Merge branch 'main' into feat/metadata-condition-filter-support-array

12 months ago · 419b6ae8a6
parent 0620c9de94 3367d4258d
commit 419b6ae8a6
240 changed files with 4405 additions and 2468 deletions
--- a/.devcontainer/post_create_command.sh
+++ b/.devcontainer/post_create_command.sh
@ -1,6 +1,6 @@
 #!/bin/bash
-npm add -g pnpm@10.8.0
+npm add -g pnpm@10.11.1
 cd web && pnpm install
 pipx install uv
--- a/.gitignore
+++ b/.gitignore
@ -192,12 +192,12 @@ sdks/python-client/dist
 sdks/python-client/dify_client.egg-info
 .vscode/*
-!.vscode/launch.json
+!.vscode/launch.json.template
 !.vscode/README.md
 pyrightconfig.json
 api/.vscode
 .idea/
 .vscode
 # pnpm
 /.pnpm-store
@ -207,3 +207,6 @@ plugins.jsonl
 # mise
 mise.toml
 # Next.js build output
 .next/
--- a/.vscode/README.md
+++ b/.vscode/README.md
@ -0,0 +1,14 @@
 # Debugging with VS Code
 This `launch.json.template` file provides various debug configurations for the Dify project within VS Code / Cursor. To use these configurations, you should copy the contents of this file into a new file named `launch.json` in the same `.vscode` directory.
 ## How to Use
 1.  **Create `launch.json`**: If you don't have one, create a file named `launch.json` inside the `.vscode` directory.
 2.  **Copy Content**: Copy the entire content from `launch.json.template` into your newly created `launch.json` file.
 3.  **Select Debug Configuration**: Go to the Run and Debug view in VS Code / Cursor (Ctrl+Shift+D or Cmd+Shift+D).
 4.  **Start Debugging**: Select the desired configuration from the dropdown menu and click the green play button.
 ## Tips
 - If you need to debug with Edge browser instead of Chrome, modify the `serverReadyAction` configuration in the "Next.js: debug full stack" section, change `"debugWithChrome"` to `"debugWithEdge"` to use Microsoft Edge for debugging.
--- a/.vscode/launch.json.template
+++ b/.vscode/launch.json.template
@ -0,0 +1,68 @@
 {
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Python: Flask API",
            "type": "debugpy",
            "request": "launch",
            "module": "flask",
            "env": {
                "FLASK_APP": "app.py",
                "FLASK_ENV": "development",
                "GEVENT_SUPPORT": "True"
            },
            "args": [
                "run",
                "--host=0.0.0.0",
                "--port=5001",
                "--no-debugger",
                "--no-reload"
            ],
            "jinja": true,
            "justMyCode": true,
            "cwd": "${workspaceFolder}/api",
            "python": "${workspaceFolder}/api/.venv/bin/python"
        },
        {
            "name": "Python: Celery Worker (Solo)",
            "type": "debugpy",
            "request": "launch",
            "module": "celery",
            "env": {
                "GEVENT_SUPPORT": "True"
            },
            "args": [
                "-A",
                "app.celery",
                "worker",
                "-P",
                "solo",
                "-c",
                "1",
                "-Q",
                "dataset,generation,mail,ops_trace",
                "--loglevel",
                "INFO"
            ],
            "justMyCode": false,
            "cwd": "${workspaceFolder}/api",
            "python": "${workspaceFolder}/api/.venv/bin/python"
        },
        {
            "name": "Next.js: debug full stack",
            "type": "node",
            "request": "launch",
            "program": "${workspaceFolder}/web/node_modules/next/dist/bin/next",
            "runtimeArgs": ["--inspect"],
            "skipFiles": ["<node_internals>/**"],
            "serverReadyAction": {
              "action": "debugWithChrome",
              "killOnServerStop": true,
              "pattern": "- Local:.+(https?://.+)",
              "uriFormat": "%s",
