feat: implement NotImplementedError for token counting in LLMs and reintroduce disabled token count method

Signed-off-by: -LAN- <laipz8200@outlook.com>

.github/workflows/build-push.yml

@@ -5,10 +5,8 @@ on:
     branches:
       - "main"
       - "deploy/dev"
-      - "deploy/enterprise"
-      - "e-260"
-  release:
-    types: [published]
+    tags:
+      - "*"
 
 concurrency:
   group: build-push-${{ github.head_ref || github.run_id }}

.github/workflows/deploy-enterprise.yml

@@ -1,29 +0,0 @@
-name: Deploy Enterprise
-
-permissions:
-  contents: read
-
-on:
-  workflow_run:
-    workflows: ["Build and Push API & Web"]
-    branches:
-      - "deploy/enterprise"
-    types:
-      - completed
-
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    if: |
-      github.event.workflow_run.conclusion == 'success' &&
-      github.event.workflow_run.head_branch == 'deploy/enterprise'
-
-    steps:
-      - name: Deploy to server
-        uses: appleboy/ssh-action@v0.1.8
-        with:
-          host: ${{ secrets.ENTERPRISE_SSH_HOST }}
-          username: ${{ secrets.ENTERPRISE_SSH_USER }}
-          password: ${{ secrets.ENTERPRISE_SSH_PASSWORD }}
-          script: |
-            ${{ vars.ENTERPRISE_SSH_SCRIPT || secrets.ENTERPRISE_SSH_SCRIPT }}

.gitignore

@@ -175,6 +175,7 @@ docker/volumes/pgvector/data/*
 docker/volumes/pgvecto_rs/data/*
 docker/volumes/couchbase/*
 docker/volumes/oceanbase/*
+docker/volumes/plugin_daemon/*
 !docker/volumes/oceanbase/init.d
 
 docker/nginx/conf.d/default.conf

.markdownlint.json

@@ -1,4 +0,0 @@
-{
-    "MD024": false,
-    "MD013": false
-}

CHANGELOG.md

@@ -1,45 +0,0 @@
-# Changelog
-
-All notable changes to Dify will be documented in this file.
-
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-
-## [0.15.8] - 2025-05-30
-
-### Added
-
-- Added gunicorn keepalive setting (#19537)
-
-### Fixed
-
-- Fixed database configuration to allow DB_EXTRAS to set search_path via options (#16a4f77)
-- Fixed frontend third-party package security issues (#19655)
-- Updated dependencies: huggingface-hub (~0.16.4 to ~0.31.0), transformers (~4.35.0 to ~4.39.0), and resend (~0.7.0 to ~2.9.0) (#19563)
-- Downgrade boto3 from 1.36 to 1.35 (#19736)
-
-## [0.15.7] - 2025-04-27
-
-### Added
-
-- Added support for GPT-4.1 in model providers (#18912)
-- Added support for Amazon Bedrock DeepSeek-R1 model (#18908)
-- Added support for Amazon Bedrock Claude Sonnet 3.7 model (#18788)
-- Refined version compatibility logic in app DSL service
-
-### Fixed
-
-- Fixed issue with creating apps from template categories (#18807, #18868)
-- Fixed DSL version check when creating apps from explore templates (#18872, #18878)
-
-## [0.15.6] - 2025-04-22
-
-### Security
-
-- Fixed clickjacking vulnerability (#18552)
-- Fixed reset password security issue (#18366)
-- Updated reset password token when email code verification succeeds (#18362)
-
-### Fixed
-
-- Fixed Vertex AI Gemini 2.0 Flash 001 schema (#18405)

api/.env.example

@@ -430,7 +430,4 @@ CREATE_TIDB_SERVICE_JOB_ENABLED=false
 # Maximum number of submitted thread count in a ThreadPool for parallel node execution
 MAX_SUBMIT_COUNT=100
 # Lockout duration in seconds
-LOGIN_LOCKOUT_DURATION=86400
-
-# Prevent Clickjacking
-ALLOW_EMBED=false
+LOGIN_LOCKOUT_DURATION=86400

api/configs/middleware/__init__.py

@@ -1,5 +1,5 @@
 from typing import Any, Literal, Optional
-from urllib.parse import parse_qsl, quote_plus
+from urllib.parse import quote_plus
 
 from pydantic import Field, NonNegativeInt, PositiveFloat, PositiveInt, computed_field
 from pydantic_settings import BaseSettings
@@ -166,28 +166,14 @@ class DatabaseConfig(BaseSettings):
         default=False,
     )
 
-    @computed_field  # type: ignore[misc]
-    @property
+    @computed_field
     def SQLALCHEMY_ENGINE_OPTIONS(self) -> dict[str, Any]:
-        # Parse DB_EXTRAS for 'options'
-        db_extras_dict = dict(parse_qsl(self.DB_EXTRAS))
-        options = db_extras_dict.get("options", "")
-        # Always include timezone
-        timezone_opt = "-c timezone=UTC"
-        if options:
-            # Merge user options and timezone
-            merged_options = f"{options} {timezone_opt}"
-        else:
-            merged_options = timezone_opt
-
-        connect_args = {"options": merged_options}
-
         return {
             "pool_size": self.SQLALCHEMY_POOL_SIZE,
             "max_overflow": self.SQLALCHEMY_MAX_OVERFLOW,
             "pool_recycle": self.SQLALCHEMY_POOL_RECYCLE,
             "pool_pre_ping": self.SQLALCHEMY_POOL_PRE_PING,
-            "connect_args": connect_args,
+            "connect_args": {"options": "-c timezone=UTC"},
         }
 
 

api/configs/packaging/__init__.py

@@ -9,7 +9,7 @@ class PackagingInfo(BaseSettings):
 
     CURRENT_VERSION: str = Field(
         description="Dify version",
-        default="0.15.8",
+        default="0.15.6-alpha.1",
     )
 
     COMMIT_SHA: str = Field(

api/controllers/console/app/app.py

@@ -2,28 +2,30 @@ import uuid
 from typing import cast
 
 from flask_login import current_user  # type: ignore
-from flask_restful import (Resource, inputs, marshal,  # type: ignore
-                           marshal_with, reqparse)
+from flask_restful import Resource, inputs, marshal, marshal_with, reqparse  # type: ignore
 from sqlalchemy import select
 from sqlalchemy.orm import Session
 from werkzeug.exceptions import BadRequest, Forbidden, abort
 
 from controllers.console import api
 from controllers.console.app.wraps import get_app_model
-from controllers.console.wraps import (account_initialization_required,
-                                       cloud_edition_billing_resource_check,
-                                       enterprise_license_required,
-                                       setup_required)
+from controllers.console.wraps import (
+    account_initialization_required,
+    cloud_edition_billing_resource_check,
+    enterprise_license_required,
+    setup_required,
+)
 from core.ops.ops_trace_manager import OpsTraceManager
 from extensions.ext_database import db
-from fields.app_fields import (app_detail_fields, app_detail_fields_with_site,
-                               app_pagination_fields)
+from fields.app_fields import (
+    app_detail_fields,
+    app_detail_fields_with_site,
+    app_pagination_fields,
+)
 from libs.login import login_required
 from models import Account, App
 from services.app_dsl_service import AppDslService, ImportMode
 from services.app_service import AppService
-from services.enterprise.enterprise_service import EnterpriseService
-from services.feature_service import FeatureService
 
 ALLOW_CREATE_APP_MODES = ["chat", "agent-chat", "advanced-chat", "workflow", "completion"]
 
@@ -65,17 +67,7 @@ class AppListApi(Resource):
         if not app_pagination:
             return {"data": [], "total": 0, "page": 1, "limit": 20, "has_more": False}
 
-        if FeatureService.get_system_features().webapp_auth.enabled:
-            app_ids = [str(app.id) for app in app_pagination.items]
-            res = EnterpriseService.WebAppAuth.batch_get_app_access_mode_by_id(app_ids=app_ids)
-            if len(res) != len(app_ids):
-                raise BadRequest("Invalid app id in webapp auth")
-
-            for app in app_pagination.items:
-                if str(app.id) in res:
-                    app.access_mode = res[str(app.id)].access_mode
-
-        return marshal(app_pagination, app_pagination_fields), 200
+        return marshal(app_pagination, app_pagination_fields)
 
     @setup_required
     @login_required
@@ -119,10 +111,6 @@ class AppApi(Resource):
 
         app_model = app_service.get_app(app_model)
 
-        if FeatureService.get_system_features().webapp_auth.enabled:
-            app_setting = EnterpriseService.WebAppAuth.get_app_access_mode_by_id(app_id=str(app_model.id))
-            app_model.access_mode = app_setting.access_mode
-
         return app_model
 
     @setup_required

api/controllers/console/auth/error.py

@@ -59,9 +59,3 @@ class EmailCodeAccountDeletionRateLimitExceededError(BaseHTTPException):
     error_code = "email_code_account_deletion_rate_limit_exceeded"
     description = "Too many account deletion emails have been sent. Please try again in 5 minutes."
     code = 429
-
-
-class EmailPasswordResetLimitError(BaseHTTPException):
-    error_code = "email_password_reset_limit"
-    description = "Too many failed password reset attempts. Please try again in 24 hours."
-    code = 429

api/controllers/console/auth/forgot_password.py

@@ -6,13 +6,9 @@ from flask_restful import Resource, reqparse  # type: ignore
 
 from constants.languages import languages
 from controllers.console import api
-from controllers.console.auth.error import (EmailCodeError, InvalidEmailError,
-                                            InvalidTokenError,
-                                            PasswordMismatchError)
-from controllers.console.error import (AccountInFreezeError, AccountNotFound,
-                                       EmailSendIpLimitError)
-from controllers.console.wraps import (email_password_login_enabled,
-                                       setup_required)
+from controllers.console.auth.error import EmailCodeError, InvalidEmailError, InvalidTokenError, PasswordMismatchError
+from controllers.console.error import AccountInFreezeError, AccountNotFound, EmailSendIpLimitError
+from controllers.console.wraps import setup_required
 from events.tenant_event import tenant_was_created
 from extensions.ext_database import db
 from libs.helper import email, extract_remote_ip
@@ -20,14 +16,12 @@ from libs.password import hash_password, valid_password
 from models.account import Account
 from services.account_service import AccountService, TenantService
 from services.errors.account import AccountRegisterError
-from services.errors.workspace import (WorkSpaceNotAllowedCreateError,
-                                       WorkspacesLimitExceededError)
+from services.errors.workspace import WorkSpaceNotAllowedCreateError
 from services.feature_service import FeatureService
 
 
 class ForgotPasswordSendEmailApi(Resource):
     @setup_required
-    @email_password_login_enabled
     def post(self):
         parser = reqparse.RequestParser()
         parser.add_argument("email", type=email, required=True, location="json")
@@ -59,7 +53,6 @@ class ForgotPasswordSendEmailApi(Resource):
 
 class ForgotPasswordCheckApi(Resource):
     @setup_required
-    @email_password_login_enabled
     def post(self):
         parser = reqparse.RequestParser()
         parser.add_argument("email", type=str, required=True, location="json")
@@ -79,20 +72,11 @@ class ForgotPasswordCheckApi(Resource):
         if args["code"] != token_data.get("code"):
             raise EmailCodeError()
 
-        # Verified, revoke the first token
-        AccountService.revoke_reset_password_token(args["token"])
-
-        # Refresh token data by generating a new token
-        _, new_token = AccountService.generate_reset_password_token(
-            user_email, code=args["code"], additional_data={"phase": "reset"}
-        )
-
-        return {"is_valid": True, "email": token_data.get("email"), "token": new_token}
+        return {"is_valid": True, "email": token_data.get("email")}
 
 
 class ForgotPasswordResetApi(Resource):
     @setup_required
-    @email_password_login_enabled
     def post(self):
         parser = reqparse.RequestParser()
         parser.add_argument("token", type=str, required=True, nullable=False, location="json")
@@ -111,9 +95,6 @@ class ForgotPasswordResetApi(Resource):
 
         if reset_data is None:
             raise InvalidTokenError()
-        # Must use token in reset phase
-        if reset_data.get("phase", "") != "reset":
-            raise InvalidTokenError()
 
         AccountService.revoke_reset_password_token(token)
 
@@ -146,8 +127,6 @@ class ForgotPasswordResetApi(Resource):
                 pass
             except AccountRegisterError as are:
                 raise AccountInFreezeError()
-            except WorkspacesLimitExceededError:
-                pass
 
         return {"result": "success"}
 

api/controllers/console/auth/login.py

@@ -21,9 +21,8 @@ from controllers.console.error import (
     AccountNotFound,
     EmailSendIpLimitError,
     NotAllowedCreateWorkspace,
-    WorkspacesLimitExceeded,
 )
-from controllers.console.wraps import email_password_login_enabled, setup_required
+from controllers.console.wraps import setup_required
 from events.tenant_event import tenant_was_created
 from libs.helper import email, extract_remote_ip
 from libs.password import valid_password
@@ -31,7 +30,7 @@ from models.account import Account
 from services.account_service import AccountService, RegisterService, TenantService
 from services.billing_service import BillingService
 from services.errors.account import AccountRegisterError
-from services.errors.workspace import WorkSpaceNotAllowedCreateError, WorkspacesLimitExceededError
+from services.errors.workspace import WorkSpaceNotAllowedCreateError
 from services.feature_service import FeatureService
 
 
@@ -39,7 +38,6 @@ class LoginApi(Resource):
     """Resource for user login."""
 
     @setup_required
-    @email_password_login_enabled
     def post(self):
         """Authenticate user and login."""
         parser = reqparse.RequestParser()
@@ -89,15 +87,10 @@ class LoginApi(Resource):
         # SELF_HOSTED only have one workspace
         tenants = TenantService.get_join_tenants(account)
         if len(tenants) == 0:
-            system_features = FeatureService.get_system_features()
-
-            if system_features.is_allow_create_workspace and not system_features.license.workspaces.is_available():
-                raise WorkspacesLimitExceeded()
-            else:
-                return {
-                    "result": "fail",
-                    "data": "workspace not found, please contact system admin to invite you to join in a workspace",
-                }
+            return {
+                "result": "fail",
+                "data": "workspace not found, please contact system admin to invite you to join in a workspace",
+            }
 
         token_pair = AccountService.login(account=account, ip_address=extract_remote_ip(request))
         AccountService.reset_login_error_rate_limit(args["email"])
@@ -117,7 +110,6 @@ class LogoutApi(Resource):
 
 class ResetPasswordSendEmailApi(Resource):
     @setup_required
-    @email_password_login_enabled
     def post(self):
         parser = reqparse.RequestParser()
         parser.add_argument("email", type=email, required=True, location="json")
@@ -204,9 +196,6 @@ class EmailCodeLoginApi(Resource):
         if account:
             tenant = TenantService.get_join_tenants(account)
             if not tenant:
-                workspaces = FeatureService.get_system_features().license.workspaces
-                if not workspaces.is_available():
-                    raise WorkspacesLimitExceeded()
                 if not FeatureService.get_system_features().is_allow_create_workspace:
                     raise NotAllowedCreateWorkspace()
                 else:
@@ -224,8 +213,6 @@ class EmailCodeLoginApi(Resource):
                 return NotAllowedCreateWorkspace()
             except AccountRegisterError as are:
                 raise AccountInFreezeError()
-            except WorkspacesLimitExceededError:
-                raise WorkspacesLimitExceeded()
         token_pair = AccountService.login(account, ip_address=extract_remote_ip(request))
         AccountService.reset_login_error_rate_limit(args["email"])
         return {"result": "success", "data": token_pair.model_dump()}

api/controllers/console/error.py

@@ -46,18 +46,6 @@ class NotAllowedCreateWorkspace(BaseHTTPException):
     code = 400
 
 
-class WorkspaceMembersLimitExceeded(BaseHTTPException):
-    error_code = "limit_exceeded"
-    description = "Unable to add member because the maximum workspace's member limit was exceeded"
-    code = 400
-
-
-class WorkspacesLimitExceeded(BaseHTTPException):
-    error_code = "limit_exceeded"
-    description = "Unable to create workspace because the maximum workspace limit was exceeded"
-    code = 400
-
-
 class AccountBannedError(BaseHTTPException):
     error_code = "account_banned"
     description = "Account is banned."

api/controllers/console/explore/error.py

@@ -23,9 +23,3 @@ class AppSuggestedQuestionsAfterAnswerDisabledError(BaseHTTPException):
     error_code = "app_suggested_questions_after_answer_disabled"
     description = "Function Suggested questions after answer disabled."
     code = 403
-
-
-class AppAccessDeniedError(BaseHTTPException):
-    error_code = "access_denied"
-    description = "App access denied."
-    code = 403

api/controllers/console/explore/installed_app.py

@@ -1,26 +1,20 @@
-import logging
 from datetime import UTC, datetime
 from typing import Any
 
 from flask import request
 from flask_login import current_user  # type: ignore
-from flask_restful import (Resource, inputs, marshal_with,  # type: ignore
-                           reqparse)
+from flask_restful import Resource, inputs, marshal_with, reqparse  # type: ignore
 from sqlalchemy import and_
 from werkzeug.exceptions import BadRequest, Forbidden, NotFound
 
 from controllers.console import api
 from controllers.console.explore.wraps import InstalledAppResource
-from controllers.console.wraps import (account_initialization_required,
-                                       cloud_edition_billing_resource_check)
+from controllers.console.wraps import account_initialization_required, cloud_edition_billing_resource_check
 from extensions.ext_database import db
 from fields.installed_app_fields import installed_app_list_fields
 from libs.login import login_required
 from models import App, InstalledApp, RecommendedApp
 from services.account_service import TenantService
-from services.app_service import AppService
-from services.enterprise.enterprise_service import EnterpriseService
-from services.feature_service import FeatureService
 
 
 class InstalledAppsListApi(Resource):
@@ -54,30 +48,6 @@ class InstalledAppsListApi(Resource):
             for installed_app in installed_apps
             if installed_app.app is not None
         ]
-
-        # filter out apps that user doesn't have access to
-        if FeatureService.get_system_features().webapp_auth.enabled:
-            user_id = current_user.id
-            res = []
-            app_ids = [installed_app["app"].id for installed_app in installed_app_list]
-            webapp_settings = EnterpriseService.WebAppAuth.batch_get_app_access_mode_by_id(app_ids)
-            for installed_app in installed_app_list:
-                webapp_setting = webapp_settings.get(installed_app["app"].id)
-                if not webapp_setting:
-                    continue
-                if webapp_setting.access_mode == "sso_verified":
-                    continue
-                app_code = AppService.get_app_code_by_id(str(installed_app["app"].id))
-                if EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(
-                    user_id=user_id,
-                    app_code=app_code,
-                ):
-                    res.append(installed_app)
-            installed_app_list = res
-            logging.info(
-                f"installed_app_list: {installed_app_list}, user_id: {user_id}"
-            )
-
         installed_app_list.sort(
             key=lambda app: (
                 -app["is_pinned"],

api/controllers/console/explore/wraps.py

@@ -4,14 +4,10 @@ from flask_login import current_user  # type: ignore
 from flask_restful import Resource  # type: ignore
 from werkzeug.exceptions import NotFound
 
-from controllers.console.explore.error import AppAccessDeniedError
 from controllers.console.wraps import account_initialization_required
 from extensions.ext_database import db
 from libs.login import login_required
 from models import InstalledApp
-from services.app_service import AppService
-from services.enterprise.enterprise_service import EnterpriseService
-from services.feature_service import FeatureService
 
 
 def installed_app_required(view=None):
@@ -52,30 +48,6 @@ def installed_app_required(view=None):
     return decorator
 
 
-def user_allowed_to_access_app(view=None):
-    def decorator(view):
-        @wraps(view)
-        def decorated(installed_app: InstalledApp, *args, **kwargs):
-            feature = FeatureService.get_system_features()
-            if feature.webapp_auth.enabled:
-                app_id = installed_app.app_id
-                app_code = AppService.get_app_code_by_id(app_id)
-                res = EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(
-                    user_id=str(current_user.id),
-                    app_code=app_code,
-                )
-                if not res:
-                    raise AppAccessDeniedError()
-
-            return view(installed_app, *args, **kwargs)
-
-        return decorated
-    if view:
-        return decorator(view)
-    return decorator
-
-
 class InstalledAppResource(Resource):
     # must be reversed if there are multiple decorators
-
-    method_decorators = [user_allowed_to_access_app, installed_app_required, account_initialization_required, login_required]
+    method_decorators = [installed_app_required, account_initialization_required, login_required]

api/controllers/console/workspace/members.py

@@ -6,7 +6,6 @@ from flask_restful import Resource, abort, marshal_with, reqparse  # type: ignor
 import services
 from configs import dify_config
 from controllers.console import api
-from controllers.console.error import WorkspaceMembersLimitExceeded
 from controllers.console.wraps import (
     account_initialization_required,
     cloud_edition_billing_resource_check,
@@ -18,7 +17,6 @@ from libs.login import login_required
 from models.account import Account, TenantAccountRole
 from services.account_service import RegisterService, TenantService
 from services.errors.account import AccountAlreadyInTenantError
-from services.feature_service import FeatureService
 
 
 class MemberListApi(Resource):
@@ -56,12 +54,6 @@ class MemberInviteEmailApi(Resource):
         inviter = current_user
         invitation_results = []
         console_web_url = dify_config.CONSOLE_WEB_URL
-
-        workspace_members = FeatureService.get_features(tenant_id=inviter.current_tenant.id).workspace_members
-
-        if not workspace_members.is_available(len(invitee_emails)):
-            raise WorkspaceMembersLimitExceeded()
-
         for invitee_email in invitee_emails:
             try:
                 token = RegisterService.invite_new_member(
@@ -79,6 +71,7 @@ class MemberInviteEmailApi(Resource):
                 invitation_results.append(
                     {"status": "success", "email": invitee_email, "url": f"{console_web_url}/signin"}
                 )
+                break
             except Exception as e:
                 invitation_results.append({"status": "failed", "email": invitee_email, "message": str(e)})
 

api/controllers/console/wraps.py

@@ -11,8 +11,7 @@ from models.model import DifySetup
 from services.feature_service import FeatureService, LicenseStatus
 from services.operation_service import OperationService
 
-from .error import (NotInitValidateError, NotSetupError,
-                    UnauthorizedAndForceLogout)
+from .error import NotInitValidateError, NotSetupError, UnauthorizedAndForceLogout
 
 
 def account_initialization_required(view):
@@ -40,28 +39,6 @@ def only_edition_cloud(view):
     return decorated
 
 
-def only_edition_enterprise(view):
-    @wraps(view)
-    def decorated(*args, **kwargs):
-        if not dify_config.ENTERPRISE_ENABLED:
-            abort(404)
-
-        return view(*args, **kwargs)
-
-    return decorated
-
-
-def only_edition_self_hosted(view):
-    @wraps(view)
-    def decorated(*args, **kwargs):
-        if not dify_config.ENTERPRISE_ENABLED:
-            abort(404)
-
-        return view(*args, **kwargs)
-
-    return decorated
-
-
 def only_edition_self_hosted(view):
     @wraps(view)
     def decorated(*args, **kwargs):
@@ -177,16 +154,3 @@ def enterprise_license_required(view):
         return view(*args, **kwargs)
 
     return decorated
-
-
-def email_password_login_enabled(view):
-    @wraps(view)
-    def decorated(*args, **kwargs):
-        features = FeatureService.get_system_features()
-        if features.enable_email_password_login:
-            return view(*args, **kwargs)
-
-        # otherwise, return 403
-        abort(403)
-
-    return decorated

api/controllers/inner_api/__init__.py

@@ -5,5 +5,4 @@ from libs.external_api import ExternalApi
 bp = Blueprint("inner_api", __name__, url_prefix="/inner/api")
 api = ExternalApi(bp)
 
-from . import mail
 from .workspace import workspace

api/controllers/inner_api/mail.py

@@ -1,27 +0,0 @@
-from flask_restful import (
-    Resource,  # type: ignore
-    reqparse,
-)
-
-from controllers.console.wraps import setup_required
-from controllers.inner_api import api
-from controllers.inner_api.wraps import inner_api_only
-from services.enterprise.mail_service import DifyMail, EnterpriseMailService
-
-
-class EnterpriseMail(Resource):
-    @setup_required
-    @inner_api_only
-    def post(self):
-        parser = reqparse.RequestParser()
-        parser.add_argument("to", type=str, action="append", required=True)
-        parser.add_argument("subject", type=str, required=True)
-        parser.add_argument("body", type=str, required=True)
-        parser.add_argument("substitutions", type=dict, required=False)
-        args = parser.parse_args()
-
-        EnterpriseMailService.send_mail(DifyMail(**args))
-        return {"message": "success"}, 200
-
-
-api.add_resource(EnterpriseMail, "/enterprise/mail")

api/controllers/web/__init__.py

@@ -15,17 +15,4 @@ api.add_resource(FileApi, "/files/upload")
 api.add_resource(RemoteFileInfoApi, "/remote-files/<path:url>")
 api.add_resource(RemoteFileUploadApi, "/remote-files/upload")
 
