tool_use": False},
+        {"prefix": "us.deepseek", "support_system_prompts": True, "support_tool_use": False},
        {"prefix": "anthropic.claude-v1", "support_system_prompts": True, "support_tool_use": False},
        {"prefix": "us.anthropic.claude-3", "support_system_prompts": True, "support_tool_use": True},
        {"prefix": "eu.anthropic.claude-3", "support_system_prompts": True, "support_tool_use": True},
--- a/api/core/model_runtime/model_providers/bedrock/llm/us.deepseek-r1.yaml
+++ b/api/core/model_runtime/model_providers/bedrock/llm/us.deepseek-r1.yaml
@@ -0,0 +1,63 @@
+model: us.deepseek.r1-v1:0
+label:
+  en_US: DeepSeek-R1(US.Cross Region Inference)
+icon: icon_s_en.svg
+model_type: llm
+features:
+  - agent-thought
+  - vision
+  - tool-call
+  - stream-tool-call
+model_properties:
+  mode: chat
+  context_size: 32768
+parameter_rules:
+  - name: max_tokens
+    use_template: max_tokens
+    required: true
+    label:
+      zh_Hans: 最大token数
+      en_US: Max Tokens
+    type: int
+    default: 8192
+    min: 1
+    max: 128000
+    help:
+      zh_Hans: 停止前生成的最大令牌数。
+      en_US: The maximum number of tokens to generate before stopping.
+  - name: temperature
+    use_template: temperature
+    required: false
+    label:
+      zh_Hans: 模型温度
+      en_US: Model Temperature
+    type: float
+    default: 1
+    min: 0.0
+    max: 1.0
+    help:
+      zh_Hans: 生成内容的随机性。当推理功能启用时，该值将被固定为1。
+      en_US: The amount of randomness injected into the response. When reasoning is enabled, this value will be fixed to 1.
+  - name: top_p
+    show_on:
+      - variable: reasoning_type
+        value: disabled
+    use_template: top_p
+    label:
+      zh_Hans: Top P
+      en_US: Top P
+    required: false
+    type: float
+    default: 0.999
+    min: 0.000
+    max: 1.000
+    help:
+      zh_Hans: 在核采样中的概率阈值。当推理功能启用时，该参数将被禁用。
+      en_US: The probability threshold in nucleus sampling. When reasoning is enabled, this parameter will be disabled.
+  - name: response_format
+    use_template: response_format
+pricing:
+  input: '0.001'
+  output: '0.005'
+  unit: '0.001'
+  currency: USD
--- a/api/core/model_runtime/model_providers/google/google.py
+++ b/api/core/model_runtime/model_providers/google/google.py
@@ -19,8 +19,8 @@ class GoogleProvider(ModelProvider):
        try:
            model_instance = self.get_model_instance(ModelType.LLM)

-            # Use `gemini-pro` model for validate,
-            model_instance.validate_credentials(model="gemini-pro", credentials=credentials)
+            # Use `gemini-2.0-flash` model for validate,
+            model_instance.validate_credentials(model="gemini-2.0-flash", credentials=credentials)
        except CredentialsValidateFailedError as ex:
            raise ex
        except Exception as ex:
--- a/api/core/model_runtime/model_providers/google/llm/_position.yaml
+++ b/api/core/model_runtime/model_providers/google/llm/_position.yaml
@@ -19,5 +19,3 @@
 - gemini-exp-1206
 - gemini-exp-1121
 - gemini-exp-1114
- gemini-pro
- gemini-pro-vision
--- a/api/core/model_runtime/model_providers/google/llm/gemini-pro-vision.yaml
+++ b/api/core/model_runtime/model_providers/google/llm/gemini-pro-vision.yaml
@@ -1,35 +0,0 @@
-model: gemini-pro-vision
-label:
-  en_US: Gemini Pro Vision
-model_type: llm
-features:
-  - vision
-model_properties:
-  mode: chat
-  context_size: 12288
-parameter_rules:
-  - name: temperature
-    use_template: temperature
-  - name: top_p
-    use_template: top_p
-  - name: top_k
-    label:
-      zh_Hans: 取样数量
-      en_US: Top k
-    type: int
-    help:
-      zh_Hans: 仅从每个后续标记的前 K 个选项中采样。
-      en_US: Only sample from the top K options for each subsequent token.
-    required: false
-  - name: max_tokens_to_sample
-    use_template: max_tokens
-    required: true
-    default: 4096
-    min: 1
-    max: 4096
-pricing:
-  input: '0.00'
-  output: '0.00'
-  unit: '0.000001'
-  currency: USD
-deprecated: true
--- a/api/core/model_runtime/model_providers/google/llm/gemini-pro.yaml
+++ b/api/core/model_runtime/model_providers/google/llm/gemini-pro.yaml
@@ -1,39 +0,0 @@
-model: gemini-pro
-label:
-  en_US: Gemini Pro
-model_type: llm
-features:
-  - agent-thought
-  - tool-call
-  - stream-tool-call
-model_properties:
-  mode: chat
-  context_size: 30720
-parameter_rules:
-  - name: temperature
-    use_template: temperature
-  - name: top_p
-    use_template: top_p
-  - name: top_k
-    label:
-      zh_Hans: 取样数量
-      en_US: Top k
-    type: int
-    help:
-      zh_Hans: 仅从每个后续标记的前 K 个选项中采样。
-      en_US: Only sample from the top K options for each subsequent token.
-    required: false
-  - name: max_tokens_to_sample
-    use_template: max_tokens
-    required: true
-    default: 2048
-    min: 1
-    max: 2048
-  - name: response_format
-    use_template: response_format
-pricing:
-  input: '0.00'
-  output: '0.00'
-  unit: '0.000001'
-  currency: USD
-deprecated: true
--- a/api/core/model_runtime/model_providers/openai/llm/llm.py
+++ b/api/core/model_runtime/model_providers/openai/llm/llm.py
@@ -1057,7 +1057,7 @@ class OpenAILargeLanguageModel(_CommonOpenAI, LargeLanguageModel):
            model = "gpt-4o"

        try:
-            encoding = tiktoken.encoding_for_model(model)
+            encoding = tiktoken.get_encoding(model)
        except KeyError:
            logger.warning("Warning: model not found. Using cl100k_base encoding.")
            model = "cl100k_base"
--- a/api/core/model_runtime/model_providers/vertex_ai/llm/gemini-2.0-flash-001.yaml
+++ b/api/core/model_runtime/model_providers/vertex_ai/llm/gemini-2.0-flash-001.yaml
@@ -5,11 +5,6 @@ model_type: llm
 features:
  - agent-thought
  - vision
-  - tool-call
-  - stream-tool-call
-  - document
-  - video
-  - audio
 model_properties:
  mode: chat
  context_size: 1048576
@@ -20,20 +15,21 @@ parameter_rules:
    use_template: top_p
  - name: top_k
    label:
-      zh_Hans: 取样数量
      en_US: Top k
    type: int
    help:
-      zh_Hans: 仅从每个后续标记的前 K 个选项中采样。
      en_US: Only sample from the top K options for each subsequent token.
    required: false
+  - name: presence_penalty
+    use_template: presence_penalty
+  - name: frequency_penalty
+    use_template: frequency_penalty
  - name: max_output_tokens
    use_template: max_tokens
+    required: true
    default: 8192
    min: 1
    max: 8192
-  - name: json_schema
-    use_template: json_schema
 pricing:
  input: '0.00'
  output: '0.00'
--- a/api/core/rag/extractor/word_extractor.py
+++ b/api/core/rag/extractor/word_extractor.py
@@ -85,7 +85,7 @@ class WordExtractor(BaseExtractor):
            if "image" in rel.target_ref:
                image_count += 1
                if rel.is_external:
-                    url = rel.reltype
+                    url = rel.target_ref
                    response = ssrf_proxy.get(url)
                    if response.status_code == 200:
                        image_ext = mimetypes.guess_extension(response.headers["Content-Type"])
--- a/api/core/tools/provider/_position.yaml
+++ b/api/core/tools/provider/_position.yaml
@@ -77,5 +77,4 @@
 - onebot
 - regex
 - trello
- vanna
 - fal
--- a/api/core/tools/provider/builtin/vanna/_assets/icon.png
+++ b/api/core/tools/provider/builtin/vanna/_assets/icon.png
--- a/api/core/tools/provider/builtin/vanna/tools/vanna.py
+++ b/api/core/tools/provider/builtin/vanna/tools/vanna.py
@@ -1,134 +0,0 @@
-from typing import Any, Union
-
-from vanna.remote import VannaDefault  # type: ignore
-
-from core.tools.entities.tool_entities import ToolInvokeMessage
-from core.tools.errors import ToolProviderCredentialValidationError
-from core.tools.tool.builtin_tool import BuiltinTool
-
-
-class VannaTool(BuiltinTool):
-    def _invoke(
-        self, user_id: str, tool_parameters: dict[str, Any]
-    ) -> Union[ToolInvokeMessage, list[ToolInvokeMessage]]:
-        """
-        invoke tools
-        """
-        # Ensure runtime and credentials
-        if not self.runtime or not self.runtime.credentials:
-            raise ToolProviderCredentialValidationError("Tool runtime or credentials are missing")
-        api_key = self.runtime.credentials.get("api_key", None)
-        if not api_key:
-            raise ToolProviderCredentialValidationError("Please input api key")
-
-        model = tool_parameters.get("model", "")
-        if not model:
-            return self.create_text_message("Please input RAG model")
-
-        prompt = tool_parameters.get("prompt", "")
-        if not prompt:
-            return self.create_text_message("Please input prompt")
-
-        url = tool_parameters.get("url", "")
-        if not url:
-            return self.create_text_message("Please input URL/Host/DSN")
-
-        db_name = tool_parameters.get("db_name", "")
-        username = tool_parameters.get("username", "")
-        password = tool_parameters.get("password", "")
-        port = tool_parameters.get("port", 0)
-
-        base_url = self.runtime.credentials.get("base_url", None)
-        vn = VannaDefault(model=model, api_key=api_key, config={"endpoint": base_url})
-
-        db_type = tool_parameters.get("db_type", "")
-        if db_type in {"Postgres", "MySQL", "Hive", "ClickHouse"}:
-            if not db_name:
-                return self.create_text_message("Please input database name")
-            if not username:
-                return self.create_text_message("Please input username")
-            if port < 1:
-                return self.create_text_message("Please input port")
-
-        schema_sql = "SELECT * FROM INFORMATION_SCHEMA.COLUMNS"
-        match db_type:
-            case "SQLite":
-                schema_sql = "SELECT type, sql FROM sqlite_master WHERE sql is not null"
-                vn.connect_to_sqlite(url)
-            case "Postgres":
-                vn.connect_to_postgres(host=url, dbname=db_name, user=username, password=password, port=port)
-            case "DuckDB":
-                vn.connect_to_duckdb(url=url)
-            case "SQLServer":
-                vn.connect_to_mssql(url)
-            case "MySQL":
-                vn.connect_to_mysql(host=url, dbname=db_name, user=username, password=password, port=port)
-            case "Oracle":
-                vn.connect_to_oracle(user=username, password=password, dsn=url)
-            case "Hive":
-                vn.connect_to_hive(host=url, dbname=db_name, user=username, password=password, port=port)
-            case "ClickHouse":
-                vn.connect_to_clickhouse(host=url, dbname=db_name, user=username, password=password, port=port)
-
-        enable_training = tool_parameters.get("enable_training", False)
-        reset_training_data = tool_parameters.get("reset_training_data", False)
-        if enable_training:
-            if reset_training_data:
-                existing_training_data = vn.get_training_data()
-                if len(existing_training_data) > 0:
-                    for _, training_data in existing_training_data.iterrows():
-                        vn.remove_training_data(training_data["id"])
-
-            ddl = tool_parameters.get("ddl", "")
-            question = tool_parameters.get("question", "")
-            sql = tool_parameters.get("sql", "")
-            memos = tool_parameters.get("memos", "")
-            training_metadata = tool_parameters.get("training_metadata", False)
-
-            if training_metadata:
-                if db_type == "SQLite":
-                    df_ddl = vn.run_sql(schema_sql)
-                    for ddl in df_ddl["sql"].to_list():
-                        vn.train(ddl=ddl)
-                else:
-                    df_information_schema = vn.run_sql(schema_sql)
-                    plan = vn.get_training_plan_generic(df_information_schema)
-                    vn.train(plan=plan)
-
-            if ddl:
-                vn.train(ddl=ddl)
-
-            if sql:
-                if question:
-                    vn.train(question=question, sql=sql)
-                else:
-                    vn.train(sql=sql)
-            if memos:
-                vn.train(documentation=memos)
-
-        #########################################################################################
-        # Due to CVE-2024-5565, we have to disable the chart generation feature
-        # The Vanna library uses a prompt function to present the user with visualized results,
-        # it is possible to alter the prompt using prompt injection and run arbitrary Python code
-        # instead of the intended visualization code.
-        # Specifically - allowing external input to the library’s “ask” method
-        # with "visualize" set to True (default behavior) leads to remote code execution.
-        # Affected versions: <= 0.5.5
-        #########################################################################################
-        allow_llm_to_see_data = tool_parameters.get("allow_llm_to_see_data", False)
-        res = vn.ask(
-            prompt, print_results=False, auto_train=True, visualize=False, allow_llm_to_see_data=allow_llm_to_see_data
-        )
-
-        result = []
-
-        if res is not None:
-            result.append(self.create_text_message(res[0]))
-            if len(res) > 1 and res[1] is not None:
-                result.append(self.create_text_message(res[1].to_markdown()))
-            if len(res) > 2 and res[2] is not None:
-                result.append(
-                    self.create_blob_message(blob=res[2].to_image(format="svg"), meta={"mime_type": "image/svg+xml"})
-                )
-
-        return result
--- a/api/core/tools/provider/builtin/vanna/tools/vanna.yaml
+++ b/api/core/tools/provider/builtin/vanna/tools/vanna.yaml
@@ -1,213 +0,0 @@
-identity:
-  name: vanna
-  author: QCTC
-  label:
-    en_US: Vanna.AI
-    zh_Hans: Vanna.AI
-description:
-  human:
-    en_US: The fastest way to get actionable insights from your database just by asking questions.
-    zh_Hans: 一个基于大模型和RAG的Text2SQL工具。
-  llm: A tool for converting text to SQL.
-parameters:
-  - name: prompt
-    type: string
-    required: true
-    label:
-      en_US: Prompt
-      zh_Hans: 提示词
-      pt_BR: Prompt
-    human_description:
-      en_US: used for generating SQL
-      zh_Hans: 用于生成SQL
-    llm_description: key words for generating SQL
-    form: llm
-  - name: model
-    type: string
-    required: true
-    label:
-      en_US: RAG Model
-      zh_Hans: RAG模型
-    human_description:
-      en_US: RAG Model for your database DDL
-      zh_Hans: 存储数据库训练数据的RAG模型
-    llm_description: RAG Model for generating SQL
-    form: llm
-  - name: db_type
-    type: select
-    required: true
-    options:
-      - value: SQLite
-        label:
-          en_US: SQLite
-          zh_Hans: SQLite
-      - value: Postgres
-        label:
-          en_US: Postgres
-          zh_Hans: Postgres
-      - value: DuckDB
-        label:
-          en_US: DuckDB
-          zh_Hans: DuckDB
-      - value: SQLServer
-        label:
-          en_US: Microsoft SQL Server
-          zh_Hans: 微软 SQL Server
-      - value: MySQL
-        label:
-          en_US: MySQL
-          zh_Hans: MySQL
-      - value: Oracle
-        label:
-          en_US: Oracle
-          zh_Hans: Oracle
-      - value: Hive
-        label:
-          en_US: Hive
-          zh_Hans: Hive
-      - value: ClickHouse
-        label:
-          en_US: ClickHouse
-          zh_Hans: ClickHouse
-    default: SQLite
-    label:
-      en_US: DB Type
-      zh_Hans: 数据库类型
-    human_description:
-      en_US: Database type.
-      zh_Hans: 选择要链接的数据库类型。
-    form: form
-  - name: url
-    type: string
-    required: true
-    label:
-      en_US: URL/Host/DSN
-      zh_Hans: URL/Host/DSN
-    human_description:
-      en_US: Please input depending on DB type, visit https://vanna.ai/docs/ for more specification
-      zh_Hans: 请根据数据库类型，填入对应值，详情参考https://vanna.ai/docs/
-    form: form
-  - name: db_name
-    type: string
-    required: false
-    label:
-      en_US: DB name
-      zh_Hans: 数据库名
-    human_description:
-      en_US: Database name
-      zh_Hans: 数据库名
-    form: form
-  - name: username
-    type: string
-    required: false
-    label:
-      en_US: Username
-      zh_Hans: 用户名
-    human_description:
-      en_US: Username
-      zh_Hans: 用户名
-    form: form
-  - name: password
-    type: secret-input
-    required: false
-    label:
-      en_US: Password
-      zh_Hans: 密码
-    human_description:
-      en_US: Password
-      zh_Hans: 密码
-    form: form
-  - name: port
-    type: number
-    required: false
-    label:
-      en_US: Port
-      zh_Hans: 端口
-    human_description:
-      en_US: Port
-      zh_Hans: 端口
-    form: form
-  - name: ddl
-    type: string
-    required: false
-    label:
-      en_US: Training DDL
-      zh_Hans: 训练DDL
-    human_description:
-      en_US: DDL statements for training data
-      zh_Hans: 用于训练RAG Model的建表语句
-    form: llm
-  - name: question
-    type: string
-    required: false
-    label:
-      en_US: Training Question
-      zh_Hans: 训练问题
-    human_description:
-      en_US: Question-SQL Pairs
-      zh_Hans: Question-SQL中的问题
-    form: llm
-  - name: sql
-    type: string
-    required: false
-    label:
-      en_US: Training SQL
-      zh_Hans: 训练SQL
-    human_description:
-      en_US: SQL queries to your training data
-      zh_Hans: 用于训练RAG Model的SQL语句
-    form: llm
-  - name: memos
-    type: string
-    required: false
-    label:
-      en_US: Training Memos
-      zh_Hans: 训练说明
-    human_description:
-      en_US: Sometimes you may want to add documentation about your business terminology or definitions
-      zh_Hans: 添加更多关于数据库的业务说明
-    form: llm
-  - name: enable_training
-    type: boolean
-    required: false
-    default: false
-    label:
-      en_US: Training Data
-      zh_Hans: 训练数据
-    human_description:
-      en_US: You only need to train once. Do not train again unless you want to add more training data
-      zh_Hans: 训练数据无更新时，训练一次即可
-    form: form
-  - name: reset_training_data
-    type: boolean
-    required: false
-    default: false
-    label:
-      en_US: Reset Training Data
-      zh_Hans: 重置训练数据
-    human_description:
-      en_US: Remove all training data in the current RAG Model
-      zh_Hans: 删除当前RAG Model中的所有训练数据
-    form: form
-  - name: training_metadata
-    type: boolean
-    required: false
-    default: false
-    label:
-      en_US: Training Metadata
-      zh_Hans: 训练元数据
-    human_description:
-      en_US: If enabled, it will attempt to train on the metadata of that database
-      zh_Hans: 是否自动从数据库获取元数据来训练
-    form: form
-  - name: allow_llm_to_see_data
-    type: boolean
-    required: false
-    default: false
-    label:
-      en_US: Whether to allow the LLM to see the data
-      zh_Hans: 是否允许LLM查看数据
-    human_description:
-      en_US: Whether to allow the LLM to see the data
-      zh_Hans: 是否允许LLM查看数据
-    form: form
--- a/api/core/tools/provider/builtin/vanna/vanna.py
+++ b/api/core/tools/provider/builtin/vanna/vanna.py
@@ -1,46 +0,0 @@
-import re
-from typing import Any
-from urllib.parse import urlparse
-
-from core.tools.errors import ToolProviderCredentialValidationError
-from core.tools.provider.builtin.vanna.tools.vanna import VannaTool
-from core.tools.provider.builtin_tool_provider import BuiltinToolProviderController
-
-
-class VannaProvider(BuiltinToolProviderController):
-    def _get_protocol_and_main_domain(self, url):
-        parsed_url = urlparse(url)
-        protocol = parsed_url.scheme
-        hostname = parsed_url.hostname
-        port = f":{parsed_url.port}" if parsed_url.port else ""
-
-        # Check if the hostname is an IP address
-        is_ip = re.match(r"^\d{1,3}(\.\d{1,3}){3}$", hostname) is not None
-
-        # Return the full hostname (with port if present) for IP addresses, otherwise return the main domain
-        main_domain = f"{hostname}{port}" if is_ip else ".".join(hostname.split(".")[-2:]) + port
-        return f"{protocol}://{main_domain}"
-
-    def _validate_credentials(self, credentials: dict[str, Any]) -> None:
-        base_url = credentials.get("base_url")
-        if not base_url:
-            base_url = "https://ask.vanna.ai/rpc"
-        else:
-            base_url = base_url.removesuffix("/")
-        credentials["base_url"] = base_url
-        try:
-            VannaTool().fork_tool_runtime(
-                runtime={
-                    "credentials": credentials,
-                }
-            ).invoke(
-                user_id="",
-                tool_parameters={
-                    "model": "chinook",
-                    "db_type": "SQLite",
-                    "url": f"{self._get_protocol_and_main_domain(credentials['base_url'])}/Chinook.sqlite",
-                    "query": "What are the top 10 customers by sales?",
-                },
-            )
-        except Exception as e:
-            raise ToolProviderCredentialValidationError(str(e))
--- a/api/core/tools/provider/builtin/vanna/vanna.yaml
+++ b/api/core/tools/provider/builtin/vanna/vanna.yaml
@@ -1,35 +0,0 @@
-identity:
-  author: QCTC
-  name: vanna
-  label:
-    en_US: Vanna.AI
-    zh_Hans: Vanna.AI
-  description:
-    en_US: The fastest way to get actionable insights from your database just by asking questions.
-    zh_Hans: 一个基于大模型和RAG的Text2SQL工具。
-  icon: icon.png
-  tags:
-    - utilities
-    - productivity
-credentials_for_provider:
-  api_key:
-    type: secret-input
-    required: true
-    label:
-      en_US: API key
-      zh_Hans: API key
-    placeholder:
-      en_US: Please input your API key
-      zh_Hans: 请输入你的 API key
-      pt_BR: Please input your API key
-    help:
-      en_US: Get your API key from Vanna.AI
-      zh_Hans: 从 Vanna.AI 获取你的 API key
-    url: https://vanna.ai/account/profile
-  base_url:
-    type: text-input
-    required: false
-    label:
-      en_US: Vanna.AI Endpoint Base URL
-    placeholder:
-      en_US: https://ask.vanna.ai/rpc
--- a/api/core/workflow/nodes/code/code_node.py
+++ b/api/core/workflow/nodes/code/code_node.py
@@ -195,7 +195,7 @@ class CodeNode(BaseNode[CodeNodeData]):
            if output_config.type == "object":
                # check if output is object
                if not isinstance(result.get(output_name), dict):
-                    if isinstance(result.get(output_name), type(None)):
+                    if result.get(output_name) is None:
                        transformed_result[output_name] = None
                    else:
                        raise OutputValidationError(
@@ -223,7 +223,7 @@ class CodeNode(BaseNode[CodeNodeData]):
            elif output_config.type == "array[number]":
                # check if array of number available
                if not isinstance(result[output_name], list):
-                    if isinstance(result[output_name], type(None)):
+                    if result[output_name] is None:
                        transformed_result[output_name] = None
                    else:
                        raise OutputValidationError(
@@ -244,7 +244,7 @@ class CodeNode(BaseNode[CodeNodeData]):
            elif output_config.type == "array[string]":
                # check if array of string available
                if not isinstance(result[output_name], list):
-                    if isinstance(result[output_name], type(None)):
+                    if result[output_name] is None:
                        transformed_result[output_name] = None
                    else:
                        raise OutputValidationError(
@@ -265,7 +265,7 @@ class CodeNode(BaseNode[CodeNodeData]):
            elif output_config.type == "array[object]":
                # check if array of object available
                if not isinstance(result[output_name], list):
-                    if isinstance(result[output_name], type(None)):
+                    if result[output_name] is None:
                        transformed_result[output_name] = None
                    else:
                        raise OutputValidationError(
--- a/api/core/workflow/nodes/llm/node.py
+++ b/api/core/workflow/nodes/llm/node.py
@@ -968,14 +968,12 @@ def _handle_memory_chat_mode(
    *,
    memory: TokenBufferMemory | None,
    memory_config: MemoryConfig | None,
-    model_config: ModelConfigWithCredentialsEntity,
+    model_config: ModelConfigWithCredentialsEntity,  # TODO(-LAN-): Needs to remove
 ) -> Sequence[PromptMessage]:
    memory_messages: Sequence[PromptMessage] = []
    # Get messages from memory for chat model
    if memory and memory_config:
-        rest_tokens = _calculate_rest_token(prompt_messages=[], model_config=model_config)
        memory_messages = memory.get_history_prompt_messages(
-            max_token_limit=rest_tokens,
            message_limit=memory_config.window.size if memory_config.window.enabled else None,
        )
    return memory_messages
--- a/api/fields/app_fields.py
+++ b/api/fields/app_fields.py
@@ -63,6 +63,7 @@ app_detail_fields = {
    "created_at": TimestampField,
    "updated_by": fields.String,
    "updated_at": TimestampField,
+    "access_mode": fields.String,
 }