              "webRoot": "${workspaceFolder}/web"
            },
            "cwd": "${workspaceFolder}/web"
          }
    ]
 }
--- a/api/.env.example
+++ b/api/.env.example
@ -491,3 +491,10 @@ OTEL_METRIC_EXPORT_TIMEOUT=30000
 # Prevent Clickjacking
 ALLOW_EMBED=false
 # Dataset queue monitor configuration
 QUEUE_MONITOR_THRESHOLD=200
 # You can configure multiple ones, separated by commas. eg: test1@dify.ai,test2@dify.ai
 QUEUE_MONITOR_ALERT_EMAILS=
 # Monitor interval in minutes, default is 30 minutes
 QUEUE_MONITOR_INTERVAL=30
--- a/api/commands.py
+++ b/api/commands.py
@ -846,6 +846,9 @@ def clear_orphaned_file_records(force: bool):
        {"type": "text", "table": "workflow_node_executions", "column": "outputs"},
        {"type": "text", "table": "conversations", "column": "introduction"},
        {"type": "text", "table": "conversations", "column": "system_instruction"},
        {"type": "text", "table": "accounts", "column": "avatar"},
        {"type": "text", "table": "apps", "column": "icon"},
        {"type": "text", "table": "sites", "column": "icon"},
        {"type": "json", "table": "messages", "column": "inputs"},
        {"type": "json", "table": "messages", "column": "message"},
    ]
--- a/api/configs/middleware/init.py
+++ b/api/configs/middleware/init.py
@ -2,7 +2,7 @@ import os
 from typing import Any, Literal, Optional
 from urllib.parse import parse_qsl, quote_plus
-from pydantic import Field, NonNegativeInt, PositiveFloat, PositiveInt, computed_field
+from pydantic import Field, NonNegativeFloat, NonNegativeInt, PositiveFloat, PositiveInt, computed_field
 from pydantic_settings import BaseSettings
 from .cache.redis_config import RedisConfig
@ -256,6 +256,25 @@ class InternalTestConfig(BaseSettings):
    )
 class DatasetQueueMonitorConfig(BaseSettings):
    """
    Configuration settings for Dataset Queue Monitor
    """
    QUEUE_MONITOR_THRESHOLD: Optional[NonNegativeInt] = Field(
        description="Threshold for dataset queue monitor",
        default=200,
    )
    QUEUE_MONITOR_ALERT_EMAILS: Optional[str] = Field(
        description="Emails for dataset queue monitor alert, separated by commas",
        default=None,
    )
    QUEUE_MONITOR_INTERVAL: Optional[NonNegativeFloat] = Field(
        description="Interval for dataset queue monitor in minutes",
        default=30,
    )
 class MiddlewareConfig(
    # place the configs in alphabet order
    CeleryConfig,
@ -303,5 +322,6 @@ class MiddlewareConfig(
    BaiduVectorDBConfig,
    OpenGaussConfig,
    TableStoreConfig,
    DatasetQueueMonitorConfig,
 ):
    pass
--- a/api/configs/remote_settings_sources/nacos/http_request.py
+++ b/api/configs/remote_settings_sources/nacos/http_request.py
@ -60,8 +60,7 @@ class NacosHttpClient:
            sign_str = tenant + "+"
        if group:
            sign_str = sign_str + group + "+"
-        if sign_str:
+        sign_str += ts  # Directly concatenate ts without conditional checks, because the nacos auth header forced it.
            sign_str += ts
        return sign_str
    def get_access_token(self, force_refresh=False):
--- a/api/controllers/service_api/dataset/dataset.py
+++ b/api/controllers/service_api/dataset/dataset.py
@ -369,6 +369,7 @@ class DatasetTagsApi(DatasetApiResource):
        )
        parser.add_argument("tag_id", nullable=False, required=True, help="Id of a tag.", type=str)
        args = parser.parse_args()
        args["type"] = "knowledge"
        tag = TagService.update_tags(args, args.get("tag_id"))
        binding_count = TagService.get_tag_binding_count(args.get("tag_id"))
--- a/api/controllers/service_api/dataset/document.py
+++ b/api/controllers/service_api/dataset/document.py
@ -175,8 +175,11 @@ class DocumentAddByFileApi(DatasetApiResource):
        if not dataset:
            raise ValueError("Dataset does not exist.")