-from . import (
-    app,
-    audio,
-    completion,
-    conversation,
-    feature,
-    forgot_password,
-    login,
-    message,
-    passport,
-    saved_message,
-    site,
-    workflow,
-)
+from . import app, audio, completion, conversation, feature, message, passport, saved_message, site, workflow

api/controllers/web/app.py

@@ -1,17 +1,12 @@
+from flask_restful import marshal_with  # type: ignore
 
 from controllers.common import fields
 from controllers.common import helpers as controller_helpers
 from controllers.web import api
 from controllers.web.error import AppUnavailableError
 from controllers.web.wraps import WebApiResource
-from flask import request
-from flask_restful import Resource, marshal_with, reqparse  # type: ignore
-from libs.passport import PassportService
 from models.model import App, AppMode
 from services.app_service import AppService
-from services.enterprise.enterprise_service import EnterpriseService
-from services.feature_service import FeatureService
-from services.webapp_auth_service import WebAppAuthService
 
 
 class AppParameterApi(WebApiResource):
@@ -47,65 +42,5 @@ class AppMeta(WebApiResource):
         return AppService().get_app_meta(app_model)
 
 
-class AppAccessMode(Resource):
-    def get(self):
-        parser = reqparse.RequestParser()
-        parser.add_argument("appId", type=str, required=False, location="args")
-        parser.add_argument("appCode", type=str, required=False, location="args")
-        args = parser.parse_args()
-
-        features = FeatureService.get_system_features()
-        if not features.webapp_auth.enabled:
-            return {"accessMode": "public"}
-
-        app_id = args.get("appId")
-        if args.get("appCode"):
-            app_code = args["appCode"]
-            app_id = AppService.get_app_id_by_code(app_code)
-
-        if not app_id:
-            raise ValueError("appId or appCode must be provided")
-
-        res = EnterpriseService.WebAppAuth.get_app_access_mode_by_id(app_id)
-
-        return {"accessMode": res.access_mode}
-
-
-class AppWebAuthPermission(Resource):
-    def get(self):
-        user_id = "visitor"
-        try:
-            auth_header = request.headers.get("Authorization")
-            if auth_header is None:
-                raise
-            if " " not in auth_header:
-                raise
-
-            auth_scheme, tk = auth_header.split(None, 1)
-            auth_scheme = auth_scheme.lower()
-            if auth_scheme != "bearer":
-                raise
-
-            decoded = PassportService().verify(tk)
-            user_id = decoded.get("user_id", "visitor")
-        except Exception as e:
-            pass
-
-        parser = reqparse.RequestParser()
-        parser.add_argument("appId", type=str, required=True, location="args")
-        args = parser.parse_args()
-
-        app_id = args["appId"]
-        app_code = AppService.get_app_code_by_id(app_id)
-
-        res = True
-        if WebAppAuthService.is_app_require_permission_check(app_id=app_id):
-            res = EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(str(user_id), app_code)
-        return {"result": res}
-
-
 api.add_resource(AppParameterApi, "/parameters")
 api.add_resource(AppMeta, "/meta")
-# webapp auth apis
-api.add_resource(AppAccessMode, "/webapp/access-mode")
-api.add_resource(AppWebAuthPermission, "/webapp/permission")

api/controllers/web/error.py

@@ -7,12 +7,6 @@ class AppUnavailableError(BaseHTTPException):
     code = 400
 
 
-class AppNotPublishedError(BaseHTTPException):
-    error_code = "app_not_published"
-    description = "App not published, please check your app configurations."
-    code = 400
-
-
 class NotCompletionAppError(BaseHTTPException):
     error_code = "not_completion_app"
     description = "Please check if your Completion app mode matches the right API route."
@@ -127,15 +121,9 @@ class UnsupportedFileTypeError(BaseHTTPException):
     code = 415
 
 
-class WebAppAuthRequiredError(BaseHTTPException):
+class WebSSOAuthRequiredError(BaseHTTPException):
     error_code = "web_sso_auth_required"
-    description = "Web app authentication required."
-    code = 401
-
-
-class WebAppAuthAccessDeniedError(BaseHTTPException):
-    error_code = "web_app_access_denied"
-    description = "You do not have permission to access this web app."
+    description = "Web SSO authentication required."
     code = 401
 
 

api/controllers/web/forgot_password.py

@@ -1,147 +0,0 @@
-import base64
-import secrets
-
-from flask import request
-from flask_restful import Resource, reqparse
-from sqlalchemy import select
-from sqlalchemy.orm import Session
-
-from controllers.console.auth.error import (
-    EmailCodeError,
-    EmailPasswordResetLimitError,
-    InvalidEmailError,
-    InvalidTokenError,
-    PasswordMismatchError,
-)
-from controllers.console.error import AccountNotFound, EmailSendIpLimitError
-from controllers.console.wraps import email_password_login_enabled, only_edition_enterprise, setup_required
-from controllers.web import api
-from extensions.ext_database import db
-from libs.helper import email, extract_remote_ip
-from libs.password import hash_password, valid_password
-from models.account import Account
-from services.account_service import AccountService
-
-
-class ForgotPasswordSendEmailApi(Resource):
-    @only_edition_enterprise
-    @setup_required
-    @email_password_login_enabled
-    def post(self):
-        parser = reqparse.RequestParser()
-        parser.add_argument("email", type=email, required=True, location="json")
-        parser.add_argument("language", type=str, required=False, location="json")
-        args = parser.parse_args()
-
-        ip_address = extract_remote_ip(request)
-        if AccountService.is_email_send_ip_limit(ip_address):
-            raise EmailSendIpLimitError()
-
-        if args["language"] is not None and args["language"] == "zh-Hans":
-            language = "zh-Hans"
-        else:
-            language = "en-US"
-
-        with Session(db.engine) as session:
-            account = session.execute(select(Account).filter_by(email=args["email"])).scalar_one_or_none()
-        token = None
-        if account is None:
-            raise AccountNotFound()
-        else:
-            token = AccountService.send_reset_password_email(account=account, email=args["email"], language=language)
-
-        return {"result": "success", "data": token}
-
-
-class ForgotPasswordCheckApi(Resource):
-    @only_edition_enterprise
-    @setup_required
-    @email_password_login_enabled
-    def post(self):
-        parser = reqparse.RequestParser()
-        parser.add_argument("email", type=str, required=True, location="json")
-        parser.add_argument("code", type=str, required=True, location="json")
-        parser.add_argument("token", type=str, required=True, nullable=False, location="json")
-        args = parser.parse_args()
-
-        user_email = args["email"]
-
-        is_forgot_password_error_rate_limit = AccountService.is_forgot_password_error_rate_limit(args["email"])
-        if is_forgot_password_error_rate_limit:
-            raise EmailPasswordResetLimitError()
-
-        token_data = AccountService.get_reset_password_data(args["token"])
-        if token_data is None:
-            raise InvalidTokenError()
-
-        if user_email != token_data.get("email"):
-            raise InvalidEmailError()
-
-        if args["code"] != token_data.get("code"):
-            AccountService.add_forgot_password_error_rate_limit(args["email"])
-            raise EmailCodeError()
-
-        # Verified, revoke the first token
-        AccountService.revoke_reset_password_token(args["token"])
-
-        # Refresh token data by generating a new token
-        _, new_token = AccountService.generate_reset_password_token(
-            user_email, code=args["code"], additional_data={"phase": "reset"}
-        )
-
-        AccountService.reset_forgot_password_error_rate_limit(args["email"])
-        return {"is_valid": True, "email": token_data.get("email"), "token": new_token}
-
-
-class ForgotPasswordResetApi(Resource):
-    @only_edition_enterprise
-    @setup_required
-    @email_password_login_enabled
-    def post(self):
-        parser = reqparse.RequestParser()
-        parser.add_argument("token", type=str, required=True, nullable=False, location="json")
-        parser.add_argument("new_password", type=valid_password, required=True, nullable=False, location="json")
-        parser.add_argument("password_confirm", type=valid_password, required=True, nullable=False, location="json")
-        args = parser.parse_args()
-
-        # Validate passwords match
-        if args["new_password"] != args["password_confirm"]:
-            raise PasswordMismatchError()
-
-        # Validate token and get reset data
-        reset_data = AccountService.get_reset_password_data(args["token"])
-        if not reset_data:
-            raise InvalidTokenError()
-        # Must use token in reset phase
-        if reset_data.get("phase", "") != "reset":
-            raise InvalidTokenError()
-
-        # Revoke token to prevent reuse
-        AccountService.revoke_reset_password_token(args["token"])
-
-        # Generate secure salt and hash password
-        salt = secrets.token_bytes(16)
-        password_hashed = hash_password(args["new_password"], salt)
-
-        email = reset_data.get("email", "")
-
-        with Session(db.engine) as session:
-            account = session.execute(select(Account).filter_by(email=email)).scalar_one_or_none()
-
-            if account:
-                self._update_existing_account(account, password_hashed, salt, session)
-            else:
-                raise AccountNotFound()
-
-        return {"result": "success"}
-
-    def _update_existing_account(self, account, password_hashed, salt, session):
-        # Update existing account credentials
-        account.password = base64.b64encode(password_hashed).decode()
-        account.password_salt = base64.b64encode(salt).decode()
-        session.commit()
-
-
-api.add_resource(ForgotPasswordSendEmailApi, "/forgot-password")
-api.add_resource(ForgotPasswordCheckApi, "/forgot-password/validity")
-api.add_resource(ForgotPasswordResetApi, "/forgot-password/resets")

api/controllers/web/login.py

@@ -1,109 +0,0 @@
-import services
-from controllers.console.auth.error import (EmailCodeError,
-                                            EmailOrPasswordMismatchError,
-                                            InvalidEmailError)
-from controllers.console.error import AccountBannedError, AccountNotFound
-from controllers.console.wraps import only_edition_enterprise, setup_required
-from controllers.web import api
-from flask_restful import Resource, reqparse
-from jwt import InvalidTokenError  # type: ignore
-from libs.helper import email
-from libs.password import valid_password
-from services.account_service import AccountService
-from services.webapp_auth_service import WebAppAuthService
-
-
-class LoginApi(Resource):
-    """Resource for web app email/password login."""
-
-    @setup_required
-    @only_edition_enterprise
-    def post(self):
-        """Authenticate user and login."""
-        parser = reqparse.RequestParser()
-        parser.add_argument("email", type=email, required=True, location="json")
-        parser.add_argument("password", type=valid_password, required=True, location="json")
-        args = parser.parse_args()
-
-        try:
-            account = WebAppAuthService.authenticate(args["email"], args["password"])
-        except services.errors.account.AccountLoginError:
-            raise AccountBannedError()
-        except services.errors.account.AccountPasswordError:
-            raise EmailOrPasswordMismatchError()
-        except services.errors.account.AccountNotFoundError:
-            raise AccountNotFound()
-
-        token = WebAppAuthService.login(account=account)
-        return {"result": "success", "data": {"access_token": token}}
-
-
-# class LogoutApi(Resource):
-#     @setup_required
-#     def get(self):
-#         account = cast(Account, flask_login.current_user)
-#         if isinstance(account, flask_login.AnonymousUserMixin):
-#             return {"result": "success"}
-#         flask_login.logout_user()
-#         return {"result": "success"}
-
-
-class EmailCodeLoginSendEmailApi(Resource):
-    @setup_required
-    @only_edition_enterprise
-    def post(self):
-        parser = reqparse.RequestParser()
-        parser.add_argument("email", type=email, required=True, location="json")
-        parser.add_argument("language", type=str, required=False, location="json")
-        args = parser.parse_args()
-
-        if args["language"] is not None and args["language"] == "zh-Hans":
-            language = "zh-Hans"
-        else:
-            language = "en-US"
-
-        account = WebAppAuthService.get_user_through_email(args["email"])
-        if account is None:
-            raise AccountNotFound()
-        else:
-            token = WebAppAuthService.send_email_code_login_email(account=account, language=language)
-
-        return {"result": "success", "data": token}
-
-
-class EmailCodeLoginApi(Resource):
-    @setup_required
-    @only_edition_enterprise
-    def post(self):
-        parser = reqparse.RequestParser()
-        parser.add_argument("email", type=str, required=True, location="json")
-        parser.add_argument("code", type=str, required=True, location="json")
-        parser.add_argument("token", type=str, required=True, location="json")
-        args = parser.parse_args()
-
-        user_email = args["email"]
-
-        token_data = WebAppAuthService.get_email_code_login_data(args["token"])
-        if token_data is None:
-            raise InvalidTokenError()
-
-        if token_data["email"] != args["email"]:
-            raise InvalidEmailError()
-
-        if token_data["code"] != args["code"]:
-            raise EmailCodeError()
-
-        WebAppAuthService.revoke_email_code_login_token(args["token"])
-        account = WebAppAuthService.get_user_through_email(user_email)
-        if not account:
-            raise AccountNotFound()
-
-        token = WebAppAuthService.login(account=account)
-        AccountService.reset_login_error_rate_limit(args["email"])
-        return {"result": "success", "data": {"access_token": token}}
-
-
-api.add_resource(LoginApi, "/login")
-# api.add_resource(LogoutApi, "/logout")
-api.add_resource(EmailCodeLoginSendEmailApi, "/email-code-login")
-api.add_resource(EmailCodeLoginApi, "/email-code-login/validity")

api/controllers/web/passport.py

@@ -1,18 +1,16 @@
 import uuid
-from datetime import UTC, datetime, timedelta
 
-from configs import dify_config
-from controllers.web import api
-from controllers.web.error import WebAppAuthRequiredError
-from extensions.ext_database import db
 from flask import request
-from flask_restful import Resource
+from flask_restful import Resource  # type: ignore
+from werkzeug.exceptions import NotFound, Unauthorized
+
+from controllers.web import api
+from controllers.web.error import WebSSOAuthRequiredError
+from extensions.ext_database import db
 from libs.passport import PassportService
 from models.model import App, EndUser, Site
 from services.enterprise.enterprise_service import EnterpriseService
 from services.feature_service import FeatureService
-from services.webapp_auth_service import WebAppAuthService, WebAppAuthType
-from werkzeug.exceptions import NotFound, Unauthorized
 
 
 class PassportResource(Resource):
@@ -21,23 +19,13 @@ class PassportResource(Resource):
     def get(self):
         system_features = FeatureService.get_system_features()
         app_code = request.headers.get("X-App-Code")
-        web_app_access_token = request.args.get("web_app_access_token")
-
         if app_code is None:
             raise Unauthorized("X-App-Code header is missing.")
 
-        # exchange token for enterprise logined web user
-        enterprise_user_decoded = decode_enterprise_webapp_user_id(web_app_access_token)
-        if enterprise_user_decoded:
-            # a web user has already logged in, exchange a token for this app without redirecting to the login page
-            return exchange_token_for_existing_web_user(
-                app_code=app_code, enterprise_user_decoded=enterprise_user_decoded
-            )
-
-        if system_features.webapp_auth.enabled:
-            app_settings = EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=app_code)
-            if not app_settings or not app_settings.access_mode == "public":
-                raise WebAppAuthRequiredError()
+        if system_features.sso_enforced_for_web:
+            app_web_sso_enabled = EnterpriseService.get_app_web_sso_enabled(app_code).get("enabled", False)
+            if app_web_sso_enabled:
+                raise WebSSOAuthRequiredError()
 
         # get site from db and check if it is normal
         site = db.session.query(Site).filter(Site.code == app_code, Site.status == "normal").first()
@@ -77,128 +65,6 @@ class PassportResource(Resource):
 api.add_resource(PassportResource, "/passport")
 
 
-def decode_enterprise_webapp_user_id(jwt_token: str | None):
-    """
-    Decode the enterprise user session from the Authorization header.
-    """
-    if not jwt_token:
-        return None
-
-    decoded = PassportService().verify(jwt_token)
-    source = decoded.get("token_source")
-    if not source or source != "webapp_login_token":
-        raise Unauthorized("Invalid token source. Expected 'webapp_login_token'.")
-    return decoded
-
-
-def exchange_token_for_existing_web_user(app_code: str, enterprise_user_decoded: dict):
-    """
-    Exchange a token for an existing web user session.
-    """
-    user_id = enterprise_user_decoded.get("user_id")
-    end_user_id = enterprise_user_decoded.get("end_user_id")
-    session_id = enterprise_user_decoded.get("session_id")
-    user_auth_type = enterprise_user_decoded.get("auth_type")
-    if not user_auth_type:
-        raise Unauthorized("Missing auth_type in the token.")
-
-    site = db.session.query(Site).filter(Site.code == app_code, Site.status == "normal").first()
-    if not site:
-        raise NotFound()
-
-    app_model = db.session.query(App).filter(App.id == site.app_id).first()
-    if not app_model or app_model.status != "normal" or not app_model.enable_site:
-        raise NotFound()
-
-    app_auth_type = WebAppAuthService.get_app_auth_type(app_code=app_code)
-
-    if app_auth_type == WebAppAuthType.PUBLIC:
-        return _exchange_for_public_app_token(app_model, site, enterprise_user_decoded)
-    elif app_auth_type == WebAppAuthType.EXTERNAL and user_auth_type != "external":
-        raise WebAppAuthRequiredError("Please login as external user.")
-    elif app_auth_type == WebAppAuthType.INTERNAL and user_auth_type != "internal":
-        raise WebAppAuthRequiredError("Please login as internal user.")
-
-    end_user = None
-    if end_user_id:
-        end_user = db.session.query(EndUser).filter(EndUser.id == end_user_id).first()
-    if session_id:
-        end_user = (
-            db.session.query(EndUser)
-            .filter(
-                EndUser.session_id == session_id,
-                EndUser.tenant_id == app_model.tenant_id,
-                EndUser.app_id == app_model.id,
-            )
-            .first()
-        )
-    if not end_user:
-        if not session_id:
-            raise NotFound("Missing session_id for existing web user.")
-        end_user = EndUser(
-            tenant_id=app_model.tenant_id,
-            app_id=app_model.id,
-            type="browser",
-            is_anonymous=True,
-            session_id=session_id,
-        )
-        db.session.add(end_user)
-        db.session.commit()
-    exp_dt = datetime.now(UTC) + timedelta(hours=dify_config.ACCESS_TOKEN_EXPIRE_MINUTES * 24)
-    exp = int(exp_dt.timestamp())
-    payload = {
-        "iss": site.id,
-        "sub": "Web API Passport",
-        "app_id": site.app_id,
-        "app_code": site.code,
-        "user_id": user_id,
-        "end_user_id": end_user.id,
-        "auth_type": user_auth_type,
-        "granted_at": int(datetime.now(UTC).timestamp()),
-        "token_source": "webapp",
-        "exp": exp,
-    }
-    token: str = PassportService().issue(payload)
-    return {
-        "access_token": token,
-    }
-
-
-def _exchange_for_public_app_token(app_model, site, token_decoded):
-    user_id = token_decoded.get("user_id")
-    end_user = None
-    if user_id:
-        end_user = db.session.query(EndUser).filter(
-            EndUser.app_id == app_model.id, EndUser.session_id == user_id
-        ).first()
-
-    if not end_user:
-        end_user = EndUser(
-            tenant_id=app_model.tenant_id,
-            app_id=app_model.id,
-            type="browser",
-            is_anonymous=True,
-            session_id=generate_session_id(),
-        )
-
-        db.session.add(end_user)
-        db.session.commit()
-
-    payload = {
-        "iss": site.app_id,
-        "sub": "Web API Passport",
-        "app_id": site.app_id,
-        "app_code": site.code,
-        "end_user_id": end_user.id,
-    }
-
-    tk = PassportService().issue(payload)
-
-    return {
-        "access_token": tk,
-    }
-
-
 def generate_session_id():
     """
     Generate a unique session ID.

api/controllers/web/wraps.py

@@ -1,19 +1,15 @@
-from datetime import UTC, datetime
 from functools import wraps
 
-from controllers.web.error import (AppNotPublishedError,
-                                   WebAppAuthAccessDeniedError,
-                                   WebAppAuthRequiredError)
-from extensions.ext_database import db
 from flask import request
 from flask_restful import Resource  # type: ignore
+from werkzeug.exceptions import BadRequest, NotFound, Unauthorized
+
+from controllers.web.error import WebSSOAuthRequiredError
+from extensions.ext_database import db
 from libs.passport import PassportService
 from models.model import App, EndUser, Site
-from services.enterprise.enterprise_service import (EnterpriseService,
-                                                    WebAppSettings)
+from services.enterprise.enterprise_service import EnterpriseService
 from services.feature_service import FeatureService
-from services.webapp_auth_service import WebAppAuthService
-from werkzeug.exceptions import BadRequest, NotFound, Unauthorized
 
 
 def validate_jwt_token(view=None):
@@ -49,99 +45,47 @@ def decode_jwt_token():
             raise Unauthorized("Invalid Authorization header format. Expected 'Bearer <api-key>' format.")
         decoded = PassportService().verify(tk)
         app_code = decoded.get("app_code")
-        app_id = decoded.get("app_id")
-        app_model = db.session.query(App).filter(App.id == app_id).first()
+        app_model = db.session.query(App).filter(App.id == decoded["app_id"]).first()
         site = db.session.query(Site).filter(Site.code == app_code).first()
         if not app_model:
             raise NotFound()
         if not app_code or not site:
             raise BadRequest("Site URL is no longer valid.")
-        if app_model.enable_site is False or app_model.status != "normal":
-            raise AppNotPublishedError()
-        end_user_id = decoded.get("end_user_id")
-        end_user = db.session.query(EndUser).filter(EndUser.id == end_user_id).first()
+        if app_model.enable_site is False:
+            raise BadRequest("Site is disabled.")
+        end_user = db.session.query(EndUser).filter(EndUser.id == decoded["end_user_id"]).first()
         if not end_user:
             raise NotFound()
 
-        # for enterprise webapp auth
-        app_web_auth_enabled = False
-        webapp_settings = None
-        if system_features.webapp_auth.enabled:
-            webapp_settings = EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=app_code)
-            if not webapp_settings:
-                raise NotFound("Web app settings not found.")
-            app_web_auth_enabled = webapp_settings.access_mode != "public"
-
-        _validate_webapp_token(decoded, app_web_auth_enabled, system_features.webapp_auth.enabled)
-        _validate_user_accessibility(
-            decoded, app_code, app_web_auth_enabled, system_features.webapp_auth.enabled, webapp_settings
-        )
+        _validate_web_sso_token(decoded, system_features, app_code)
 
         return app_model, end_user
     except Unauthorized as e:
-        if system_features.webapp_auth.enabled:
-            if not app_code:
-                raise Unauthorized("Please re-login to access the web app.")
-            app_web_auth_enabled = (
-                EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=app_code).access_mode != "public"
-            )
-            if app_web_auth_enabled:
-                raise WebAppAuthRequiredError()
+        if system_features.sso_enforced_for_web:
+            app_web_sso_enabled = EnterpriseService.get_app_web_sso_enabled(app_code).get("enabled", False)
+            if app_web_sso_enabled:
+                raise WebSSOAuthRequiredError()
 
         raise Unauthorized(e.description)
 
 
-def _validate_webapp_token(decoded, app_web_auth_enabled: bool, system_webapp_auth_enabled: bool):
-    # Check if authentication is enforced for web app, and if the token source is not webapp,
-    # raise an error and redirect to login
-    if system_webapp_auth_enabled and app_web_auth_enabled:
-        source = decoded.get("token_source")
-        if not source or source != "webapp":
-            raise WebAppAuthRequiredError()
+def _validate_web_sso_token(decoded, system_features, app_code):
+    app_web_sso_enabled = False
 
-    # Check if authentication is not enforced for web, and if the token source is webapp,
+    # Check if SSO is enforced for web, and if the token source is not SSO, raise an error and redirect to SSO login
+    if system_features.sso_enforced_for_web:
+        app_web_sso_enabled = EnterpriseService.get_app_web_sso_enabled(app_code).get("enabled", False)
+        if app_web_sso_enabled:
+            source = decoded.get("token_source")
+            if not source or source != "sso":
+                raise WebSSOAuthRequiredError()
+
+    # Check if SSO is not enforced for web, and if the token source is SSO,
     # raise an error and redirect to normal passport login
-    if not system_webapp_auth_enabled or not app_web_auth_enabled:
+    if not system_features.sso_enforced_for_web or not app_web_sso_enabled:
         source = decoded.get("token_source")
-        if source and source == "webapp":
-            raise Unauthorized("webapp token expired.")
-
-
-def _validate_user_accessibility(
-    decoded,
-    app_code,
-    app_web_auth_enabled: bool,
-    system_webapp_auth_enabled: bool,
-    webapp_settings: WebAppSettings | None,
-):
-    if system_webapp_auth_enabled and app_web_auth_enabled:
-        # Check if the user is allowed to access the web app
-        user_id = decoded.get("user_id")
-        if not user_id:
-            raise WebAppAuthRequiredError()
-
-        if not webapp_settings:
-            raise WebAppAuthRequiredError("Web app settings not found.")
-
-        if WebAppAuthService.is_app_require_permission_check(access_mode=webapp_settings.access_mode):
-            if not EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(user_id, app_code=app_code):
-                raise WebAppAuthAccessDeniedError()
-
-        auth_type = decoded.get("auth_type")
-        granted_at = decoded.get("granted_at")
-        if not auth_type:
-            raise WebAppAuthAccessDeniedError("Missing auth_type in the token.")
-        if not granted_at:
-            raise WebAppAuthAccessDeniedError("Missing granted_at in the token.")
-        # check if sso has been updated
-        if auth_type == "external":
-            last_update_time = EnterpriseService.get_app_sso_settings_last_update_time()
-            if granted_at and datetime.fromtimestamp(granted_at, tz=UTC) < last_update_time:
-                raise WebAppAuthAccessDeniedError("SSO settings have been updated. Please re-login.")
-        elif auth_type == "internal":
-            last_update_time = EnterpriseService.get_workspace_sso_settings_last_update_time()
-            if granted_at and datetime.fromtimestamp(granted_at, tz=UTC) < last_update_time:
-                raise WebAppAuthAccessDeniedError("SSO settings have been updated. Please re-login.")
+        if source and source == "sso":
+            raise Unauthorized("sso token expired.")
 