 prompt_config_fields = {
@@ -98,6 +99,7 @@ app_partial_fields = {
    "updated_by": fields.String,
    "updated_at": TimestampField,
    "tags": fields.List(fields.Nested(tag_fields)),
+    "access_mode": fields.String,
 }


@@ -170,6 +172,7 @@ app_detail_fields_with_site = {
    "updated_by": fields.String,
    "updated_at": TimestampField,
    "deleted_tools": fields.List(fields.String),
+    "access_mode": fields.String,
 }

 app_site_fields = {
--- a/api/poetry.lock
+++ b/api/poetry.lock
@@ -10473,44 +10473,44 @@ client = ["SQLAlchemy (>=1.4,<3)"]

 [[package]]
 name = "tiktoken"
-version = "0.8.0"
+version = "0.9.0"
 description = "tiktoken is a fast BPE tokeniser for use with OpenAI's models"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 markers = "python_version == \"3.11\" or python_version >= \"3.12\""
 files = [
-    {file = "tiktoken-0.8.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:b07e33283463089c81ef1467180e3e00ab00d46c2c4bbcef0acab5f771d6695e"},
-    {file = "tiktoken-0.8.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9269348cb650726f44dd3bbb3f9110ac19a8dcc8f54949ad3ef652ca22a38e21"},
-    {file = "tiktoken-0.8.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:25e13f37bc4ef2d012731e93e0fef21dc3b7aea5bb9009618de9a4026844e560"},
-    {file = "tiktoken-0.8.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f13d13c981511331eac0d01a59b5df7c0d4060a8be1e378672822213da51e0a2"},
-    {file = "tiktoken-0.8.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:6b2ddbc79a22621ce8b1166afa9f9a888a664a579350dc7c09346a3b5de837d9"},
-    {file = "tiktoken-0.8.0-cp310-cp310-win_amd64.whl", hash = "sha256:d8c2d0e5ba6453a290b86cd65fc51fedf247e1ba170191715b049dac1f628005"},
-    {file = "tiktoken-0.8.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:d622d8011e6d6f239297efa42a2657043aaed06c4f68833550cac9e9bc723ef1"},
-    {file = "tiktoken-0.8.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:2efaf6199717b4485031b4d6edb94075e4d79177a172f38dd934d911b588d54a"},
-    {file = "tiktoken-0.8.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5637e425ce1fc49cf716d88df3092048359a4b3bbb7da762840426e937ada06d"},
-    {file = "tiktoken-0.8.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9fb0e352d1dbe15aba082883058b3cce9e48d33101bdaac1eccf66424feb5b47"},
-    {file = "tiktoken-0.8.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:56edfefe896c8f10aba372ab5706b9e3558e78db39dd497c940b47bf228bc419"},
-    {file = "tiktoken-0.8.0-cp311-cp311-win_amd64.whl", hash = "sha256:326624128590def898775b722ccc327e90b073714227175ea8febbc920ac0a99"},
-    {file = "tiktoken-0.8.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:881839cfeae051b3628d9823b2e56b5cc93a9e2efb435f4cf15f17dc45f21586"},
-    {file = "tiktoken-0.8.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:fe9399bdc3f29d428f16a2f86c3c8ec20be3eac5f53693ce4980371c3245729b"},
-    {file = "tiktoken-0.8.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9a58deb7075d5b69237a3ff4bb51a726670419db6ea62bdcd8bd80c78497d7ab"},
-    {file = "tiktoken-0.8.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d2908c0d043a7d03ebd80347266b0e58440bdef5564f84f4d29fb235b5df3b04"},
-    {file = "tiktoken-0.8.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:294440d21a2a51e12d4238e68a5972095534fe9878be57d905c476017bff99fc"},
-    {file = "tiktoken-0.8.0-cp312-cp312-win_amd64.whl", hash = "sha256:d8f3192733ac4d77977432947d563d7e1b310b96497acd3c196c9bddb36ed9db"},
-    {file = "tiktoken-0.8.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:02be1666096aff7da6cbd7cdaa8e7917bfed3467cd64b38b1f112e96d3b06a24"},
-    {file = "tiktoken-0.8.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:c94ff53c5c74b535b2cbf431d907fc13c678bbd009ee633a2aca269a04389f9a"},
-    {file = "tiktoken-0.8.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6b231f5e8982c245ee3065cd84a4712d64692348bc609d84467c57b4b72dcbc5"},
-    {file = "tiktoken-0.8.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4177faa809bd55f699e88c96d9bb4635d22e3f59d635ba6fd9ffedf7150b9953"},
-    {file = "tiktoken-0.8.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:5376b6f8dc4753cd81ead935c5f518fa0fbe7e133d9e25f648d8c4dabdd4bad7"},
-    {file = "tiktoken-0.8.0-cp313-cp313-win_amd64.whl", hash = "sha256:18228d624807d66c87acd8f25fc135665617cab220671eb65b50f5d70fa51f69"},
-    {file = "tiktoken-0.8.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:7e17807445f0cf1f25771c9d86496bd8b5c376f7419912519699f3cc4dc5c12e"},
-    {file = "tiktoken-0.8.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:886f80bd339578bbdba6ed6d0567a0d5c6cfe198d9e587ba6c447654c65b8edc"},
-    {file = "tiktoken-0.8.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6adc8323016d7758d6de7313527f755b0fc6c72985b7d9291be5d96d73ecd1e1"},
-    {file = "tiktoken-0.8.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b591fb2b30d6a72121a80be24ec7a0e9eb51c5500ddc7e4c2496516dd5e3816b"},
-    {file = "tiktoken-0.8.0-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:845287b9798e476b4d762c3ebda5102be87ca26e5d2c9854002825d60cdb815d"},
-    {file = "tiktoken-0.8.0-cp39-cp39-win_amd64.whl", hash = "sha256:1473cfe584252dc3fa62adceb5b1c763c1874e04511b197da4e6de51d6ce5a02"},
-    {file = "tiktoken-0.8.0.tar.gz", hash = "sha256:9ccbb2740f24542534369c5635cfd9b2b3c2490754a78ac8831d99f89f94eeb2"},
+    {file = "tiktoken-0.9.0-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:586c16358138b96ea804c034b8acf3f5d3f0258bd2bc3b0227af4af5d622e382"},
+    {file = "tiktoken-0.9.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:d9c59ccc528c6c5dd51820b3474402f69d9a9e1d656226848ad68a8d5b2e5108"},
+    {file = "tiktoken-0.9.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f0968d5beeafbca2a72c595e8385a1a1f8af58feaebb02b227229b69ca5357fd"},
+    {file = "tiktoken-0.9.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:92a5fb085a6a3b7350b8fc838baf493317ca0e17bd95e8642f95fc69ecfed1de"},
+    {file = "tiktoken-0.9.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:15a2752dea63d93b0332fb0ddb05dd909371ededa145fe6a3242f46724fa7990"},
+    {file = "tiktoken-0.9.0-cp310-cp310-win_amd64.whl", hash = "sha256:26113fec3bd7a352e4b33dbaf1bd8948de2507e30bd95a44e2b1156647bc01b4"},
+    {file = "tiktoken-0.9.0-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:f32cc56168eac4851109e9b5d327637f15fd662aa30dd79f964b7c39fbadd26e"},
+    {file = "tiktoken-0.9.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:45556bc41241e5294063508caf901bf92ba52d8ef9222023f83d2483a3055348"},
+    {file = "tiktoken-0.9.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:03935988a91d6d3216e2ec7c645afbb3d870b37bcb67ada1943ec48678e7ee33"},
+    {file = "tiktoken-0.9.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8b3d80aad8d2c6b9238fc1a5524542087c52b860b10cbf952429ffb714bc1136"},
+    {file = "tiktoken-0.9.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:b2a21133be05dc116b1d0372af051cd2c6aa1d2188250c9b553f9fa49301b336"},
+    {file = "tiktoken-0.9.0-cp311-cp311-win_amd64.whl", hash = "sha256:11a20e67fdf58b0e2dea7b8654a288e481bb4fc0289d3ad21291f8d0849915fb"},
+    {file = "tiktoken-0.9.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:e88f121c1c22b726649ce67c089b90ddda8b9662545a8aeb03cfef15967ddd03"},
+    {file = "tiktoken-0.9.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:a6600660f2f72369acb13a57fb3e212434ed38b045fd8cc6cdd74947b4b5d210"},
+    {file = "tiktoken-0.9.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:95e811743b5dfa74f4b227927ed86cbc57cad4df859cb3b643be797914e41794"},
+    {file = "tiktoken-0.9.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:99376e1370d59bcf6935c933cb9ba64adc29033b7e73f5f7569f3aad86552b22"},
+    {file = "tiktoken-0.9.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:badb947c32739fb6ddde173e14885fb3de4d32ab9d8c591cbd013c22b4c31dd2"},
+    {file = "tiktoken-0.9.0-cp312-cp312-win_amd64.whl", hash = "sha256:5a62d7a25225bafed786a524c1b9f0910a1128f4232615bf3f8257a73aaa3b16"},
+    {file = "tiktoken-0.9.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:2b0e8e05a26eda1249e824156d537015480af7ae222ccb798e5234ae0285dbdb"},
+    {file = "tiktoken-0.9.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:27d457f096f87685195eea0165a1807fae87b97b2161fe8c9b1df5bd74ca6f63"},
+    {file = "tiktoken-0.9.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2cf8ded49cddf825390e36dd1ad35cd49589e8161fdcb52aa25f0583e90a3e01"},
+    {file = "tiktoken-0.9.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:cc156cb314119a8bb9748257a2eaebd5cc0753b6cb491d26694ed42fc7cb3139"},
+    {file = "tiktoken-0.9.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:cd69372e8c9dd761f0ab873112aba55a0e3e506332dd9f7522ca466e817b1b7a"},
+    {file = "tiktoken-0.9.0-cp313-cp313-win_amd64.whl", hash = "sha256:5ea0edb6f83dc56d794723286215918c1cde03712cbbafa0348b33448faf5b95"},
+    {file = "tiktoken-0.9.0-cp39-cp39-macosx_10_12_x86_64.whl", hash = "sha256:c6386ca815e7d96ef5b4ac61e0048cd32ca5a92d5781255e13b31381d28667dc"},
+    {file = "tiktoken-0.9.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:75f6d5db5bc2c6274b674ceab1615c1778e6416b14705827d19b40e6355f03e0"},
+    {file = "tiktoken-0.9.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e15b16f61e6f4625a57a36496d28dd182a8a60ec20a534c5343ba3cafa156ac7"},
+    {file = "tiktoken-0.9.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3ebcec91babf21297022882344c3f7d9eed855931466c3311b1ad6b64befb3df"},
+    {file = "tiktoken-0.9.0-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:e5fd49e7799579240f03913447c0cdfa1129625ebd5ac440787afc4345990427"},
+    {file = "tiktoken-0.9.0-cp39-cp39-win_amd64.whl", hash = "sha256:26242ca9dc8b58e875ff4ca078b9a94d2f0813e6a535dcd2205df5d49d927cc7"},
+    {file = "tiktoken-0.9.0.tar.gz", hash = "sha256:d02a5ca6a938e0490e1ff957bc48c8b078c88cb83977be1625b1fd8aac792c5d"},
 ]

 [package.dependencies]
@@ -12389,4 +12389,4 @@ cffi = ["cffi (>=1.11)"]
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.11,<3.13"
-content-hash = "d197cdff507a70323c1d6aca11609188f54970f67715af744fe6def15b7776fd"
+content-hash = "0df8aef68385b6596306fd18af317a835023d648eb5028cd57ec463f176e4c0f"
--- a/api/pyproject.toml
+++ b/api/pyproject.toml
@@ -85,7 +85,7 @@ sentry-sdk = { version = "~1.44.1", extras = ["flask"] }
 sqlalchemy = "~2.0.29"
 starlette = "0.41.0"
 tencentcloud-sdk-python-hunyuan = "~3.0.1294"
-tiktoken = "~0.8.0"
+tiktoken = "^0.9.0"
 tokenizers = "~0.15.0"
 transformers = "~4.35.0"
 unstructured = { version = "~0.16.1", extras = ["docx", "epub", "md", "msg", "ppt", "pptx"] }
--- a/api/services/account_service.py
+++ b/api/services/account_service.py
@@ -49,7 +49,7 @@ from services.errors.account import (
    RoleAlreadyAssignedError,
    TenantNotFoundError,
 )
-from services.errors.workspace import WorkSpaceNotAllowedCreateError
+from services.errors.workspace import WorkSpaceNotAllowedCreateError, WorkspacesLimitExceededError
 from services.feature_service import FeatureService
 from tasks.delete_account_task import delete_account_task
 from tasks.mail_account_deletion_task import send_account_deletion_verification_code
@@ -406,10 +406,8 @@ class AccountService:

            raise PasswordResetRateLimitExceededError()

-        code = "".join([str(random.randint(0, 9)) for _ in range(6)])
-        token = TokenManager.generate_token(
-            account=account, email=email, token_type="reset_password", additional_data={"code": code}
-        )
+        code, token = cls.generate_reset_password_token(account_email, account)
+
        send_reset_password_mail_task.delay(
            language=language,
            to=account_email,
@@ -418,6 +416,22 @@ class AccountService:
        cls.reset_password_rate_limiter.increment_rate_limit(account_email)
        return token

+    @classmethod
+    def generate_reset_password_token(
+        cls,
+        email: str,
+        account: Optional[Account] = None,
+        code: Optional[str] = None,
+        additional_data: dict[str, Any] = {},
+    ):
+        if not code:
+            code = "".join([str(random.randint(0, 9)) for _ in range(6)])
+        additional_data["code"] = code
+        token = TokenManager.generate_token(
+            account=account, email=email, token_type="reset_password", additional_data=additional_data
+        )
+        return code, token
+
    @classmethod
    def revoke_reset_password_token(cls, token: str):
        TokenManager.revoke_token(token, "reset_password")
@@ -585,6 +599,10 @@ class TenantService:
        if not FeatureService.get_system_features().is_allow_create_workspace and not is_setup:
            raise WorkSpaceNotAllowedCreateError()

+        workspaces = FeatureService.get_system_features().license.workspaces
+        if not workspaces.is_available():
+            raise WorkspacesLimitExceededError()
+
        if name:
            tenant = TenantService.create_tenant(name=name, is_setup=is_setup)
        else:
@@ -740,8 +758,8 @@ class TenantService:
        """Check member permission"""
        perms = {
            "add": [TenantAccountRole.OWNER, TenantAccountRole.ADMIN],
-            "remove": [TenantAccountRole.OWNER],
-            "update": [TenantAccountRole.OWNER],
+            "remove": [TenantAccountRole.OWNER, TenantAccountRole.ADMIN],
+            "update": [TenantAccountRole.OWNER, TenantAccountRole.ADMIN],
        }
        if action not in {"add", "remove", "update"}:
            raise InvalidActionError("Invalid action.")
@@ -754,13 +772,24 @@ class TenantService:

        if not ta_operator or ta_operator.role not in perms[action]:
            raise NoPermissionError(f"No permission to {action} member.")
+        
+        # Admin cannot remove or update other admin and the owner
+        if action in {"remove", "update"}:
+            if ta_operator.role == TenantAccountRole.ADMIN:
+                if member:
+                    ta_member = TenantAccountJoin.query.filter_by(tenant_id=tenant.id, account_id=member.id).first()
+                    if not ta_member or ta_member.role in {TenantAccountRole.OWNER, TenantAccountRole.ADMIN}:
+                        raise NoPermissionError(f"No permission to {action} member.")
+            

    @staticmethod
    def remove_member_from_tenant(tenant: Tenant, account: Account, operator: Account) -> None:
        """Remove member from tenant"""
-        if operator.id == account.id and TenantService.check_member_permission(tenant, operator, account, "remove"):
+        if operator.id == account.id:
            raise CannotOperateSelfError("Cannot operate self.")