-        if not dataset.indexing_technique and not args.get("indexing_technique"):
+
        indexing_technique = args.get("indexing_technique") or dataset.indexing_technique
        if not indexing_technique:
            raise ValueError("indexing_technique is required.")
        args["indexing_technique"] = indexing_technique
        # save file info
        file = request.files["file"]
@ -206,12 +209,16 @@ class DocumentAddByFileApi(DatasetApiResource):
        knowledge_config = KnowledgeConfig(**args)
        DocumentService.document_create_args_validate(knowledge_config)
        dataset_process_rule = dataset.latest_process_rule if "process_rule" not in args else None
        if not knowledge_config.original_document_id and not dataset_process_rule and not knowledge_config.process_rule:
            raise ValueError("process_rule is required.")
        try:
            documents, batch = DocumentService.save_document_with_dataset_id(
                dataset=dataset,
                knowledge_config=knowledge_config,
                account=dataset.created_by_account,
-                dataset_process_rule=dataset.latest_process_rule if "process_rule" not in args else None,
+                dataset_process_rule=dataset_process_rule,
                created_from="api",
            )
        except ProviderTokenNotInitError as ex:
--- a/api/core/app/app_config/easy_ui_based_app/model_config/converter.py
+++ b/api/core/app/app_config/easy_ui_based_app/model_config/converter.py
@ -70,7 +70,7 @@ class ModelConfigConverter:
        if not model_mode:
            model_mode = LLMMode.CHAT.value
            if model_schema and model_schema.model_properties.get(ModelPropertyKey.MODE):
-                model_mode = LLMMode.value_of(model_schema.model_properties[ModelPropertyKey.MODE]).value
+                model_mode = LLMMode(model_schema.model_properties[ModelPropertyKey.MODE]).value
        if not model_schema:
            raise ValueError(f"Model {model_name} not exist.")
--- a/api/core/entities/model_entities.py
+++ b/api/core/entities/model_entities.py
@ -55,6 +55,25 @@ class ProviderModelWithStatusEntity(ProviderModel):
    status: ModelStatus
    load_balancing_enabled: bool = False
    def raise_for_status(self) -> None:
        """
        Check model status and raise ValueError if not active.
        :raises ValueError: When model status is not active, with a descriptive message
        """
        if self.status == ModelStatus.ACTIVE:
            return
        error_messages = {
            ModelStatus.NO_CONFIGURE: "Model is not configured",
            ModelStatus.QUOTA_EXCEEDED: "Model quota has been exceeded",
            ModelStatus.NO_PERMISSION: "No permission to use this model",
            ModelStatus.DISABLED: "Model is disabled",
        }
        if self.status in error_messages:
            raise ValueError(error_messages[self.status])
 class ModelWithProviderEntity(ProviderModelWithStatusEntity):
    """
--- a/api/core/extension/extensible.py
+++ b/api/core/extension/extensible.py
@ -41,45 +41,53 @@ class Extensible:
        extensions = []
        position_map: dict[str, int] = {}
-        # get the path of the current class
+        # Get the package name from the module path
-        current_path = os.path.abspath(cls.__module__.replace(".", os.path.sep) + ".py")
+        package_name = ".".join(cls.__module__.split(".")[:-1])
        current_dir_path = os.path.dirname(current_path)
-        # traverse subdirectories
+        try:
-        for subdir_name in os.listdir(current_dir_path):
+            # Get package directory path
            package_spec = importlib.util.find_spec(package_name)
            if not package_spec or not package_spec.origin:
                raise ImportError(f"Could not find package {package_name}")
            package_dir = os.path.dirname(package_spec.origin)
            # Traverse subdirectories
            for subdir_name in os.listdir(package_dir):
                if subdir_name.startswith("__"):
                    continue
-            subdir_path = os.path.join(current_dir_path, subdir_name)
+                subdir_path = os.path.join(package_dir, subdir_name)
                if not os.path.isdir(subdir_path):
                    continue
                extension_name = subdir_name
            if os.path.isdir(subdir_path):
                file_names = os.listdir(subdir_path)
-                # is builtin extension, builtin extension
+                # Check for extension module file
-                # in the front-end page and business logic, there are special treatments.