 
 class WebApiResource(Resource):

api/core/agent/cot_agent_runner.py

@@ -104,6 +104,7 @@ class CotAgentRunner(BaseAgentRunner, ABC):
 
             # recalc llm max tokens
             prompt_messages = self._organize_prompt_messages()
+            self.recalc_llm_max_tokens(self.model_config, prompt_messages)
             # invoke model
             chunks = model_instance.invoke_llm(
                 prompt_messages=prompt_messages,

api/core/agent/fc_agent_runner.py

@@ -84,6 +84,7 @@ class FunctionCallAgentRunner(BaseAgentRunner):
 
             # recalc llm max tokens
             prompt_messages = self._organize_prompt_messages()
+            self.recalc_llm_max_tokens(self.model_config, prompt_messages)
             # invoke model
             chunks: Union[Generator[LLMResultChunk, None, None], LLMResult] = model_instance.invoke_llm(
                 prompt_messages=prompt_messages,

api/core/app/apps/agent_chat/app_runner.py

@@ -55,6 +55,20 @@ class AgentChatAppRunner(AppRunner):
         query = application_generate_entity.query
         files = application_generate_entity.files
 
+        # Pre-calculate the number of tokens of the prompt messages,
+        # and return the rest number of tokens by model context token size limit and max token size limit.
+        # If the rest number of tokens is not enough, raise exception.
+        # Include: prompt template, inputs, query(optional), files(optional)
+        # Not Include: memory, external data, dataset context
+        self.get_pre_calculate_rest_tokens(
+            app_record=app_record,
+            model_config=application_generate_entity.model_conf,
+            prompt_template_entity=app_config.prompt_template,
+            inputs=inputs,
+            files=files,
+            query=query,
+        )
+
         memory = None
         if application_generate_entity.conversation_id:
             # get memory of conversation (read-only)

api/core/app/apps/base_app_runner.py

@@ -15,8 +15,10 @@ from core.app.features.annotation_reply.annotation_reply import AnnotationReplyF
 from core.app.features.hosting_moderation.hosting_moderation import HostingModerationFeature
 from core.external_data_tool.external_data_fetch import ExternalDataFetch
 from core.memory.token_buffer_memory import TokenBufferMemory
+from core.model_manager import ModelInstance
 from core.model_runtime.entities.llm_entities import LLMResult, LLMResultChunk, LLMResultChunkDelta, LLMUsage
 from core.model_runtime.entities.message_entities import AssistantPromptMessage, PromptMessage
+from core.model_runtime.entities.model_entities import ModelPropertyKey
 from core.model_runtime.errors.invoke import InvokeBadRequestError
 from core.moderation.input_moderation import InputModeration
 from core.prompt.advanced_prompt_transform import AdvancedPromptTransform
@@ -29,6 +31,106 @@ if TYPE_CHECKING:
 
 
 class AppRunner:
+    def get_pre_calculate_rest_tokens(
+        self,
+        app_record: App,
+        model_config: ModelConfigWithCredentialsEntity,
+        prompt_template_entity: PromptTemplateEntity,
+        inputs: Mapping[str, str],
+        files: Sequence["File"],
+        query: Optional[str] = None,
+    ) -> int:
+        """
+        Get pre calculate rest tokens
+        :param app_record: app record
+        :param model_config: model config entity
+        :param prompt_template_entity: prompt template entity
+        :param inputs: inputs
+        :param files: files
+        :param query: query
+        :return:
+        """
+        # Invoke model
+        model_instance = ModelInstance(
+            provider_model_bundle=model_config.provider_model_bundle, model=model_config.model
+        )
+
+        model_context_tokens = model_config.model_schema.model_properties.get(ModelPropertyKey.CONTEXT_SIZE)
+
+        max_tokens = 0
+        for parameter_rule in model_config.model_schema.parameter_rules:
+            if parameter_rule.name == "max_tokens" or (
+                parameter_rule.use_template and parameter_rule.use_template == "max_tokens"
+            ):
+                max_tokens = (
+                    model_config.parameters.get(parameter_rule.name)
+                    or model_config.parameters.get(parameter_rule.use_template or "")
+                ) or 0
+
+        if model_context_tokens is None:
+            return -1
+
+        if max_tokens is None:
+            max_tokens = 0
+
+        # get prompt messages without memory and context
+        prompt_messages, stop = self.organize_prompt_messages(
+            app_record=app_record,
+            model_config=model_config,
+            prompt_template_entity=prompt_template_entity,
+            inputs=inputs,
+            files=files,
+            query=query,
+        )
+
+        prompt_tokens = model_instance.get_llm_num_tokens(prompt_messages)
+
+        rest_tokens: int = model_context_tokens - max_tokens - prompt_tokens
+        if rest_tokens < 0:
+            raise InvokeBadRequestError(
+                "Query or prefix prompt is too long, you can reduce the prefix prompt, "
+                "or shrink the max token, or switch to a llm with a larger token limit size."
+            )
+
+        return rest_tokens
+
+    def recalc_llm_max_tokens(
+        self, model_config: ModelConfigWithCredentialsEntity, prompt_messages: list[PromptMessage]
+    ):
+        # recalc max_tokens if sum(prompt_token +  max_tokens) over model token limit
+        model_instance = ModelInstance(
+            provider_model_bundle=model_config.provider_model_bundle, model=model_config.model
+        )
+
+        model_context_tokens = model_config.model_schema.model_properties.get(ModelPropertyKey.CONTEXT_SIZE)
+
+        max_tokens = 0
+        for parameter_rule in model_config.model_schema.parameter_rules:
+            if parameter_rule.name == "max_tokens" or (
+                parameter_rule.use_template and parameter_rule.use_template == "max_tokens"
+            ):
+                max_tokens = (
+                    model_config.parameters.get(parameter_rule.name)
+                    or model_config.parameters.get(parameter_rule.use_template or "")
+                ) or 0
+
+        if model_context_tokens is None:
+            return -1
+
+        if max_tokens is None:
+            max_tokens = 0
+
+        prompt_tokens = model_instance.get_llm_num_tokens(prompt_messages)
+
+        if prompt_tokens + max_tokens > model_context_tokens:
+            max_tokens = max(model_context_tokens - prompt_tokens, 16)
+
+            for parameter_rule in model_config.model_schema.parameter_rules:
+                if parameter_rule.name == "max_tokens" or (
+                    parameter_rule.use_template and parameter_rule.use_template == "max_tokens"
+                ):
+                    model_config.parameters[parameter_rule.name] = max_tokens
+
     def organize_prompt_messages(
         self,
         app_record: App,

api/core/app/apps/chat/app_runner.py

@@ -50,6 +50,20 @@ class ChatAppRunner(AppRunner):
         query = application_generate_entity.query
         files = application_generate_entity.files
 
+        # Pre-calculate the number of tokens of the prompt messages,
+        # and return the rest number of tokens by model context token size limit and max token size limit.
+        # If the rest number of tokens is not enough, raise exception.
+        # Include: prompt template, inputs, query(optional), files(optional)
+        # Not Include: memory, external data, dataset context
+        self.get_pre_calculate_rest_tokens(
+            app_record=app_record,
+            model_config=application_generate_entity.model_conf,
+            prompt_template_entity=app_config.prompt_template,
+            inputs=inputs,
+            files=files,
+            query=query,
+        )
+
         memory = None
         if application_generate_entity.conversation_id:
             # get memory of conversation (read-only)
@@ -180,6 +194,9 @@ class ChatAppRunner(AppRunner):
         if hosting_moderation_result:
             return
 
+        # Re-calculate the max tokens if sum(prompt_token +  max_tokens) over model token limit
+        self.recalc_llm_max_tokens(model_config=application_generate_entity.model_conf, prompt_messages=prompt_messages)
+
         # Invoke model
         model_instance = ModelInstance(
             provider_model_bundle=application_generate_entity.model_conf.provider_model_bundle,

api/core/app/apps/completion/app_runner.py

@@ -43,6 +43,20 @@ class CompletionAppRunner(AppRunner):
         query = application_generate_entity.query
         files = application_generate_entity.files
 
+        # Pre-calculate the number of tokens of the prompt messages,
+        # and return the rest number of tokens by model context token size limit and max token size limit.
+        # If the rest number of tokens is not enough, raise exception.
+        # Include: prompt template, inputs, query(optional), files(optional)
+        # Not Include: memory, external data, dataset context
+        self.get_pre_calculate_rest_tokens(
+            app_record=app_record,
+            model_config=application_generate_entity.model_conf,
+            prompt_template_entity=app_config.prompt_template,
+            inputs=inputs,
+            files=files,
+            query=query,
+        )
+
         # organize all inputs and template to prompt messages
         # Include: prompt template, inputs, query(optional), files(optional)
         prompt_messages, stop = self.organize_prompt_messages(
@@ -138,6 +152,9 @@ class CompletionAppRunner(AppRunner):
         if hosting_moderation_result:
             return
 
+        # Re-calculate the max tokens if sum(prompt_token +  max_tokens) over model token limit
+        self.recalc_llm_max_tokens(model_config=application_generate_entity.model_conf, prompt_messages=prompt_messages)
+
         # Invoke model
         model_instance = ModelInstance(
             provider_model_bundle=application_generate_entity.model_conf.provider_model_bundle,

api/core/memory/token_buffer_memory.py

@@ -26,7 +26,7 @@ class TokenBufferMemory:
         self.model_instance = model_instance
 
     def get_history_prompt_messages(
-        self, max_token_limit: int = 100000, message_limit: Optional[int] = None
+        self, max_token_limit: int = 2000, message_limit: Optional[int] = None
     ) -> Sequence[PromptMessage]:
         """
         Get history prompt messages.

api/core/model_runtime/model_providers/__base/large_language_model.py

@@ -537,7 +537,6 @@ if you are not sure about the structure.
         """
         raise NotImplementedError
 
-    @abstractmethod
     def get_num_tokens(
         self,
         model: str,
@@ -915,3 +914,7 @@ if you are not sure about the structure.
             filtered_model_parameters[parameter_name] = parameter_value
 
         return filtered_model_parameters
+
+    def _get_num_tokens_by_gpt2(self, text: str) -> int:
+        # Disable the token count in LLMs for profermance testing.
+        return 0

api/core/model_runtime/model_providers/bedrock/llm/eu.anthropic.claude-3.7-sonnet-v1.yaml

@@ -1,115 +0,0 @@
-model: us.anthropic.claude-3-7-sonnet-20250219-v1:0
-label:
-  en_US: Claude 3.7 Sonnet(US.Cross Region Inference)
-icon: icon_s_en.svg
-model_type: llm
-features:
-  - agent-thought
-  - vision
-  - tool-call
-  - stream-tool-call
-model_properties:
-  mode: chat
-  context_size: 200000
-# docs: https://docs.aws.amazon.com/bedrock/latest/userguide/model-parameters-anthropic-claude-messages.html
-parameter_rules:
-  - name: enable_cache
-    label:
-      zh_Hans: 启用提示缓存
-      en_US: Enable Prompt Cache
-    type: boolean
-    required: false
-    default: true
-    help:
-      zh_Hans: 启用提示缓存可以提高性能并降低成本。Claude 3.7 Sonnet支持在system、messages和tools字段中使用缓存检查点。
-      en_US: Enable prompt caching to improve performance and reduce costs. Claude 3.7 Sonnet supports cache checkpoints in system, messages, and tools fields.
-  - name: reasoning_type
-    label:
-      zh_Hans: 推理配置
-      en_US: Reasoning Type
-    type: boolean
-    required: false
-    default: false
-    placeholder:
-      zh_Hans: 设置推理配置
-      en_US: Set reasoning configuration
-    help:
-      zh_Hans: 控制模型的推理能力。启用时，temperature将固定为1且top_p将被禁用。
-      en_US: Controls the model's reasoning capability. When enabled, temperature will be fixed to 1 and top_p will be disabled.
-  - name: reasoning_budget
-    show_on:
-      - variable: reasoning_type
-        value: true
-    label:
-      zh_Hans: 推理预算
-      en_US: Reasoning Budget
-    type: int
-    default: 1024
-    min: 0
-    max: 128000
-    help:
-      zh_Hans: 推理的预算限制（最小1024），必须小于max_tokens。仅在推理类型为enabled时可用。
-      en_US: Budget limit for reasoning (minimum 1024), must be less than max_tokens. Only available when reasoning type is enabled.
-
-  - name: max_tokens
-    use_template: max_tokens
-    required: true
-    label:
-      zh_Hans: 最大token数
-      en_US: Max Tokens
-    type: int
-    default: 8192
-    min: 1
-    max: 128000
-    help:
-      zh_Hans: 停止前生成的最大令牌数。请注意，Anthropic Claude 模型可能会在达到 max_tokens 的值之前停止生成令牌。不同的 Anthropic Claude 模型对此参数具有不同的最大值。
-      en_US: The maximum number of tokens to generate before stopping. Note that Anthropic Claude models might stop generating tokens before reaching the value of max_tokens. Different Anthropic Claude models have different maximum values for this parameter.
-  - name: temperature
-    use_template: temperature
-    required: false
-    label:
-      zh_Hans: 模型温度
-      en_US: Model Temperature
-    type: float
-    default: 1
-    min: 0.0
-    max: 1.0
-    help:
-      zh_Hans: 生成内容的随机性。当推理功能启用时，该值将被固定为1。
-      en_US: The amount of randomness injected into the response. When reasoning is enabled, this value will be fixed to 1.
-  - name: top_p
-    show_on:
-      - variable: reasoning_type
-        value: disabled
-    use_template: top_p
-    label:
-      zh_Hans: Top P
-      en_US: Top P
-    required: false
-    type: float
-    default: 0.999
-    min: 0.000
-    max: 1.000
-    help:
-      zh_Hans: 在核采样中的概率阈值。当推理功能启用时，该参数将被禁用。
-      en_US: The probability threshold in nucleus sampling. When reasoning is enabled, this parameter will be disabled.
-  - name: top_k
-    label:
-      zh_Hans: 取样数量
-      en_US: Top k
-    required: false
-    type: int
-    default: 0
-    min: 0
-    # tip docs from aws has error, max value is 500
-    max: 500
-    help:
-      zh_Hans: 对于每个后续标记，仅从前 K 个选项中进行采样。使用 top_k 删除长尾低概率响应。
-      en_US: Only sample from the top K options for each subsequent token. Use top_k to remove long tail low probability responses.
-  - name: response_format
-    use_template: response_format
-pricing:
-  input: '0.003'
-  output: '0.015'
-  unit: '0.001'
-  currency: USD

api/core/model_runtime/model_providers/bedrock/llm/llm.py

@@ -58,7 +58,6 @@ class BedrockLargeLanguageModel(LargeLanguageModel):
     # TODO There is invoke issue: context limit on Cohere Model, will add them after fixed.
     CONVERSE_API_ENABLED_MODEL_INFO = [
         {"prefix": "anthropic.claude-v2", "support_system_prompts": True, "support_tool_use": False},
-        {"prefix": "us.deepseek", "support_system_prompts": True, "support_tool_use": False},
         {"prefix": "anthropic.claude-v1", "support_system_prompts": True, "support_tool_use": False},
         {"prefix": "us.anthropic.claude-3", "support_system_prompts": True, "support_tool_use": True},
         {"prefix": "eu.anthropic.claude-3", "support_system_prompts": True, "support_tool_use": True},

api/core/model_runtime/model_providers/bedrock/llm/us.deepseek-r1.yaml

@@ -1,63 +0,0 @@
-model: us.deepseek.r1-v1:0
-label:
-  en_US: DeepSeek-R1(US.Cross Region Inference)
-icon: icon_s_en.svg
-model_type: llm
-features:
-  - agent-thought
-  - vision
-  - tool-call
-  - stream-tool-call
-model_properties:
-  mode: chat
-  context_size: 32768
-parameter_rules:
-  - name: max_tokens
-    use_template: max_tokens
-    required: true
-    label:
-      zh_Hans: 最大token数
-      en_US: Max Tokens
-    type: int
-    default: 8192
-    min: 1
-    max: 128000
-    help:
-      zh_Hans: 停止前生成的最大令牌数。
-      en_US: The maximum number of tokens to generate before stopping.
-  - name: temperature
-    use_template: temperature
-    required: false
-    label:
-      zh_Hans: 模型温度
-      en_US: Model Temperature
-    type: float
-    default: 1
-    min: 0.0
-    max: 1.0
-    help:
-      zh_Hans: 生成内容的随机性。当推理功能启用时，该值将被固定为1。
-      en_US: The amount of randomness injected into the response. When reasoning is enabled, this value will be fixed to 1.
-  - name: top_p
-    show_on:
-      - variable: reasoning_type
-        value: disabled
-    use_template: top_p
-    label:
-      zh_Hans: Top P
-      en_US: Top P
-    required: false
-    type: float
-    default: 0.999
-    min: 0.000
-    max: 1.000
-    help:
-      zh_Hans: 在核采样中的概率阈值。当推理功能启用时，该参数将被禁用。
-      en_US: The probability threshold in nucleus sampling. When reasoning is enabled, this parameter will be disabled.
-  - name: response_format
-    use_template: response_format
-pricing:
-  input: '0.001'
-  output: '0.005'
-  unit: '0.001'
-  currency: USD

api/core/model_runtime/model_providers/google/google.py

@@ -19,8 +19,8 @@ class GoogleProvider(ModelProvider):
         try:
             model_instance = self.get_model_instance(ModelType.LLM)
 
-            # Use `gemini-2.0-flash` model for validate,
-            model_instance.validate_credentials(model="gemini-2.0-flash", credentials=credentials)
+            # Use `gemini-pro` model for validate,
+            model_instance.validate_credentials(model="gemini-pro", credentials=credentials)
         except CredentialsValidateFailedError as ex:
             raise ex
         except Exception as ex:

api/core/model_runtime/model_providers/google/llm/_position.yaml

@@ -19,3 +19,5 @@
 - gemini-exp-1206
 - gemini-exp-1121
 - gemini-exp-1114
+- gemini-pro
+- gemini-pro-vision

api/core/model_runtime/model_providers/google/llm/gemini-pro-vision.yaml

@@ -0,0 +1,35 @@
+model: gemini-pro-vision
+label:
+  en_US: Gemini Pro Vision
+model_type: llm
+features:
+  - vision
+model_properties:
+  mode: chat
+  context_size: 12288
+parameter_rules:
+  - name: temperature
+    use_template: temperature
+  - name: top_p
+    use_template: top_p
+  - name: top_k
+    label:
+      zh_Hans: 取样数量
+      en_US: Top k
+    type: int
+    help:
+      zh_Hans: 仅从每个后续标记的前 K 个选项中采样。
+      en_US: Only sample from the top K options for each subsequent token.
+    required: false
+  - name: max_tokens_to_sample
+    use_template: max_tokens
+    required: true
+    default: 4096
+    min: 1
+    max: 4096
+pricing:
+  input: '0.00'
+  output: '0.00'
+  unit: '0.000001'
+  currency: USD
+deprecated: true

api/core/model_runtime/model_providers/google/llm/gemini-pro.yaml

@@ -0,0 +1,39 @@
+model: gemini-pro
+label:
+  en_US: Gemini Pro
+model_type: llm
+features:
+  - agent-thought
+  - tool-call
+  - stream-tool-call
+model_properties:
+  mode: chat
+  context_size: 30720
+parameter_rules:
+  - name: temperature
+    use_template: temperature
+  - name: top_p
+    use_template: top_p
+  - name: top_k
+    label:
+      zh_Hans: 取样数量
+      en_US: Top k
+    type: int
+    help:
+      zh_Hans: 仅从每个后续标记的前 K 个选项中采样。
+      en_US: Only sample from the top K options for each subsequent token.
+    required: false
+  - name: max_tokens_to_sample
+    use_template: max_tokens
+    required: true
+    default: 2048
+    min: 1
+    max: 2048
+  - name: response_format
+    use_template: response_format
+pricing:
+  input: '0.00'
+  output: '0.00'
+  unit: '0.000001'
+  currency: USD
+deprecated: true

api/core/model_runtime/model_providers/openai/llm/_position.yaml

@@ -1,4 +1,3 @@
-- gpt-4.1
 - o1
 - o1-2024-12-17
 - o1-mini

api/core/model_runtime/model_providers/openai/llm/gpt-4-1.yaml

@@ -1,60 +0,0 @@
-model: gpt-4.1
-label:
-  zh_Hans: gpt-4.1
-  en_US: gpt-4.1
-model_type: llm
-features:
-  - multi-tool-call
-  - agent-thought
-  - stream-tool-call
-  - vision
-model_properties:
-  mode: chat
-  context_size: 1047576
-parameter_rules:
-  - name: temperature
-    use_template: temperature
-  - name: top_p
-    use_template: top_p
-  - name: presence_penalty
-    use_template: presence_penalty
-  - name: frequency_penalty
-    use_template: frequency_penalty
-  - name: max_tokens
-    use_template: max_tokens
-    default: 512
-    min: 1
-    max: 32768
-  - name: reasoning_effort
-    label:
-      zh_Hans: 推理工作
-      en_US: Reasoning Effort
-    type: string
-    help:
-      zh_Hans: 限制推理模型的推理工作
-      en_US: Constrains effort on reasoning for reasoning models
-    required: false
-    options:
-      - low
-      - medium
-      - high
-  - name: response_format
-    label:
-      zh_Hans: 回复格式
-      en_US: Response Format
-    type: string
-    help:
-      zh_Hans: 指定模型必须输出的格式
-      en_US: specifying the format that the model must output
-    required: false
-    options:
-      - text
-      - json_object
-      - json_schema
-  - name: json_schema
-    use_template: json_schema
-pricing:
-  input: '2.00'
-  output: '8.00'
-  unit: '0.000001'
-  currency: USD

api/core/model_runtime/model_providers/openai/llm/llm.py

@@ -1049,9 +1049,6 @@ class OpenAILargeLanguageModel(_CommonOpenAI, LargeLanguageModel):
         """Calculate num tokens for gpt-3.5-turbo and gpt-4 with tiktoken package.
 