+        TenantService.check_member_permission(tenant, operator, account, "remove")
+
        ta = TenantAccountJoin.query.filter_by(tenant_id=tenant.id, account_id=account.id).first()
        if not ta:
            raise MemberNotInTenantError("Member not in tenant.")
@@ -875,7 +904,10 @@ class RegisterService:
            if open_id is not None and provider is not None:
                AccountService.link_account_integrate(provider, open_id, account)

-            if FeatureService.get_system_features().is_allow_create_workspace and create_workspace_required:
+            if (FeatureService.get_system_features().is_allow_create_workspace
+                    and create_workspace_required
+                    and FeatureService.get_system_features().license.workspaces.is_available()
+            ):
                tenant = TenantService.create_tenant(f"{account.name}'s Workspace")
                TenantService.create_tenant_member(tenant, account, role="owner")
                account.current_tenant = tenant
--- a/api/services/app_dsl_service.py
+++ b/api/services/app_dsl_service.py
@@ -55,13 +55,19 @@ def _check_version_compatibility(imported_version: str) -> ImportStatus:
    except version.InvalidVersion:
        return ImportStatus.FAILED

-    # Compare major version and minor version
-    if current_ver.major != imported_ver.major or current_ver.minor != imported_ver.minor:
+    # If imported version is newer than current, always return PENDING
+    if imported_ver > current_ver:
        return ImportStatus.PENDING

-    if current_ver.micro != imported_ver.micro:
+    # If imported version is older than current's major, return PENDING
+    if imported_ver.major < current_ver.major:
+        return ImportStatus.PENDING
+
+    # If imported version is older than current's minor, return COMPLETED_WITH_WARNINGS
+    if imported_ver.minor < current_ver.minor:
        return ImportStatus.COMPLETED_WITH_WARNINGS

+    # If imported version equals or is older than current's micro, return COMPLETED
    return ImportStatus.COMPLETED


--- a/api/services/app_service.py
+++ b/api/services/app_service.py
@@ -19,8 +19,10 @@ from core.tools.utils.configuration import ToolParameterConfigurationManager
 from events.app_event import app_was_created
 from extensions.ext_database import db
 from models.account import Account
-from models.model import App, AppMode, AppModelConfig
+from models.model import App, AppMode, AppModelConfig, Site
 from models.tools import ApiToolProvider
+from services.enterprise.enterprise_service import EnterpriseService
+from services.feature_service import FeatureService
 from services.tag_service import TagService
 from tasks.remove_app_and_related_data_task import remove_app_and_related_data_task

@@ -152,6 +154,10 @@ class AppService:

        app_was_created.send(app, account=account)

+        if FeatureService.get_system_features().webapp_auth.enabled:
+            # update web app setting as private
+            EnterpriseService.WebAppAuth.update_app_access_mode(app.id, "private")
+
        return app

    def get_app(self, app: App) -> App:
@@ -308,6 +314,10 @@ class AppService:
        db.session.delete(app)
        db.session.commit()

+        # clean up web app settings
+        if FeatureService.get_system_features().webapp_auth.enabled:
+            EnterpriseService.WebAppAuth.cleanup_webapp(app.id)
+
        # Trigger asynchronous deletion of app and related data
        remove_app_and_related_data_task.delay(tenant_id=app.tenant_id, app_id=app.id)

@@ -374,3 +384,15 @@ class AppService:
                        meta["tool_icons"][tool_name] = {"background": "#252525", "content": "\ud83d\ude01"}

        return meta
+
+    @staticmethod
+    def get_app_code_by_id(app_id: str) -> str:
+        """
+        Get app code by app id
+        :param app_id: app id
+        :return: app code
+        """
+        site = db.session.query(Site).filter(Site.app_id == app_id).first()
+        if not site:
+            raise ValueError(f"App with id {app_id} not found")
+        return str(site.code)
--- a/api/services/enterprise/enterprise_service.py
+++ b/api/services/enterprise/enterprise_service.py
@@ -1,11 +1,91 @@
+
+from pydantic import BaseModel, Field
+
 from services.enterprise.base import EnterpriseRequest


+class WebAppSettings(BaseModel):
+    access_mode: str = Field(
+        description="Access mode for the web app. Can be 'public' or 'private'",
+        default="private",
+        alias="accessMode",
+    )
+
+
 class EnterpriseService:
    @classmethod
    def get_info(cls):
        return EnterpriseRequest.send_request("GET", "/info")

    @classmethod
-    def get_app_web_sso_enabled(cls, app_code):
-        return EnterpriseRequest.send_request("GET", f"/app-sso-setting?appCode={app_code}")
+    def get_workspace_info(cls, tenant_id:str):
+        return EnterpriseRequest.send_request("GET", f"/workspace/{tenant_id}/info")
+
+    class WebAppAuth:
+        @classmethod
+        def is_user_allowed_to_access_webapp(cls, user_id: str, app_code: str) -> bool:
+            params = {"userId": user_id, "appCode": app_code}
+            data = EnterpriseRequest.send_request("GET", "/webapp/permission", params=params)
+
+            return data.get("result", False)
+
+        @classmethod
+        def get_app_access_mode_by_id(cls, app_id: str) -> WebAppSettings:
+            if not app_id:
+                raise ValueError("app_id must be provided.")
+            params = {"appId": app_id}
+            data = EnterpriseRequest.send_request("GET", "/webapp/access-mode/id", params=params)
+            if not data:
+                raise ValueError("No data found.")
+            return WebAppSettings(**data)
+
+        @classmethod
+        def batch_get_app_access_mode_by_id(cls, app_ids: list[str]) -> dict[str, WebAppSettings]:
+            if not app_ids:
+                return {}
+            body = {"appIds": app_ids}
+            data: dict[str, str] = EnterpriseRequest.send_request("POST", "/webapp/access-mode/batch/id", json=body)
+            if not data:
+                raise ValueError("No data found.")
+
+            if not isinstance(data["accessModes"], dict):
+                raise ValueError("Invalid data format.")
+
+            ret = {}
+            for key, value in data["accessModes"].items():
+                curr = WebAppSettings()
+                curr.access_mode = value
+                ret[key] = curr
+
+            return ret
+
+        @classmethod
+        def get_app_access_mode_by_code(cls, app_code: str) -> WebAppSettings:
+            if not app_code:
+                raise ValueError("app_code must be provided.")
+            params = {"appCode": app_code}
+            data = EnterpriseRequest.send_request("GET", "/webapp/access-mode/code", params=params)
+            if not data:
+                raise ValueError("No data found.")
+            return WebAppSettings(**data)
+
+        @classmethod
+        def update_app_access_mode(cls, app_id: str, access_mode: str) -> bool:
+            if not app_id:
+                raise ValueError("app_id must be provided.")
+            if access_mode not in ["public", "private", "private_all"]:
+                raise ValueError("access_mode must be either 'public', 'private', or 'private_all'")
+
+            data = {"appId": app_id, "accessMode": access_mode}
+
+            response = EnterpriseRequest.send_request("POST", "/webapp/access-mode", json=data)
+
+            return response.get("result", False)
+
+        @classmethod
+        def cleanup_webapp(cls, app_id: str):
+            if not app_id:
+                raise ValueError("app_id must be provided.")
+
+            body = {"appId": app_id}
+            EnterpriseRequest.send_request("DELETE", "/webapp/clean", json=body)
--- a/api/services/enterprise/mail_service.py
+++ b/api/services/enterprise/mail_service.py
@@ -0,0 +1,18 @@
+from pydantic import BaseModel
+
+from tasks.mail_enterprise_task import send_enterprise_email_task
+
+
+class DifyMail(BaseModel):
+    to: list[str]
+    subject: str
+    body: str
+    substitutions: dict[str, str] = {}
+
+
+class EnterpriseMailService:
+    @classmethod
+    def send_mail(cls, mail: DifyMail):
+        send_enterprise_email_task.delay(
+            to=mail.to, subject=mail.subject, body=mail.body, substitutions=mail.substitutions
+        )
--- a/api/services/errors/workspace.py
+++ b/api/services/errors/workspace.py
@@ -7,3 +7,7 @@ class WorkSpaceNotAllowedCreateError(BaseServiceError):

 class WorkSpaceNotFoundError(BaseServiceError):
    pass
+
+
+class WorkspacesLimitExceededError(BaseServiceError):
+    pass
--- a/api/services/feature_service.py
+++ b/api/services/feature_service.py
@@ -1,6 +1,6 @@
 from enum import StrEnum

-from pydantic import BaseModel, ConfigDict
+from pydantic import BaseModel, ConfigDict, Field

 from configs import dify_config
 from services.billing_service import BillingService
@@ -22,6 +22,32 @@ class LimitationModel(BaseModel):
    limit: int = 0


+class LicenseLimitationModel(BaseModel):
+    """
+    - enabled: whether this limit is enforced
+    - size: current usage count
+    - limit: maximum allowed count; 0 means unlimited
+    """
+
+    enabled: bool = Field(False, description="Whether this limit is currently active")
+    size: int = Field(0, description="Number of resources already consumed")
+    limit: int = Field(0, description="Maximum number of resources allowed; 0 means no limit")
+
+    def is_available(self, required: int = 1) -> bool:
+        """
+        Determine whether the requested amount can be allocated.
+
+        Returns True if:
+         - this limit is not active, or
+         - the limit is zero (unlimited), or
+         - there is enough remaining quota.
+        """
+        if not self.enabled or self.limit == 0:
+            return True
+
+        return (self.limit - self.size) >= required
+
+
 class LicenseStatus(StrEnum):
    NONE = "none"
    INACTIVE = "inactive"
@@ -34,6 +60,27 @@ class LicenseStatus(StrEnum):
 class LicenseModel(BaseModel):
    status: LicenseStatus = LicenseStatus.NONE
    expired_at: str = ""
+    workspaces: LicenseLimitationModel = LicenseLimitationModel(enabled=False, size=0, limit=0)
+
+
+class BrandingModel(BaseModel):
+    enabled: bool = False
+    application_title: str = ""
+    login_page_logo: str = ""
+    workspace_logo: str = ""
+    favicon: str = ""
+
+
+class WebAppAuthSSOModel(BaseModel):
+    protocol: str = ""
+
+
+class WebAppAuthModel(BaseModel):
+    enabled: bool = False
+    allow_sso: bool = False
+    sso_config: WebAppAuthSSOModel = WebAppAuthSSOModel()
+    allow_email_code_login: bool = False
+    allow_email_password_login: bool = False


 class FeatureModel(BaseModel):
@@ -47,6 +94,8 @@ class FeatureModel(BaseModel):
    can_replace_logo: bool = False
    model_load_balancing_enabled: bool = False
    dataset_operator_enabled: bool = False
+    webapp_copyright_enabled: bool = False
+    workspace_members: LicenseLimitationModel = LicenseLimitationModel(enabled=False, size=0, limit=0)

    # pydantic configs
    model_config = ConfigDict(protected_namespaces=())
@@ -55,9 +104,6 @@ class FeatureModel(BaseModel):
 class SystemFeatureModel(BaseModel):
    sso_enforced_for_signin: bool = False
    sso_enforced_for_signin_protocol: str = ""
-    sso_enforced_for_web: bool = False
-    sso_enforced_for_web_protocol: str = ""
-    enable_web_sso_switch_component: bool = False
    enable_email_code_login: bool = False
    enable_email_password_login: bool = True
    enable_social_oauth_login: bool = False
@@ -65,6 +111,8 @@ class SystemFeatureModel(BaseModel):
    is_allow_create_workspace: bool = False
    is_email_setup: bool = False
    license: LicenseModel = LicenseModel()
+    branding: BrandingModel = BrandingModel()
+    webapp_auth: WebAppAuthModel = WebAppAuthModel()


 class FeatureService:
@@ -77,6 +125,10 @@ class FeatureService:
        if dify_config.BILLING_ENABLED and tenant_id:
            cls._fulfill_params_from_billing_api(features, tenant_id)

+        if dify_config.ENTERPRISE_ENABLED:
+            features.webapp_copyright_enabled = True
+            cls._fulfill_params_from_workspace_info(features, tenant_id)
+
        return features

    @classmethod
@@ -86,8 +138,8 @@ class FeatureService:
        cls._fulfill_system_params_from_env(system_features)

        if dify_config.ENTERPRISE_ENABLED:
-            system_features.enable_web_sso_switch_component = True
-
+            system_features.branding.enabled = True
+            system_features.webapp_auth.enabled = True
            cls._fulfill_params_from_enterprise(system_features)

        return system_features
@@ -107,6 +159,14 @@ class FeatureService:
        features.model_load_balancing_enabled = dify_config.MODEL_LB_ENABLED
        features.dataset_operator_enabled = dify_config.DATASET_OPERATOR_ENABLED

+    @classmethod
+    def _fulfill_params_from_workspace_info(cls, features: FeatureModel, tenant_id: str):
+        workspace_info = EnterpriseService.get_workspace_info(tenant_id)
+        if "WorkspaceMembers" in workspace_info:
+            features.workspace_members.size = workspace_info["WorkspaceMembers"]["used"]
+            features.workspace_members.limit = workspace_info["WorkspaceMembers"]["limit"]
+            features.workspace_members.enabled = workspace_info["WorkspaceMembers"]["enabled"]
+
    @classmethod
    def _fulfill_params_from_billing_api(cls, features: FeatureModel, tenant_id: str):
        billing_info = BillingService.get_info(tenant_id)
@@ -115,6 +175,9 @@ class FeatureService:
        features.billing.subscription.plan = billing_info["subscription"]["plan"]
        features.billing.subscription.interval = billing_info["subscription"]["interval"]

+        if features.billing.subscription.plan != "sandbox":
+            features.webapp_copyright_enabled = True
+
        if "members" in billing_info:
            features.members.size = billing_info["members"]["size"]
            features.members.limit = billing_info["members"]["limit"]
@@ -145,38 +208,53 @@ class FeatureService:
            features.model_load_balancing_enabled = billing_info["model_load_balancing_enabled"]

    @classmethod
-    def _fulfill_params_from_enterprise(cls, features):
+    def _fulfill_params_from_enterprise(cls, features: SystemFeatureModel):
        enterprise_info = EnterpriseService.get_info()

-        if "sso_enforced_for_signin" in enterprise_info:
-            features.sso_enforced_for_signin = enterprise_info["sso_enforced_for_signin"]
+        if "SSOEnforcedForSignin" in enterprise_info:
+            features.sso_enforced_for_signin = enterprise_info["SSOEnforcedForSignin"]

-        if "sso_enforced_for_signin_protocol" in enterprise_info:
-            features.sso_enforced_for_signin_protocol = enterprise_info["sso_enforced_for_signin_protocol"]
+        if "SSOEnforcedForSigninProtocol" in enterprise_info:
+            features.sso_enforced_for_signin_protocol = enterprise_info["SSOEnforcedForSigninProtocol"]

-        if "sso_enforced_for_web" in enterprise_info:
-            features.sso_enforced_for_web = enterprise_info["sso_enforced_for_web"]
+        if "EnableEmailCodeLogin" in enterprise_info:
+            features.enable_email_code_login = enterprise_info["EnableEmailCodeLogin"]

-        if "sso_enforced_for_web_protocol" in enterprise_info:
-            features.sso_enforced_for_web_protocol = enterprise_info["sso_enforced_for_web_protocol"]
+        if "EnableEmailPasswordLogin" in enterprise_info:
+            features.enable_email_password_login = enterprise_info["EnableEmailPasswordLogin"]

-        if "enable_email_code_login" in enterprise_info:
-            features.enable_email_code_login = enterprise_info["enable_email_code_login"]
+        if "IsAllowRegister" in enterprise_info:
+            features.is_allow_register = enterprise_info["IsAllowRegister"]

-        if "enable_email_password_login" in enterprise_info:
-            features.enable_email_password_login = enterprise_info["enable_email_password_login"]
+        if "IsAllowCreateWorkspace" in enterprise_info:
+            features.is_allow_create_workspace = enterprise_info["IsAllowCreateWorkspace"]

-        if "is_allow_register" in enterprise_info:
-            features.is_allow_register = enterprise_info["is_allow_register"]
+        if "Branding" in enterprise_info:
+            features.branding.application_title = enterprise_info["Branding"].get("applicationTitle", "")
+            features.branding.login_page_logo = enterprise_info["Branding"].get("loginPageLogo", "")
+            features.branding.workspace_logo = enterprise_info["Branding"].get("workspaceLogo", "")
+            features.branding.favicon = enterprise_info["Branding"].get("favicon", "")

-        if "is_allow_create_workspace" in enterprise_info:
-            features.is_allow_create_workspace = enterprise_info["is_allow_create_workspace"]
+        if "WebAppAuth" in enterprise_info:
+            features.webapp_auth.allow_sso = enterprise_info["WebAppAuth"].get("allowSso", False)
+            features.webapp_auth.allow_email_code_login = enterprise_info["WebAppAuth"].get(
+                "allowEmailCodeLogin", False
+            )
+            features.webapp_auth.allow_email_password_login = enterprise_info["WebAppAuth"].get(
+                "allowEmailPasswordLogin", False
+            )
+            features.webapp_auth.sso_config.protocol = enterprise_info.get("SSOEnforcedForWebProtocol", "")

-        if "license" in enterprise_info:
-            license_info = enterprise_info["license"]
+        if "License" in enterprise_info:
+            license_info = enterprise_info["License"]

            if "status" in license_info:
                features.license.status = LicenseStatus(license_info.get("status", LicenseStatus.INACTIVE))

-            if "expired_at" in license_info:
-                features.license.expired_at = license_info["expired_at"]
+            if "expiredAt" in license_info:
+                features.license.expired_at = license_info["expiredAt"]
+
+            if "workspaces" in license_info:
+                features.license.workspaces.enabled = license_info["workspaces"]["enabled"]
+                features.license.workspaces.limit = license_info["workspaces"]["limit"]
+                features.license.workspaces.size = license_info["workspaces"]["used"]
--- a/api/services/webapp_auth_service.py
+++ b/api/services/webapp_auth_service.py
@@ -0,0 +1,137 @@
+import random
+from datetime import UTC, datetime, timedelta
+from typing import Any, Optional, cast
+
+from werkzeug.exceptions import NotFound, Unauthorized
+
+from configs import dify_config
+from controllers.web.error import WebAppAuthAccessDeniedError
+from extensions.ext_database import db
+from libs.helper import TokenManager
+from libs.passport import PassportService
+from libs.password import compare_password
+from models.account import Account, AccountStatus
+from models.model import App, EndUser, Site
+from services.enterprise.enterprise_service import EnterpriseService
+from services.errors.account import AccountLoginError, AccountNotFoundError, AccountPasswordError
+from services.feature_service import FeatureService
+from tasks.mail_email_code_login import send_email_code_login_mail_task
+
+
+class WebAppAuthService:
+    """Service for web app authentication."""
+
+    @staticmethod
+    def authenticate(email: str, password: str) -> Account:
+        """authenticate account with email and password"""
+
+        account = Account.query.filter_by(email=email).first()
+        if not account:
+            raise AccountNotFoundError()
+
+        if account.status == AccountStatus.BANNED.value:
+            raise AccountLoginError("Account is banned.")
+
+        if account.password is None or not compare_password(password, account.password, account.password_salt):
+            raise AccountPasswordError("Invalid email or password.")
+
+        return cast(Account, account)
+
+    @classmethod
+    def login(cls, account: Account, app_code: str, end_user_id: str) -> str:
+        site = db.session.query(Site).filter(Site.code == app_code).first()
+        if not site:
+            raise NotFound("Site not found.")
+
+        access_token = cls._get_account_jwt_token(account=account, site=site, end_user_id=end_user_id)
+
+        return access_token
+
+    @classmethod
+    def get_user_through_email(cls, email: str):
+        account = db.session.query(Account).filter(Account.email == email).first()
+        if not account:
+            return None
+
+        if account.status == AccountStatus.BANNED.value:
+            raise Unauthorized("Account is banned.")
+
+        return account
+
+    @classmethod
+    def send_email_code_login_email(
+        cls, account: Optional[Account] = None, email: Optional[str] = None, language: Optional[str] = "en-US"
+    ):
+        email = account.email if account else email
+        if email is None:
+            raise ValueError("Email must be provided.")
+
+        code = "".join([str(random.randint(0, 9)) for _ in range(6)])
+        token = TokenManager.generate_token(
+            account=account, email=email, token_type="webapp_email_code_login", additional_data={"code": code}
+        )
+        send_email_code_login_mail_task.delay(
+            language=language,
+            to=account.email if account else email,
+            code=code,
+        )
+
+        return token
+
+    @classmethod
+    def get_email_code_login_data(cls, token: str) -> Optional[dict[str, Any]]:
+        return TokenManager.get_token_data(token, "webapp_email_code_login")
+
+    @classmethod
+    def revoke_email_code_login_token(cls, token: str):
+        TokenManager.revoke_token(token, "webapp_email_code_login")
+
+    @classmethod
+    def create_end_user(cls, app_code, email) -> EndUser:
+        site = db.session.query(Site).filter(Site.code == app_code).first()
+        app_model = db.session.query(App).filter(App.id == site.app_id).first()
+        end_user = EndUser(
+            tenant_id=app_model.tenant_id,
+            app_id=app_model.id,
+            type="browser",
+            is_anonymous=False,
+            session_id=email,
+            name="enterpriseuser",
+            external_user_id="enterpriseuser",
+        )
+        db.session.add(end_user)
+        db.session.commit()
+
+        return end_user
+
+    @classmethod
+    def _validate_user_accessibility(cls, account: Account, app_code: str):
+        """Check if the user is allowed to access the app."""
+        system_features = FeatureService.get_system_features()
+        if system_features.webapp_auth.enabled:
+            app_settings = EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=app_code)
+
+            if (
+                app_settings.access_mode != "public"
+                and not EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(account.id, app_code=app_code)
+            ):
+                raise WebAppAuthAccessDeniedError()
+
+    @classmethod
+    def _get_account_jwt_token(cls, account: Account, site: Site, end_user_id: str) -> str:
+        exp_dt = datetime.now(UTC) + timedelta(hours=dify_config.WebAppSessionTimeoutInHours * 24)
+        exp = int(exp_dt.timestamp())
+
+        payload = {
+            "iss": site.id,
+            "sub": "Web API Passport",
+            "app_id": site.app_id,
+            "app_code": site.code,
+            "user_id": account.id,
+            "end_user_id": end_user_id,
+            "token_source": "webapp",
+            "exp": exp,
+        }
+
+        token: str = PassportService().issue(payload)
+        return token
--- a/api/tasks/mail_email_code_login.py
+++ b/api/tasks/mail_email_code_login.py
@@ -6,6 +6,7 @@ from celery import shared_task  # type: ignore
 from flask import render_template

 from extensions.ext_mail import mail
+from services.feature_service import FeatureService


@shared_task(queue="mail")
@@ -25,10 +26,24 @@ def send_email_code_login_mail_task(language: str, to: str, code: str):
    # send email code login mail using different languages
    try:
        if language == "zh-Hans":
-            html_content = render_template("email_code_login_mail_template_zh-CN.html", to=to, code=code)
+            template = "email_code_login_mail_template_zh-CN.html"
+            system_features = FeatureService.get_system_features()
+            if system_features.branding.enabled:
+                application_title = system_features.branding.application_title
+                template = "without-brand/email_code_login_mail_template_zh-CN.html"
+                html_content = render_template(template, to=to, code=code, application_title=application_title)
+            else:
+                html_content = render_template(template, to=to, code=code)
            mail.send(to=to, subject="邮箱验证码", html=html_content)
        else:
-            html_content = render_template("email_code_login_mail_template_en-US.html", to=to, code=code)
+            template = "email_code_login_mail_template_en-US.html"
+            system_features = FeatureService.get_system_features()
+            if system_features.branding.enabled:
+                application_title = system_features.branding.application_title
+                template = "without-brand/email_code_login_mail_template_en-US.html"
+                html_content = render_template(template, to=to, code=code, application_title=application_title)
+            else:
+                html_content = render_template(template, to=to, code=code)
            mail.send(to=to, subject="Email Code", html=html_content)

        end_at = time.perf_counter()
--- a/api/tasks/mail_enterprise_task.py
+++ b/api/tasks/mail_enterprise_task.py
@@ -0,0 +1,33 @@
+import logging
+import time
+
+import click
+from celery import shared_task  # type: ignore
+from flask import render_template_string
+
+from extensions.ext_mail import mail
+
+
+@shared_task(queue="mail")
+def send_enterprise_email_task(to, subject, body, substitutions):
+    if not mail.is_inited():
+        return
+
+    logging.info(click.style("Start enterprise mail to {} with subject {}".format(to, subject), fg="green"))
+    start_at = time.perf_counter()
+
+    try:
+        html_content = render_template_string(body, **substitutions)
+
+        if isinstance(to, list):
+            for t in to:
+                mail.send(to=t, subject=subject, html=html_content)
+        else:
+            mail.send(to=to, subject=subject, html=html_content)
+
+        end_at = time.perf_counter()
+        logging.info(
+            click.style("Send enterprise mail to {} succeeded: latency: {}".format(to, end_at - start_at), fg="green")
+        )
+    except Exception:
+        logging.exception("Send enterprise mail to {} failed".format(to))
--- a/api/tasks/mail_invite_member_task.py
+++ b/api/tasks/mail_invite_member_task.py
@@ -7,6 +7,7 @@ from flask import render_template

 from configs import dify_config
 from extensions.ext_mail import mail
+from services.feature_service import FeatureService


@shared_task(queue="mail")
@@ -33,23 +34,45 @@ def send_invite_member_mail_task(language: str, to: str, token: str, inviter_nam
    try:
        url = f"{dify_config.CONSOLE_WEB_URL}/activate?token={token}"
        if language == "zh-Hans":
-            html_content = render_template(
-                "invite_member_mail_template_zh-CN.html",
-                to=to,
-                inviter_name=inviter_name,
-                workspace_name=workspace_name,
-                url=url,
-            )
-            mail.send(to=to, subject="立即加入 Dify 工作空间", html=html_content)
+            template = "invite_member_mail_template_zh-CN.html"
+            system_features = FeatureService.get_system_features()
+            if system_features.branding.enabled:
+                application_title = system_features.branding.application_title
+                template = "without-brand/invite_member_mail_template_zh-CN.html"
+                html_content = render_template(
+                    template,
+                    to=to,
+                    inviter_name=inviter_name,
+                    workspace_name=workspace_name,
+                    url=url,
+                    application_title=application_title,
+                )
+                mail.send(to=to, subject=f"立即加入 {application_title} 工作空间", html=html_content)
+            else:
+                html_content = render_template(
+                    template, to=to, inviter_name=inviter_name, workspace_name=workspace_name, url=url
+                )
+                mail.send(to=to, subject="立即加入 Dify 工作空间", html=html_content)
        else:
-            html_content = render_template(
-                "invite_member_mail_template_en-US.html",
-                to=to,
-                inviter_name=inviter_name,
-                workspace_name=workspace_name,
-                url=url,
-            )
-            mail.send(to=to, subject="Join Dify Workspace Now", html=html_content)
+            template = "invite_member_mail_template_en-US.html"
+            system_features = FeatureService.get_system_features()
+            if system_features.branding.enabled:
+                application_title = system_features.branding.application_title
+                template = "without-brand/invite_member_mail_template_en-US.html"
+                html_content = render_template(
+                    template,
+                    to=to,
+                    inviter_name=inviter_name,
+                    workspace_name=workspace_name,
+                    url=url,
+                    application_title=application_title,
+                )
+                mail.send(to=to, subject=f"Join {application_title} Workspace Now", html=html_content)
+            else:
+                html_content = render_template(
+                    template, to=to, inviter_name=inviter_name, workspace_name=workspace_name, url=url
+                )
+                mail.send(to=to, subject="Join Dify Workspace Now", html=html_content)

        end_at = time.perf_counter()
        logging.info(
--- a/api/tasks/mail_reset_password_task.py
+++ b/api/tasks/mail_reset_password_task.py
@@ -6,6 +6,7 @@ from celery import shared_task  # type: ignore
 from flask import render_template

 from extensions.ext_mail import mail
+from services.feature_service import FeatureService


@shared_task(queue="mail")
@@ -25,11 +26,27 @@ def send_reset_password_mail_task(language: str, to: str, code: str):
    # send reset password mail using different languages
    try:
        if language == "zh-Hans":
-            html_content = render_template("reset_password_mail_template_zh-CN.html", to=to, code=code)
-            mail.send(to=to, subject="设置您的 Dify 密码", html=html_content)
+            template = "reset_password_mail_template_zh-CN.html"
+            system_features = FeatureService.get_system_features()
+            if system_features.branding.enabled:
+                application_title = system_features.branding.application_title
+                template = "without-brand/reset_password_mail_template_zh-CN.html"
+                html_content = render_template(template, to=to, code=code, application_title=application_title)
+                mail.send(to=to, subject=f"设置您的 {application_title} 密码", html=html_content)
+            else:
+                html_content = render_template(template, to=to, code=code)
+                mail.send(to=to, subject="设置您的 Dify 密码", html=html_content)
        else:
-            html_content = render_template("reset_password_mail_template_en-US.html", to=to, code=code)
-            mail.send(to=to, subject="Set Your Dify Password", html=html_content)
+            template = "reset_password_mail_template_en-US.html"
+            system_features = FeatureService.get_system_features()
+            if system_features.branding.enabled:
+                application_title = system_features.branding.application_title
+                template = "without-brand/reset_password_mail_template_en-US.html"
+                html_content = render_template(template, to=to, code=code, application_title=application_title)
+                mail.send(to=to, subject=f"Set Your {application_title} Password", html=html_content)
+            else:
+                html_content = render_template(template, to=to, code=code)
+                mail.send(to=to, subject="Set Your Dify Password", html=html_content)

        end_at = time.perf_counter()
        logging.info(
--- a/api/templates/without-brand/email_code_login_mail_template_en-US.html
+++ b/api/templates/without-brand/email_code_login_mail_template_en-US.html
@@ -0,0 +1,70 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <style>
+      body {
+        font-family: 'Arial', sans-serif;
+        line-height: 16pt;
+        color: #101828;
+        background-color: #e9ebf0;
+        margin: 0;
+        padding: 0;
+      }
+      .container {
+        width: 600px;
+        height: 360px;
+        margin: 40px auto;
+        padding: 36px 48px;
+        background-color: #fcfcfd;
+        border-radius: 16px;
+        border: 1px solid #ffffff;
+        box-shadow: 0 2px 4px -2px rgba(9, 9, 11, 0.08);
+      }
+      .header {
+        margin-bottom: 24px;
+      }
+      .header img {
+        max-width: 100px;
+        height: auto;
+      }
+      .title {
+        font-weight: 600;
+        font-size: 24px;
+        line-height: 28.8px;
+      }
+      .description {
+        font-size: 13px;
+        line-height: 16px;
+        color: #676f83;
+        margin-top: 12px;
+      }
+      .code-content {
+        padding: 16px 32px;
+        text-align: center;
+        border-radius: 16px;
+        background-color: #f2f4f7;
+        margin: 16px auto;
+      }
+      .code {
+        line-height: 36px;
+        font-weight: 700;
+        font-size: 30px;
+      }
+      .tips {
+        line-height: 16px;
+        color: #676f83;
+        font-size: 13px;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+      <p class="title">Your login code for {{application_title}}</p>
+      <p class="description">Copy and paste this code, this code will only be valid for the next 5 minutes.</p>
+      <div class="code-content">
+        <span class="code">{{code}}</span>
+      </div>
+      <p class="tips">If you didn't request a login, don't worry. You can safely ignore this email.</p>
+    </div>
+  </body>
+</html>
--- a/api/templates/without-brand/email_code_login_mail_template_zh-CN.html
+++ b/api/templates/without-brand/email_code_login_mail_template_zh-CN.html
@@ -0,0 +1,70 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <style>
+      body {
+        font-family: 'Arial', sans-serif;
+        line-height: 16pt;
+        color: #101828;
+        background-color: #e9ebf0;
+        margin: 0;
+        padding: 0;
+      }
+      .container {
+        width: 600px;
+        height: 360px;
+        margin: 40px auto;
+        padding: 36px 48px;
+        background-color: #fcfcfd;
+        border-radius: 16px;
+        border: 1px solid #ffffff;
+        box-shadow: 0 2px 4px -2px rgba(9, 9, 11, 0.08);
+      }
+      .header {
+        margin-bottom: 24px;
+      }
+      .header img {
+        max-width: 100px;
+        height: auto;
+      }
+      .title {
+        font-weight: 600;
+        font-size: 24px;
+        line-height: 28.8px;
+      }
+      .description {
+        font-size: 13px;
+        line-height: 16px;
+        color: #676f83;
+        margin-top: 12px;
+      }
+      .code-content {
+        padding: 16px 32px;
+        text-align: center;
+        border-radius: 16px;
+        background-color: #f2f4f7;
+        margin: 16px auto;
+      }
+      .code {
+        line-height: 36px;
+        font-weight: 700;
+        font-size: 30px;
+      }
+      .tips {
+        line-height: 16px;
+        color: #676f83;
+        font-size: 13px;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+      <p class="title">{{application_title}} 的登录验证码</p>
+      <p class="description">复制并粘贴此验证码，注意验证码仅在接下来的 5 分钟内有效。</p>
+      <div class="code-content">
+        <span class="code">{{code}}</span>
+      </div>
+      <p class="tips">如果您没有请求登录，请不要担心。您可以安全地忽略此电子邮件。</p>
+    </div>
+  </body>
+</html>
--- a/api/templates/without-brand/invite_member_mail_template_en-US.html
+++ b/api/templates/without-brand/invite_member_mail_template_en-US.html
@@ -0,0 +1,69 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <style>
+        body {
+            font-family: 'Arial', sans-serif;
+            line-height: 16pt;
+            color: #374151;
+            background-color: #E5E7EB;
+            margin: 0;
+            padding: 0;
+        }
+        .container {
+            width: 100%;
+            max-width: 560px;
+            margin: 40px auto;
+            padding: 20px;
+            background-color: #F3F4F6;
+            border-radius: 8px;
+            box-shadow: 0 4px 8px rgba(0, 0, 0, 0.1);
+        }
+        .header {
+            text-align: center;
+            margin-bottom: 20px;
+        }
+        .header img {
+            max-width: 100px;
+            height: auto;
+        }
+        .button {
+            display: inline-block;
+            padding: 12px 24px;
+            background-color: #2970FF;
+            color: white;
+            text-decoration: none;
+            border-radius: 4px;
+            text-align: center;
+            transition: background-color 0.3s ease;
+        }
+        .button:hover {
+            background-color: #265DD4;
+        }
+        .footer {
+            font-size: 0.9em;
+            color: #777777;
+            margin-top: 30px;
+        }
+        .content {
+            margin-top: 20px;
+        }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="content">
+            <p>Dear {{ to }},</p>
+            <p>{{ inviter_name }} is pleased to invite you to join our workspace on {{application_title}}, a platform specifically designed for LLM application development. On {{application_title}}, you can explore, create, and collaborate to build and operate AI applications.</p>
+            <p>Click the button below to log in to {{application_title}} and join the workspace.</p>
+            <p style="text-align: center;"><a style="color: #fff; text-decoration: none" class="button" href="{{ url }}">Login Here</a></p>
+        </div>
+        <div class="footer">
+            <p>Best regards,</p>
+            <p>{{application_title}} Team</p>
+            <p>Please do not reply directly to this email; it is automatically sent by the system.</p>
+        </div>
+    </div>
+</body>
+
+</html>
--- a/api/templates/without-brand/invite_member_mail_template_zh-CN.html
+++ b/api/templates/without-brand/invite_member_mail_template_zh-CN.html
@@ -0,0 +1,69 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <style>
+        body {
+            font-family: 'Arial', sans-serif;
+            line-height: 16pt;
+            color: #374151;
+            background-color: #E5E7EB;
+            margin: 0;
+            padding: 0;
+        }
+        .container {
+            width: 100%;
+            max-width: 560px;
+            margin: 40px auto;
+            padding: 20px;
+            background-color: #F3F4F6;
+            border-radius: 8px;
+            box-shadow: 0 4px 8px rgba(0, 0, 0, 0.1);
+        }
+        .header {
+            text-align: center;
+            margin-bottom: 20px;
+        }
+        .header img {
+            max-width: 100px;
+            height: auto;
+        }
+        .button {
+            display: inline-block;
+            padding: 12px 24px;
+            background-color: #2970FF;
+            color: white;
+            text-decoration: none;
+            border-radius: 4px;
+            text-align: center;
+            transition: background-color 0.3s ease;
+        }
+        .button:hover {
+            background-color: #265DD4;
+        }
+        .footer {
+            font-size: 0.9em;
+            color: #777777;
+            margin-top: 30px;
+        }
+        .content {
+            margin-top: 20px;
+        }
+    </style>
+</head>
+
+<body>
+    <div class="container">
+        <div class="content">
+            <p>尊敬的 {{ to }}，</p>
+            <p>{{ inviter_name }} 现邀请您加入我们在 {{application_title}} 的工作区，这是一个专为 LLM 应用开发而设计的平台。在 {{application_title}} 上，您可以探索、创造和合作，构建和运营 AI 应用。</p>
+            <p>点击下方按钮即可登录 {{application_title}} 并且加入空间。</p>
+            <p style="text-align: center;"><a style="color: #fff; text-decoration: none" class="button" href="{{ url }}">在此登录</a></p>
+        </div>
+        <div class="footer">
+            <p>此致，</p>
+            <p>{{application_title}} 团队</p>
+            <p>请不要直接回复此电子邮件；由系统自动发送。</p>
+        </div>
+    </div>
+</body>
+</html>
--- a/api/templates/without-brand/reset_password_mail_template_en-US.html
+++ b/api/templates/without-brand/reset_password_mail_template_en-US.html
@@ -0,0 +1,70 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <style>
+      body {
+        font-family: 'Arial', sans-serif;
+        line-height: 16pt;
+        color: #101828;
+        background-color: #e9ebf0;
+        margin: 0;
+        padding: 0;
+      }
+      .container {
+        width: 600px;
+        height: 360px;
+        margin: 40px auto;
+        padding: 36px 48px;
+        background-color: #fcfcfd;
+        border-radius: 16px;
+        border: 1px solid #ffffff;
+        box-shadow: 0 2px 4px -2px rgba(9, 9, 11, 0.08);
+      }
+      .header {
+        margin-bottom: 24px;
+      }
+      .header img {
+        max-width: 100px;
+        height: auto;
+      }
+      .title {
+        font-weight: 600;
+        font-size: 24px;
+        line-height: 28.8px;
+      }
+      .description {
+        font-size: 13px;
+        line-height: 16px;
+        color: #676f83;
+        margin-top: 12px;
+      }
+      .code-content {
+        padding: 16px 32px;
+        text-align: center;
+        border-radius: 16px;
+        background-color: #f2f4f7;
+        margin: 16px auto;
+      }
+      .code {
+        line-height: 36px;
+        font-weight: 700;
+        font-size: 30px;
+      }
+      .tips {
+        line-height: 16px;
+        color: #676f83;
+        font-size: 13px;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+        <p class="title">Set your {{application_title}} password</p>
+      <p class="description">Copy and paste this code, this code will only be valid for the next 5 minutes.</p>
+      <div class="code-content">
+        <span class="code">{{code}}</span>
+      </div>
+        <p class="tips">If you didn't request, don't worry. You can safely ignore this email.</p>
+    </div>
+  </body>
+</html>
--- a/api/templates/without-brand/reset_password_mail_template_zh-CN.html
+++ b/api/templates/without-brand/reset_password_mail_template_zh-CN.html
@@ -0,0 +1,70 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <style>
+      body {
+        font-family: 'Arial', sans-serif;
+        line-height: 16pt;
+        color: #101828;
+        background-color: #e9ebf0;
+        margin: 0;
+        padding: 0;
+      }
+      .container {
+        width: 600px;
+        height: 360px;
+        margin: 40px auto;
+        padding: 36px 48px;
+        background-color: #fcfcfd;
+        border-radius: 16px;
+        border: 1px solid #ffffff;
+        box-shadow: 0 2px 4px -2px rgba(9, 9, 11, 0.08);
+      }
+      .header {
+        margin-bottom: 24px;
+      }
+      .header img {
+        max-width: 100px;
+        height: auto;
+      }
+      .title {
+        font-weight: 600;
+        font-size: 24px;
+        line-height: 28.8px;
+      }
+      .description {
+        font-size: 13px;
+        line-height: 16px;
+        color: #676f83;
+        margin-top: 12px;
+      }
+      .code-content {
+        padding: 16px 32px;
+        text-align: center;
+        border-radius: 16px;
+        background-color: #f2f4f7;
+        margin: 16px auto;
+      }
+      .code {
+        line-height: 36px;
+        font-weight: 700;
+        font-size: 30px;
+      }
+      .tips {
+        line-height: 16px;
+        color: #676f83;
+        font-size: 13px;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+        <p class="title">设置您的 {{application_title}} 账户密码</p>
+      <p class="description">复制并粘贴此验证码，注意验证码仅在接下来的 5 分钟内有效。</p>
+      <div class="code-content">
+        <span class="code">{{code}}</span>
+      </div>
+        <p class="tips">如果您没有请求，请不要担心。您可以安全地忽略此电子邮件。</p>
+    </div>
+  </body>
+</html>
--- a/docker/.env.example
+++ b/docker/.env.example
@@ -932,3 +932,6 @@ MAX_SUBMIT_COUNT=100