         Official documentation: https://github.com/openai/openai-cookbook/blob/main/examples/How_to_format_inputs_to_ChatGPT_models.ipynb"""
-        if not messages and not tools:
-            return 0
-
         if model.startswith("ft:"):
             model = model.split(":")[1]
 
@@ -1060,18 +1057,18 @@ class OpenAILargeLanguageModel(_CommonOpenAI, LargeLanguageModel):
             model = "gpt-4o"
 
         try:
-            encoding = tiktoken.get_encoding(model)
-        except (KeyError, ValueError) as e:
+            encoding = tiktoken.encoding_for_model(model)
+        except KeyError:
             logger.warning("Warning: model not found. Using cl100k_base encoding.")
-            encoding_name = "cl100k_base"
-            encoding = tiktoken.get_encoding(encoding_name)
+            model = "cl100k_base"
+            encoding = tiktoken.get_encoding(model)
 
         if model.startswith("gpt-3.5-turbo-0301"):
             # every message follows <im_start>{role/name}\n{content}<im_end>\n
             tokens_per_message = 4
             # if there's a name, the role is omitted
             tokens_per_name = -1
-        elif model.startswith("gpt-3.5-turbo") or model.startswith("gpt-4") or model.startswith(("o1", "o3", "o4")):
+        elif model.startswith("gpt-3.5-turbo") or model.startswith("gpt-4") or model.startswith(("o1", "o3")):
             tokens_per_message = 3
             tokens_per_name = 1
         else:

api/core/model_runtime/model_providers/vertex_ai/llm/gemini-2.0-flash-001.yaml

@@ -5,6 +5,11 @@ model_type: llm
 features:
   - agent-thought
   - vision
+  - tool-call
+  - stream-tool-call
+  - document
+  - video
+  - audio
 model_properties:
   mode: chat
   context_size: 1048576
@@ -15,21 +20,20 @@ parameter_rules:
     use_template: top_p
   - name: top_k
     label:
+      zh_Hans: 取样数量
       en_US: Top k
     type: int
     help:
+      zh_Hans: 仅从每个后续标记的前 K 个选项中采样。
       en_US: Only sample from the top K options for each subsequent token.
     required: false
-  - name: presence_penalty
-    use_template: presence_penalty
-  - name: frequency_penalty
-    use_template: frequency_penalty
   - name: max_output_tokens
     use_template: max_tokens
-    required: true
     default: 8192
     min: 1
     max: 8192
+  - name: json_schema
+    use_template: json_schema
 pricing:
   input: '0.00'
   output: '0.00'

api/core/rag/extractor/word_extractor.py

@@ -85,7 +85,7 @@ class WordExtractor(BaseExtractor):
             if "image" in rel.target_ref:
                 image_count += 1
                 if rel.is_external:
-                    url = rel.target_ref
+                    url = rel.reltype
                     response = ssrf_proxy.get(url)
                     if response.status_code == 200:
                         image_ext = mimetypes.guess_extension(response.headers["Content-Type"])

api/core/tools/utils/web_reader_tool.py

@@ -1,13 +1,21 @@
+import hashlib
+import json
 import mimetypes
+import os
 import re
-from collections.abc import Sequence
-from dataclasses import dataclass
-from typing import Any, Optional, cast
+import site
+import subprocess
+import tempfile
+import unicodedata
+from contextlib import contextmanager
+from pathlib import Path
+from typing import Any, Literal, Optional, cast
 from urllib.parse import unquote
 
 import chardet
 import cloudscraper  # type: ignore
-from readabilipy import simple_json_from_html_string  # type: ignore
+from bs4 import BeautifulSoup, CData, Comment, NavigableString  # type: ignore
+from regex import regex  # type: ignore
 
 from core.helper import ssrf_proxy
 from core.rag.extractor import extract_processor
@@ -15,7 +23,9 @@ from core.rag.extractor.extract_processor import ExtractProcessor
 
 FULL_TEMPLATE = """
 TITLE: {title}
-AUTHOR: {author}
+AUTHORS: {authors}
+PUBLISH DATE: {publish_date}
+TOP_IMAGE_URL: {top_image}
 TEXT:
 
 {text}
@@ -63,8 +73,8 @@ def get_url(url: str, user_agent: Optional[str] = None) -> str:
         response = ssrf_proxy.get(url, headers=headers, follow_redirects=True, timeout=(120, 300))
     elif response.status_code == 403:
         scraper = cloudscraper.create_scraper()
-        scraper.perform_request = ssrf_proxy.make_request  # type: ignore
-        response = scraper.get(url, headers=headers, follow_redirects=True, timeout=(120, 300))  # type: ignore
+        scraper.perform_request = ssrf_proxy.make_request
+        response = scraper.get(url, headers=headers, follow_redirects=True, timeout=(120, 300))
 
     if response.status_code != 200:
         return "URL returned status code {}.".format(response.status_code)
@@ -80,36 +90,273 @@ def get_url(url: str, user_agent: Optional[str] = None) -> str:
     else:
         content = response.text
 
-    article = extract_using_readabilipy(content)
+    a = extract_using_readabilipy(content)
 
-    if not article.text:
+    if not a["plain_text"] or not a["plain_text"].strip():
         return ""
 
     res = FULL_TEMPLATE.format(
-        title=article.title,
-        author=article.auther,
-        text=article.text,
+        title=a["title"],
+        authors=a["byline"],
+        publish_date=a["date"],
+        top_image="",
+        text=a["plain_text"] or "",
     )
 
     return res
 
 
-@dataclass
-class Article:
-    title: str
-    auther: str
-    text: Sequence[dict]
+def extract_using_readabilipy(html):
+    with tempfile.NamedTemporaryFile(delete=False, mode="w+") as f_html:
+        f_html.write(html)
+        f_html.close()
+    html_path = f_html.name
+
+    # Call Mozilla's Readability.js Readability.parse() function via node, writing output to a temporary file
+    article_json_path = html_path + ".json"
+    jsdir = os.path.join(find_module_path("readabilipy"), "javascript")
+    with chdir(jsdir):
+        subprocess.check_call(["node", "ExtractArticle.js", "-i", html_path, "-o", article_json_path])
+
+    # Read output of call to Readability.parse() from JSON file and return as Python dictionary
+    input_json = json.loads(Path(article_json_path).read_text(encoding="utf-8"))
+
+    # Deleting files after processing
+    os.unlink(article_json_path)
+    os.unlink(html_path)
+
+    article_json: dict[str, Any] = {
+        "title": None,
+        "byline": None,
+        "date": None,
+        "content": None,
+        "plain_content": None,
+        "plain_text": None,
+    }
+    # Populate article fields from readability fields where present
+    if input_json:
+        if input_json.get("title"):
+            article_json["title"] = input_json["title"]
+        if input_json.get("byline"):
+            article_json["byline"] = input_json["byline"]
+        if input_json.get("date"):
+            article_json["date"] = input_json["date"]
+        if input_json.get("content"):
+            article_json["content"] = input_json["content"]
+            article_json["plain_content"] = plain_content(article_json["content"], False, False)
+            article_json["plain_text"] = extract_text_blocks_as_plain_text(article_json["plain_content"])
+        if input_json.get("textContent"):
+            article_json["plain_text"] = input_json["textContent"]
+            article_json["plain_text"] = re.sub(r"\n\s*\n", "\n", article_json["plain_text"])
+
+    return article_json
 
 
-def extract_using_readabilipy(html: str):
-    json_article: dict[str, Any] = simple_json_from_html_string(html, use_readability=True)
-    article = Article(
-        title=json_article.get("title") or "",
-        auther=json_article.get("byline") or "",
-        text=json_article.get("plain_text") or [],
+def find_module_path(module_name):
+    for package_path in site.getsitepackages():
+        potential_path = os.path.join(package_path, module_name)
+        if os.path.exists(potential_path):
+            return potential_path
+
+    return None
+
+
+@contextmanager
+def chdir(path):
+    """Change directory in context and return to original on exit"""
+    # From https://stackoverflow.com/a/37996581, couldn't find a built-in
+    original_path = os.getcwd()
+    os.chdir(path)
+    try:
+        yield
+    finally:
+        os.chdir(original_path)
+
+
+def extract_text_blocks_as_plain_text(paragraph_html):
+    # Load article as DOM
+    soup = BeautifulSoup(paragraph_html, "html.parser")
+    # Select all lists
+    list_elements = soup.find_all(["ul", "ol"])
+    # Prefix text in all list items with "* " and make lists paragraphs
+    for list_element in list_elements:
+        plain_items = "".join(
+            list(filter(None, [plain_text_leaf_node(li)["text"] for li in list_element.find_all("li")]))
+        )
+        list_element.string = plain_items
+        list_element.name = "p"
+    # Select all text blocks
+    text_blocks = [s.parent for s in soup.find_all(string=True)]
+    text_blocks = [plain_text_leaf_node(block) for block in text_blocks]
+    # Drop empty paragraphs
+    text_blocks = list(filter(lambda p: p["text"] is not None, text_blocks))
+    return text_blocks
+
+
+def plain_text_leaf_node(element):
+    # Extract all text, stripped of any child HTML elements and normalize it
+    plain_text = normalize_text(element.get_text())
+    if plain_text != "" and element.name == "li":
+        plain_text = "* {}, ".format(plain_text)
+    if plain_text == "":
+        plain_text = None
+    if "data-node-index" in element.attrs:
+        plain = {"node_index": element["data-node-index"], "text": plain_text}
+    else:
+        plain = {"text": plain_text}
+    return plain
+
+
+def plain_content(readability_content, content_digests, node_indexes):
+    # Load article as DOM
+    soup = BeautifulSoup(readability_content, "html.parser")
+    # Make all elements plain
+    elements = plain_elements(soup.contents, content_digests, node_indexes)
+    if node_indexes:
+        # Add node index attributes to nodes
+        elements = [add_node_indexes(element) for element in elements]
+    # Replace article contents with plain elements
+    soup.contents = elements
+    return str(soup)
+
+
+def plain_elements(elements, content_digests, node_indexes):
+    # Get plain content versions of all elements
+    elements = [plain_element(element, content_digests, node_indexes) for element in elements]
+    if content_digests:
+        # Add content digest attribute to nodes
+        elements = [add_content_digest(element) for element in elements]
+    return elements
+
+
+def plain_element(element, content_digests, node_indexes):
+    # For lists, we make each item plain text
+    if is_leaf(element):
+        # For leaf node elements, extract the text content, discarding any HTML tags
+        # 1. Get element contents as text
+        plain_text = element.get_text()
+        # 2. Normalize the extracted text string to a canonical representation
+        plain_text = normalize_text(plain_text)
+        # 3. Update element content to be plain text
+        element.string = plain_text
+    elif is_text(element):
+        if is_non_printing(element):
+            # The simplified HTML may have come from Readability.js so might
+            # have non-printing text (e.g. Comment or CData). In this case, we
+            # keep the structure, but ensure that the string is empty.
+            element = type(element)("")
+        else:
+            plain_text = element.string
+            plain_text = normalize_text(plain_text)
+            element = type(element)(plain_text)
+    else:
+        # If not a leaf node or leaf type call recursively on child nodes, replacing
+        element.contents = plain_elements(element.contents, content_digests, node_indexes)
+    return element
+
+
+def add_node_indexes(element, node_index="0"):
+    # Can't add attributes to string types
+    if is_text(element):
+        return element
+    # Add index to current element
+    element["data-node-index"] = node_index
+    # Add index to child elements
+    for local_idx, child in enumerate([c for c in element.contents if not is_text(c)], start=1):
+        # Can't add attributes to leaf string types
+        child_index = "{stem}.{local}".format(stem=node_index, local=local_idx)
+        add_node_indexes(child, node_index=child_index)
+    return element
+
+
+def normalize_text(text):
+    """Normalize unicode and whitespace."""
+    # Normalize unicode first to try and standardize whitespace characters as much as possible before normalizing them
+    text = strip_control_characters(text)
+    text = normalize_unicode(text)
+    text = normalize_whitespace(text)
+    return text
+
+
+def strip_control_characters(text):
+    """Strip out unicode control characters which might break the parsing."""
+    # Unicode control characters
+    #   [Cc]: Other, Control [includes new lines]
+    #   [Cf]: Other, Format
+    #   [Cn]: Other, Not Assigned
+    #   [Co]: Other, Private Use
+    #   [Cs]: Other, Surrogate
+    control_chars = {"Cc", "Cf", "Cn", "Co", "Cs"}
+    retained_chars = ["\t", "\n", "\r", "\f"]
+
+    # Remove non-printing control characters
+    return "".join(
+        [
+            "" if (unicodedata.category(char) in control_chars) and (char not in retained_chars) else char
+            for char in text
+        ]
     )
 
-    return article
+
+def normalize_unicode(text):
+    """Normalize unicode such that things that are visually equivalent map to the same unicode string where possible."""
+    normal_form: Literal["NFC", "NFD", "NFKC", "NFKD"] = "NFKC"
+    text = unicodedata.normalize(normal_form, text)
+    return text
+
+
+def normalize_whitespace(text):
+    """Replace runs of whitespace characters with a single space as this is what happens when HTML text is displayed."""
+    text = regex.sub(r"\s+", " ", text)
+    # Remove leading and trailing whitespace
+    text = text.strip()
+    return text
+
+
+def is_leaf(element):
+    return element.name in {"p", "li"}
+
+
+def is_text(element):
+    return isinstance(element, NavigableString)
+
+
+def is_non_printing(element):
+    return any(isinstance(element, _e) for _e in [Comment, CData])
+
+
+def add_content_digest(element):
+    if not is_text(element):
+        element["data-content-digest"] = content_digest(element)
+    return element
+
+
+def content_digest(element):
+    digest: Any
+    if is_text(element):
+        # Hash
+        trimmed_string = element.string.strip()
+        if trimmed_string == "":
+            digest = ""
+        else:
+            digest = hashlib.sha256(trimmed_string.encode("utf-8")).hexdigest()
+    else:
+        contents = element.contents
+        num_contents = len(contents)
+        if num_contents == 0:
+            # No hash when no child elements exist
+            digest = ""
+        elif num_contents == 1:
+            # If single child, use digest of child
+            digest = content_digest(contents[0])
+        else:
+            # Build content digest from the "non-empty" digests of child nodes
+            digest = hashlib.sha256()
+            child_digests = list(filter(lambda x: x != "", [content_digest(content) for content in contents]))
+            for child in child_digests:
+                digest.update(child.encode("utf-8"))
+            digest = digest.hexdigest()
+    return digest
 
 
 def get_image_upload_file_ids(content):

api/core/workflow/nodes/code/code_node.py

@@ -195,7 +195,7 @@ class CodeNode(BaseNode[CodeNodeData]):
             if output_config.type == "object":
                 # check if output is object
                 if not isinstance(result.get(output_name), dict):
-                    if result.get(output_name) is None:
+                    if isinstance(result.get(output_name), type(None)):
                         transformed_result[output_name] = None
                     else:
                         raise OutputValidationError(
@@ -223,7 +223,7 @@ class CodeNode(BaseNode[CodeNodeData]):
             elif output_config.type == "array[number]":
                 # check if array of number available
                 if not isinstance(result[output_name], list):
-                    if result[output_name] is None:
+                    if isinstance(result[output_name], type(None)):
                         transformed_result[output_name] = None
                     else:
                         raise OutputValidationError(
@@ -244,7 +244,7 @@ class CodeNode(BaseNode[CodeNodeData]):
             elif output_config.type == "array[string]":
                 # check if array of string available
                 if not isinstance(result[output_name], list):
-                    if result[output_name] is None:
+                    if isinstance(result[output_name], type(None)):
                         transformed_result[output_name] = None
                     else:
                         raise OutputValidationError(
@@ -265,7 +265,7 @@ class CodeNode(BaseNode[CodeNodeData]):
             elif output_config.type == "array[object]":
                 # check if array of object available
                 if not isinstance(result[output_name], list):
-                    if result[output_name] is None:
+                    if isinstance(result[output_name], type(None)):
                         transformed_result[output_name] = None
                     else:
                         raise OutputValidationError(

api/core/workflow/nodes/llm/node.py

@@ -968,12 +968,14 @@ def _handle_memory_chat_mode(
     *,
     memory: TokenBufferMemory | None,
     memory_config: MemoryConfig | None,
-    model_config: ModelConfigWithCredentialsEntity,  # TODO(-LAN-): Needs to remove
+    model_config: ModelConfigWithCredentialsEntity,
 ) -> Sequence[PromptMessage]:
     memory_messages: Sequence[PromptMessage] = []
     # Get messages from memory for chat model
     if memory and memory_config:
+        rest_tokens = _calculate_rest_token(prompt_messages=[], model_config=model_config)
         memory_messages = memory.get_history_prompt_messages(
+            max_token_limit=rest_tokens,
             message_limit=memory_config.window.size if memory_config.window.enabled else None,
         )
     return memory_messages

api/docker/entrypoint.sh

@@ -35,7 +35,6 @@ else
       --worker-class ${SERVER_WORKER_CLASS:-gevent} \
       --worker-connections ${SERVER_WORKER_CONNECTIONS:-10} \
       --timeout ${GUNICORN_TIMEOUT:-200} \
-      --keep-alive ${GUNICORN_KEEP_ALIVE:-2} \
       app:app
   fi
 fi

api/extensions/ext_login.py

@@ -35,9 +35,6 @@ def load_user_from_request(request_from_flask_login):
 
     decoded = PassportService().verify(auth_token)
     user_id = decoded.get("user_id")
-    source = decoded.get("token_source")
-    if source:
-        raise Unauthorized("Invalid Authorization token.")
 
     logged_in_account = AccountService.load_logged_in_account(account_id=user_id)
     return logged_in_account

api/fields/app_fields.py

@@ -63,7 +63,6 @@ app_detail_fields = {
     "created_at": TimestampField,
     "updated_by": fields.String,
     "updated_at": TimestampField,
-    "access_mode": fields.String,
 }
 
 prompt_config_fields = {
@@ -99,7 +98,6 @@ app_partial_fields = {
     "updated_by": fields.String,
     "updated_at": TimestampField,
     "tags": fields.List(fields.Nested(tag_fields)),
-    "access_mode": fields.String,
 }
 
 
@@ -172,7 +170,6 @@ app_detail_fields_with_site = {
     "updated_by": fields.String,
     "updated_at": TimestampField,
     "deleted_tools": fields.List(fields.String),
-    "access_mode": fields.String,
 }
 
 app_site_fields = {

api/pyproject.toml

@@ -21,7 +21,7 @@ azure-ai-inference = "~1.0.0b8"
 azure-ai-ml = "~1.20.0"
 azure-identity = "1.16.1"
 beautifulsoup4 = "4.12.2"
-boto3 = "~1.35.0"
+boto3 = "1.36.12"
 bs4 = "~0.0.1"
 cachetools = "~5.3.0"
 celery = "~5.4.0"
@@ -48,7 +48,7 @@ google-generativeai = "0.8.1"
 googleapis-common-protos = "1.63.0"
 gunicorn = "~23.0.0"
 httpx = { version = "~0.27.0", extras = ["socks"] }
-huggingface-hub = "~0.31.0"
+huggingface-hub = "~0.16.4"
 jieba = "0.42.1"
 langfuse = "~2.51.3"
 langsmith = "~0.1.77"
@@ -78,18 +78,18 @@ pyyaml = "~6.0.1"
 readabilipy = "0.2.0"
 redis = { version = "~5.0.3", extras = ["hiredis"] }
 replicate = "~0.22.0"
-resend = "~2.9.0"
+resend = "~0.7.0"
 sagemaker = "~2.231.0"
 scikit-learn = "~1.5.1"
 sentry-sdk = { version = "~1.44.1", extras = ["flask"] }
 sqlalchemy = "~2.0.29"
 starlette = "0.41.0"
 tencentcloud-sdk-python-hunyuan = "~3.0.1294"
-tiktoken = "^0.9.0"
+tiktoken = "~0.8.0"
 tokenizers = "~0.15.0"
-transformers = "~4.39.0"
+transformers = "~4.35.0"
 unstructured = { version = "~0.16.1", extras = ["docx", "epub", "md", "msg", "ppt", "pptx"] }
-validators = "0.22.0"
+validators = "0.21.0"
 volcengine-python-sdk = {extras = ["ark"], version = "~1.0.98"}
 websocket-client = "~1.7.0"
 xinference-client = "0.15.2"
@@ -112,7 +112,7 @@ safetensors = "~0.4.3"
 # [ Tools ] dependency group
 ############################################################
 [tool.poetry.group.tools.dependencies]
-arxiv = "2.2.0"
+arxiv = "2.1.0"
 cloudscraper = "1.2.71"
 duckduckgo-search = "~6.3.0"
 jsonpath-ng = "1.6.1"
@@ -166,7 +166,7 @@ tcvectordb = "1.3.2"
 tidb-vector = "0.0.9"
 upstash-vector = "0.6.0"
 volcengine-compat = "~1.0.156"
-weaviate-client = "~3.26.0"
+weaviate-client = "~3.21.0"
 
 ############################################################
 # [ Dev ] dependency group

api/services/account_service.py

@@ -49,7 +49,7 @@ from services.errors.account import (
     RoleAlreadyAssignedError,
     TenantNotFoundError,
 )
-from services.errors.workspace import WorkSpaceNotAllowedCreateError, WorkspacesLimitExceededError
+from services.errors.workspace import WorkSpaceNotAllowedCreateError
 from services.feature_service import FeatureService
 from tasks.delete_account_task import delete_account_task
 from tasks.mail_account_deletion_task import send_account_deletion_verification_code
@@ -406,8 +406,10 @@ class AccountService:
 
             raise PasswordResetRateLimitExceededError()
 
-        code, token = cls.generate_reset_password_token(account_email, account)
-
+        code = "".join([str(random.randint(0, 9)) for _ in range(6)])
+        token = TokenManager.generate_token(
+            account=account, email=email, token_type="reset_password", additional_data={"code": code}
+        )
         send_reset_password_mail_task.delay(
             language=language,
             to=account_email,
@@ -416,22 +418,6 @@ class AccountService:
         cls.reset_password_rate_limiter.increment_rate_limit(account_email)
         return token
 
-    @classmethod
-    def generate_reset_password_token(
-        cls,
-        email: str,
-        account: Optional[Account] = None,
-        code: Optional[str] = None,
-        additional_data: dict[str, Any] = {},
-    ):
-        if not code:
-            code = "".join([str(random.randint(0, 9)) for _ in range(6)])
-        additional_data["code"] = code
-        token = TokenManager.generate_token(
-            account=account, email=email, token_type="reset_password", additional_data=additional_data
-        )
-        return code, token
-
     @classmethod
     def revoke_reset_password_token(cls, token: str):
         TokenManager.revoke_token(token, "reset_password")
@@ -599,10 +585,6 @@ class TenantService:
         if not FeatureService.get_system_features().is_allow_create_workspace and not is_setup:
             raise WorkSpaceNotAllowedCreateError()
 
-        workspaces = FeatureService.get_system_features().license.workspaces
-        if not workspaces.is_available():
-            raise WorkspacesLimitExceededError()
-
         if name:
             tenant = TenantService.create_tenant(name=name, is_setup=is_setup)
         else:
@@ -776,11 +758,9 @@ class TenantService:
     @staticmethod
     def remove_member_from_tenant(tenant: Tenant, account: Account, operator: Account) -> None:
         """Remove member from tenant"""
-        if operator.id == account.id:
+        if operator.id == account.id and TenantService.check_member_permission(tenant, operator, account, "remove"):
             raise CannotOperateSelfError("Cannot operate self.")
 