 # The maximum number of top-k value for RAG.
 TOP_K_MAX_VALUE=10
+
+# Prevent Clickjacking
+ALLOW_EMBED=false
--- a/docker/docker-compose-template.yaml
+++ b/docker/docker-compose-template.yaml
@@ -1,8 +1,8 @@
-x-shared-env: &shared-api-worker-env
+x-shared-env: &shared-api-worker-env 
 services:
  # API service
  api:
-    image: langgenius/dify-api:0.15.3
+    image: langgenius/dify-api:0.15.7
    restart: always
    environment:
      # Use the shared environment variables.
@@ -25,7 +25,7 @@ services:
  # worker service
  # The Celery worker for processing the queue.
  worker:
-    image: langgenius/dify-api:0.15.3
+    image: langgenius/dify-api:0.15.7
    restart: always
    environment:
      # Use the shared environment variables.
@@ -47,7 +47,7 @@ services:

  # Frontend web application.
  web:
-    image: langgenius/dify-web:0.15.3
+    image: langgenius/dify-web:0.15.7
    restart: always
    environment:
      CONSOLE_API_URL: ${CONSOLE_API_URL:-}
@@ -56,6 +56,7 @@ services:
      NEXT_TELEMETRY_DISABLED: ${NEXT_TELEMETRY_DISABLED:-0}
      TEXT_GENERATION_TIMEOUT_MS: ${TEXT_GENERATION_TIMEOUT_MS:-60000}
      CSP_WHITELIST: ${CSP_WHITELIST:-}
+      ALLOW_EMBED: ${ALLOW_EMBED:-false}
      TOP_K_MAX_VALUE: ${TOP_K_MAX_VALUE:-}
      INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH: ${INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH:-}

@@ -98,7 +99,7 @@ services:

  # The DifySandbox
  sandbox:
-    image: langgenius/dify-sandbox:0.2.10
+    image: langgenius/dify-sandbox:0.2.11
    restart: always
    environment:
      # The DifySandbox configurations
--- a/docker/docker-compose.middleware.yaml
+++ b/docker/docker-compose.middleware.yaml
@@ -43,7 +43,7 @@ services:

  # The DifySandbox
  sandbox:
-    image: langgenius/dify-sandbox:0.2.10
+    image: langgenius/dify-sandbox:0.2.11
    restart: always
    environment:
      # The DifySandbox configurations
--- a/docker/docker-compose.yaml
+++ b/docker/docker-compose.yaml
@@ -389,11 +389,12 @@ x-shared-env: &shared-api-worker-env
  CREATE_TIDB_SERVICE_JOB_ENABLED: ${CREATE_TIDB_SERVICE_JOB_ENABLED:-false}
  MAX_SUBMIT_COUNT: ${MAX_SUBMIT_COUNT:-100}
  TOP_K_MAX_VALUE: ${TOP_K_MAX_VALUE:-10}
+  ALLOW_EMBED: ${ALLOW_EMBED:-false}

 services:
  # API service
  api:
-    image: langgenius/dify-api:0.15.3
+    image: langgenius/dify-api:0.15.7
    restart: always
    environment:
      # Use the shared environment variables.
@@ -416,7 +417,7 @@ services:
  # worker service
  # The Celery worker for processing the queue.
  worker:
-    image: langgenius/dify-api:0.15.3
+    image: langgenius/dify-api:0.15.7
    restart: always
    environment:
      # Use the shared environment variables.
@@ -438,7 +439,7 @@ services:

  # Frontend web application.
  web:
-    image: langgenius/dify-web:0.15.3
+    image: langgenius/dify-web:0.15.7
    restart: always
    environment:
      CONSOLE_API_URL: ${CONSOLE_API_URL:-}
@@ -447,6 +448,7 @@ services:
      NEXT_TELEMETRY_DISABLED: ${NEXT_TELEMETRY_DISABLED:-0}
      TEXT_GENERATION_TIMEOUT_MS: ${TEXT_GENERATION_TIMEOUT_MS:-60000}
      CSP_WHITELIST: ${CSP_WHITELIST:-}
+      ALLOW_EMBED: ${ALLOW_EMBED:-false}
      TOP_K_MAX_VALUE: ${TOP_K_MAX_VALUE:-}
      INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH: ${INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH:-}

@@ -489,7 +491,7 @@ services:

  # The DifySandbox
  sandbox:
-    image: langgenius/dify-sandbox:0.2.10
+    image: langgenius/dify-sandbox:0.2.11
    restart: always
    environment:
      # The DifySandbox configurations
--- a/web/.env.example
+++ b/web/.env.example
@@ -31,3 +31,6 @@ NEXT_PUBLIC_TOP_K_MAX_VALUE=10

 # The maximum number of tokens for segmentation
 NEXT_PUBLIC_INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH=4000
+
+# Default is not allow to embed into iframe to prevent Clickjacking: https://owasp.org/www-community/attacks/Clickjacking
+NEXT_PUBLIC_ALLOW_EMBED=
--- a/web/app/(commonLayout)/app/(appDetailLayout)/[appId]/layout.tsx
+++ b/web/app/(commonLayout)/app/(appDetailLayout)/[appId]/layout.tsx
@@ -15,23 +15,30 @@ import {
 } from '@remixicon/react'
 import { useTranslation } from 'react-i18next'
 import { useShallow } from 'zustand/react/shallow'
-import { useContextSelector } from 'use-context-selector'
 import s from './style.module.css'
 import cn from '@/utils/classnames'
 import { useStore } from '@/app/components/app/store'
 import AppSideBar from '@/app/components/app-sidebar'
 import type { NavIcon } from '@/app/components/app-sidebar/navLink'
-import { fetchAppDetail, fetchAppSSO } from '@/service/apps'
-import AppContext, { useAppContext } from '@/context/app-context'
+import { fetchAppDetail } from '@/service/apps'
+import { useAppContext } from '@/context/app-context'
 import Loading from '@/app/components/base/loading'
 import useBreakpoints, { MediaType } from '@/hooks/use-breakpoints'
 import type { App } from '@/types/app'
+import { useGlobalPublicStore } from '@/context/global-public-context'

 export type IAppDetailLayoutProps = {
  children: React.ReactNode
  params: { appId: string }
 }

+type NavigationType = {
+  name: string
+  href: string
+  icon: NavIcon
+  selectedIcon: NavIcon
+}
+
 const AppDetailLayout: FC<IAppDetailLayoutProps> = (props) => {
  const {
    children,
@@ -50,13 +57,8 @@ const AppDetailLayout: FC<IAppDetailLayoutProps> = (props) => {
  })))
  const [isLoadingAppDetail, setIsLoadingAppDetail] = useState(false)
  const [appDetailRes, setAppDetailRes] = useState<App | null>(null)
-  const [navigation, setNavigation] = useState<Array<{
-    name: string
-    href: string
-    icon: NavIcon
-    selectedIcon: NavIcon
-  }>>([])
-  const systemFeatures = useContextSelector(AppContext, state => state.systemFeatures)
+  const [navigation, setNavigation] = useState<Array<NavigationType>>([])
+  const { systemFeatures } = useGlobalPublicStore()

  const getNavigations = useCallback((appId: string, isCurrentWorkspaceEditor: boolean, mode: string) => {
    const navs = [
@@ -98,7 +100,11 @@ const AppDetailLayout: FC<IAppDetailLayoutProps> = (props) => {

  useEffect(() => {
    if (appDetail) {
-      document.title = `${(appDetail.name || 'App')} - Dify`
+      if (systemFeatures.branding.enabled)
+        document.title = `${(appDetail.name || 'App')} - ${systemFeatures.branding.application_title}`
+      else
+        document.title = `${(appDetail.name || 'App')} - Dify`
+
      const localeMode = localStorage.getItem('app-detail-collapse-or-expand') || 'expand'
      const mode = isMobile ? 'collapse' : 'expand'
      setAppSiderbarExpand(isMobile ? mode : localeMode)
@@ -106,7 +112,7 @@ const AppDetailLayout: FC<IAppDetailLayoutProps> = (props) => {
      // if ((appDetail.mode === 'advanced-chat' || appDetail.mode === 'workflow') && (pathname).endsWith('workflow'))
      //   setAppSiderbarExpand('collapse')
    }
-  }, [appDetail, isMobile])
+  }, [appDetail, isMobile, pathname, setAppSiderbarExpand, systemFeatures])

  useEffect(() => {
    setAppDetail()
@@ -138,15 +144,10 @@ const AppDetailLayout: FC<IAppDetailLayoutProps> = (props) => {
      router.replace(`/app/${appId}/configuration`)
    }
    else {
-      setAppDetail({ ...res, enable_sso: false })
-      setNavigation(getNavigations(appId, isCurrentWorkspaceEditor, res.mode))
-      if (systemFeatures.enable_web_sso_switch_component && canIEditApp) {
-        fetchAppSSO({ appId }).then((ssoRes) => {
-          setAppDetail({ ...res, enable_sso: ssoRes.enabled })
-        })
-      }
+      setAppDetail({ ...res })
+      setNavigation(getNavigations(appId, isCurrentWorkspaceEditor, res.mode) as Array<NavigationType>)
    }
-  }, [appDetailRes, appId, getNavigations, isCurrentWorkspaceEditor, isLoadingAppDetail, isLoadingCurrentWorkspace, pathname, router, setAppDetail, systemFeatures.enable_web_sso_switch_component])
+  }, [appDetailRes, appId, getNavigations, isCurrentWorkspaceEditor, isLoadingAppDetail, isLoadingCurrentWorkspace, pathname, router, setAppDetail])

  useUnmount(() => {
    setAppDetail()
--- a/web/app/(commonLayout)/app/(appDetailLayout)/[appId]/overview/cardView.tsx
+++ b/web/app/(commonLayout)/app/(appDetailLayout)/[appId]/overview/cardView.tsx
@@ -2,25 +2,22 @@
 import type { FC } from 'react'
 import React from 'react'
 import { useTranslation } from 'react-i18next'
-import { useContext, useContextSelector } from 'use-context-selector'
+import { useContext } from 'use-context-selector'
 import AppCard from '@/app/components/app/overview/appCard'
 import Loading from '@/app/components/base/loading'
 import { ToastContext } from '@/app/components/base/toast'
 import {
  fetchAppDetail,
-  fetchAppSSO,
-  updateAppSSO,
  updateAppSiteAccessToken,
  updateAppSiteConfig,
  updateAppSiteStatus,
 } from '@/service/apps'
-import type { App, AppSSO } from '@/types/app'
+import type { App } from '@/types/app'
 import type { UpdateAppSiteCodeResponse } from '@/models/app'
 import { asyncRunSafe } from '@/utils'
 import { NEED_REFRESH_APP_LIST_KEY } from '@/config'
 import type { IAppCardProps } from '@/app/components/app/overview/appCard'
 import { useStore as useAppStore } from '@/app/components/app/store'
-import AppContext from '@/context/app-context'

 export type ICardViewProps = {
  appId: string
@@ -31,18 +28,11 @@ const CardView: FC<ICardViewProps> = ({ appId }) => {
  const { notify } = useContext(ToastContext)
  const appDetail = useAppStore(state => state.appDetail)
  const setAppDetail = useAppStore(state => state.setAppDetail)
-  const systemFeatures = useContextSelector(AppContext, state => state.systemFeatures)

  const updateAppDetail = async () => {
    try {
      const res = await fetchAppDetail({ url: '/apps', id: appId })
-      if (systemFeatures.enable_web_sso_switch_component) {
-        const ssoRes = await fetchAppSSO({ appId })
-        setAppDetail({ ...res, enable_sso: ssoRes.enabled })
-      }
-      else {
-        setAppDetail({ ...res })
-      }
+      setAppDetail({ ...res })
    }
    catch (error) { console.error(error) }
  }
@@ -93,16 +83,6 @@ const CardView: FC<ICardViewProps> = ({ appId }) => {
    if (!err)
      localStorage.setItem(NEED_REFRESH_APP_LIST_KEY, '1')

-    if (systemFeatures.enable_web_sso_switch_component) {
-      const [sso_err] = await asyncRunSafe<AppSSO>(
-        updateAppSSO({ id: appId, enabled: Boolean(params.enable_sso) }) as Promise<AppSSO>,
-      )
-      if (sso_err) {
-        handleCallbackResult(sso_err)
-        return
-      }
-    }
-
    handleCallbackResult(err)
  }

--- a/web/app/(commonLayout)/app/(appDetailLayout)/layout.tsx
+++ b/web/app/(commonLayout)/app/(appDetailLayout)/layout.tsx
@@ -2,7 +2,9 @@
 import type { FC } from 'react'
 import React, { useEffect } from 'react'
 import { useRouter } from 'next/navigation'
+import { useTranslation } from 'react-i18next'
 import { useAppContext } from '@/context/app-context'
+import useDocumentTitle from '@/hooks/use-document-title'

 export type IAppDetail = {
  children: React.ReactNode
@@ -11,11 +13,13 @@ export type IAppDetail = {
 const AppDetail: FC<IAppDetail> = ({ children }) => {
  const router = useRouter()
  const { isCurrentWorkspaceDatasetOperator } = useAppContext()
+  const { t } = useTranslation()
+  useDocumentTitle(t('common.menus.appDetail'))

  useEffect(() => {
    if (isCurrentWorkspaceDatasetOperator)
      return router.replace('/datasets')
-  }, [isCurrentWorkspaceDatasetOperator])
+  }, [isCurrentWorkspaceDatasetOperator, router])

  return (
    <>
--- a/web/app/(commonLayout)/apps/AppCard.tsx
+++ b/web/app/(commonLayout)/apps/AppCard.tsx
@@ -4,7 +4,7 @@ import { useContext, useContextSelector } from 'use-context-selector'
 import { useRouter } from 'next/navigation'
 import { useCallback, useEffect, useState } from 'react'
 import { useTranslation } from 'react-i18next'
-import { RiMoreFill } from '@remixicon/react'
+import { RiBuildingLine, RiGlobalLine, RiLockLine, RiMoreFill } from '@remixicon/react'
 import s from './style.module.css'
 import cn from '@/utils/classnames'
 import type { App } from '@/types/app'
@@ -31,6 +31,9 @@ import DSLExportConfirmModal from '@/app/components/workflow/dsl-export-confirm-
 import { fetchWorkflowDraft } from '@/service/workflow'
 import { fetchInstalledAppList } from '@/service/explore'
 import { AppTypeIcon } from '@/app/components/app/type-selector'
+import Tooltip from '@/app/components/base/tooltip'
+import AccessControl from '@/app/components/app/app-access-control'
+import { AccessMode } from '@/models/access-control'

 export type AppCardProps = {
  app: App
@@ -53,6 +56,7 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
  const [showDuplicateModal, setShowDuplicateModal] = useState(false)
  const [showSwitchModal, setShowSwitchModal] = useState<boolean>(false)
  const [showConfirmDelete, setShowConfirmDelete] = useState(false)
+  const [showAccessControl, setShowAccessControl] = useState(false)
  const [secretEnvList, setSecretEnvList] = useState<EnvironmentVariable[]>([])

  const onConfirmDelete = useCallback(async () => {
@@ -71,7 +75,7 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
      })
    }
    setShowConfirmDelete(false)
-  }, [app.id])
+  }, [app.id, mutateApps, notify, onPlanInfoChanged, onRefresh, t])

  const onEdit: CreateAppModalProps['onConfirm'] = useCallback(async ({
    name,
@@ -175,6 +179,13 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
    setShowSwitchModal(false)
  }

+  const onUpdateAccessControl = useCallback(() => {
+    if (onRefresh)
+      onRefresh()
+    mutateApps()
+    setShowAccessControl(false)
+  }, [onRefresh, mutateApps, setShowAccessControl])
+
  const Operations = (props: HtmlContentProps) => {
    const onMouseLeave = async () => {
      props.onClose?.()
@@ -209,6 +220,12 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
      e.preventDefault()
      setShowConfirmDelete(true)
    }
+    const onClickAccessControl = async (e: React.MouseEvent<HTMLButtonElement>) => {
+      e.stopPropagation()
+      props.onClick?.()
+      e.preventDefault()
+      setShowAccessControl(true)
+    }
    const onClickInstalledApp = async (e: React.MouseEvent<HTMLButtonElement>) => {
      e.stopPropagation()
      props.onClick?.()
@@ -252,6 +269,14 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
          <span className={s.actionName}>{t('app.openInExplore')}</span>
        </button>
        <Divider className="!my-1" />
+        {
+          isCurrentWorkspaceEditor && <>
+            <button className={s.actionItem} onClick={onClickAccessControl}>
+              <span className={s.actionName}>{t('app.accessControl')}</span>
+            </button>
+            <Divider />
+          </>
+        }
        <div
          className={cn(s.actionItem, s.deleteActionItem, 'group')}
          onClick={onClickDelete}
@@ -278,7 +303,7 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
        }}
        className='relative h-[160px] group col-span-1 bg-components-card-bg border-[1px] border-solid border-components-card-border rounded-xl shadow-sm inline-flex flex-col transition-all duration-200 ease-in-out cursor-pointer hover:shadow-lg'
      >
-        <div className='flex pt-[14px] px-[14px] pb-3 h-[66px] items-center gap-3 grow-0 shrink-0'>
+        <div className='flex p-4 pb-3 h-[68px] items-start gap-3 grow-0 shrink-0'>
          <div className='relative shrink-0'>
            <AppIcon
              size="large"
@@ -301,6 +326,17 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
              {app.mode === 'completion' && <div className='truncate'>{t('app.types.completion').toUpperCase()}</div>}
            </div>
          </div>
+          <div className='shrink-0 w-5 h-5 flex items-center justify-center'>
+            {app.access_mode === AccessMode.PUBLIC && <Tooltip asChild={false} popupContent={t('app.accessItemsDescription.anyone')}>
+              <RiGlobalLine className='text-text-accent w-4 h-4' />
+            </Tooltip>}
+            {app.access_mode === AccessMode.SPECIFIC_GROUPS_MEMBERS && <Tooltip asChild={false} popupContent={t('app.accessItemsDescription.specific')}>
+              <RiLockLine className='text-text-quaternary w-4 h-4' />
+            </Tooltip>}
+            {app.access_mode === AccessMode.ORGANIZATION && <Tooltip asChild={false} popupContent={t('app.accessItemsDescription.organization')}>
+              <RiBuildingLine className='text-text-quaternary w-4 h-4' />
+            </Tooltip>}
+          </div>
        </div>
        <div className='title-wrapper h-[90px] px-[14px] text-xs leading-normal text-text-tertiary'>
          <div
@@ -357,7 +393,7 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
                  popupClassName={
                    (app.mode === 'completion' || app.mode === 'chat')
                      ? '!w-[256px] translate-x-[-224px]'
-                      : '!w-[160px] translate-x-[-128px]'
+                      : '!w-[216px] translate-x-[-128px]'
                  }
                  className={'h-fit !z-20'}
                />
@@ -418,6 +454,9 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
          onClose={() => setSecretEnvList([])}
        />
      )}
+      {showAccessControl && (
+        <AccessControl app={app} onConfirm={onUpdateAccessControl} onClose={() => setShowAccessControl(false)} />
+      )}
    </>
  )
 }
--- a/web/app/(commonLayout)/apps/Apps.tsx
+++ b/web/app/(commonLayout)/apps/Apps.tsx
@@ -85,7 +85,6 @@ const Apps = () => {
  ]

  useEffect(() => {
-    document.title = `${t('common.menus.apps')} -  Dify`
    if (localStorage.getItem(NEED_REFRESH_APP_LIST_KEY) === '1') {
      localStorage.removeItem(NEED_REFRESH_APP_LIST_KEY)
      mutate()
--- a/web/app/(commonLayout)/apps/page.tsx
+++ b/web/app/(commonLayout)/apps/page.tsx
@@ -1,21 +1,20 @@
 'use client'
-import { useContextSelector } from 'use-context-selector'
 import { useTranslation } from 'react-i18next'
 import { RiDiscordFill, RiGithubFill } from '@remixicon/react'
 import Link from 'next/link'
 import style from '../list.module.css'
 import Apps from './Apps'
-import AppContext from '@/context/app-context'
-import { LicenseStatus } from '@/types/feature'
+import { useGlobalPublicStore } from '@/context/global-public-context'
+import useDocumentTitle from '@/hooks/use-document-title'

 const AppList = () => {
  const { t } = useTranslation()
-  const systemFeatures = useContextSelector(AppContext, v => v.systemFeatures)
-
+  const { systemFeatures } = useGlobalPublicStore()
+  useDocumentTitle(t('common.menus.apps'))
  return (
    <div className='relative flex flex-col overflow-y-auto bg-background-body shrink-0 h-0 grow'>
      <Apps />
-      {systemFeatures.license.status === LicenseStatus.NONE && <footer className='px-12 py-6 grow-0 shrink-0'>
+      {!systemFeatures.branding.enabled && <footer className='px-12 py-6 grow-0 shrink-0'>
        <h3 className='text-xl font-semibold leading-tight text-gradient'>{t('app.join')}</h3>
        <p className='mt-1 system-sm-regular text-text-tertiary'>{t('app.communityIntro')}</p>
        <div className='flex items-center gap-2 mt-3'>
--- a/web/app/(commonLayout)/datasets/(datasetDetailLayout)/[datasetId]/layout.tsx
+++ b/web/app/(commonLayout)/datasets/(datasetDetailLayout)/[datasetId]/layout.tsx
@@ -31,6 +31,7 @@ import { getLocaleOnClient } from '@/i18n'
 import { useAppContext } from '@/context/app-context'
 import Tooltip from '@/app/components/base/tooltip'
 import LinkedAppsPanel from '@/app/components/base/linked-apps-panel'
+import useDocumentTitle from '@/hooks/use-document-title'

 export type IAppDetailLayoutProps = {
  children: React.ReactNode
@@ -186,11 +187,7 @@ const DatasetDetailLayout: FC<IAppDetailLayoutProps> = (props) => {
    }
    return baseNavigation
  }, [datasetRes?.provider, datasetId, t])
-
-  useEffect(() => {
-    if (datasetRes)
-      document.title = `${datasetRes.name || 'Dataset'} - Dify`
-  }, [datasetRes])
+  useDocumentTitle(`${datasetRes?.name || 'Dataset'}`)

  const setAppSiderbarExpand = useStore(state => state.setAppSiderbarExpand)

--- a/web/app/(commonLayout)/datasets/Container.tsx
+++ b/web/app/(commonLayout)/datasets/Container.tsx
@@ -29,9 +29,11 @@ import { useTabSearchParams } from '@/hooks/use-tab-searchparams'
 import { useStore as useTagStore } from '@/app/components/base/tag-management/store'
 import { useAppContext } from '@/context/app-context'
 import { useExternalApiPanel } from '@/context/external-api-panel-context'
+import { useGlobalPublicStore } from '@/context/global-public-context'

 const Container = () => {
  const { t } = useTranslation()
+  const { systemFeatures } = useGlobalPublicStore()
  const router = useRouter()
  const { currentWorkspace, isCurrentWorkspaceOwner } = useAppContext()
  const showTagManagementModal = useTagStore(s => s.showTagManagementModal)
@@ -123,7 +125,7 @@ const Container = () => {
      {activeTab === 'dataset' && (
        <>
          <Datasets containerRef={containerRef} tags={tagIDs} keywords={searchKeywords} includeAll={includeAll} />
-          <DatasetFooter />
+          {!systemFeatures.branding.enabled && <DatasetFooter />}
          {showTagManagementModal && (
            <TagManagementModal type='knowledge' show={showTagManagementModal} />
          )}
--- a/web/app/(commonLayout)/datasets/Datasets.tsx
+++ b/web/app/(commonLayout)/datasets/Datasets.tsx
@@ -3,7 +3,6 @@
 import { useEffect, useRef } from 'react'
 import useSWRInfinite from 'swr/infinite'
 import { debounce } from 'lodash-es'
-import { useTranslation } from 'react-i18next'
 import NewDatasetCard from './NewDatasetCard'
 import DatasetCard from './DatasetCard'
 import type { DataSetListResponse, FetchDatasetsParams } from '@/models/datasets'
@@ -57,11 +56,8 @@ const Datasets = ({
  const loadingStateRef = useRef(false)
  const anchorRef = useRef<HTMLAnchorElement>(null)

-  const { t } = useTranslation()
-
  useEffect(() => {
    loadingStateRef.current = isLoading
-    document.title = `${t('dataset.knowledge')} - Dify`
  }, [isLoading])

  useEffect(() => {
@@ -80,7 +76,7 @@ const Datasets = ({

  return (
    <nav className='grid content-start grid-cols-1 gap-4 px-12 pt-2 sm:grid-cols-2 md:grid-cols-3 lg:grid-cols-4 grow shrink-0'>
-      { isCurrentWorkspaceEditor && <NewDatasetCard ref={anchorRef} /> }
+      {isCurrentWorkspaceEditor && <NewDatasetCard ref={anchorRef} />}
      {data?.map(({ data: datasets }) => datasets.map(dataset => (
        <DatasetCard key={dataset.id} dataset={dataset} onSuccess={mutate} />),
      ))}
--- a/web/app/(commonLayout)/datasets/page.tsx
+++ b/web/app/(commonLayout)/datasets/page.tsx
@@ -1,11 +1,12 @@
+'use client'
+import { useTranslation } from 'react-i18next'
 import Container from './Container'
+import useDocumentTitle from '@/hooks/use-document-title'

-const AppList = async () => {
+const AppList = () => {
+  const { t } = useTranslation()
+  useDocumentTitle(t('common.menus.datasets'))
  return <Container />
 }

-export const metadata = {
-  title: 'Datasets - Dify',
-}
-
 export default AppList
--- a/web/app/(commonLayout)/datasets/template/template.en.mdx
+++ b/web/app/(commonLayout)/datasets/template/template.en.mdx
@@ -6,7 +6,7 @@ import { Row, Col, Properties, Property, Heading, SubProperty, PropertyInstructi
 <div>
  ### Authentication

-  Service API of Dify authenticates using an `API-Key`.
+  Service API authenticates using an `API-Key`.

  It is suggested that developers store the `API-Key` in the backend instead of sharing or storing it in the client side to avoid the leakage of the `API-Key`, which may lead to property loss.

--- a/web/app/(commonLayout)/datasets/template/template.zh.mdx
+++ b/web/app/(commonLayout)/datasets/template/template.zh.mdx
@@ -6,7 +6,7 @@ import { Row, Col, Properties, Property, Heading, SubProperty, PropertyInstructi
 <div>
  ### 鉴权

-  Dify Service API 使用 `API-Key` 进行鉴权。
+  Service API 使用 `API-Key` 进行鉴权。

  建议开发者把 `API-Key` 放在后端存储，而非分享或者放在客户端存储，以免 `API-Key` 泄露，导致财产损失。

--- a/web/app/(commonLayout)/explore/layout.tsx
+++ b/web/app/(commonLayout)/explore/layout.tsx
@@ -1,11 +1,13 @@
-import type { FC } from 'react'
+'use client'
+import type { FC, PropsWithChildren } from 'react'
 import React from 'react'
+import { useTranslation } from 'react-i18next'
 import ExploreClient from '@/app/components/explore'
-export type IAppDetail = {
-  children: React.ReactNode
-}
+import useDocumentTitle from '@/hooks/use-document-title'

-const AppDetail: FC<IAppDetail> = ({ children }) => {
+const ExploreLayout: FC<PropsWithChildren> = ({ children }) => {
+  const { t } = useTranslation()
+  useDocumentTitle(t('common.menus.explore'))
  return (
    <ExploreClient>
      {children}
@@ -13,4 +15,4 @@ const AppDetail: FC<IAppDetail> = ({ children }) => {
  )
 }

-export default React.memo(AppDetail)
+export default React.memo(ExploreLayout)
--- a/web/app/(commonLayout)/layout.tsx
+++ b/web/app/(commonLayout)/layout.tsx
@@ -30,9 +30,4 @@ const Layout = ({ children }: { children: ReactNode }) => {
    </>
  )
 }
-
-export const metadata = {
-  title: 'Dify',
-}
-
 export default Layout
--- a/web/app/(commonLayout)/tools/page.tsx
+++ b/web/app/(commonLayout)/tools/page.tsx
@@ -1,22 +1,16 @@
 'use client'
 import type { FC } from 'react'
 import { useRouter } from 'next/navigation'
-import { useTranslation } from 'react-i18next'
 import React, { useEffect } from 'react'
+import { useTranslation } from 'react-i18next'
 import ToolProviderList from '@/app/components/tools/provider-list'
 import { useAppContext } from '@/context/app-context'
-
-const Layout: FC = () => {
-  const { t } = useTranslation()
+import useDocumentTitle from '@/hooks/use-document-title'
+const ToolsList: FC = () => {
  const router = useRouter()
  const { isCurrentWorkspaceDatasetOperator } = useAppContext()
-
-  useEffect(() => {
-    if (typeof window !== 'undefined')
-      document.title = `${t('tools.title')} - Dify`
-    if (isCurrentWorkspaceDatasetOperator)
-      return router.replace('/datasets')
-  }, [isCurrentWorkspaceDatasetOperator, router, t])
+  const { t } = useTranslation()
+  useDocumentTitle(t('common.menus.tools'))

  useEffect(() => {
    if (isCurrentWorkspaceDatasetOperator)
@@ -25,4 +19,4 @@ const Layout: FC = () => {

  return <ToolProviderList />
 }
-export default React.memo(Layout)
+export default React.memo(ToolsList)
--- a/web/app/(shareLayout)/webapp-signin/page.tsx
+++ b/web/app/(shareLayout)/webapp-signin/page.tsx
@@ -1,14 +1,21 @@
 'use client'
 import { useRouter, useSearchParams } from 'next/navigation'
 import type { FC } from 'react'
-import React, { useEffect } from 'react'
+import React, { useCallback, useEffect } from 'react'
+import { useTranslation } from 'react-i18next'
+import { RiDoorLockLine } from '@remixicon/react'
 import cn from '@/utils/classnames'
 import Toast from '@/app/components/base/toast'
-import { fetchSystemFeatures, fetchWebOAuth2SSOUrl, fetchWebOIDCSSOUrl, fetchWebSAMLSSOUrl } from '@/service/share'
+import { fetchWebOAuth2SSOUrl, fetchWebOIDCSSOUrl, fetchWebSAMLSSOUrl } from '@/service/share'
 import { setAccessToken } from '@/app/components/share/utils'
+import { useGlobalPublicStore } from '@/context/global-public-context'
+import { SSOProtocol } from '@/types/feature'
 import Loading from '@/app/components/base/loading'
+import AppUnavailable from '@/app/components/base/app-unavailable'

 const WebSSOForm: FC = () => {
+  const { t } = useTranslation()
+  const systemFeatures = useGlobalPublicStore(s => s.systemFeatures)
  const searchParams = useSearchParams()
  const router = useRouter()

@@ -23,15 +30,15 @@ const WebSSOForm: FC = () => {
    })
  }

-  const getAppCodeFromRedirectUrl = () => {
+  const getAppCodeFromRedirectUrl = useCallback(() => {
    const appCode = redirectUrl?.split('/').pop()
    if (!appCode)
      return null

    return appCode
-  }
+  }, [redirectUrl])

-  const processTokenAndRedirect = async () => {
+  const processTokenAndRedirect = useCallback(async () => {
    const appCode = getAppCodeFromRedirectUrl()
    if (!appCode || !tokenFromUrl || !redirectUrl) {
      showErrorToast('redirect url or app code or token is invalid.')
@@ -40,48 +47,47 @@ const WebSSOForm: FC = () => {

    await setAccessToken(appCode, tokenFromUrl)
    router.push(redirectUrl)
-  }
+  }, [getAppCodeFromRedirectUrl, redirectUrl, router, tokenFromUrl])

-  const handleSSOLogin = async (protocol: string) => {
+  const handleSSOLogin = useCallback(async () => {
    const appCode = getAppCodeFromRedirectUrl()
    if (!appCode || !redirectUrl) {
      showErrorToast('redirect url or app code is invalid.')
      return
    }

-    switch (protocol) {
-      case 'saml': {
+    switch (systemFeatures.webapp_auth.sso_config.protocol) {
+      case SSOProtocol.SAML: {
        const samlRes = await fetchWebSAMLSSOUrl(appCode, redirectUrl)
        router.push(samlRes.url)
        break
      }
-      case 'oidc': {
+      case SSOProtocol.OIDC: {
        const oidcRes = await fetchWebOIDCSSOUrl(appCode, redirectUrl)
        router.push(oidcRes.url)
        break
      }
-      case 'oauth2': {
+      case SSOProtocol.OAuth2: {
        const oauth2Res = await fetchWebOAuth2SSOUrl(appCode, redirectUrl)
        router.push(oauth2Res.url)
        break
      }
+      case '':
+        break
      default:
        showErrorToast('SSO protocol is not supported.')
    }
-  }
+  }, [getAppCodeFromRedirectUrl, redirectUrl, router, systemFeatures.webapp_auth.sso_config.protocol])

  useEffect(() => {
    const init = async () => {
-      const res = await fetchSystemFeatures()
-      const protocol = res.sso_enforced_for_web_protocol
-
      if (message) {
        showErrorToast(message)
        return
      }

      if (!tokenFromUrl) {
-        await handleSSOLogin(protocol)
+        await handleSSOLogin()
        return
      }

@@ -89,15 +95,45 @@ const WebSSOForm: FC = () => {
    }

    init()
-  }, [message, tokenFromUrl]) // Added dependencies to useEffect
+  }, [message, processTokenAndRedirect, tokenFromUrl, handleSSOLogin])
+  if (tokenFromUrl)
+    return <div className='flex items-center justify-center h-full'><Loading /></div>
+  if (message) {
+    return <div className='flex items-center justify-center h-full'>
+      <AppUnavailable code={'App Unavailable'} unknownReason={message} />
+    </div>
+  }

-  return (
-    <div className="flex items-center justify-center h-full">
-      <div className={cn('flex flex-col items-center w-full grow justify-center', 'px-6', 'md:px-[108px]')}>
-        <Loading type='area' />
+  if (systemFeatures.webapp_auth.enabled) {
+    if (systemFeatures.webapp_auth.allow_sso) {
+      return (
+        <div className="flex items-center justify-center h-full">
+          <div className={cn('flex flex-col items-center w-full grow justify-center', 'px-6', 'md:px-[108px]')}>
+            <Loading />
+          </div>
+        </div>
+      )
+    }
+    return <div className="flex items-center justify-center h-full">
+      <div className="p-4 rounded-lg bg-gradient-to-r from-workflow-workflow-progress-bg-1 to-workflow-workflow-progress-bg-2">
+        <div className='flex items-center justify-center w-10 h-10 rounded-xl bg-components-card-bg shadow shadows-shadow-lg mb-2'>
+          <RiDoorLockLine className='w-5 h-5' />
+        </div>
+        <p className='system-sm-medium text-text-primary'>{t('login.webapp.noLoginMethod')}</p>
+        <p className='system-xs-regular text-text-tertiary mt-1'>{t('login.webapp.noLoginMethodTip')}</p>
+      </div>
+      <div className="relative my-2 py-2">
+        <div className="absolute inset-0 flex items-center" aria-hidden="true">
+          <div className='bg-gradient-to-r from-background-gradient-mask-transparent via-divider-regular to-background-gradient-mask-transparent h-px w-full'></div>
+        </div>
      </div>
    </div>
-  )
+  }
+  else {
+    return <div className="flex items-center justify-center h-full">
+      <p className='system-xs-regular text-text-tertiary'>{t('login.webapp.disabled')}</p>
+    </div>
+  }
 }

 export default React.memo(WebSSOForm)
--- a/web/app/account/account-page/index.tsx
+++ b/web/app/account/account-page/index.tsx
@@ -16,6 +16,7 @@ import { ToastContext } from '@/app/components/base/toast'
 import AppIcon from '@/app/components/base/app-icon'
 import { IS_CE_EDITION } from '@/config'
 import Input from '@/app/components/base/input'
+import { useGlobalPublicStore } from '@/context/global-public-context'

 const titleClassName = `
  system-sm-semibold text-text-secondary
@@ -28,7 +29,7 @@ const validPassword = /^(?=.*[a-zA-Z])(?=.*\d).{8,}$/

 export default function AccountPage() {
  const { t } = useTranslation()
-  const { systemFeatures } = useAppContext()
+  const { systemFeatures } = useGlobalPublicStore()
  const { mutateUserProfile, userProfile, apps } = useAppContext()
  const { notify } = useContext(ToastContext)
  const [editNameModalVisible, setEditNameModalVisible] = useState(false)
@@ -133,7 +134,7 @@ export default function AccountPage() {
        <h4 className='title-2xl-semi-bold text-text-primary'>{t('common.account.myAccount')}</h4>
      </div>
      <div className='mb-8 p-6 rounded-xl flex items-center bg-gradient-to-r from-background-gradient-bg-fill-chat-bg-2 to-background-gradient-bg-fill-chat-bg-1'>
-        <AvatarWithEdit avatar={userProfile.avatar_url} name={userProfile.name} onSave={ mutateUserProfile } size={64} />
+        <AvatarWithEdit avatar={userProfile.avatar_url} name={userProfile.name} onSave={mutateUserProfile} size={64} />
        <div className='ml-4'>
          <p className='system-xl-semibold text-text-primary'>{userProfile.name}</p>
          <p className='system-xs-regular text-text-tertiary'>{userProfile.email}</p>
--- a/web/app/account/header.tsx
+++ b/web/app/account/header.tsx
@@ -5,9 +5,11 @@ import { useRouter } from 'next/navigation'
 import Button from '../components/base/button'
 import Avatar from './avatar'
 import LogoSite from '@/app/components/base/logo/logo-site'
+import { useGlobalPublicStore } from '@/context/global-public-context'

 const Header = () => {
  const { t } = useTranslation()
+  const { systemFeatures } = useGlobalPublicStore()
  const router = useRouter()

  const back = () => {
@@ -25,7 +27,7 @@ const Header = () => {
      <div className='flex items-center flex-shrink-0 gap-3'>
        <Button className='gap-2 py-2 px-3 system-sm-medium' onClick={back}>
          <RiRobot2Line className='w-4 h-4' />
-          <p>{t('common.account.studio')}</p>
+          <p>{!systemFeatures.branding.enabled && 'Dify '}{t('common.account.studio')}</p>
          <RiArrowRightUpLine className='w-4 h-4' />
        </Button>
        <div className='w-[1px] h-4 bg-divider-regular' />
--- a/web/app/account/layout.tsx
+++ b/web/app/account/layout.tsx
@@ -32,9 +32,4 @@ const Layout = ({ children }: { children: ReactNode }) => {
    </>
  )
 }
-
-export const metadata = {
-  title: 'Dify',
-}
-
 export default Layout
--- a/web/app/account/page.tsx
+++ b/web/app/account/page.tsx
@@ -1,6 +1,11 @@
+'use client'
+import { useTranslation } from 'react-i18next'
 import AccountPage from './account-page'
+import useDocumentTitle from '@/hooks/use-document-title'