-        TenantService.check_member_permission(tenant, operator, account, "remove")
-
         ta = TenantAccountJoin.query.filter_by(tenant_id=tenant.id, account_id=account.id).first()
         if not ta:
             raise MemberNotInTenantError("Member not in tenant.")
@@ -895,10 +875,7 @@ class RegisterService:
             if open_id is not None and provider is not None:
                 AccountService.link_account_integrate(provider, open_id, account)
 
-            if (FeatureService.get_system_features().is_allow_create_workspace
-                    and create_workspace_required
-                    and FeatureService.get_system_features().license.workspaces.is_available()
-            ):
+            if FeatureService.get_system_features().is_allow_create_workspace and create_workspace_required:
                 tenant = TenantService.create_tenant(f"{account.name}'s Workspace")
                 TenantService.create_tenant_member(tenant, account, role="owner")
                 account.current_tenant = tenant

api/services/app_dsl_service.py

@@ -55,19 +55,13 @@ def _check_version_compatibility(imported_version: str) -> ImportStatus:
     except version.InvalidVersion:
         return ImportStatus.FAILED
 
-    # If imported version is newer than current, always return PENDING
-    if imported_ver > current_ver:
+    # Compare major version and minor version
+    if current_ver.major != imported_ver.major or current_ver.minor != imported_ver.minor:
         return ImportStatus.PENDING
 
-    # If imported version is older than current's major, return PENDING
-    if imported_ver.major < current_ver.major:
-        return ImportStatus.PENDING
-
-    # If imported version is older than current's minor, return COMPLETED_WITH_WARNINGS
-    if imported_ver.minor < current_ver.minor:
+    if current_ver.micro != imported_ver.micro:
         return ImportStatus.COMPLETED_WITH_WARNINGS
 
-    # If imported version equals or is older than current's micro, return COMPLETED
     return ImportStatus.COMPLETED
 
 

api/services/app_service.py

@@ -19,10 +19,8 @@ from core.tools.utils.configuration import ToolParameterConfigurationManager
 from events.app_event import app_was_created
 from extensions.ext_database import db
 from models.account import Account
-from models.model import App, AppMode, AppModelConfig, Site
+from models.model import App, AppMode, AppModelConfig
 from models.tools import ApiToolProvider
-from services.enterprise.enterprise_service import EnterpriseService
-from services.feature_service import FeatureService
 from services.tag_service import TagService
 from tasks.remove_app_and_related_data_task import remove_app_and_related_data_task
 
@@ -154,10 +152,6 @@ class AppService:
 
         app_was_created.send(app, account=account)
 
-        if FeatureService.get_system_features().webapp_auth.enabled:
-            # update web app setting as private
-            EnterpriseService.WebAppAuth.update_app_access_mode(app.id, "private")
-
         return app
 
     def get_app(self, app: App) -> App:
@@ -314,10 +308,6 @@ class AppService:
         db.session.delete(app)
         db.session.commit()
 
-        # clean up web app settings
-        if FeatureService.get_system_features().webapp_auth.enabled:
-            EnterpriseService.WebAppAuth.cleanup_webapp(app.id)
-
         # Trigger asynchronous deletion of app and related data
         remove_app_and_related_data_task.delay(tenant_id=app.tenant_id, app_id=app.id)
 
@@ -384,27 +374,3 @@ class AppService:
                         meta["tool_icons"][tool_name] = {"background": "#252525", "content": "\ud83d\ude01"}
 
         return meta
-
-    @staticmethod
-    def get_app_code_by_id(app_id: str) -> str:
-        """
-        Get app code by app id
-        :param app_id: app id
-        :return: app code
-        """
-        site = db.session.query(Site).filter(Site.app_id == app_id).first()
-        if not site:
-            raise ValueError(f"App with id {app_id} not found")
-        return str(site.code)
-
-    @staticmethod
-    def get_app_id_by_code(app_code: str) -> str:
-        """
-        Get app id by app code
-        :param app_code: app code
-        :return: app id
-        """
-        site = db.session.query(Site).filter(Site.code == app_code).first()
-        if not site:
-            raise ValueError(f"App with code {app_code} not found")
-        return str(site.app_id)

api/services/enterprise/enterprise_service.py

@@ -1,114 +1,11 @@
-
-from datetime import datetime
-
-from pydantic import BaseModel, Field
 from services.enterprise.base import EnterpriseRequest
 
 
-class WebAppSettings(BaseModel):
-    access_mode: str = Field(
-        description="Access mode for the web app. Can be 'public', 'private', 'private_all', 'sso_verified'",
-        default="private",
-        alias="accessMode",
-    )
-
-
 class EnterpriseService:
     @classmethod
     def get_info(cls):
         return EnterpriseRequest.send_request("GET", "/info")
 
     @classmethod
-    def get_workspace_info(cls, tenant_id: str):
-        return EnterpriseRequest.send_request("GET", f"/workspace/{tenant_id}/info")
-
-    @classmethod
-    def get_app_sso_settings_last_update_time(cls) -> datetime:
-        data = EnterpriseRequest.send_request("GET", "/sso/app/last-update-time")
-        if not data:
-            raise ValueError("No data found.")
-        try:
-            # parse the UTC timestamp from the response
-            return datetime.fromisoformat(data.replace("Z", "+00:00"))
-        except ValueError as e:
-            raise ValueError(f"Invalid date format: {data}") from e
-
-    @classmethod
-    def get_workspace_sso_settings_last_update_time(cls) -> datetime:
-        data = EnterpriseRequest.send_request("GET", "/sso/workspace/last-update-time")
-        if not data:
-            raise ValueError("No data found.")
-        try:
-            # parse the UTC timestamp from the response
-            return datetime.fromisoformat(data.replace("Z", "+00:00"))
-        except ValueError as e:
-            raise ValueError(f"Invalid date format: {data}") from e
-
-    class WebAppAuth:
-        @classmethod
-        def is_user_allowed_to_access_webapp(cls, user_id: str, app_code: str) -> bool:
-            params = {"userId": user_id, "appCode": app_code}
-            data = EnterpriseRequest.send_request("GET", "/webapp/permission", params=params)
-
-            return data.get("result", False)
-
-        @classmethod
-        def get_app_access_mode_by_id(cls, app_id: str) -> WebAppSettings:
-            if not app_id:
-                raise ValueError("app_id must be provided.")
-            params = {"appId": app_id}
-            data = EnterpriseRequest.send_request("GET", "/webapp/access-mode/id", params=params)
-            if not data:
-                raise ValueError("No data found.")
-            return WebAppSettings(**data)
-
-        @classmethod
-        def batch_get_app_access_mode_by_id(cls, app_ids: list[str]) -> dict[str, WebAppSettings]:
-            if not app_ids:
-                return {}
-            body = {"appIds": app_ids}
-            data: dict[str, str] = EnterpriseRequest.send_request("POST", "/webapp/access-mode/batch/id", json=body)
-            if not data:
-                raise ValueError("No data found.")
-
-            if not isinstance(data["accessModes"], dict):
-                raise ValueError("Invalid data format.")
-
-            ret = {}
-            for key, value in data["accessModes"].items():
-                curr = WebAppSettings()
-                curr.access_mode = value
-                ret[key] = curr
-
-            return ret
-
-        @classmethod
-        def get_app_access_mode_by_code(cls, app_code: str) -> WebAppSettings:
-            if not app_code:
-                raise ValueError("app_code must be provided.")
-            params = {"appCode": app_code}
-            data = EnterpriseRequest.send_request("GET", "/webapp/access-mode/code", params=params)
-            if not data:
-                raise ValueError("No data found.")
-            return WebAppSettings(**data)
-
-        @classmethod
-        def update_app_access_mode(cls, app_id: str, access_mode: str) -> bool:
-            if not app_id:
-                raise ValueError("app_id must be provided.")
-            if access_mode not in ["public", "private", "private_all"]:
-                raise ValueError("access_mode must be either 'public', 'private', or 'private_all'")
-
-            data = {"appId": app_id, "accessMode": access_mode}
-
-            response = EnterpriseRequest.send_request("POST", "/webapp/access-mode", json=data)
-
-            return response.get("result", False)
-
-        @classmethod
-        def cleanup_webapp(cls, app_id: str):
-            if not app_id:
-                raise ValueError("app_id must be provided.")
-
-            body = {"appId": app_id}
-            EnterpriseRequest.send_request("DELETE", "/webapp/clean", json=body)
+    def get_app_web_sso_enabled(cls, app_code):
+        return EnterpriseRequest.send_request("GET", f"/app-sso-setting?appCode={app_code}")

api/services/enterprise/mail_service.py

@@ -1,18 +0,0 @@
-from pydantic import BaseModel
-
-from tasks.mail_enterprise_task import send_enterprise_email_task
-
-
-class DifyMail(BaseModel):
-    to: list[str]
-    subject: str
-    body: str
-    substitutions: dict[str, str] = {}
-
-
-class EnterpriseMailService:
-    @classmethod
-    def send_mail(cls, mail: DifyMail):
-        send_enterprise_email_task.delay(
-            to=mail.to, subject=mail.subject, body=mail.body, substitutions=mail.substitutions
-        )

api/services/errors/workspace.py

@@ -7,7 +7,3 @@ class WorkSpaceNotAllowedCreateError(BaseServiceError):
 
 class WorkSpaceNotFoundError(BaseServiceError):
     pass
-
-
-class WorkspacesLimitExceededError(BaseServiceError):
-    pass

api/services/feature_service.py

@@ -1,6 +1,6 @@
 from enum import StrEnum
 
-from pydantic import BaseModel, ConfigDict, Field
+from pydantic import BaseModel, ConfigDict
 
 from configs import dify_config
 from services.billing_service import BillingService
@@ -22,32 +22,6 @@ class LimitationModel(BaseModel):
     limit: int = 0
 
 
-class LicenseLimitationModel(BaseModel):
-    """
-    - enabled: whether this limit is enforced
-    - size: current usage count
-    - limit: maximum allowed count; 0 means unlimited
-    """
-
-    enabled: bool = Field(False, description="Whether this limit is currently active")
-    size: int = Field(0, description="Number of resources already consumed")
-    limit: int = Field(0, description="Maximum number of resources allowed; 0 means no limit")
-
-    def is_available(self, required: int = 1) -> bool:
-        """
-        Determine whether the requested amount can be allocated.
-
-        Returns True if:
-         - this limit is not active, or
-         - the limit is zero (unlimited), or
-         - there is enough remaining quota.
-        """
-        if not self.enabled or self.limit == 0:
-            return True
-
-        return (self.limit - self.size) >= required
-
-
 class LicenseStatus(StrEnum):
     NONE = "none"
     INACTIVE = "inactive"
@@ -60,27 +34,6 @@ class LicenseStatus(StrEnum):
 class LicenseModel(BaseModel):
     status: LicenseStatus = LicenseStatus.NONE
     expired_at: str = ""
-    workspaces: LicenseLimitationModel = LicenseLimitationModel(enabled=False, size=0, limit=0)
-
-
-class BrandingModel(BaseModel):
-    enabled: bool = False
-    application_title: str = ""
-    login_page_logo: str = ""
-    workspace_logo: str = ""
-    favicon: str = ""
-
-
-class WebAppAuthSSOModel(BaseModel):
-    protocol: str = ""
-
-
-class WebAppAuthModel(BaseModel):
-    enabled: bool = False
-    allow_sso: bool = False
-    sso_config: WebAppAuthSSOModel = WebAppAuthSSOModel()
-    allow_email_code_login: bool = False
-    allow_email_password_login: bool = False
 
 
 class FeatureModel(BaseModel):
@@ -94,8 +47,6 @@ class FeatureModel(BaseModel):
     can_replace_logo: bool = False
     model_load_balancing_enabled: bool = False
     dataset_operator_enabled: bool = False
-    webapp_copyright_enabled: bool = False
-    workspace_members: LicenseLimitationModel = LicenseLimitationModel(enabled=False, size=0, limit=0)
 
     # pydantic configs
     model_config = ConfigDict(protected_namespaces=())
@@ -104,6 +55,9 @@ class FeatureModel(BaseModel):
 class SystemFeatureModel(BaseModel):
     sso_enforced_for_signin: bool = False
     sso_enforced_for_signin_protocol: str = ""
+    sso_enforced_for_web: bool = False
+    sso_enforced_for_web_protocol: str = ""
+    enable_web_sso_switch_component: bool = False
     enable_email_code_login: bool = False
     enable_email_password_login: bool = True
     enable_social_oauth_login: bool = False
@@ -111,8 +65,6 @@ class SystemFeatureModel(BaseModel):
     is_allow_create_workspace: bool = False
     is_email_setup: bool = False
     license: LicenseModel = LicenseModel()
-    branding: BrandingModel = BrandingModel()
-    webapp_auth: WebAppAuthModel = WebAppAuthModel()
 
 
 class FeatureService:
@@ -125,10 +77,6 @@ class FeatureService:
         if dify_config.BILLING_ENABLED and tenant_id:
             cls._fulfill_params_from_billing_api(features, tenant_id)
 
-        if dify_config.ENTERPRISE_ENABLED:
-            features.webapp_copyright_enabled = True
-            cls._fulfill_params_from_workspace_info(features, tenant_id)
-
         return features
 
     @classmethod
@@ -138,8 +86,8 @@ class FeatureService:
         cls._fulfill_system_params_from_env(system_features)
 
         if dify_config.ENTERPRISE_ENABLED:
-            system_features.branding.enabled = True
-            system_features.webapp_auth.enabled = True
+            system_features.enable_web_sso_switch_component = True
+
             cls._fulfill_params_from_enterprise(system_features)
 
         return system_features
@@ -159,14 +107,6 @@ class FeatureService:
         features.model_load_balancing_enabled = dify_config.MODEL_LB_ENABLED
         features.dataset_operator_enabled = dify_config.DATASET_OPERATOR_ENABLED
 
-    @classmethod
-    def _fulfill_params_from_workspace_info(cls, features: FeatureModel, tenant_id: str):
-        workspace_info = EnterpriseService.get_workspace_info(tenant_id)
-        if "WorkspaceMembers" in workspace_info:
-            features.workspace_members.size = workspace_info["WorkspaceMembers"]["used"]
-            features.workspace_members.limit = workspace_info["WorkspaceMembers"]["limit"]
-            features.workspace_members.enabled = workspace_info["WorkspaceMembers"]["enabled"]
-
     @classmethod
     def _fulfill_params_from_billing_api(cls, features: FeatureModel, tenant_id: str):
         billing_info = BillingService.get_info(tenant_id)
@@ -175,9 +115,6 @@ class FeatureService:
         features.billing.subscription.plan = billing_info["subscription"]["plan"]
         features.billing.subscription.interval = billing_info["subscription"]["interval"]
 
-        if features.billing.subscription.plan != "sandbox":
-            features.webapp_copyright_enabled = True
-
         if "members" in billing_info:
             features.members.size = billing_info["members"]["size"]
             features.members.limit = billing_info["members"]["limit"]
@@ -208,53 +145,38 @@ class FeatureService:
             features.model_load_balancing_enabled = billing_info["model_load_balancing_enabled"]
 
     @classmethod
-    def _fulfill_params_from_enterprise(cls, features: SystemFeatureModel):
+    def _fulfill_params_from_enterprise(cls, features):
         enterprise_info = EnterpriseService.get_info()
 
-        if "SSOEnforcedForSignin" in enterprise_info:
-            features.sso_enforced_for_signin = enterprise_info["SSOEnforcedForSignin"]
+        if "sso_enforced_for_signin" in enterprise_info:
+            features.sso_enforced_for_signin = enterprise_info["sso_enforced_for_signin"]
 
-        if "SSOEnforcedForSigninProtocol" in enterprise_info:
-            features.sso_enforced_for_signin_protocol = enterprise_info["SSOEnforcedForSigninProtocol"]
+        if "sso_enforced_for_signin_protocol" in enterprise_info:
+            features.sso_enforced_for_signin_protocol = enterprise_info["sso_enforced_for_signin_protocol"]
 
-        if "EnableEmailCodeLogin" in enterprise_info:
-            features.enable_email_code_login = enterprise_info["EnableEmailCodeLogin"]
+        if "sso_enforced_for_web" in enterprise_info:
+            features.sso_enforced_for_web = enterprise_info["sso_enforced_for_web"]
 
-        if "EnableEmailPasswordLogin" in enterprise_info:
-            features.enable_email_password_login = enterprise_info["EnableEmailPasswordLogin"]
+        if "sso_enforced_for_web_protocol" in enterprise_info:
+            features.sso_enforced_for_web_protocol = enterprise_info["sso_enforced_for_web_protocol"]
 
-        if "IsAllowRegister" in enterprise_info:
-            features.is_allow_register = enterprise_info["IsAllowRegister"]
+        if "enable_email_code_login" in enterprise_info:
+            features.enable_email_code_login = enterprise_info["enable_email_code_login"]
 
-        if "IsAllowCreateWorkspace" in enterprise_info:
-            features.is_allow_create_workspace = enterprise_info["IsAllowCreateWorkspace"]
+        if "enable_email_password_login" in enterprise_info:
+            features.enable_email_password_login = enterprise_info["enable_email_password_login"]
 
-        if "Branding" in enterprise_info:
-            features.branding.application_title = enterprise_info["Branding"].get("applicationTitle", "")
-            features.branding.login_page_logo = enterprise_info["Branding"].get("loginPageLogo", "")
-            features.branding.workspace_logo = enterprise_info["Branding"].get("workspaceLogo", "")
-            features.branding.favicon = enterprise_info["Branding"].get("favicon", "")
+        if "is_allow_register" in enterprise_info:
+            features.is_allow_register = enterprise_info["is_allow_register"]
 
-        if "WebAppAuth" in enterprise_info:
-            features.webapp_auth.allow_sso = enterprise_info["WebAppAuth"].get("allowSso", False)
-            features.webapp_auth.allow_email_code_login = enterprise_info["WebAppAuth"].get(
-                "allowEmailCodeLogin", False
-            )
-            features.webapp_auth.allow_email_password_login = enterprise_info["WebAppAuth"].get(
-                "allowEmailPasswordLogin", False
-            )
-            features.webapp_auth.sso_config.protocol = enterprise_info.get("SSOEnforcedForWebProtocol", "")
+        if "is_allow_create_workspace" in enterprise_info:
+            features.is_allow_create_workspace = enterprise_info["is_allow_create_workspace"]
 
-        if "License" in enterprise_info:
-            license_info = enterprise_info["License"]
+        if "license" in enterprise_info:
+            license_info = enterprise_info["license"]
 
             if "status" in license_info:
                 features.license.status = LicenseStatus(license_info.get("status", LicenseStatus.INACTIVE))
 
-            if "expiredAt" in license_info:
-                features.license.expired_at = license_info["expiredAt"]
-
-            if "workspaces" in license_info:
-                features.license.workspaces.enabled = license_info["workspaces"]["enabled"]
-                features.license.workspaces.limit = license_info["workspaces"]["limit"]
-                features.license.workspaces.size = license_info["workspaces"]["used"]
+            if "expired_at" in license_info:
+                features.license.expired_at = license_info["expired_at"]

api/services/webapp_auth_service.py

@@ -1,174 +0,0 @@
-import enum
-import random
-from datetime import UTC, datetime, timedelta
-from typing import Any, Optional, cast
-
-from configs import dify_config
-from extensions.ext_database import db
-from libs.helper import TokenManager
-from libs.passport import PassportService
-from libs.password import compare_password
-from models.account import Account, AccountStatus
-from models.model import App, EndUser, Site
-from services.app_service import AppService
-from services.enterprise.enterprise_service import EnterpriseService
-from services.errors.account import (AccountLoginError, AccountNotFoundError,
-                                     AccountPasswordError)
-from tasks.mail_email_code_login import send_email_code_login_mail_task
-from werkzeug.exceptions import Unauthorized
-
-
-class WebAppAuthType(enum.StrEnum):
-    """Enum for web app authentication types."""
-
-    PUBLIC = "public"
-    INTERNAL = "internal"
-    EXTERNAL = "external"
-
-
-class WebAppAuthService:
-    """Service for web app authentication."""
-
-    @staticmethod
-    def authenticate(email: str, password: str) -> Account:
-        """authenticate account with email and password"""
-        account = db.session.query(Account).filter_by(email=email).first()
-        if not account:
-            raise AccountNotFoundError()
-
-        if account.status == AccountStatus.BANNED.value:
-            raise AccountLoginError("Account is banned.")
-
-        if account.password is None or not compare_password(password, account.password, account.password_salt):
-            raise AccountPasswordError("Invalid email or password.")
-
-        return cast(Account, account)
-
-    @classmethod
-    def login(cls, account: Account) -> str:
-        access_token = cls._get_account_jwt_token(account=account)
-
-        return access_token
-
-    @classmethod
-    def get_user_through_email(cls, email: str):
-        account = db.session.query(Account).filter(Account.email == email).first()
-        if not account:
-            return None
-
-        if account.status == AccountStatus.BANNED.value:
-            raise Unauthorized("Account is banned.")
-
-        return account
-
-    @classmethod
-    def send_email_code_login_email(
-        cls, account: Optional[Account] = None, email: Optional[str] = None, language: Optional[str] = "en-US"
-    ):
-        email = account.email if account else email
-        if email is None:
-            raise ValueError("Email must be provided.")
-
-        code = "".join([str(random.randint(0, 9)) for _ in range(6)])
-        token = TokenManager.generate_token(
-            account=account, email=email, token_type="email_code_login", additional_data={"code": code}
-        )
-        send_email_code_login_mail_task.delay(
-            language=language,
-            to=account.email if account else email,
-            code=code,
-        )
-
-        return token
-
-    @classmethod
-    def get_email_code_login_data(cls, token: str) -> Optional[dict[str, Any]]:
-        return TokenManager.get_token_data(token, "email_code_login")
-
-    @classmethod
-    def revoke_email_code_login_token(cls, token: str):
-        TokenManager.revoke_token(token, "email_code_login")
-
-    @classmethod
-    def create_end_user(cls, app_code, email) -> EndUser:
-        site = db.session.query(Site).filter(Site.code == app_code).first()
-        app_model = db.session.query(App).filter(App.id == site.app_id).first()
-        end_user = EndUser(
-            tenant_id=app_model.tenant_id,
-            app_id=app_model.id,
-            type="browser",
-            is_anonymous=False,
-            session_id=email,
-            name="enterpriseuser",
-            external_user_id="enterpriseuser",
-        )
-        db.session.add(end_user)
-        db.session.commit()
-
-        return end_user
-
-    @classmethod
-    def _get_account_jwt_token(cls, account: Account) -> str:
-        exp_dt = datetime.now(UTC) + timedelta(hours=dify_config.ACCESS_TOKEN_EXPIRE_MINUTES * 24)
-        exp = int(exp_dt.timestamp())
-
-        payload = {
-            "sub": "Web API Passport",
-            "user_id": account.id,
-            "session_id": account.email,
-            "token_source": "webapp_login_token",
-            "auth_type": "internal",
-            "exp": exp,
-        }
-
-        token: str = PassportService().issue(payload)
-        return token
-
-    @classmethod
-    def is_app_require_permission_check(
-        cls, app_code: Optional[str] = None, app_id: Optional[str] = None, access_mode: Optional[str] = None
-    ) -> bool:
-        """
-        Check if the app requires permission check based on its access mode.
-        """
-        modes_requiring_permission_check = [
-            "private",
-            "private_all",
-        ]
-        if access_mode:
-            return access_mode in modes_requiring_permission_check
-
-        if not app_code and not app_id:
-            raise ValueError("Either app_code or app_id must be provided.")
-
-        if app_code:
-            app_id = AppService.get_app_id_by_code(app_code)
-        if not app_id:
-            raise ValueError("App ID could not be determined from the provided app_code.")
-
-        webapp_settings = EnterpriseService.WebAppAuth.get_app_access_mode_by_id(app_id)
-        if webapp_settings and webapp_settings.access_mode in modes_requiring_permission_check:
-            return True
-        return False
-
-    @classmethod
-    def get_app_auth_type(cls, app_code: str | None = None, access_mode: str | None = None) -> WebAppAuthType:
-        """
-        Get the authentication type for the app based on its access mode.
-        """
-        if not app_code and not access_mode:
-            raise ValueError("Either app_code or access_mode must be provided.")
-
-        if access_mode:
-            if access_mode == "public":
-                return WebAppAuthType.PUBLIC
-            elif access_mode in ["private", "private_all"]:
-                return WebAppAuthType.INTERNAL
-            elif access_mode == "sso_verified":
-                return WebAppAuthType.EXTERNAL
-
-        if app_code:
-            webapp_settings = EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code)
-            return cls.get_app_auth_type(access_mode=webapp_settings.access_mode)
-
-        raise ValueError("Could not determine app authentication type.")

api/tasks/mail_email_code_login.py

@@ -6,7 +6,6 @@ from celery import shared_task  # type: ignore
 from flask import render_template
 
 from extensions.ext_mail import mail
-from services.feature_service import FeatureService
 
 
 @shared_task(queue="mail")
@@ -26,24 +25,10 @@ def send_email_code_login_mail_task(language: str, to: str, code: str):
     # send email code login mail using different languages
     try:
         if language == "zh-Hans":
-            template = "email_code_login_mail_template_zh-CN.html"
-            system_features = FeatureService.get_system_features()
-            if system_features.branding.enabled:
-                application_title = system_features.branding.application_title
-                template = "without-brand/email_code_login_mail_template_zh-CN.html"
-                html_content = render_template(template, to=to, code=code, application_title=application_title)
-            else:
-                html_content = render_template(template, to=to, code=code)
+            html_content = render_template("email_code_login_mail_template_zh-CN.html", to=to, code=code)
             mail.send(to=to, subject="邮箱验证码", html=html_content)
         else:
-            template = "email_code_login_mail_template_en-US.html"
-            system_features = FeatureService.get_system_features()
-            if system_features.branding.enabled:
-                application_title = system_features.branding.application_title
-                template = "without-brand/email_code_login_mail_template_en-US.html"
-                html_content = render_template(template, to=to, code=code, application_title=application_title)
-            else:
-                html_content = render_template(template, to=to, code=code)
+            html_content = render_template("email_code_login_mail_template_en-US.html", to=to, code=code)
             mail.send(to=to, subject="Email Code", html=html_content)
 
         end_at = time.perf_counter()

api/tasks/mail_enterprise_task.py

@@ -1,33 +0,0 @@
-import logging
-import time
-
-import click
-from celery import shared_task  # type: ignore
-from flask import render_template_string
-
-from extensions.ext_mail import mail
-
-
-@shared_task(queue="mail")
-def send_enterprise_email_task(to, subject, body, substitutions):
-    if not mail.is_inited():
-        return
-
-    logging.info(click.style("Start enterprise mail to {} with subject {}".format(to, subject), fg="green"))
-    start_at = time.perf_counter()
-
-    try:
-        html_content = render_template_string(body, **substitutions)
-
-        if isinstance(to, list):
-            for t in to:
-                mail.send(to=t, subject=subject, html=html_content)
-        else:
-            mail.send(to=to, subject=subject, html=html_content)
-
-        end_at = time.perf_counter()
-        logging.info(
-            click.style("Send enterprise mail to {} succeeded: latency: {}".format(to, end_at - start_at), fg="green")
-        )
-    except Exception:
-        logging.exception("Send enterprise mail to {} failed".format(to))

api/tasks/mail_invite_member_task.py

@@ -7,7 +7,6 @@ from flask import render_template
 
 from configs import dify_config
 from extensions.ext_mail import mail
-from services.feature_service import FeatureService
 
 
 @shared_task(queue="mail")
@@ -34,45 +33,23 @@ def send_invite_member_mail_task(language: str, to: str, token: str, inviter_nam
     try:
         url = f"{dify_config.CONSOLE_WEB_URL}/activate?token={token}"
         if language == "zh-Hans":
-            template = "invite_member_mail_template_zh-CN.html"
-            system_features = FeatureService.get_system_features()
-            if system_features.branding.enabled:
-                application_title = system_features.branding.application_title
-                template = "without-brand/invite_member_mail_template_zh-CN.html"
-                html_content = render_template(
-                    template,
-                    to=to,
-                    inviter_name=inviter_name,
-                    workspace_name=workspace_name,
-                    url=url,
-                    application_title=application_title,
-                )
-                mail.send(to=to, subject=f"立即加入 {application_title} 工作空间", html=html_content)
-            else:
-                html_content = render_template(
-                    template, to=to, inviter_name=inviter_name, workspace_name=workspace_name, url=url
-                )
-                mail.send(to=to, subject="立即加入 Dify 工作空间", html=html_content)
+            html_content = render_template(
+                "invite_member_mail_template_zh-CN.html",
+                to=to,
+                inviter_name=inviter_name,
+                workspace_name=workspace_name,
+                url=url,
+            )
+            mail.send(to=to, subject="立即加入 Dify 工作空间", html=html_content)
         else:
-            template = "invite_member_mail_template_en-US.html"
-            system_features = FeatureService.get_system_features()
-            if system_features.branding.enabled:
-                application_title = system_features.branding.application_title
-                template = "without-brand/invite_member_mail_template_en-US.html"
-                html_content = render_template(
-                    template,
-                    to=to,
-                    inviter_name=inviter_name,
-                    workspace_name=workspace_name,
-                    url=url,
-                    application_title=application_title,
-                )
-                mail.send(to=to, subject=f"Join {application_title} Workspace Now", html=html_content)
-            else:
-                html_content = render_template(
-                    template, to=to, inviter_name=inviter_name, workspace_name=workspace_name, url=url
-                )
-                mail.send(to=to, subject="Join Dify Workspace Now", html=html_content)
+            html_content = render_template(
+                "invite_member_mail_template_en-US.html",
+                to=to,
+                inviter_name=inviter_name,
+                workspace_name=workspace_name,
+                url=url,
+            )
+            mail.send(to=to, subject="Join Dify Workspace Now", html=html_content)
 
         end_at = time.perf_counter()
         logging.info(

api/tasks/mail_reset_password_task.py

@@ -6,7 +6,6 @@ from celery import shared_task  # type: ignore
 from flask import render_template
 
 from extensions.ext_mail import mail
-from services.feature_service import FeatureService
 
 
 @shared_task(queue="mail")
@@ -26,27 +25,11 @@ def send_reset_password_mail_task(language: str, to: str, code: str):
     # send reset password mail using different languages
     try:
         if language == "zh-Hans":
-            template = "reset_password_mail_template_zh-CN.html"
-            system_features = FeatureService.get_system_features()
-            if system_features.branding.enabled:
-                application_title = system_features.branding.application_title
-                template = "without-brand/reset_password_mail_template_zh-CN.html"
-                html_content = render_template(template, to=to, code=code, application_title=application_title)
-                mail.send(to=to, subject=f"设置您的 {application_title} 密码", html=html_content)
-            else:
-                html_content = render_template(template, to=to, code=code)
-                mail.send(to=to, subject="设置您的 Dify 密码", html=html_content)
+            html_content = render_template("reset_password_mail_template_zh-CN.html", to=to, code=code)
+            mail.send(to=to, subject="设置您的 Dify 密码", html=html_content)
         else:
-            template = "reset_password_mail_template_en-US.html"
-            system_features = FeatureService.get_system_features()
-            if system_features.branding.enabled:
-                application_title = system_features.branding.application_title
-                template = "without-brand/reset_password_mail_template_en-US.html"
-                html_content = render_template(template, to=to, code=code, application_title=application_title)
-                mail.send(to=to, subject=f"Set Your {application_title} Password", html=html_content)
-            else:
-                html_content = render_template(template, to=to, code=code)
-                mail.send(to=to, subject="Set Your Dify Password", html=html_content)
+            html_content = render_template("reset_password_mail_template_en-US.html", to=to, code=code)
+            mail.send(to=to, subject="Set Your Dify Password", html=html_content)
 
         end_at = time.perf_counter()
         logging.info(

api/templates/without-brand/email_code_login_mail_template_en-US.html

@@ -1,70 +0,0 @@
-<!DOCTYPE html>
-<html>
-  <head>
-    <style>
-      body {
-        font-family: 'Arial', sans-serif;
-        line-height: 16pt;
-        color: #101828;
-        background-color: #e9ebf0;
-        margin: 0;
-        padding: 0;
-      }
-      .container {
-        width: 600px;
-        height: 360px;
-        margin: 40px auto;
-        padding: 36px 48px;
-        background-color: #fcfcfd;
-        border-radius: 16px;
-        border: 1px solid #ffffff;
-        box-shadow: 0 2px 4px -2px rgba(9, 9, 11, 0.08);
-      }
-      .header {
-        margin-bottom: 24px;
-      }
-      .header img {
-        max-width: 100px;
-        height: auto;
-      }
-      .title {
-        font-weight: 600;
-        font-size: 24px;
-        line-height: 28.8px;
-      }
-      .description {
-        font-size: 13px;
-        line-height: 16px;
-        color: #676f83;
-        margin-top: 12px;
-      }
-      .code-content {
-        padding: 16px 32px;
-        text-align: center;
-        border-radius: 16px;
-        background-color: #f2f4f7;
-        margin: 16px auto;
-      }
-      .code {
-        line-height: 36px;
-        font-weight: 700;
-        font-size: 30px;
-      }
-      .tips {
-        line-height: 16px;
-        color: #676f83;
-        font-size: 13px;
-      }
-    </style>
-  </head>
-  <body>
-    <div class="container">
-      <p class="title">Your login code for {{application_title}}</p>
-      <p class="description">Copy and paste this code, this code will only be valid for the next 5 minutes.</p>
-      <div class="code-content">
-        <span class="code">{{code}}</span>
-      </div>
-      <p class="tips">If you didn't request a login, don't worry. You can safely ignore this email.</p>
-    </div>
-  </body>
-</html>

api/templates/without-brand/email_code_login_mail_template_zh-CN.html

@@ -1,70 +0,0 @@
-<!DOCTYPE html>
-<html>
-  <head>
-    <style>
-      body {
-        font-family: 'Arial', sans-serif;
-        line-height: 16pt;
-        color: #101828;
-        background-color: #e9ebf0;
-        margin: 0;
-        padding: 0;
-      }
-      .container {
-        width: 600px;
-        height: 360px;
-        margin: 40px auto;
-        padding: 36px 48px;
-        background-color: #fcfcfd;
-        border-radius: 16px;
-        border: 1px solid #ffffff;
-        box-shadow: 0 2px 4px -2px rgba(9, 9, 11, 0.08);
-      }
-      .header {
-        margin-bottom: 24px;
-      }
-      .header img {
-        max-width: 100px;
-        height: auto;
-      }
-      .title {
-        font-weight: 600;
-        font-size: 24px;
-        line-height: 28.8px;
-      }
-      .description {
-        font-size: 13px;
-        line-height: 16px;
-        color: #676f83;
-        margin-top: 12px;
-      }
-      .code-content {
-        padding: 16px 32px;
-        text-align: center;
-        border-radius: 16px;
-        background-color: #f2f4f7;
-        margin: 16px auto;
-      }
-      .code {
-        line-height: 36px;
-        font-weight: 700;
-        font-size: 30px;
-      }
-      .tips {
-        line-height: 16px;
-        color: #676f83;
-        font-size: 13px;
-      }
-    </style>
-  </head>
-  <body>
-    <div class="container">
-      <p class="title">{{application_title}} 的登录验证码</p>
-      <p class="description">复制并粘贴此验证码，注意验证码仅在接下来的 5 分钟内有效。</p>
-      <div class="code-content">
-        <span class="code">{{code}}</span>
-      </div>
-      <p class="tips">如果您没有请求登录，请不要担心。您可以安全地忽略此电子邮件。</p>
-    </div>
-  </body>
-</html>

api/templates/without-brand/invite_member_mail_template_en-US.html

@@ -1,69 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-    <style>
-        body {
-            font-family: 'Arial', sans-serif;
-            line-height: 16pt;
-            color: #374151;
-            background-color: #E5E7EB;
-            margin: 0;
-            padding: 0;
-        }
-        .container {
-            width: 100%;
-            max-width: 560px;
-            margin: 40px auto;
-            padding: 20px;
-            background-color: #F3F4F6;
-            border-radius: 8px;
-            box-shadow: 0 4px 8px rgba(0, 0, 0, 0.1);
-        }
-        .header {
-            text-align: center;
-            margin-bottom: 20px;
-        }
-        .header img {
-            max-width: 100px;
-            height: auto;
-        }
-        .button {
-            display: inline-block;
-            padding: 12px 24px;
-            background-color: #2970FF;
-            color: white;
-            text-decoration: none;
-            border-radius: 4px;
-            text-align: center;
-            transition: background-color 0.3s ease;
-        }
-        .button:hover {
-            background-color: #265DD4;
-        }
-        .footer {
-            font-size: 0.9em;
-            color: #777777;
-            margin-top: 30px;
-        }
-        .content {
-            margin-top: 20px;
-        }
-    </style>
-</head>
-<body>
-    <div class="container">
-        <div class="content">
-            <p>Dear {{ to }},</p>
-            <p>{{ inviter_name }} is pleased to invite you to join our workspace on {{application_title}}, a platform specifically designed for LLM application development. On {{application_title}}, you can explore, create, and collaborate to build and operate AI applications.</p>
-            <p>Click the button below to log in to {{application_title}} and join the workspace.</p>
-            <p style="text-align: center;"><a style="color: #fff; text-decoration: none" class="button" href="{{ url }}">Login Here</a></p>
-        </div>
-        <div class="footer">
-            <p>Best regards,</p>
-            <p>{{application_title}} Team</p>
-            <p>Please do not reply directly to this email; it is automatically sent by the system.</p>
-        </div>
-    </div>
-</body>
-
-</html>

api/templates/without-brand/invite_member_mail_template_zh-CN.html

@@ -1,69 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-    <style>
-        body {
-            font-family: 'Arial', sans-serif;
-            line-height: 16pt;
-            color: #374151;
-            background-color: #E5E7EB;
-            margin: 0;
-            padding: 0;
-        }
-        .container {
-            width: 100%;
-            max-width: 560px;
-            margin: 40px auto;
-            padding: 20px;
-            background-color: #F3F4F6;
-            border-radius: 8px;
-            box-shadow: 0 4px 8px rgba(0, 0, 0, 0.1);
-        }
-        .header {
-            text-align: center;
-            margin-bottom: 20px;
-        }
-        .header img {
-            max-width: 100px;
-            height: auto;
-        }
-        .button {
-            display: inline-block;
-            padding: 12px 24px;
-            background-color: #2970FF;
-            color: white;
-            text-decoration: none;
-            border-radius: 4px;
-            text-align: center;
-            transition: background-color 0.3s ease;
-        }
-        .button:hover {
-            background-color: #265DD4;
-        }
-        .footer {
-            font-size: 0.9em;
-            color: #777777;
-            margin-top: 30px;
-        }
-        .content {
-            margin-top: 20px;
-        }
-    </style>
-</head>
-
-<body>
-    <div class="container">
-        <div class="content">
-            <p>尊敬的 {{ to }}，</p>
-            <p>{{ inviter_name }} 现邀请您加入我们在 {{application_title}} 的工作区，这是一个专为 LLM 应用开发而设计的平台。在 {{application_title}} 上，您可以探索、创造和合作，构建和运营 AI 应用。</p>
-            <p>点击下方按钮即可登录 {{application_title}} 并且加入空间。</p>
-            <p style="text-align: center;"><a style="color: #fff; text-decoration: none" class="button" href="{{ url }}">在此登录</a></p>
-        </div>
-        <div class="footer">
-            <p>此致，</p>
-            <p>{{application_title}} 团队</p>
-            <p>请不要直接回复此电子邮件；由系统自动发送。</p>
-        </div>
-    </div>
-</body>
-</html>

api/templates/without-brand/reset_password_mail_template_en-US.html

@@ -1,70 +0,0 @@
-<!DOCTYPE html>
-<html>
-  <head>
-    <style>
-      body {
-        font-family: 'Arial', sans-serif;
-        line-height: 16pt;
-        color: #101828;
-        background-color: #e9ebf0;
-        margin: 0;
-        padding: 0;
-      }
-      .container {
-        width: 600px;
-        height: 360px;
-        margin: 40px auto;
-        padding: 36px 48px;
-        background-color: #fcfcfd;
-        border-radius: 16px;
-        border: 1px solid #ffffff;
-        box-shadow: 0 2px 4px -2px rgba(9, 9, 11, 0.08);
-      }
-      .header {
-        margin-bottom: 24px;
-      }
-      .header img {
-        max-width: 100px;
-        height: auto;
-      }
-      .title {
-        font-weight: 600;
-        font-size: 24px;
-        line-height: 28.8px;
-      }
-      .description {
-        font-size: 13px;
-        line-height: 16px;
-        color: #676f83;
-        margin-top: 12px;
-      }
-      .code-content {
-        padding: 16px 32px;
-        text-align: center;
-        border-radius: 16px;
-        background-color: #f2f4f7;
-        margin: 16px auto;
-      }
-      .code {
-        line-height: 36px;
-        font-weight: 700;
-        font-size: 30px;
-      }
-      .tips {
-        line-height: 16px;
-        color: #676f83;
-        font-size: 13px;
-      }
-    </style>
-  </head>
-  <body>
-    <div class="container">
-        <p class="title">Set your {{application_title}} password</p>
-      <p class="description">Copy and paste this code, this code will only be valid for the next 5 minutes.</p>
-      <div class="code-content">
-        <span class="code">{{code}}</span>
-      </div>
-        <p class="tips">If you didn't request, don't worry. You can safely ignore this email.</p>
-    </div>
-  </body>
-</html>

api/templates/without-brand/reset_password_mail_template_zh-CN.html

@@ -1,70 +0,0 @@
-<!DOCTYPE html>
-<html>
-  <head>
-    <style>
-      body {
-        font-family: 'Arial', sans-serif;
-        line-height: 16pt;
-        color: #101828;
-        background-color: #e9ebf0;
-        margin: 0;
-        padding: 0;
-      }
-      .container {
-        width: 600px;
-        height: 360px;
-        margin: 40px auto;
-        padding: 36px 48px;
-        background-color: #fcfcfd;
-        border-radius: 16px;
-        border: 1px solid #ffffff;
-        box-shadow: 0 2px 4px -2px rgba(9, 9, 11, 0.08);
-      }
-      .header {
-        margin-bottom: 24px;
-      }
-      .header img {
-        max-width: 100px;
-        height: auto;
-      }
-      .title {
-        font-weight: 600;
-        font-size: 24px;
-        line-height: 28.8px;
-      }
-      .description {
-        font-size: 13px;
-        line-height: 16px;
-        color: #676f83;
-        margin-top: 12px;
-      }
-      .code-content {
-        padding: 16px 32px;
-        text-align: center;
-        border-radius: 16px;
-        background-color: #f2f4f7;
-        margin: 16px auto;
-      }
-      .code {
-        line-height: 36px;
-        font-weight: 700;
-        font-size: 30px;
-      }
-      .tips {
-        line-height: 16px;
-        color: #676f83;
-        font-size: 13px;
-      }
-    </style>
-  </head>
-  <body>
-    <div class="container">
-        <p class="title">设置您的 {{application_title}} 账户密码</p>
-      <p class="description">复制并粘贴此验证码，注意验证码仅在接下来的 5 分钟内有效。</p>
-      <div class="code-content">
-        <span class="code">{{code}}</span>
-      </div>
-        <p class="tips">如果您没有请求，请不要担心。您可以安全地忽略此电子邮件。</p>
-    </div>
-  </body>
-</html>

docker/.env.example

@@ -142,9 +142,6 @@ CELERY_WORKER_CLASS=
 # it is recommended to set it to 360 to support a longer sse connection time.
 GUNICORN_TIMEOUT=360
 
-# The number of seconds to wait for requests on a Keep-Alive connection, default to 2
-GUNICORN_KEEP_ALIVE=2
-
 # The number of Celery workers. The default is 1, and can be set as needed.
 CELERY_WORKER_AMOUNT=
 
@@ -935,6 +932,3 @@ MAX_SUBMIT_COUNT=100
 
 # The maximum number of top-k value for RAG.
 TOP_K_MAX_VALUE=10
-
-# Prevent Clickjacking
-ALLOW_EMBED=false

docker/docker-compose-template.yaml

@@ -1,8 +1,8 @@
-x-shared-env: &shared-api-worker-env 
+x-shared-env: &shared-api-worker-env
 services:
   # API service
   api:
-    image: langgenius/dify-api:0.15.8
+    image: langgenius/dify-api:0.15.6-alpha.1
     restart: always
     environment:
       # Use the shared environment variables.
@@ -25,7 +25,7 @@ services:
   # worker service
   # The Celery worker for processing the queue.
   worker:
-    image: langgenius/dify-api:0.15.8
+    image: langgenius/dify-api:0.15.6-alpha.1
     restart: always
     environment:
       # Use the shared environment variables.
@@ -47,7 +47,7 @@ services:
 
   # Frontend web application.
   web:
-    image: langgenius/dify-web:0.15.8
+    image: langgenius/dify-web:0.15.6-alpha.1
     restart: always
     environment:
       CONSOLE_API_URL: ${CONSOLE_API_URL:-}
@@ -56,7 +56,6 @@ services:
       NEXT_TELEMETRY_DISABLED: ${NEXT_TELEMETRY_DISABLED:-0}
       TEXT_GENERATION_TIMEOUT_MS: ${TEXT_GENERATION_TIMEOUT_MS:-60000}
       CSP_WHITELIST: ${CSP_WHITELIST:-}
-      ALLOW_EMBED: ${ALLOW_EMBED:-false}
       TOP_K_MAX_VALUE: ${TOP_K_MAX_VALUE:-}
       INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH: ${INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH:-}
 

docker/docker-compose.yaml

@@ -37,7 +37,6 @@ x-shared-env: &shared-api-worker-env
   SERVER_WORKER_CONNECTIONS: ${SERVER_WORKER_CONNECTIONS:-10}
   CELERY_WORKER_CLASS: ${CELERY_WORKER_CLASS:-}
   GUNICORN_TIMEOUT: ${GUNICORN_TIMEOUT:-360}
-  GUNICORN_KEEP_ALIVE: ${GUNICORN_KEEP_ALIVE:-2}
   CELERY_WORKER_AMOUNT: ${CELERY_WORKER_AMOUNT:-}
   CELERY_AUTO_SCALE: ${CELERY_AUTO_SCALE:-false}
   CELERY_MAX_WORKERS: ${CELERY_MAX_WORKERS:-}
@@ -390,12 +389,11 @@ x-shared-env: &shared-api-worker-env
   CREATE_TIDB_SERVICE_JOB_ENABLED: ${CREATE_TIDB_SERVICE_JOB_ENABLED:-false}
   MAX_SUBMIT_COUNT: ${MAX_SUBMIT_COUNT:-100}
   TOP_K_MAX_VALUE: ${TOP_K_MAX_VALUE:-10}
-  ALLOW_EMBED: ${ALLOW_EMBED:-false}
 
 services:
   # API service
   api:
-    image: langgenius/dify-api:0.15.8
+    image: langgenius/dify-api:0.15.5-alpha.1
     restart: always
     environment:
       # Use the shared environment variables.
@@ -418,7 +416,7 @@ services:
   # worker service
   # The Celery worker for processing the queue.
   worker:
-    image: langgenius/dify-api:0.15.8
+    image: langgenius/dify-api:0.15.5-alpha.1
     restart: always
     environment:
       # Use the shared environment variables.
@@ -440,7 +438,7 @@ services:
 
   # Frontend web application.
   web:
-    image: langgenius/dify-web:0.15.8
+    image: langgenius/dify-web:0.15.5-alpha.1
     restart: always
     environment:
       CONSOLE_API_URL: ${CONSOLE_API_URL:-}
@@ -449,7 +447,6 @@ services:
       NEXT_TELEMETRY_DISABLED: ${NEXT_TELEMETRY_DISABLED:-0}
       TEXT_GENERATION_TIMEOUT_MS: ${TEXT_GENERATION_TIMEOUT_MS:-60000}
       CSP_WHITELIST: ${CSP_WHITELIST:-}
-      ALLOW_EMBED: ${ALLOW_EMBED:-false}
       TOP_K_MAX_VALUE: ${TOP_K_MAX_VALUE:-}
       INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH: ${INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH:-}
 

web/.env.example

@@ -31,6 +31,3 @@ NEXT_PUBLIC_TOP_K_MAX_VALUE=10
 
 # The maximum number of tokens for segmentation
 NEXT_PUBLIC_INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH=4000
-
-# Default is not allow to embed into iframe to prevent Clickjacking: https://owasp.org/www-community/attacks/Clickjacking
-NEXT_PUBLIC_ALLOW_EMBED=

web/app/(commonLayout)/app/(appDetailLayout)/[appId]/layout.tsx

@@ -15,30 +15,23 @@ import {
 } from '@remixicon/react'
 import { useTranslation } from 'react-i18next'
 import { useShallow } from 'zustand/react/shallow'
+import { useContextSelector } from 'use-context-selector'
 import s from './style.module.css'
 import cn from '@/utils/classnames'
 import { useStore } from '@/app/components/app/store'
 import AppSideBar from '@/app/components/app-sidebar'
 import type { NavIcon } from '@/app/components/app-sidebar/navLink'
-import { fetchAppDetail } from '@/service/apps'
-import { useAppContext } from '@/context/app-context'
+import { fetchAppDetail, fetchAppSSO } from '@/service/apps'
+import AppContext, { useAppContext } from '@/context/app-context'
 import Loading from '@/app/components/base/loading'
 import useBreakpoints, { MediaType } from '@/hooks/use-breakpoints'
 import type { App } from '@/types/app'
-import { useGlobalPublicStore } from '@/context/global-public-context'
 
 export type IAppDetailLayoutProps = {
   children: React.ReactNode
   params: { appId: string }
 }
 
-type NavigationType = {
-  name: string
-  href: string
-  icon: NavIcon
-  selectedIcon: NavIcon
-}
-
 const AppDetailLayout: FC<IAppDetailLayoutProps> = (props) => {
   const {
     children,
@@ -57,8 +50,13 @@ const AppDetailLayout: FC<IAppDetailLayoutProps> = (props) => {
   })))
   const [isLoadingAppDetail, setIsLoadingAppDetail] = useState(false)
   const [appDetailRes, setAppDetailRes] = useState<App | null>(null)
-  const [navigation, setNavigation] = useState<Array<NavigationType>>([])
-  const { systemFeatures } = useGlobalPublicStore()
+  const [navigation, setNavigation] = useState<Array<{
+    name: string
+    href: string
+    icon: NavIcon
+    selectedIcon: NavIcon
+  }>>([])
+  const systemFeatures = useContextSelector(AppContext, state => state.systemFeatures)
 
   const getNavigations = useCallback((appId: string, isCurrentWorkspaceEditor: boolean, mode: string) => {
     const navs = [
@@ -100,11 +98,7 @@ const AppDetailLayout: FC<IAppDetailLayoutProps> = (props) => {
 
   useEffect(() => {
     if (appDetail) {
-      if (systemFeatures.branding.enabled)
-        document.title = `${(appDetail.name || 'App')} - ${systemFeatures.branding.application_title}`
-      else
-        document.title = `${(appDetail.name || 'App')} - Dify`
-
+      document.title = `${(appDetail.name || 'App')} - Dify`
       const localeMode = localStorage.getItem('app-detail-collapse-or-expand') || 'expand'
       const mode = isMobile ? 'collapse' : 'expand'
       setAppSiderbarExpand(isMobile ? mode : localeMode)
@@ -112,7 +106,7 @@ const AppDetailLayout: FC<IAppDetailLayoutProps> = (props) => {
       // if ((appDetail.mode === 'advanced-chat' || appDetail.mode === 'workflow') && (pathname).endsWith('workflow'))
       //   setAppSiderbarExpand('collapse')
     }
-  }, [appDetail, isMobile, pathname, setAppSiderbarExpand, systemFeatures])
+  }, [appDetail, isMobile])
 
   useEffect(() => {
     setAppDetail()
@@ -144,10 +138,15 @@ const AppDetailLayout: FC<IAppDetailLayoutProps> = (props) => {
       router.replace(`/app/${appId}/configuration`)
     }
     else {
-      setAppDetail({ ...res })
-      setNavigation(getNavigations(appId, isCurrentWorkspaceEditor, res.mode) as Array<NavigationType>)
+      setAppDetail({ ...res, enable_sso: false })
+      setNavigation(getNavigations(appId, isCurrentWorkspaceEditor, res.mode))
+      if (systemFeatures.enable_web_sso_switch_component && canIEditApp) {
+        fetchAppSSO({ appId }).then((ssoRes) => {
+          setAppDetail({ ...res, enable_sso: ssoRes.enabled })
+        })
+      }
     }
-  }, [appDetailRes, appId, getNavigations, isCurrentWorkspaceEditor, isLoadingAppDetail, isLoadingCurrentWorkspace, pathname, router, setAppDetail])
+  }, [appDetailRes, appId, getNavigations, isCurrentWorkspaceEditor, isLoadingAppDetail, isLoadingCurrentWorkspace, pathname, router, setAppDetail, systemFeatures.enable_web_sso_switch_component])
 
   useUnmount(() => {
     setAppDetail()

web/app/(commonLayout)/app/(appDetailLayout)/[appId]/overview/cardView.tsx

@@ -2,22 +2,25 @@
 import type { FC } from 'react'
 import React from 'react'
 import { useTranslation } from 'react-i18next'
-import { useContext } from 'use-context-selector'
+import { useContext, useContextSelector } from 'use-context-selector'
 import AppCard from '@/app/components/app/overview/appCard'
 import Loading from '@/app/components/base/loading'
 import { ToastContext } from '@/app/components/base/toast'
 import {
   fetchAppDetail,
+  fetchAppSSO,
+  updateAppSSO,
   updateAppSiteAccessToken,
   updateAppSiteConfig,
   updateAppSiteStatus,
 } from '@/service/apps'
-import type { App } from '@/types/app'
+import type { App, AppSSO } from '@/types/app'
 import type { UpdateAppSiteCodeResponse } from '@/models/app'
 import { asyncRunSafe } from '@/utils'
 import { NEED_REFRESH_APP_LIST_KEY } from '@/config'
 import type { IAppCardProps } from '@/app/components/app/overview/appCard'
 import { useStore as useAppStore } from '@/app/components/app/store'
+import AppContext from '@/context/app-context'
 
 export type ICardViewProps = {
   appId: string
@@ -28,11 +31,18 @@ const CardView: FC<ICardViewProps> = ({ appId }) => {
   const { notify } = useContext(ToastContext)
   const appDetail = useAppStore(state => state.appDetail)
   const setAppDetail = useAppStore(state => state.setAppDetail)
+  const systemFeatures = useContextSelector(AppContext, state => state.systemFeatures)
 
   const updateAppDetail = async () => {
     try {
       const res = await fetchAppDetail({ url: '/apps', id: appId })
-      setAppDetail({ ...res })
+      if (systemFeatures.enable_web_sso_switch_component) {
+        const ssoRes = await fetchAppSSO({ appId })
+        setAppDetail({ ...res, enable_sso: ssoRes.enabled })
+      }
+      else {
+        setAppDetail({ ...res })
+      }
     }
     catch (error) { console.error(error) }
   }
@@ -83,6 +93,16 @@ const CardView: FC<ICardViewProps> = ({ appId }) => {
     if (!err)
       localStorage.setItem(NEED_REFRESH_APP_LIST_KEY, '1')
 