 export default function Account() {
+  const { t } = useTranslation()
+  useDocumentTitle(t('common.menus.account'))
  return <div className='max-w-[640px] w-full mx-auto pt-12 px-6'>
    <AccountPage />
  </div>
--- a/web/app/activate/activateForm.tsx
+++ b/web/app/activate/activateForm.tsx
@@ -7,8 +7,10 @@ import Button from '@/app/components/base/button'

 import { invitationCheck } from '@/service/common'
 import Loading from '@/app/components/base/loading'
+import useDocumentTitle from '@/hooks/use-document-title'

 const ActivateForm = () => {
+  useDocumentTitle('')
  const router = useRouter()
  const { t } = useTranslation()
  const searchParams = useSearchParams()
--- a/web/app/activate/page.tsx
+++ b/web/app/activate/page.tsx
@@ -1,10 +1,13 @@
+'use client'
 import React from 'react'
 import Header from '../signin/_header'
 import style from '../signin/page.module.css'
 import ActivateForm from './activateForm'
 import cn from '@/utils/classnames'
+import { useGlobalPublicStore } from '@/context/global-public-context'

 const Activate = () => {
+  const { systemFeatures } = useGlobalPublicStore()
  return (
    <div className={cn(
      style.background,
@@ -21,9 +24,9 @@ const Activate = () => {
      }>
        <Header />
        <ActivateForm />
-        <div className='px-8 py-6 text-sm font-normal text-gray-500'>
+        {!systemFeatures.branding.enabled && <div className='px-8 py-6 text-sm font-normal text-gray-500'>
          © {new Date().getFullYear()} LangGenius, Inc. All rights reserved.
-        </div>
+        </div>}
      </div>
    </div>
  )
--- a/web/app/components/app-sidebar/app-info.tsx
+++ b/web/app/components/app-sidebar/app-info.tsx
@@ -5,6 +5,7 @@ import { RiArrowDownSLine } from '@remixicon/react'
 import React, { useCallback, useState } from 'react'
 import AppIcon from '../base/app-icon'
 import SwitchAppModal from '../app/switch-app-modal'
+import AccessControl from '../app/app-access-control'
 import s from './style.module.css'
 import cn from '@/utils/classnames'
 import {
@@ -18,7 +19,7 @@ import { useStore as useAppStore } from '@/app/components/app/store'
 import { ToastContext } from '@/app/components/base/toast'
 import AppsContext, { useAppContext } from '@/context/app-context'
 import { useProviderContext } from '@/context/provider-context'
-import { copyApp, deleteApp, exportAppConfig, updateAppInfo } from '@/service/apps'
+import { copyApp, deleteApp, exportAppConfig, fetchAppDetail, updateAppInfo } from '@/service/apps'
 import DuplicateAppModal from '@/app/components/app/duplicate-modal'
 import type { DuplicateAppModalProps } from '@/app/components/app/duplicate-modal'
 import CreateAppModal from '@/app/components/explore/create-app-modal'
@@ -50,6 +51,7 @@ const AppInfo = ({ expand }: IAppInfoProps) => {
  const [showSwitchTip, setShowSwitchTip] = useState<string>('')
  const [showSwitchModal, setShowSwitchModal] = useState<boolean>(false)
  const [showImportDSLModal, setShowImportDSLModal] = useState<boolean>(false)
+  const [showAccessControl, setShowAccessControl] = useState<boolean>(false)
  const [secretEnvList, setSecretEnvList] = useState<EnvironmentVariable[]>([])

  const mutateApps = useContextSelector(
@@ -175,7 +177,20 @@ const AppInfo = ({ expand }: IAppInfoProps) => {
      })
    }
    setShowConfirmDelete(false)
-  }, [appDetail, mutateApps, notify, onPlanInfoChanged, replace, t])
+  }, [appDetail, mutateApps, notify, onPlanInfoChanged, replace, setAppDetail, t])
+
+  const handleClickAccessControl = useCallback(() => {
+    if (!appDetail)
+      return
+    setShowAccessControl(true)
+    setOpen(false)
+  }, [appDetail])
+  const handleAccessControlUpdate = useCallback(() => {
+    fetchAppDetail({ url: '/apps', id: appDetail!.id }).then((res) => {
+      setAppDetail(res)
+      setShowAccessControl(false)
+    })
+  }, [appDetail, setAppDetail])

  const { isCurrentWorkspaceEditor } = useAppContext()