+    if (systemFeatures.enable_web_sso_switch_component) {
+      const [sso_err] = await asyncRunSafe<AppSSO>(
+        updateAppSSO({ id: appId, enabled: Boolean(params.enable_sso) }) as Promise<AppSSO>,
+      )
+      if (sso_err) {
+        handleCallbackResult(sso_err)
+        return
+      }
+    }
+
     handleCallbackResult(err)
   }
 

web/app/(commonLayout)/app/(appDetailLayout)/layout.tsx

@@ -2,9 +2,7 @@
 import type { FC } from 'react'
 import React, { useEffect } from 'react'
 import { useRouter } from 'next/navigation'
-import { useTranslation } from 'react-i18next'
 import { useAppContext } from '@/context/app-context'
-import useDocumentTitle from '@/hooks/use-document-title'
 
 export type IAppDetail = {
   children: React.ReactNode
@@ -13,13 +11,11 @@ export type IAppDetail = {
 const AppDetail: FC<IAppDetail> = ({ children }) => {
   const router = useRouter()
   const { isCurrentWorkspaceDatasetOperator } = useAppContext()
-  const { t } = useTranslation()
-  useDocumentTitle(t('common.menus.appDetail'))
 
   useEffect(() => {
     if (isCurrentWorkspaceDatasetOperator)
       return router.replace('/datasets')
-  }, [isCurrentWorkspaceDatasetOperator, router])
+  }, [isCurrentWorkspaceDatasetOperator])
 
   return (
     <>

web/app/(commonLayout)/apps/AppCard.tsx

@@ -4,7 +4,7 @@ import { useContext, useContextSelector } from 'use-context-selector'
 import { useRouter } from 'next/navigation'
 import { useCallback, useEffect, useState } from 'react'
 import { useTranslation } from 'react-i18next'
-import { RiBuildingLine, RiGlobalLine, RiLockLine, RiMoreFill, RiVerifiedBadgeLine } from '@remixicon/react'
+import { RiMoreFill } from '@remixicon/react'
 import s from './style.module.css'
 import cn from '@/utils/classnames'
 import type { App } from '@/types/app'
@@ -31,9 +31,6 @@ import DSLExportConfirmModal from '@/app/components/workflow/dsl-export-confirm-
 import { fetchWorkflowDraft } from '@/service/workflow'
 import { fetchInstalledAppList } from '@/service/explore'
 import { AppTypeIcon } from '@/app/components/app/type-selector'
-import Tooltip from '@/app/components/base/tooltip'
-import AccessControl from '@/app/components/app/app-access-control'
-import { AccessMode } from '@/models/access-control'
 
 export type AppCardProps = {
   app: App
@@ -56,7 +53,6 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
   const [showDuplicateModal, setShowDuplicateModal] = useState(false)
   const [showSwitchModal, setShowSwitchModal] = useState<boolean>(false)
   const [showConfirmDelete, setShowConfirmDelete] = useState(false)
-  const [showAccessControl, setShowAccessControl] = useState(false)
   const [secretEnvList, setSecretEnvList] = useState<EnvironmentVariable[]>([])
 
   const onConfirmDelete = useCallback(async () => {
@@ -75,7 +71,7 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
       })
     }
     setShowConfirmDelete(false)
-  }, [app.id, mutateApps, notify, onPlanInfoChanged, onRefresh, t])
+  }, [app.id])
 
   const onEdit: CreateAppModalProps['onConfirm'] = useCallback(async ({
     name,
@@ -179,13 +175,6 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
     setShowSwitchModal(false)
   }
 
-  const onUpdateAccessControl = useCallback(() => {
-    if (onRefresh)
-      onRefresh()
-    mutateApps()
-    setShowAccessControl(false)
-  }, [onRefresh, mutateApps, setShowAccessControl])
-
   const Operations = (props: HtmlContentProps) => {
     const onMouseLeave = async () => {
       props.onClose?.()
@@ -220,12 +209,6 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
       e.preventDefault()
       setShowConfirmDelete(true)
     }
-    const onClickAccessControl = async (e: React.MouseEvent<HTMLButtonElement>) => {
-      e.stopPropagation()
-      props.onClick?.()
-      e.preventDefault()
-      setShowAccessControl(true)
-    }
     const onClickInstalledApp = async (e: React.MouseEvent<HTMLButtonElement>) => {
       e.stopPropagation()
       props.onClick?.()
@@ -269,14 +252,6 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
           <span className={s.actionName}>{t('app.openInExplore')}</span>
         </button>
         <Divider className="!my-1" />
-        {
-          isCurrentWorkspaceEditor && <>
-            <button className={s.actionItem} onClick={onClickAccessControl}>
-              <span className={s.actionName}>{t('app.accessControl')}</span>
-            </button>
-            <Divider />
-          </>
-        }
         <div
           className={cn(s.actionItem, s.deleteActionItem, 'group')}
           onClick={onClickDelete}
@@ -303,7 +278,7 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
         }}
         className='relative h-[160px] group col-span-1 bg-components-card-bg border-[1px] border-solid border-components-card-border rounded-xl shadow-sm inline-flex flex-col transition-all duration-200 ease-in-out cursor-pointer hover:shadow-lg'
       >
-        <div className='flex p-4 pb-3 h-[68px] items-start gap-3 grow-0 shrink-0'>
+        <div className='flex pt-[14px] px-[14px] pb-3 h-[66px] items-center gap-3 grow-0 shrink-0'>
           <div className='relative shrink-0'>
             <AppIcon
               size="large"
@@ -326,27 +301,7 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
               {app.mode === 'completion' && <div className='truncate'>{t('app.types.completion').toUpperCase()}</div>}
             </div>
           </div>
-          <div className='shrink-0 w-5 h-5 flex items-center justify-center'>
-            {app.access_mode === AccessMode.PUBLIC && <Tooltip asChild={false} popupContent={t('app.accessItemsDescription.anyone')}>
-              <RiGlobalLine className='h-4 w-4 text-text-quaternary' />
-            </Tooltip >}
-            {
-              app.access_mode === AccessMode.SPECIFIC_GROUPS_MEMBERS && <Tooltip asChild={false} popupContent={t('app.accessItemsDescription.specific')}>
-                <RiLockLine className='text-text-quaternary w-4 h-4' />
-              </Tooltip>
-            }
-            {
-              app.access_mode === AccessMode.ORGANIZATION && <Tooltip asChild={false} popupContent={t('app.accessItemsDescription.organization')}>
-                <RiBuildingLine className='text-text-quaternary w-4 h-4' />
-              </Tooltip>
-            }
-            {
-              app.access_mode === AccessMode.EXTERNAL_MEMBERS && <Tooltip asChild={false} popupContent={t('app.accessItemsDescription.external')}>
-                <RiVerifiedBadgeLine className='h-4 w-4 text-text-quaternary' />
-              </Tooltip>
-            }
-          </div >
-        </div >
+        </div>
         <div className='title-wrapper h-[90px] px-[14px] text-xs leading-normal text-text-tertiary'>
           <div
             className={cn(tags.length ? 'line-clamp-2' : 'line-clamp-4', 'group-hover:line-clamp-2')}
@@ -402,7 +357,7 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
                   popupClassName={
                     (app.mode === 'completion' || app.mode === 'chat')
                       ? '!w-[256px] translate-x-[-224px]'
-                      : '!w-[216px] translate-x-[-128px]'
+                      : '!w-[160px] translate-x-[-128px]'
                   }
                   className={'h-fit !z-20'}
                 />
@@ -410,7 +365,7 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
             </>
           )}
         </div>
-      </div >
+      </div>
       {showEditModal && (
         <EditAppModal
           isEditModal
@@ -427,55 +382,42 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
           onHide={() => setShowEditModal(false)}
         />
       )}
-      {
-        showDuplicateModal && (
-          <DuplicateAppModal
-            appName={app.name}
-            icon_type={app.icon_type}
-            icon={app.icon}
-            icon_background={app.icon_background}
-            icon_url={app.icon_url}
-            show={showDuplicateModal}
-            onConfirm={onCopy}
-            onHide={() => setShowDuplicateModal(false)}
-          />
-        )
-      }
-      {
-        showSwitchModal && (
-          <SwitchAppModal
-            show={showSwitchModal}
-            appDetail={app}
-            onClose={() => setShowSwitchModal(false)}
-            onSuccess={onSwitch}
-          />
-        )
-      }
-      {
-        showConfirmDelete && (
-          <Confirm
-            title={t('app.deleteAppConfirmTitle')}
-            content={t('app.deleteAppConfirmContent')}
-            isShow={showConfirmDelete}
-            onConfirm={onConfirmDelete}
-            onCancel={() => setShowConfirmDelete(false)}
-          />
-        )
-      }
-      {
-        secretEnvList.length > 0 && (
-          <DSLExportConfirmModal
-            envList={secretEnvList}
-            onConfirm={onExport}
-            onClose={() => setSecretEnvList([])}
-          />
-        )
-      }
-      {
-        showAccessControl && (
-          <AccessControl app={app} onConfirm={onUpdateAccessControl} onClose={() => setShowAccessControl(false)} />
-        )
-      }
+      {showDuplicateModal && (
+        <DuplicateAppModal
+          appName={app.name}
+          icon_type={app.icon_type}
+          icon={app.icon}
+          icon_background={app.icon_background}
+          icon_url={app.icon_url}
+          show={showDuplicateModal}
+          onConfirm={onCopy}
+          onHide={() => setShowDuplicateModal(false)}
+        />
+      )}
+      {showSwitchModal && (
+        <SwitchAppModal
+          show={showSwitchModal}
+          appDetail={app}
+          onClose={() => setShowSwitchModal(false)}
+          onSuccess={onSwitch}
+        />
+      )}
+      {showConfirmDelete && (
+        <Confirm
+          title={t('app.deleteAppConfirmTitle')}
+          content={t('app.deleteAppConfirmContent')}
+          isShow={showConfirmDelete}
+          onConfirm={onConfirmDelete}
+          onCancel={() => setShowConfirmDelete(false)}
+        />
+      )}
+      {secretEnvList.length > 0 && (
+        <DSLExportConfirmModal
+          envList={secretEnvList}
+          onConfirm={onExport}
+          onClose={() => setSecretEnvList([])}
+        />
+      )}
     </>
   )
 }

web/app/(commonLayout)/apps/Apps.tsx

@@ -85,6 +85,7 @@ const Apps = () => {
   ]
 
   useEffect(() => {
+    document.title = `${t('common.menus.apps')} -  Dify`
     if (localStorage.getItem(NEED_REFRESH_APP_LIST_KEY) === '1') {
       localStorage.removeItem(NEED_REFRESH_APP_LIST_KEY)
       mutate()

web/app/(commonLayout)/apps/page.tsx

@@ -1,20 +1,21 @@
 'use client'
+import { useContextSelector } from 'use-context-selector'
 import { useTranslation } from 'react-i18next'
 import { RiDiscordFill, RiGithubFill } from '@remixicon/react'
 import Link from 'next/link'
 import style from '../list.module.css'
 import Apps from './Apps'
-import { useGlobalPublicStore } from '@/context/global-public-context'
-import useDocumentTitle from '@/hooks/use-document-title'
+import AppContext from '@/context/app-context'
+import { LicenseStatus } from '@/types/feature'
 
 const AppList = () => {
   const { t } = useTranslation()
-  const { systemFeatures } = useGlobalPublicStore()
-  useDocumentTitle(t('common.menus.apps'))
+  const systemFeatures = useContextSelector(AppContext, v => v.systemFeatures)
+
   return (
     <div className='relative flex flex-col overflow-y-auto bg-background-body shrink-0 h-0 grow'>
       <Apps />
-      {!systemFeatures.branding.enabled && <footer className='px-12 py-6 grow-0 shrink-0'>
+      {systemFeatures.license.status === LicenseStatus.NONE && <footer className='px-12 py-6 grow-0 shrink-0'>
         <h3 className='text-xl font-semibold leading-tight text-gradient'>{t('app.join')}</h3>
         <p className='mt-1 system-sm-regular text-text-tertiary'>{t('app.communityIntro')}</p>
         <div className='flex items-center gap-2 mt-3'>

web/app/(commonLayout)/datasets/(datasetDetailLayout)/[datasetId]/layout.tsx

@@ -31,7 +31,6 @@ import { getLocaleOnClient } from '@/i18n'
 import { useAppContext } from '@/context/app-context'
 import Tooltip from '@/app/components/base/tooltip'
 import LinkedAppsPanel from '@/app/components/base/linked-apps-panel'
-import useDocumentTitle from '@/hooks/use-document-title'
 
 export type IAppDetailLayoutProps = {
   children: React.ReactNode
@@ -187,7 +186,11 @@ const DatasetDetailLayout: FC<IAppDetailLayoutProps> = (props) => {
     }
     return baseNavigation
   }, [datasetRes?.provider, datasetId, t])
-  useDocumentTitle(`${datasetRes?.name || 'Dataset'}`)
+
+  useEffect(() => {
+    if (datasetRes)
+      document.title = `${datasetRes.name || 'Dataset'} - Dify`
+  }, [datasetRes])
 
   const setAppSiderbarExpand = useStore(state => state.setAppSiderbarExpand)
 

web/app/(commonLayout)/datasets/Container.tsx

@@ -29,11 +29,9 @@ import { useTabSearchParams } from '@/hooks/use-tab-searchparams'
 import { useStore as useTagStore } from '@/app/components/base/tag-management/store'
 import { useAppContext } from '@/context/app-context'
 import { useExternalApiPanel } from '@/context/external-api-panel-context'
-import { useGlobalPublicStore } from '@/context/global-public-context'
 
 const Container = () => {
   const { t } = useTranslation()
-  const { systemFeatures } = useGlobalPublicStore()
   const router = useRouter()
   const { currentWorkspace, isCurrentWorkspaceOwner } = useAppContext()
   const showTagManagementModal = useTagStore(s => s.showTagManagementModal)
@@ -125,7 +123,7 @@ const Container = () => {
       {activeTab === 'dataset' && (
         <>
           <Datasets containerRef={containerRef} tags={tagIDs} keywords={searchKeywords} includeAll={includeAll} />
-          {!systemFeatures.branding.enabled && <DatasetFooter />}
+          <DatasetFooter />
           {showTagManagementModal && (
             <TagManagementModal type='knowledge' show={showTagManagementModal} />
           )}

web/app/(commonLayout)/datasets/Datasets.tsx

@@ -3,6 +3,7 @@
 import { useEffect, useRef } from 'react'
 import useSWRInfinite from 'swr/infinite'
 import { debounce } from 'lodash-es'
+import { useTranslation } from 'react-i18next'
 import NewDatasetCard from './NewDatasetCard'
 import DatasetCard from './DatasetCard'
 import type { DataSetListResponse, FetchDatasetsParams } from '@/models/datasets'
@@ -56,8 +57,11 @@ const Datasets = ({
   const loadingStateRef = useRef(false)
   const anchorRef = useRef<HTMLAnchorElement>(null)
 
+  const { t } = useTranslation()
+
   useEffect(() => {
     loadingStateRef.current = isLoading
+    document.title = `${t('dataset.knowledge')} - Dify`
   }, [isLoading])
 
   useEffect(() => {
@@ -76,7 +80,7 @@ const Datasets = ({
 
   return (
     <nav className='grid content-start grid-cols-1 gap-4 px-12 pt-2 sm:grid-cols-2 md:grid-cols-3 lg:grid-cols-4 grow shrink-0'>
-      {isCurrentWorkspaceEditor && <NewDatasetCard ref={anchorRef} />}
+      { isCurrentWorkspaceEditor && <NewDatasetCard ref={anchorRef} /> }
       {data?.map(({ data: datasets }) => datasets.map(dataset => (
         <DatasetCard key={dataset.id} dataset={dataset} onSuccess={mutate} />),
       ))}

web/app/(commonLayout)/datasets/page.tsx

@@ -1,12 +1,11 @@
-'use client'
-import { useTranslation } from 'react-i18next'
 import Container from './Container'
-import useDocumentTitle from '@/hooks/use-document-title'
 
-const AppList = () => {
-  const { t } = useTranslation()
-  useDocumentTitle(t('common.menus.datasets'))
+const AppList = async () => {
   return <Container />
 }
 
+export const metadata = {
+  title: 'Datasets - Dify',
+}
+
 export default AppList

web/app/(commonLayout)/datasets/template/template.en.mdx

@@ -6,7 +6,7 @@ import { Row, Col, Properties, Property, Heading, SubProperty, PropertyInstructi
 <div>
   ### Authentication
 
-  Service API authenticates using an `API-Key`.
+  Service API of Dify authenticates using an `API-Key`.
 
   It is suggested that developers store the `API-Key` in the backend instead of sharing or storing it in the client side to avoid the leakage of the `API-Key`, which may lead to property loss.
 

web/app/(commonLayout)/datasets/template/template.zh.mdx

@@ -6,7 +6,7 @@ import { Row, Col, Properties, Property, Heading, SubProperty, PropertyInstructi
 <div>
   ### 鉴权
 
-  Service API 使用 `API-Key` 进行鉴权。
+  Dify Service API 使用 `API-Key` 进行鉴权。
 
   建议开发者把 `API-Key` 放在后端存储，而非分享或者放在客户端存储，以免 `API-Key` 泄露，导致财产损失。
 

web/app/(commonLayout)/explore/layout.tsx

@@ -1,13 +1,11 @@
-'use client'
-import type { FC, PropsWithChildren } from 'react'
+import type { FC } from 'react'
 import React from 'react'
-import { useTranslation } from 'react-i18next'
 import ExploreClient from '@/app/components/explore'
-import useDocumentTitle from '@/hooks/use-document-title'
+export type IAppDetail = {
+  children: React.ReactNode
+}
 
-const ExploreLayout: FC<PropsWithChildren> = ({ children }) => {
-  const { t } = useTranslation()
-  useDocumentTitle(t('common.menus.explore'))
+const AppDetail: FC<IAppDetail> = ({ children }) => {
   return (
     <ExploreClient>
       {children}
@@ -15,4 +13,4 @@ const ExploreLayout: FC<PropsWithChildren> = ({ children }) => {
   )
 }
 
-export default React.memo(ExploreLayout)
+export default React.memo(AppDetail)

web/app/(commonLayout)/layout.tsx

@@ -30,4 +30,9 @@ const Layout = ({ children }: { children: ReactNode }) => {
     </>
   )
 }
+
+export const metadata = {
+  title: 'Dify',
+}
+
 export default Layout

web/app/(commonLayout)/tools/page.tsx

@@ -1,16 +1,22 @@
 'use client'
 import type { FC } from 'react'
 import { useRouter } from 'next/navigation'
-import React, { useEffect } from 'react'
 import { useTranslation } from 'react-i18next'
+import React, { useEffect } from 'react'
 import ToolProviderList from '@/app/components/tools/provider-list'
 import { useAppContext } from '@/context/app-context'
-import useDocumentTitle from '@/hooks/use-document-title'
-const ToolsList: FC = () => {
+
+const Layout: FC = () => {
+  const { t } = useTranslation()
   const router = useRouter()
   const { isCurrentWorkspaceDatasetOperator } = useAppContext()
-  const { t } = useTranslation()
-  useDocumentTitle(t('common.menus.tools'))
+
+  useEffect(() => {
+    if (typeof window !== 'undefined')
+      document.title = `${t('tools.title')} - Dify`
+    if (isCurrentWorkspaceDatasetOperator)
+      return router.replace('/datasets')
+  }, [isCurrentWorkspaceDatasetOperator, router, t])
 
   useEffect(() => {
     if (isCurrentWorkspaceDatasetOperator)
@@ -19,4 +25,4 @@ const ToolsList: FC = () => {
 
   return <ToolProviderList />
 }
-export default React.memo(ToolsList)
+export default React.memo(Layout)

web/app/(shareLayout)/layout.tsx

@@ -1,42 +1,14 @@
-'use client'
-import React, { useEffect, useState } from 'react'
+import React from 'react'
 import type { FC } from 'react'
-import { usePathname, useSearchParams } from 'next/navigation'
-import Loading from '../components/base/loading'
-import { useGlobalPublicStore } from '@/context/global-public-context'
-import { AccessMode } from '@/models/access-control'
-import { getAppAccessModeByAppCode } from '@/service/share'
+import type { Metadata } from 'next'
+
+export const metadata: Metadata = {
+  icons: 'data:,', // prevent browser from using default favicon
+}
 
 const Layout: FC<{
   children: React.ReactNode
 }> = ({ children }) => {
-  const isGlobalPending = useGlobalPublicStore(s => s.isGlobalPending)
-  const setWebAppAccessMode = useGlobalPublicStore(s => s.setWebAppAccessMode)
-  const pathname = usePathname()
-  const searchParams = useSearchParams()
-  const redirectUrl = searchParams.get('redirect_url')
-  const [isLoading, setIsLoading] = useState(true)
-  useEffect(() => {
-    (async () => {
-      let appCode: string | null = null
-      if (redirectUrl)
-        appCode = redirectUrl?.split('/').pop() || null
-      else
-        appCode = pathname.split('/').pop() || null
-
-      if (!appCode)
-        return
-      setIsLoading(true)
-      const ret = await getAppAccessModeByAppCode(appCode)
-      setWebAppAccessMode(ret?.accessMode || AccessMode.PUBLIC)
-      setIsLoading(false)
-    })()
-  }, [pathname, redirectUrl, setWebAppAccessMode])
-  if (isLoading || isGlobalPending) {
-    return <div className='flex h-full w-full items-center justify-center'>
-      <Loading />
-    </div>
-  }
   return (
     <div className="min-w-[300px] h-full pb-[env(safe-area-inset-bottom)]">
       {children}