@@ -374,6 +389,10 @@ const AppInfo = ({ expand }: IAppInfoProps) => {
                  </div>
                )
              }
+              <Divider />
+              <div className='h-9 py-2 px-3 mx-1 flex items-center hover:bg-gray-50 rounded-lg cursor-pointer' onClick={handleClickAccessControl}>
+                <span className='text-gray-700 text-sm leading-5'>{t('app.accessControl')}</span>
+              </div>
              <Divider className="!my-1" />
              <div className='group h-9 py-2 px-3 mx-1 flex items-center hover:bg-red-50 rounded-lg cursor-pointer' onClick={() => {
                setOpen(false)
@@ -466,6 +485,11 @@ const AppInfo = ({ expand }: IAppInfoProps) => {
            onClose={() => setSecretEnvList([])}
          />
        )}
+        {
+          showAccessControl && <AccessControl app={appDetail}
+            onConfirm={handleAccessControlUpdate}
+            onClose={() => { setShowAccessControl(false) }} />
+        }
      </div>
    </PortalToFollowElem>
  )
--- a/web/app/components/app-sidebar/index.tsx
+++ b/web/app/components/app-sidebar/index.tsx
@@ -17,7 +17,7 @@ export type IAppDetailNavProps = {
  desc: string
  isExternal?: boolean
  icon: string
-  icon_background: string
+  icon_background: string | null
  navigation: Array<{
    name: string
    href: string
--- a/web/app/components/app/app-access-control/access-control-dialog.tsx
+++ b/web/app/components/app/app-access-control/access-control-dialog.tsx
@@ -0,0 +1,61 @@
+import { Fragment, useCallback } from 'react'
+import type { ReactNode } from 'react'
+import { Dialog, Transition } from '@headlessui/react'
+import { RiCloseLine } from '@remixicon/react'
+import cn from '@/utils/classnames'
+
+type DialogProps = {
+  className?: string
+  children: ReactNode
+  show: boolean
+  onClose?: () => void
+}
+
+const AccessControlDialog = ({
+  className,
+  children,
+  show,
+  onClose,
+}: DialogProps) => {
+  const close = useCallback(() => {
+    onClose?.()
+  }, [onClose])
+  return (
+    <Transition appear show={show} as={Fragment}>
+      <Dialog as="div" open={true} className="relative z-20" onClose={() => null}>
+        <Transition.Child
+          as={Fragment}
+          enter="ease-out duration-300"
+          enterFrom="opacity-0"
+          enterTo="opacity-100"
+          leave="ease-in duration-200"
+          leaveFrom="opacity-100"
+          leaveTo="opacity-0"
+        >
+          <div className="fixed inset-0 bg-background-overlay bg-opacity-25" />
+        </Transition.Child>
+
+        <div className="fixed inset-0 flex items-center justify-center">
+          <Transition.Child
+            as={Fragment}
+            enter="ease-out duration-300"
+            enterFrom="opacity-0 scale-95"
+            enterTo="opacity-100 scale-100"
+            leave="ease-in duration-200"
+            leaveFrom="opacity-100 scale-100"
+            leaveTo="opacity-0 scale-95"
+          >
+            <Dialog.Panel className={cn('w-[600px] min-h-[323px] h-auto bg-components-panel-bg shadow-xl rounded-2xl transition-all transform relative p-0 overflow-y-auto', className)}>
+              <div onClick={() => close()} className="absolute top-5 right-5 w-8 h-8 flex items-center justify-center cursor-pointer z-10">
+                <RiCloseLine className='w-5 h-5' />
+              </div>
+              {children}
+            </Dialog.Panel>
+          </Transition.Child>
+        </div>
+      </Dialog>
+    </Transition >
+  )
+}
+
+export default AccessControlDialog
--- a/web/app/components/app/app-access-control/access-control-item.tsx
+++ b/web/app/components/app/app-access-control/access-control-item.tsx
@@ -0,0 +1,30 @@
+'use client'
+import type { FC, PropsWithChildren } from 'react'
+import useAccessControlStore from '../../../../context/access-control-store'
+import type { AccessMode } from '@/models/access-control'
+
+type AccessControlItemProps = PropsWithChildren<{
+  type: AccessMode
+}>
+
+const AccessControlItem: FC<AccessControlItemProps> = ({ type, children }) => {
+  const { currentMenu, setCurrentMenu } = useAccessControlStore(s => ({ currentMenu: s.currentMenu, setCurrentMenu: s.setCurrentMenu }))
+  if (currentMenu !== type) {
+    return <div
+      className="rounded-[10px] border-[1px] cursor-pointer
+      border-components-option-card-option-border bg-components-option-card-option-bg
+      hover:border-components-option-card-option-border-hover hover:bg-components-option-card-option-bg-hover"
+      onClick={() => setCurrentMenu(type)} >
+      {children}
+    </div>
+  }
+
+  return <div className="rounded-[10px] border-[1.5px]
+  border-components-option-card-option-selected-border bg-components-option-card-option-selected-bg shadow-sm">
+    {children}
+  </div>
+}
+
+AccessControlItem.displayName = 'AccessControlItem'
+
+export default AccessControlItem
--- a/web/app/components/app/app-access-control/add-member-or-group-pop.tsx
+++ b/web/app/components/app/app-access-control/add-member-or-group-pop.tsx
@@ -0,0 +1,204 @@
+'use client'
+import { RiAddCircleFill, RiArrowRightSLine, RiOrganizationChart } from '@remixicon/react'
+import { useTranslation } from 'react-i18next'
+import { useCallback, useEffect, useRef, useState } from 'react'
+import { useDebounce } from 'ahooks'
+import { FloatingOverlay } from '@floating-ui/react'
+import Avatar from '../../base/avatar'
+import Button from '../../base/button'
+import Checkbox from '../../base/checkbox'
+import Input from '../../base/input'
+import { PortalToFollowElem, PortalToFollowElemContent, PortalToFollowElemTrigger } from '../../base/portal-to-follow-elem'
+import Loading from '../../base/loading'
+import useAccessControlStore from '../../../../context/access-control-store'
+import classNames from '@/utils/classnames'
+import { useSearchForWhiteListCandidates } from '@/service/access-control'
+import type { AccessControlAccount, AccessControlGroup, Subject, SubjectAccount, SubjectGroup } from '@/models/access-control'
+import { SubjectType } from '@/models/access-control'
+import { useSelector } from '@/context/app-context'
+
+export default function AddMemberOrGroupDialog() {
+  const { t } = useTranslation()
+  const [open, setOpen] = useState(false)
+  const [keyword, setKeyword] = useState('')
+  const selectedGroupsForBreadcrumb = useAccessControlStore(s => s.selectedGroupsForBreadcrumb)
+  const debouncedKeyword = useDebounce(keyword, { wait: 500 })
+
+  const lastAvailableGroup = selectedGroupsForBreadcrumb[selectedGroupsForBreadcrumb.length - 1]
+  const { isLoading, isFetchingNextPage, fetchNextPage, data } = useSearchForWhiteListCandidates({ keyword: debouncedKeyword, groupId: lastAvailableGroup?.id, resultsPerPage: 10 }, open)
+  const handleKeywordChange = (e: React.ChangeEvent<HTMLInputElement>) => {
+    setKeyword(e.target.value)
+  }
+
+  const anchorRef = useRef<HTMLDivElement>(null)
+  useEffect(() => {
+    const hasMore = data?.pages?.[0].hasMore ?? false
+    let observer: IntersectionObserver | undefined
+    if (anchorRef.current) {
+      observer = new IntersectionObserver((entries) => {
+        if (entries[0].isIntersecting && !isLoading && hasMore)
+          fetchNextPage()
+      }, { rootMargin: '20px' })
+      observer.observe(anchorRef.current)
+    }
+    return () => observer?.disconnect()
+  }, [isLoading, fetchNextPage, anchorRef, data])
+
+  return <PortalToFollowElem open={open} onOpenChange={setOpen} offset={{ crossAxis: 300 }} placement='bottom-end'>
+    <PortalToFollowElemTrigger asChild>
+      <Button variant='ghost-accent' size='small' className='shrink-0 flex items-center gap-x-0.5' onClick={() => setOpen(!open)}>
+        <RiAddCircleFill className='w-4 h-4' />
+        <span>{t('common.operation.add')}</span>
+      </Button>
+    </PortalToFollowElemTrigger>
+    {open && <FloatingOverlay />}
+    <PortalToFollowElemContent className='z-[25]'>
+      <div className='w-[400px] max-h-[400px] relative overflow-y-auto flex flex-col border-[0.5px] border-components-panel-border rounded-xl bg-components-panel-bg-blur backdrop-blur-[5px] shadow-lg'>
+        <div className='p-2 pb-0.5 sticky top-0 bg-components-panel-bg-blur backdrop-blur-[5px] z-1'>
+          <Input value={keyword} onChange={handleKeywordChange} showLeftIcon placeholder={t('app.accessControlDialog.operateGroupAndMember.searchPlaceholder') as string} />
+        </div>
+        {
+          isLoading
+            ? <div className='p-1'><Loading /></div>
+            : (data?.pages?.length ?? 0) > 0
+              ? <>
+                <div className='flex items-center h-7 px-2 py-0.5'>
+                  <SelectedGroupsBreadCrumb />
+                </div>
+                <div className='p-1'>
+                  {renderGroupOrMember(data?.pages ?? [])}
+                  {isFetchingNextPage && <Loading />}
+                </div>
+                <div ref={anchorRef} className='h-0'> </div>
+              </>
+              : <div className='flex items-center justify-center h-7 px-2 py-0.5'>
+                <span className='system-xs-regular text-text-tertiary'>{t('app.accessControlDialog.operateGroupAndMember.noResult')}</span>
+              </div>
+        }
+      </div>
+    </PortalToFollowElemContent>
+  </PortalToFollowElem>
+}
+
+type GroupOrMemberData = { subjects: Subject[]; currPage: number }[]
+function renderGroupOrMember(data: GroupOrMemberData) {
+  return data?.map((page) => {
+    return <div key={`search_group_member_page_${page.currPage}`}>
+      {page.subjects?.map((item, index) => {
+        if (item.subjectType === SubjectType.GROUP)
+          return <GroupItem key={index} group={(item as SubjectGroup).groupData} />
+        return <MemberItem key={index} member={(item as SubjectAccount).accountData} />
+      })}
+    </div>
+  }) ?? null
+}
+
+function SelectedGroupsBreadCrumb() {
+  const selectedGroupsForBreadcrumb = useAccessControlStore(s => s.selectedGroupsForBreadcrumb)
+  const setSelectedGroupsForBreadcrumb = useAccessControlStore(s => s.setSelectedGroupsForBreadcrumb)
+  const { t } = useTranslation()
+
+  const handleBreadCrumbClick = useCallback((index: number) => {
+    const newGroups = selectedGroupsForBreadcrumb.slice(0, index + 1)
+    setSelectedGroupsForBreadcrumb(newGroups)
+  }, [setSelectedGroupsForBreadcrumb, selectedGroupsForBreadcrumb])
+  const handleReset = useCallback(() => {
+    setSelectedGroupsForBreadcrumb([])
+  }, [setSelectedGroupsForBreadcrumb])
+  return <div className='flex items-center h-7 px-2 py-0.5 gap-x-0.5'>
+    <span className={classNames('system-xs-regular text-text-tertiary', selectedGroupsForBreadcrumb.length > 0 && 'text-text-accent cursor-pointer')} onClick={handleReset}>{t('app.accessControlDialog.operateGroupAndMember.allMembers')}</span>
+    {selectedGroupsForBreadcrumb.map((group, index) => {
+      return <div key={index} className='flex items-center gap-x-0.5 text-text-tertiary system-xs-regular'>
+        <span>/</span>
+        <span className={index === selectedGroupsForBreadcrumb.length - 1 ? '' : 'text-text-accent cursor-pointer'} onClick={() => handleBreadCrumbClick(index)}>{group.name}</span>
+      </div>
+    })}
+  </div>
+}
+
+type GroupItemProps = {
+  group: AccessControlGroup
+}
+function GroupItem({ group }: GroupItemProps) {
+  const { t } = useTranslation()
+  const specificGroups = useAccessControlStore(s => s.specificGroups)
+  const setSpecificGroups = useAccessControlStore(s => s.setSpecificGroups)
+  const selectedGroupsForBreadcrumb = useAccessControlStore(s => s.selectedGroupsForBreadcrumb)
+  const setSelectedGroupsForBreadcrumb = useAccessControlStore(s => s.setSelectedGroupsForBreadcrumb)
+  const isChecked = specificGroups.some(g => g.id === group.id)
+  const handleCheckChange = useCallback(() => {
+    if (!isChecked) {
+      const newGroups = [...specificGroups, group]
+      setSpecificGroups(newGroups)
+    }
+    else {
+      const newGroups = specificGroups.filter(g => g.id !== group.id)
+      setSpecificGroups(newGroups)
+    }
+  }, [specificGroups, setSpecificGroups, group, isChecked])
+
+  const handleExpandClick = useCallback(() => {
+    setSelectedGroupsForBreadcrumb([...selectedGroupsForBreadcrumb, group])
+  }, [selectedGroupsForBreadcrumb, setSelectedGroupsForBreadcrumb, group])
+  return <BaseItem>
+    <Checkbox checked={isChecked} className='w-4 h-4 shrink-0' onCheck={handleCheckChange} />
+    <div className='flex item-center grow'>
+      <div className='w-5 h-5 rounded-full bg-components-icon-bg-blue-solid overflow-hidden mr-2'>
+        <div className='w-full h-full flex items-center justify-center bg-access-app-icon-mask-bg'>
+          <RiOrganizationChart className='w-[14px] h-[14px] text-components-avatar-shape-fill-stop-0' />
+        </div>
+      </div>
+      <p className='system-sm-medium text-text-secondary mr-1'>{group.name}</p>
+      <p className='system-xs-regular text-text-tertiary'>{group.groupSize}</p>
+    </div>
+    <Button size="small" disabled={isChecked} variant='ghost-accent'
+      className='py-1 px-1.5 shrink-0 flex items-center justify-between' onClick={handleExpandClick}>
+      <span className='px-[3px]'>{t('app.accessControlDialog.operateGroupAndMember.expand')}</span>
+      <RiArrowRightSLine className='w-4 h-4' />
+    </Button>
+  </BaseItem>
+}
+
+type MemberItemProps = {
+  member: AccessControlAccount
+}
+function MemberItem({ member }: MemberItemProps) {
+  const currentUser = useSelector(s => s.userProfile)
+  const { t } = useTranslation()
+  const specificMembers = useAccessControlStore(s => s.specificMembers)
+  const setSpecificMembers = useAccessControlStore(s => s.setSpecificMembers)
+  const isChecked = specificMembers.some(m => m.id === member.id)
+  const handleCheckChange = useCallback(() => {
+    if (!isChecked) {
+      const newMembers = [...specificMembers, member]
+      setSpecificMembers(newMembers)
+    }
+    else {
+      const newMembers = specificMembers.filter(m => m.id !== member.id)
+      setSpecificMembers(newMembers)
+    }
+  }, [specificMembers, setSpecificMembers, member, isChecked])
+  return <BaseItem className='pr-3'>
+    <Checkbox checked={isChecked} className='w-4 h-4 shrink-0' onCheck={handleCheckChange} />
+    <div className='flex items-center grow'>
+      <div className='w-5 h-5 rounded-full bg-components-icon-bg-blue-solid overflow-hidden mr-2'>
+        <div className='w-full h-full flex items-center justify-center bg-access-app-icon-mask-bg'>
+          <Avatar className='w-[14px] h-[14px]' textClassName='text-[12px]' avatar={null} name={member.name} />
+        </div>
+      </div>
+      <p className='system-sm-medium text-text-secondary mr-1'>{member.name}</p>
+      {currentUser.email === member.email && <p className='system-xs-regular text-text-tertiary'>({t('common.you')})</p>}
+    </div>
+    <p className='system-xs-regular text-text-quaternary'>{member.email}</p>
+  </BaseItem>
+}
+
+type BaseItemProps = {
+  className?: string
+  children: React.ReactNode
+}
+function BaseItem({ children, className }: BaseItemProps) {
+  return <div className={classNames('p-1 pl-2 flex items-center space-x-2 hover:rounded-lg hover:bg-state-base-hover cursor-pointer', className)}>
+    {children}
+  </div>
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
GareArc	85b4386a02	fix: allow admin to update and remove members	2025-05-06 16:41:43 -04:00
Xiyuan Chen	1c2e8e1ce7	fix removing member without permission (#16332 ) (#19275 ) Co-authored-by: Linh Nguyen <55907715+batman0911@users.noreply.github.com> Co-authored-by: crazywoola <427733928@qq.com>	2025-05-06 15:41:50 +08:00
Garfield Dai	33d2c9d2ca	Merge branch 'release/0.15-support' into e-260	2025-04-28 18:18:54 +08:00
Zixuan Cheng	4fa3d78ed8	Revert "feat : add GPT4.1 in the model providers" (#19002 )	2025-04-28 18:15:24 +08:00
Garfield Dai	849994d35e	Merge tag '0.15.7' into e-260 0.15.7	2025-04-28 17:17:26 +08:00
NFish	2fce4a338c	fix: get realtime groups and members data every time user open the di… (#18988 )	2025-04-28 17:01:07 +08:00
-LAN-	5f7f851b17	fix: Refines None checks in result transformation Simplifies the code by replacing type checks for None with direct comparisons, improving readability and consistency in handling None values during output validation. Signed-off-by: -LAN- <laipz8200@outlook.com>	2025-04-28 15:40:14 +08:00
-LAN-	559ab46ee1	fix: Removes redundant token calculations and updates dependencies Eliminates unnecessary pre-calculation of token limits and recalculation of max tokens across multiple app runners, simplifying the logic for prompt handling. Updates tiktoken library from version 0.8.0 to 0.9.0 for improved tokenization performance. Increases default token limit in TokenBufferMemory to accommodate larger prompt messages. These changes streamline the token management process and leverage the latest improvements in the tiktoken library. Fixes potential token overflow issues and prepares the system for handling larger inputs more efficiently. Relates to internal optimization tasks. Signed-off-by: -LAN- <laipz8200@outlook.com>	2025-04-28 15:39:12 +08:00
-LAN-	df98223c8c	chore: Updates to version 0.15.7 with new model support Adds support for GPT-4.1 and Amazon Bedrock DeepSeek-R1 models. Fixes issues with app creation from template categories and DSL version checks. Updates version numbers in configuration files and Docker setup to 0.15.7 for consistency. Addresses issues #18807, #18868, #18872, #18878, and #18912. Signed-off-by: -LAN- <laipz8200@outlook.com>	2025-04-28 14:19:07 +08:00
Zixuan Cheng	144f9507f8	feat : add GPT4.1 in the model providers (#18912 )	2025-04-27 19:31:20 +08:00
kelvintsim	2e097a1ac0	add bedrock deepseek-r1 (#18908 )	2025-04-27 19:30:42 +08:00
NFish	9f7d8a981f	Patch: hotfix/create from template category (#18807 ) (#18868 )	2025-04-27 14:47:18 +08:00
NFish	c4729f8c20	fix: check dsl version when create app from explore template (#18872 )… (#18881 ) Co-authored-by: zxhlyh <jasonapring2015@outlook.com>	2025-04-27 14:32:28 +08:00
NFish	5cb1cf9eca	Patch: Hotfix/create from template category (#18807 ) (#18869 )	2025-04-27 14:28:05 +08:00
zxhlyh	40b31bafd5	fix: check dsl version when create app from explore template (#18872 ) (#18878 )	2025-04-27 14:21:45 +08:00
-LAN-	d38a2c95fb	docs(CHANGELOG): Update CHANGELOG.md Signed-off-by: -LAN- <laipz8200@outlook.com>	2025-04-25 18:31:08 +08:00
-LAN-	7d18e2a0ef	feat(app_dsl_service): Refines version compatibility logic Updates logic to handle various version comparisons, ensuring more precise status returns based on version differences. Improves handling of older and newer versions to prevent mismatches and ensure appropriate compatibility status. Signed-off-by: -LAN- <laipz8200@outlook.com>	2025-04-25 18:27:31 +08:00
kelvintsim	024f242251	add bedrock claude-sonnet-3.7 (#18788 )	2025-04-25 17:35:12 +08:00
NFish	de14a55bde	fix: i18n update (#18787 )	2025-04-25 17:28:32 +08:00
NFish	cbb1d722a5	fix: break switch logic if the sso protocol is empty (#18783 )	2025-04-25 17:19:44 +08:00
NFish	1769ce16f3	fix: disable batch run button when user has no permission. (#18777 )	2025-04-25 16:46:58 +08:00
NFish	170139bb0f	fix: update sso protocol default value to '' (#18773 )	2025-04-25 16:20:20 +08:00
NFish	ede0deb447	Fix/web app signin error (#18765 )	2025-04-25 15:34:18 +08:00
NFish	d40f2e7d94	fix: web app login show undefined error message (#18757 )	2025-04-25 14:09:38 +08:00
NFish	70ebfc064b	fix: stop auto retry login when web app return error (#18747 )	2025-04-25 12:09:13 +08:00
GareArc	d6c252d77e	Merge branch 'feat/webapp-auth-api' into e-260	2025-04-24 23:48:25 -04:00
GareArc	fc3d3e0565	fix: wrong web sso protocal source in json	2025-04-24 23:48:18 -04:00
Xin Zhang	b786bbdab5	fix: add workspace limitation in invite-login API (#18724 )	2025-04-25 09:52:47 +08:00
Xin Zhang	f45321dd27	fix: handle WorkspacesLimitExceededError in forgot_password.py (#18716 )	2025-04-24 18:41:10 +08:00
NFish	746d4d8ead	fix: update i18n (#18711 )	2025-04-24 18:14:03 +08:00
NFish	7c31e3b6ba	Hotfix/revert webapp login page (#18706 )	2025-04-24 17:54:03 +08:00
Garfield Dai	7c1116f139	update.	2025-04-24 15:27:04 +08:00
Xin Zhang	b82cc1c2e8	feat: priced limit (#17683 )	2025-04-24 14:58:34 +08:00
NFish	fee51ba994	Feat/e permission (#18656 )	2025-04-24 13:10:01 +08:00
GareArc	2259dfdc58	Merge branch 'feat/webapp-auth-api' into e-260	2025-04-23 23:10:02 -04:00
GareArc	3761944a3f	fix: remove debug logs	2025-04-23 23:09:45 -04:00
GareArc	a239e756b0	Merge tag '0.15.6' into e-260 0.15.6	2025-04-23 22:41:12 -04:00
GareArc	ac54dd89f4	fix: change rel url value to target_ref	2025-04-23 22:39:21 -04:00
GareArc	5310ed4b54	Merge branch 'feat/webapp-auth-api' into e-260	2025-04-23 22:38:04 -04:00
-LAN-	bfdce78ca5	chore(*): Bump up to 0.15.6 Signed-off-by: -LAN- <laipz8200@outlook.com>	2025-04-23 14:06:46 +08:00
-LAN-	00c2258352	CHANGELOG): Adds initial changelog for version 0.15.6 Signed-off-by: -LAN- <laipz8200@outlook.com>	2025-04-23 13:55:33 +08:00
GareArc	09f8da1429	fix: allow empty list api	2025-04-22 22:20:29 -04:00
NFish	9f07584a00	Feat/e license limit (#18436 ) Co-authored-by: Garfield Dai <dai.hai@foxmail.com>	2025-04-23 00:23:38 +08:00
Joel	a1b3d41712	fix: clickjacking (#18552 )	2025-04-22 17:08:52 +08:00
GareArc	fcc274d679	fix: add filter in installedapp list api	2025-04-22 02:54:30 -04:00
GareArc	14f378bbc6	Merge branch 'feat/webapp-auth-api' into e-260	2025-04-21 22:18:35 -04:00
GareArc	669fb6be0f	fix: wrong field name	2025-04-21 22:18:16 -04:00
GareArc	724ffe55c9	fix: add back sso system feature	2025-04-21 22:02:50 -04:00
GareArc	bfa5828259	fix: temp fix for unauthorized user in explore page	2025-04-21 19:40:51 -04:00
GareArc	455d14296f	fix: get app id from upstream decorator	2025-04-21 19:03:10 -04:00
GareArc	d1a25e54e5	fix: add logging	2025-04-21 18:48:24 -04:00
GareArc	9462ed7bbf	fix: add auth constraint to explore apps	2025-04-21 18:47:24 -04:00
GareArc	c6e63ac816	Revert "fix: update webapp auth api path" This reverts commit `a27db51b83`.	2025-04-21 02:07:43 -04:00
GareArc	a27db51b83	fix: update webapp auth api path	2025-04-21 02:06:07 -04:00
GareArc	e52a9fbfb7	fix: remove curr user in webapp permission api	2025-04-20 23:33:51 -04:00
GareArc	2af1dd6de3	feat: add webapp auth apis	2025-04-20 23:30:59 -04:00
kautsar_masuara	b26e20fe34	fix: fix vertex gemini 2.0 flash 001 schema (#18405 ) Co-authored-by: achmad-kautsar <achmad.kautsar@insignia.co.id>	2025-04-19 22:04:13 +08:00
NFish	161ff432f1	fix: update reset password token when email code verify success (#18362 )	2025-04-18 17:15:15 +08:00
NFish	509733fbf0	fix: update reset password token when email code verify success (#18367 )	2025-04-18 17:15:02 +08:00
Xiyuan Chen	99a9def623	fix: reset_password security issue (#18366 )	2025-04-18 05:04:44 -04:00
GareArc	7770a45253	fix: add password security update	2025-04-18 05:02:26 -04:00
GareArc	bafdbade52	fix: wrong json structure	2025-04-11 17:19:34 -04:00
GareArc	fa76590c24	chore: add log	2025-04-11 16:59:52 -04:00
GareArc	d5b75470e4	fix: bad request	2025-04-11 16:48:09 -04:00
GareArc	5f87bdbe3a	fix: add batch get access mode api	2025-04-11 15:24:32 -04:00
GareArc	cb13b53ccd	fix: update webapp sso features	2025-04-11 03:25:58 -04:00
GareArc	a1dc3cfdec	fix: update code for access denied error	2025-04-11 02:45:46 -04:00
GareArc	7a4ec9cf23	fix: change error code for webapp auth	2025-04-11 02:41:02 -04:00
GareArc	4785c061a9	feat: add webapp clean up	2025-04-10 15:19:28 -04:00
GareArc	4105c8ff70	fix: bad api call	2025-04-10 06:27:00 -04:00
GareArc	b922c8c215	fix: make app private when created	2025-04-10 00:36:35 -04:00
GareArc	cbea30e65f	fix: bad field name	2025-04-09 17:21:16 -04:00
GareArc	e9a207b38e	fix: adjust enterprise api	2025-04-09 16:30:41 -04:00
GareArc	5e50570739	fix: update webapp jwt claim and add user accessibility support	2025-04-07 18:41:02 -04:00
GareArc	46d43e6758	feat: add web app auth	2025-04-07 17:03:26 -04:00
Alexi.F	fe1846c437	fix: change gemini-2.0-flash to validate google api #17082 (#17115 )	2025-03-30 13:04:12 +08:00
GareArc	1045f6db7a	fix: wrong arg parsing	2025-03-26 01:37:45 -04:00
GareArc	50d36612f0	fix: bad import	2025-03-26 00:34:04 -04:00
GareArc	e38631db8a	feat: add inner mail api	2025-03-25 21:47:30 -04:00
Garfield Dai	7f63cd52a2	update.	2025-03-24 23:08:54 +08:00
-LAN-	8e75eb5c63	fix: update version to 0.15.5 in packaging and docker-compose files Sgned-off-by: -LAN- <lapz8200@outlook.com>	2025-03-24 16:47:06 +08:00
-LAN-	970508fcb6	fix: update GitHub Actions workflow to trigger on tags Signed-off-by: -LAN- <laipz8200@outlook.com>	2025-03-24 16:45:29 +08:00
NFish	5b357fdbf0	Merge branch 'release/0.15.5' into e-0154	2025-03-24 16:42:11 +08:00
NFish	9283a5414f	fix: update yarn.lock	2025-03-24 16:41:07 +08:00
NFish	8923e64b8d	Merge branch 'release/0.15.5' into e-0154	2025-03-24 15:40:32 +08:00
-LAN-	2a2a0e9be9	fix: update DifySandbox image version to 0.2.11 in docker-compose files Sgned-off-by: -LAN- <laipz8200@outlook.com>	2025-03-24 15:37:55 +08:00
Joel	061a765b7d	fix: sanitizer svg to avoid xss (#16608 )	2025-03-24 14:48:40 +08:00
-LAN-	acd7fead87	feat: remove Vanna provider and associated assets from the project Signed-off-by: -LAN- <laipz8200@outlook.com>	2025-03-24 14:34:03 +08:00
KVOJJJin	64e9d96d84	chore: compatible with es5 (#14268 )	2025-03-24 13:17:48 +08:00
NFish	d27de3818c	Merge branch 'release/0.15.5' into e-0154	2025-03-24 11:46:30 +08:00
NFish	bbb080d5b2	fix: update chatbot help doc link on the create app form	2025-03-24 11:28:35 +08:00
NFish	8c025abb3b	Merge branch 'release/0.15.5' into e-0154	2025-03-24 10:32:56 +08:00
NFish	c01d8a70f3	fix: upgrade nextjs to v14.2.25. a security patch for CVE-2025-29927.	2025-03-24 10:32:18 +08:00
NFish	98606ca558	fix: upgrade nextjs to v14.2.25	2025-03-24 10:12:21 +08:00
Garfield Dai	adf3e18ebd	Merge tag '0.15.4' into e-0154	2025-03-21 18:29:43 +08:00
-LAN-	1ca15989e0	chore: update version to 0.15.4 in configuration and docker files Signed-off-by: -LAN- <laipz8200@outlook.com>	2025-03-21 16:39:06 +08:00
-LAN-	8b5a3a9424	Merge branch 'release/0.15.4' of github.com:langgenius/dify into release/0.15.4	2025-03-21 16:31:06 +08:00
-LAN-	42ddcf1edd	chore: remove 0.15.3 branch config in the build action Signed-off-by: -LAN- <laipz8200@outlook.com>	2025-03-21 16:30:33 +08:00
Joel	21561df10f	fix: xss in render svg (#16437 )	2025-03-21 15:24:58 +08:00
Byron.wang	4327ec8c4c	fix license expireAt field typo (#16428 )	2025-03-21 13:43:43 +08:00
NFish	bbc5ec8301	fix: expired date calc error	2025-03-21 11:00:07 +08:00
NFish	4a51a72c1d	Merge branch 'e-0154' into deploy/enterprise	2025-03-20 17:34:52 +08:00
NFish	4b6adffa8e	fix: hide copyright on forgot-password/install/reset-password page	2025-03-20 17:34:19 +08:00
NFish	c7fd73d330	Merge branch 'e-0154' into deploy/enterprise	2025-03-20 10:13:09 +08:00
NFish	8a709e445a	fix: remove Dify from Service API doc	2025-03-20 10:12:27 +08:00
NFish	f02b77b99f	fix: Decouple login page logo component to avoid conflict with internal logo	2025-03-20 10:11:26 +08:00
GareArc	abc625bcce	Merge branch 'e-0154' into deploy/enterprise	2025-03-18 22:35:39 -04:00
GareArc	b6bc1f8bc4	fix: adjust logic for branding toggle	2025-03-18 22:35:27 -04:00
NFish	b8f9037cd3	Merge branch 'e-0154' into deploy/enterprise	2025-03-18 16:13:14 +08:00
NFish	02606ba3c7	fix: cannot update webapp copyright info	2025-03-18 16:12:52 +08:00
GareArc	79311d3fb5	Merge branch 'e-0154' into deploy/enterprise	2025-03-18 03:53:18 -04:00
GareArc	31086a1fbf	feat: add webapp copyright feature	2025-03-18 03:53:07 -04:00
NFish	6ae5d052e5	Merge branch 'e-0154' into deploy/enterprise	2025-03-18 14:55:36 +08:00
NFish	c794ecf101	fix: user can edit webapp copyright info only if webapp_copyright_enabled is true	2025-03-18 14:54:34 +08:00
GareArc	d887aae012	Merge branch 'e-0154' into deploy/enterprise	2025-03-18 01:55:38 -04:00
GareArc	1b1e96eff7	fix: typo	2025-03-18 01:55:27 -04:00
GareArc	eecd091063	Merge branch 'e-0154' into deploy/enterprise	2025-03-17 15:34:49 -04:00
GareArc	d38f2cb380	fix: change subject title	2025-03-17 15:34:28 -04:00
GareArc	56aaee5558	fix: wrong branding title	2025-03-17 15:01:31 -04:00
GareArc	d72b4752c9	fix: wrong title location	2025-03-17 15:00:04 -04:00
GareArc	ea769c6483	Merge branch 'e-0154' into deploy/enterprise	2025-03-17 14:24:00 -04:00
GareArc	ec194fa3d4	fix: invalid email template variables	2025-03-17 14:23:46 -04:00
NFish	b877039859	Merge branch 'e-0154' into deploy/enterprise	2025-03-17 10:37:20 +08:00
NFish	54634f26d2	fix: show copyright in webapp	2025-03-17 10:36:51 +08:00
NFish	3bef91a2cd	fix: show loading icon when fetching system features	2025-03-15 12:01:30 +08:00
NFish	7da45ba589	fix: show loading icon when fetching system features	2025-03-15 12:00:22 +08:00
NFish	e0232c67cc	fix: update document title and favicon in client side	2025-03-15 12:00:22 +08:00
GareArc	1dc4a229d4	Merge branch 'e-0154' into deploy/enterprise	2025-03-14 16:37:02 -04:00
GareArc	0e0bada1f3	fix: missing json keys	2025-03-14 16:36:49 -04:00
GareArc	5366a814f9	fix: update json keys	2025-03-14 16:35:05 -04:00
GareArc	f1240a22db	fix: remove default value	2025-03-14 13:26:44 -04:00
NFish	66f35c2b7e	Merge branch 'e-0154' into deploy/enterprise	2025-03-15 01:25:15 +08:00
NFish	766ee48531	fix: update document title and favicon in client side	2025-03-15 01:25:04 +08:00
NFish	083045f45c	Merge branch 'e-0154' into deploy/enterprise	2025-03-14 20:49:17 +08:00
NFish	fe237802c9	fix: update Dify text	2025-03-14 19:10:03 +08:00
NFish	00b923651f	fix: update document title with system features config	2025-03-14 19:10:03 +08:00
NFish	24fce3cc64	chore: use global zustand manage systemFeatures and share between all pages	2025-03-14 19:10:03 +08:00
GareArc	8ba969f67d	fix: add ci workflow	2025-03-13 17:15:11 -04:00
GareArc	6844d59371	fix: add default title name	2025-03-13 17:07:45 -04:00
GareArc	fe5529db85	Trigger workflow	2025-03-13 17:04:13 -04:00
GareArc	d89034d913	feat: add application title	2025-03-13 15:49:04 -04:00
NFish	360fbeb108	fix: update email template, add application_title	2025-03-13 17:28:49 +08:00
GareArc	e7c2fa1cfa	fix: remove system feature is_branding	2025-03-12 10:48:58 -04:00
Hash Brown	735f09d977	fix: build failed due to `getPrevChatList` no longer exists (#13383 )	2025-03-12 10:22:33 +08:00
GareArc	f83a5e3e49	fix: wrong type	2025-03-11 07:46:48 -04:00
NFish	01a8d4efcc	fix: remove dify from invite template	2025-03-11 19:25:30 +08:00
GareArc	fdb1e649d4	feat: add branding support	2025-03-11 07:14:52 -04:00
NFish	0856792a57	fix: add email templates that are no brands or logo	2025-03-11 16:03:15 +08:00
crazywoola	0e33a3aa5f	chore: add ci	2025-02-19 14:34:36 +08:00
Hash Brown	d3895bcd6b	revert	2025-02-19 14:32:28 +08:00
Hash Brown	eeb390650b	fix: build failed	2025-02-19 14:32:28 +08:00