web/app/(shareLayout)/webapp-reset-password/check-code/page.tsx

@@ -1,96 +0,0 @@
-'use client'
-import { RiArrowLeftLine, RiMailSendFill } from '@remixicon/react'
-import { useTranslation } from 'react-i18next'
-import { useState } from 'react'
-import { useRouter, useSearchParams } from 'next/navigation'
-import { useContext } from 'use-context-selector'
-import Countdown from '@/app/components/signin/countdown'
-import Button from '@/app/components/base/button'
-import Input from '@/app/components/base/input'
-import Toast from '@/app/components/base/toast'
-import { sendWebAppResetPasswordCode, verifyWebAppResetPasswordCode } from '@/service/common'
-import I18NContext from '@/context/i18n'
-
-export default function CheckCode() {
-  const { t } = useTranslation()
-  const router = useRouter()
-  const searchParams = useSearchParams()
-  const email = decodeURIComponent(searchParams.get('email') as string)
-  const token = decodeURIComponent(searchParams.get('token') as string)
-  const [code, setVerifyCode] = useState('')
-  const [loading, setIsLoading] = useState(false)
-  const { locale } = useContext(I18NContext)
-
-  const verify = async () => {
-    try {
-      if (!code.trim()) {
-        Toast.notify({
-          type: 'error',
-          message: t('login.checkCode.emptyCode'),
-        })
-        return
-      }
-      if (!/\d{6}/.test(code)) {
-        Toast.notify({
-          type: 'error',
-          message: t('login.checkCode.invalidCode'),
-        })
-        return
-      }
-      setIsLoading(true)
-      const ret = await verifyWebAppResetPasswordCode({ email, code, token })
-      if (ret.is_valid) {
-        const params = new URLSearchParams(searchParams)
-        params.set('token', encodeURIComponent(ret.token))
-        router.push(`/webapp-reset-password/set-password?${params.toString()}`)
-      }
-    }
-    catch (error) { console.error(error) }
-    finally {
-      setIsLoading(false)
-    }
-  }
-
-  const resendCode = async () => {
-    try {
-      const res = await sendWebAppResetPasswordCode(email, locale)
-      if (res.result === 'success') {
-        const params = new URLSearchParams(searchParams)
-        params.set('token', encodeURIComponent(res.data))
-        router.replace(`/webapp-reset-password/check-code?${params.toString()}`)
-      }
-    }
-    catch (error) { console.error(error) }
-  }
-
-  return <div className='flex flex-col gap-3'>
-    <div className='inline-flex h-14 w-14 items-center justify-center rounded-2xl border border-components-panel-border-subtle bg-background-default-dodge text-text-accent-light-mode-only shadow-lg'>
-      <RiMailSendFill className='h-6 w-6 text-2xl' />
-    </div>
-    <div className='pb-4 pt-2'>
-      <h2 className='title-4xl-semi-bold text-text-primary'>{t('login.checkCode.checkYourEmail')}</h2>
-      <p className='body-md-regular mt-2 text-text-secondary'>
-        <span dangerouslySetInnerHTML={{ __html: t('login.checkCode.tips', { email }) as string }}></span>
-        <br />
-        {t('login.checkCode.validTime')}
-      </p>
-    </div>
-
-    <form action="">
-      <input type='text' className='hidden' />
-      <label htmlFor="code" className='system-md-semibold mb-1 text-text-secondary'>{t('login.checkCode.verificationCode')}</label>
-      <Input value={code} onChange={e => setVerifyCode(e.target.value)} max-length={6} className='mt-1' placeholder={t('login.checkCode.verificationCodePlaceholder') as string} />
-      <Button loading={loading} disabled={loading} className='my-3 w-full' variant='primary' onClick={verify}>{t('login.checkCode.verify')}</Button>
-      <Countdown onResend={resendCode} />
-    </form>
-    <div className='py-2'>
-      <div className='h-px bg-gradient-to-r from-background-gradient-mask-transparent via-divider-regular to-background-gradient-mask-transparent'></div>
-    </div>
-    <div onClick={() => router.back()} className='flex h-9 cursor-pointer items-center justify-center text-text-tertiary'>
-      <div className='bg-background-default-dimm inline-block rounded-full p-1'>
-        <RiArrowLeftLine size={12} />
-      </div>
-      <span className='system-xs-regular ml-2'>{t('login.back')}</span>
-    </div>
-  </div>
-}

web/app/(shareLayout)/webapp-reset-password/layout.tsx

@@ -1,30 +0,0 @@
-'use client'
-import Header from '@/app/signin/_header'
-
-import cn from '@/utils/classnames'
-import { useGlobalPublicStore } from '@/context/global-public-context'
-
-export default function SignInLayout({ children }: any) {
-  const { systemFeatures } = useGlobalPublicStore()
-  return <>
-    <div className={cn('flex min-h-screen w-full justify-center bg-background-default-burn p-6')}>
-      <div className={cn('flex w-full shrink-0 flex-col rounded-2xl border border-effects-highlight bg-background-default-subtle')}>
-        <Header />
-        <div className={
-          cn(
-            'flex w-full grow flex-col items-center justify-center',
-            'px-6',
-            'md:px-[108px]',
-          )
-        }>
-          <div className='flex w-[400px] flex-col'>
-            {children}
-          </div>
-        </div>
-        {!systemFeatures.branding.enabled && <div className='system-xs-regular px-8 py-6 text-text-tertiary'>
-          © {new Date().getFullYear()} LangGenius, Inc. All rights reserved.
-        </div>}
-      </div>
-    </div>
-  </>
-}

web/app/(shareLayout)/webapp-reset-password/page.tsx

@@ -1,104 +0,0 @@
-'use client'
-import Link from 'next/link'
-import { RiArrowLeftLine, RiLockPasswordLine } from '@remixicon/react'
-import { useTranslation } from 'react-i18next'
-import { useState } from 'react'
-import { useRouter, useSearchParams } from 'next/navigation'
-import { useContext } from 'use-context-selector'
-import { noop } from 'lodash-es'
-import { COUNT_DOWN_KEY, COUNT_DOWN_TIME_MS } from '@/app/components/signin/countdown'
-import { emailRegex } from '@/config'
-import Button from '@/app/components/base/button'
-import Input from '@/app/components/base/input'
-import Toast from '@/app/components/base/toast'
-import { sendResetPasswordCode } from '@/service/common'
-import I18NContext from '@/context/i18n'
-import useDocumentTitle from '@/hooks/use-document-title'
-
-export default function CheckCode() {
-  const { t } = useTranslation()
-  useDocumentTitle('')
-  const searchParams = useSearchParams()
-  const router = useRouter()
-  const [email, setEmail] = useState('')
-  const [loading, setIsLoading] = useState(false)
-  const { locale } = useContext(I18NContext)
-
-  const handleGetEMailVerificationCode = async () => {
-    try {
-      if (!email) {
-        Toast.notify({ type: 'error', message: t('login.error.emailEmpty') })
-        return
-      }
-
-      if (!emailRegex.test(email)) {
-        Toast.notify({
-          type: 'error',
-          message: t('login.error.emailInValid'),
-        })
-        return
-      }
-      setIsLoading(true)
-      const res = await sendResetPasswordCode(email, locale)
-      if (res.result === 'success') {
-        localStorage.setItem(COUNT_DOWN_KEY, `${COUNT_DOWN_TIME_MS}`)
-        const params = new URLSearchParams(searchParams)
-        params.set('token', encodeURIComponent(res.data))
-        params.set('email', encodeURIComponent(email))
-        router.push(`/webapp-reset-password/check-code?${params.toString()}`)
-      }
-      else if (res.code === 'account_not_found') {
-        Toast.notify({
-          type: 'error',
-          message: t('login.error.registrationNotAllowed'),
-        })
-      }
-      else {
-        Toast.notify({
-          type: 'error',
-          message: res.data,
-        })
-      }
-    }
-    catch (error) {
-      console.error(error)
-    }
-    finally {
-      setIsLoading(false)
-    }
-  }
-
-  return <div className='flex flex-col gap-3'>
-    <div className='inline-flex h-14 w-14 items-center justify-center rounded-2xl border border-components-panel-border-subtle bg-background-default-dodge shadow-lg'>
-      <RiLockPasswordLine className='h-6 w-6 text-2xl text-text-accent-light-mode-only' />
-    </div>
-    <div className='pb-4 pt-2'>
-      <h2 className='title-4xl-semi-bold text-text-primary'>{t('login.resetPassword')}</h2>
-      <p className='body-md-regular mt-2 text-text-secondary'>
-        {t('login.resetPasswordDesc')}
-      </p>
-    </div>
-
-    <form onSubmit={noop}>
-      <input type='text' className='hidden' />
-      <div className='mb-2'>
-        <label htmlFor="email" className='system-md-semibold my-2 text-text-secondary'>{t('login.email')}</label>
-        <div className='mt-1'>
-          <Input id='email' type="email" disabled={loading} value={email} placeholder={t('login.emailPlaceholder') as string} onChange={e => setEmail(e.target.value)} />
-        </div>
-        <div className='mt-3'>
-          <Button loading={loading} disabled={loading} variant='primary' className='w-full' onClick={handleGetEMailVerificationCode}>{t('login.sendVerificationCode')}</Button>
-        </div>
-      </div>
-    </form>
-    <div className='py-2'>
-      <div className='h-px bg-gradient-to-r from-background-gradient-mask-transparent via-divider-regular to-background-gradient-mask-transparent'></div>
-    </div>
-    <Link href={`/webapp-signin?${searchParams.toString()}`} className='flex h-9 items-center justify-center text-text-tertiary hover:text-text-primary'>
-      <div className='inline-block rounded-full bg-background-default-dimmed p-1'>
-        <RiArrowLeftLine size={12} />
-      </div>
-      <span className='system-xs-regular ml-2'>{t('login.backToLogin')}</span>
-    </Link>
-  </div>
-}

web/app/(shareLayout)/webapp-reset-password/set-password/page.tsx

@@ -1,188 +0,0 @@
-'use client'
-import { useCallback, useState } from 'react'
-import { useTranslation } from 'react-i18next'
-import { useRouter, useSearchParams } from 'next/navigation'
-import cn from 'classnames'
-import { RiCheckboxCircleFill } from '@remixicon/react'
-import { useCountDown } from 'ahooks'
-import Button from '@/app/components/base/button'
-import { changeWebAppPasswordWithToken } from '@/service/common'
-import Toast from '@/app/components/base/toast'
-import Input from '@/app/components/base/input'
-
-const validPassword = /^(?=.*[a-zA-Z])(?=.*\d).{8,}$/
-
-const ChangePasswordForm = () => {
-  const { t } = useTranslation()
-  const router = useRouter()
-  const searchParams = useSearchParams()
-  const token = decodeURIComponent(searchParams.get('token') || '')
-
-  const [password, setPassword] = useState('')
-  const [confirmPassword, setConfirmPassword] = useState('')
-  const [showSuccess, setShowSuccess] = useState(false)
-  const [showPassword, setShowPassword] = useState(false)
-  const [showConfirmPassword, setShowConfirmPassword] = useState(false)
-
-  const showErrorMessage = useCallback((message: string) => {
-    Toast.notify({
-      type: 'error',
-      message,
-    })
-  }, [])
-
-  const getSignInUrl = () => {
-    return `/webapp-signin?redirect_url=${searchParams.get('redirect_url') || ''}`
-  }
-
-  const AUTO_REDIRECT_TIME = 5000
-  const [leftTime, setLeftTime] = useState<number | undefined>(undefined)
-  const [countdown] = useCountDown({
-    leftTime,
-    onEnd: () => {
-      router.replace(getSignInUrl())
-    },
-  })
-
-  const valid = useCallback(() => {
-    if (!password.trim()) {
-      showErrorMessage(t('login.error.passwordEmpty'))
-      return false
-    }
-    if (!validPassword.test(password)) {
-      showErrorMessage(t('login.error.passwordInvalid'))
-      return false
-    }
-    if (password !== confirmPassword) {
-      showErrorMessage(t('common.account.notEqual'))
-      return false
-    }
-    return true
-  }, [password, confirmPassword, showErrorMessage, t])
-
-  const handleChangePassword = useCallback(async () => {
-    if (!valid())
-      return
-    try {
-      await changeWebAppPasswordWithToken({
-        url: '/forgot-password/resets',
-        body: {
-          token,
-          new_password: password,
-          password_confirm: confirmPassword,
-        },
-      })
-      setShowSuccess(true)
-      setLeftTime(AUTO_REDIRECT_TIME)
-    }
-    catch (error) {
-      console.error(error)
-    }
-  }, [password, token, valid, confirmPassword])
-
-  return (
-    <div className={
-      cn(
-        'flex w-full grow flex-col items-center justify-center',
-        'px-6',
-        'md:px-[108px]',
-      )
-    }>
-      {!showSuccess && (
-        <div className='flex flex-col md:w-[400px]'>
-          <div className="mx-auto w-full">
-            <h2 className="title-4xl-semi-bold text-text-primary">
-              {t('login.changePassword')}
-            </h2>
-            <p className='body-md-regular mt-2 text-text-secondary'>
-              {t('login.changePasswordTip')}
-            </p>
-          </div>
-
-          <div className="mx-auto mt-6 w-full">
-            <div className="bg-white">
-              {/* Password */}
-              <div className='mb-5'>
-                <label htmlFor="password" className="system-md-semibold my-2 text-text-secondary">
-                  {t('common.account.newPassword')}
-                </label>
-                <div className='relative mt-1'>
-                  <Input
-                    id="password" type={showPassword ? 'text' : 'password'}
-                    value={password}
-                    onChange={e => setPassword(e.target.value)}
-                    placeholder={t('login.passwordPlaceholder') || ''}
-                  />
-
-                  <div className="absolute inset-y-0 right-0 flex items-center">
-                    <Button
-                      type="button"
-                      variant='ghost'
-                      onClick={() => setShowPassword(!showPassword)}
-                    >
-                      {showPassword ? '👀' : '😝'}
-                    </Button>
-                  </div>
-                </div>
-                <div className='body-xs-regular mt-1 text-text-secondary'>{t('login.error.passwordInvalid')}</div>
-              </div>
-              {/* Confirm Password */}
-              <div className='mb-5'>
-                <label htmlFor="confirmPassword" className="system-md-semibold my-2 text-text-secondary">
-                  {t('common.account.confirmPassword')}
-                </label>
-                <div className='relative mt-1'>
-                  <Input
-                    id="confirmPassword"
-                    type={showConfirmPassword ? 'text' : 'password'}
-                    value={confirmPassword}
-                    onChange={e => setConfirmPassword(e.target.value)}
-                    placeholder={t('login.confirmPasswordPlaceholder') || ''}
-                  />
-                  <div className="absolute inset-y-0 right-0 flex items-center">
-                    <Button
-                      type="button"
-                      variant='ghost'
-                      onClick={() => setShowConfirmPassword(!showConfirmPassword)}
-                    >
-                      {showConfirmPassword ? '👀' : '😝'}
-                    </Button>
-                  </div>
-                </div>
-              </div>
-              <div>
-                <Button
-                  variant='primary'
-                  className='w-full'
-                  onClick={handleChangePassword}
-                >
-                  {t('login.changePasswordBtn')}
-                </Button>
-              </div>
-            </div>
-          </div>
-        </div>
-      )}
-      {showSuccess && (
-        <div className="flex flex-col md:w-[400px]">
-          <div className="mx-auto w-full">
-            <div className="mb-3 flex h-14 w-14 items-center justify-center rounded-2xl border border-components-panel-border-subtle font-bold shadow-lg">
-              <RiCheckboxCircleFill className='h-6 w-6 text-text-success' />
-            </div>
-            <h2 className="title-4xl-semi-bold text-text-primary">
-              {t('login.passwordChangedTip')}
-            </h2>
-          </div>
-          <div className="mx-auto mt-6 w-full">
-            <Button variant='primary' className='w-full' onClick={() => {
-              setLeftTime(undefined)
-              router.replace(getSignInUrl())
-            }}>{t('login.passwordChanged')} ({Math.round(countdown / 1000)}) </Button>
-          </div>
-        </div>
-      )}
-    </div>
-  )
-}
-
-export default ChangePasswordForm

web/app/(shareLayout)/webapp-signin/check-code/page.tsx

@@ -1,115 +0,0 @@
-'use client'
-import { RiArrowLeftLine, RiMailSendFill } from '@remixicon/react'
-import { useTranslation } from 'react-i18next'
-import { useCallback, useState } from 'react'
-import { useRouter, useSearchParams } from 'next/navigation'
-import { useContext } from 'use-context-selector'
-import Countdown from '@/app/components/signin/countdown'
-import Button from '@/app/components/base/button'
-import Input from '@/app/components/base/input'
-import Toast from '@/app/components/base/toast'
-import { sendWebAppEMailLoginCode, webAppEmailLoginWithCode } from '@/service/common'
-import I18NContext from '@/context/i18n'
-import { setAccessToken } from '@/app/components/share/utils'
-import { fetchAccessToken } from '@/service/share'
-
-export default function CheckCode() {
-  const { t } = useTranslation()
-  const router = useRouter()
-  const searchParams = useSearchParams()
-  const email = decodeURIComponent(searchParams.get('email') as string)
-  const token = decodeURIComponent(searchParams.get('token') as string)
-  const [code, setVerifyCode] = useState('')
-  const [loading, setIsLoading] = useState(false)
-  const { locale } = useContext(I18NContext)
-  const redirectUrl = searchParams.get('redirect_url')
-
-  const getAppCodeFromRedirectUrl = useCallback(() => {
-    const appCode = redirectUrl?.split('/').pop()
-    if (!appCode)
-      return null
-
-    return appCode
-  }, [redirectUrl])
-
-  const verify = async () => {
-    try {
-      const appCode = getAppCodeFromRedirectUrl()
-      if (!code.trim()) {
-        Toast.notify({
-          type: 'error',
-          message: t('login.checkCode.emptyCode'),
-        })
-        return
-      }
-      if (!/\d{6}/.test(code)) {
-        Toast.notify({
-          type: 'error',
-          message: t('login.checkCode.invalidCode'),
-        })
-        return
-      }
-      if (!redirectUrl || !appCode) {
-        Toast.notify({
-          type: 'error',
-          message: t('login.error.redirectUrlMissing'),
-        })
-        return
-      }
-      setIsLoading(true)
-      const ret = await webAppEmailLoginWithCode({ email, code, token })
-      if (ret.result === 'success') {
-        localStorage.setItem('webapp_access_token', ret.data.access_token)
-        const tokenResp = await fetchAccessToken({ appCode, webAppAccessToken: ret.data.access_token })
-        await setAccessToken(appCode, tokenResp.access_token)
-        router.replace(redirectUrl)
-      }
-    }
-    catch (error) { console.error(error) }
-    finally {
-      setIsLoading(false)
-    }
-  }
-
-  const resendCode = async () => {
-    try {
-      const ret = await sendWebAppEMailLoginCode(email, locale)
-      if (ret.result === 'success') {
-        const params = new URLSearchParams(searchParams)
-        params.set('token', encodeURIComponent(ret.data))
-        router.replace(`/webapp-signin/check-code?${params.toString()}`)
-      }
-    }
-    catch (error) { console.error(error) }
-  }
-
-  return <div className='flex w-[400px] flex-col gap-3'>
-    <div className='inline-flex h-14 w-14 items-center justify-center rounded-2xl border border-components-panel-border-subtle bg-background-default-dodge shadow-lg'>
-      <RiMailSendFill className='h-6 w-6 text-2xl text-text-accent-light-mode-only' />
-    </div>
-    <div className='pb-4 pt-2'>
-      <h2 className='title-4xl-semi-bold text-text-primary'>{t('login.checkCode.checkYourEmail')}</h2>
-      <p className='body-md-regular mt-2 text-text-secondary'>
-        <span dangerouslySetInnerHTML={{ __html: t('login.checkCode.tips', { email }) as string }}></span>
-        <br />
-        {t('login.checkCode.validTime')}
-      </p>
-    </div>
-
-    <form action="">
-      <label htmlFor="code" className='system-md-semibold mb-1 text-text-secondary'>{t('login.checkCode.verificationCode')}</label>
-      <Input value={code} onChange={e => setVerifyCode(e.target.value)} max-length={6} className='mt-1' placeholder={t('login.checkCode.verificationCodePlaceholder') as string} />
-      <Button loading={loading} disabled={loading} className='my-3 w-full' variant='primary' onClick={verify}>{t('login.checkCode.verify')}</Button>
-      <Countdown onResend={resendCode} />
-    </form>
-    <div className='py-2'>
-      <div className='h-px bg-gradient-to-r from-background-gradient-mask-transparent via-divider-regular to-background-gradient-mask-transparent'></div>
-    </div>
-    <div onClick={() => router.back()} className='flex h-9 cursor-pointer items-center justify-center text-text-tertiary'>
-      <div className='bg-background-default-dimm inline-block rounded-full p-1'>
-        <RiArrowLeftLine size={12} />
-      </div>
-      <span className='system-xs-regular ml-2'>{t('login.back')}</span>
-    </div>
-  </div>
-}

web/app/(shareLayout)/webapp-signin/components/external-member-sso-auth.tsx

@@ -1,80 +0,0 @@
-'use client'
-import { useRouter, useSearchParams } from 'next/navigation'
-import React, { useCallback, useEffect } from 'react'
-import Toast from '@/app/components/base/toast'
-import { fetchWebOAuth2SSOUrl, fetchWebOIDCSSOUrl, fetchWebSAMLSSOUrl } from '@/service/share'
-import { useGlobalPublicStore } from '@/context/global-public-context'
-import { SSOProtocol } from '@/types/feature'
-import Loading from '@/app/components/base/loading'
-import AppUnavailable from '@/app/components/base/app-unavailable'
-
-const ExternalMemberSSOAuth = () => {
-  const systemFeatures = useGlobalPublicStore(s => s.systemFeatures)
-  const searchParams = useSearchParams()
-  const router = useRouter()
-
-  const redirectUrl = searchParams.get('redirect_url')
-
-  const showErrorToast = (message: string) => {
-    Toast.notify({
-      type: 'error',
-      message,
-    })
-  }
-
-  const getAppCodeFromRedirectUrl = useCallback(() => {
-    const appCode = redirectUrl?.split('/').pop()
-    if (!appCode)
-      return null
-
-    return appCode
-  }, [redirectUrl])
-
-  const handleSSOLogin = useCallback(async () => {
-    const appCode = getAppCodeFromRedirectUrl()
-    if (!appCode || !redirectUrl) {
-      showErrorToast('redirect url or app code is invalid.')
-      return
-    }
-
-    switch (systemFeatures.webapp_auth.sso_config.protocol) {
-      case SSOProtocol.SAML: {
-        const samlRes = await fetchWebSAMLSSOUrl(appCode, redirectUrl)
-        router.push(samlRes.url)
-        break
-      }
-      case SSOProtocol.OIDC: {
-        const oidcRes = await fetchWebOIDCSSOUrl(appCode, redirectUrl)
-        router.push(oidcRes.url)
-        break
-      }
-      case SSOProtocol.OAuth2: {
-        const oauth2Res = await fetchWebOAuth2SSOUrl(appCode, redirectUrl)
-        router.push(oauth2Res.url)
-        break
-      }
-      case '':
-        break
-      default:
-        showErrorToast('SSO protocol is not supported.')
-    }
-  }, [getAppCodeFromRedirectUrl, redirectUrl, router, systemFeatures.webapp_auth.sso_config.protocol])
-
-  useEffect(() => {
-    handleSSOLogin()
-  }, [handleSSOLogin])
-
-  if (!systemFeatures.webapp_auth.sso_config.protocol) {
-    return <div className="flex h-full items-center justify-center">
-      <AppUnavailable code={403} unknownReason='sso protocol is invalid.' />
-    </div>
-  }
-
-  return (
-    <div className="flex h-full items-center justify-center">
-      <Loading />
-    </div>
-  )
-}
-
-export default React.memo(ExternalMemberSSOAuth)

web/app/(shareLayout)/webapp-signin/components/mail-and-code-auth.tsx

@@ -1,68 +0,0 @@
-import { useState } from 'react'
-import { useTranslation } from 'react-i18next'
-import { useRouter, useSearchParams } from 'next/navigation'
-import { useContext } from 'use-context-selector'
-import { noop } from 'lodash-es'
-import Input from '@/app/components/base/input'
-import Button from '@/app/components/base/button'
-import { emailRegex } from '@/config'
-import Toast from '@/app/components/base/toast'
-import { sendWebAppEMailLoginCode } from '@/service/common'
-import { COUNT_DOWN_KEY, COUNT_DOWN_TIME_MS } from '@/app/components/signin/countdown'
-import I18NContext from '@/context/i18n'
-
-export default function MailAndCodeAuth() {
-  const { t } = useTranslation()
-  const router = useRouter()
-  const searchParams = useSearchParams()
-  const emailFromLink = decodeURIComponent(searchParams.get('email') || '')
-  const [email, setEmail] = useState(emailFromLink)
-  const [loading, setIsLoading] = useState(false)
-  const { locale } = useContext(I18NContext)
-
-  const handleGetEMailVerificationCode = async () => {
-    try {
-      if (!email) {
-        Toast.notify({ type: 'error', message: t('login.error.emailEmpty') })
-        return
-      }
-
-      if (!emailRegex.test(email)) {
-        Toast.notify({
-          type: 'error',
-          message: t('login.error.emailInValid'),
-        })
-        return
-      }
-      setIsLoading(true)
-      const ret = await sendWebAppEMailLoginCode(email, locale)
-      if (ret.result === 'success') {
-        localStorage.setItem(COUNT_DOWN_KEY, `${COUNT_DOWN_TIME_MS}`)
-        const params = new URLSearchParams(searchParams)
-        params.set('email', encodeURIComponent(email))
-        params.set('token', encodeURIComponent(ret.data))
-        router.push(`/webapp-signin/check-code?${params.toString()}`)
-      }
-    }
-    catch (error) {
-      console.error(error)
-    }
-    finally {
-      setIsLoading(false)
-    }
-  }
-
-  return (<form onSubmit={noop}>
-    <input type='text' className='hidden' />
-    <div className='mb-2'>
-      <label htmlFor="email" className='system-md-semibold my-2 text-text-secondary'>{t('login.email')}</label>
-      <div className='mt-1'>
-        <Input id='email' type="email" value={email} placeholder={t('login.emailPlaceholder') as string} onChange={e => setEmail(e.target.value)} />
-      </div>
-      <div className='mt-3'>
-        <Button loading={loading} disabled={loading || !email} variant='primary' className='w-full' onClick={handleGetEMailVerificationCode}>{t('login.continueWithCode')}</Button>
-      </div>
-    </div>
-  </form>
-  )
-}