+                if (extension_name + ".py") not in file_names:
                    logging.warning(f"Missing {extension_name}.py file in {subdir_path}, Skip.")
                    continue
                # Check for builtin flag and position
                builtin = False
                # default position is 0 can not be None for sort_to_dict_by_position_map
                position = 0
                if "__builtin__" in file_names:
                    builtin = True
                    builtin_file_path = os.path.join(subdir_path, "__builtin__")
                    if os.path.exists(builtin_file_path):
                        position = int(Path(builtin_file_path).read_text(encoding="utf-8").strip())
                    position_map[extension_name] = position
-                if (extension_name + ".py") not in file_names:
+                # Import the extension module
-                    logging.warning(f"Missing {extension_name}.py file in {subdir_path}, Skip.")
+                module_name = f"{package_name}.{extension_name}.{extension_name}"
-                    continue
+                spec = importlib.util.find_spec(module_name)
                # Dynamic loading {subdir_name}.py file and find the subclass of Extensible
                py_path = os.path.join(subdir_path, extension_name + ".py")
                spec = importlib.util.spec_from_file_location(extension_name, py_path)
                if not spec or not spec.loader:
-                    raise Exception(f"Failed to load module {extension_name} from {py_path}")
+                    raise ImportError(f"Failed to load module {module_name}")
                mod = importlib.util.module_from_spec(spec)
                spec.loader.exec_module(mod)
                # Find extension class
                extension_class = None
                for name, obj in vars(mod).items():
                    if isinstance(obj, type) and issubclass(obj, cls) and obj != cls:
@ -87,21 +95,21 @@ class Extensible:
                        break
                if not extension_class:
-                    logging.warning(f"Missing subclass of {cls.__name__} in {py_path}, Skip.")
+                    logging.warning(f"Missing subclass of {cls.__name__} in {module_name}, Skip.")
                    continue
                # Load schema if not builtin
                json_data: dict[str, Any] = {}
                if not builtin:
-                    if "schema.json" not in file_names:
+                    json_path = os.path.join(subdir_path, "schema.json")
                    if not os.path.exists(json_path):
                        logging.warning(f"Missing schema.json file in {subdir_path}, Skip.")
                        continue
                    json_path = os.path.join(subdir_path, "schema.json")
                    json_data = {}
                    if os.path.exists(json_path):
                    with open(json_path, encoding="utf-8") as f:
                        json_data = json.load(f)
                # Create extension
                extensions.append(
                    ModuleExtension(
                        extension_class=extension_class,
@ -113,6 +121,11 @@ class Extensible:
                    )
                )
        except Exception as e:
            logging.exception("Error scanning extensions")
            raise
        # Sort extensions by position
        sorted_extensions = sort_to_dict_by_position_map(
            position_map=position_map, data=extensions, name_func=lambda x: x.name
        )
--- a/api/core/helper/code_executor/code_executor.py
+++ b/api/core/helper/code_executor/code_executor.py
@ -15,6 +15,7 @@ from core.helper.code_executor.python3.python3_transformer import Python3Templat
 from core.helper.code_executor.template_transformer import TemplateTransformer
 logger = logging.getLogger(__name__)
 code_execution_endpoint_url = URL(str(dify_config.CODE_EXECUTION_ENDPOINT))
 class CodeExecutionError(Exception):
@ -64,7 +65,7 @@ class CodeExecutor:
        :param code: code
        :return:
        """
-        url = URL(str(dify_config.CODE_EXECUTION_ENDPOINT)) / "v1" / "sandbox" / "run"
+        url = code_execution_endpoint_url / "v1" / "sandbox" / "run"
        headers = {"X-Api-Key": dify_config.CODE_EXECUTION_API_KEY}
--- a/api/core/helper/marketplace.py
+++ b/api/core/helper/marketplace.py
@ -7,29 +7,28 @@ from configs import dify_config
 from core.helper.download import download_with_size_limit
 from core.plugin.entities.marketplace import MarketplacePluginDeclaration
 marketplace_api_url = URL(str(dify_config.MARKETPLACE_API_URL))
-def get_plugin_pkg_url(plugin_unique_identifier: str):
+
-    return (URL(str(dify_config.MARKETPLACE_API_URL)) / "api/v1/plugins/download").with_query(
+def get_plugin_pkg_url(plugin_unique_identifier: str) -> str:
-        unique_identifier=plugin_unique_identifier
+    return str((marketplace_api_url / "api/v1/plugins/download").with_query(unique_identifier=plugin_unique_identifier))
    )
 def download_plugin_pkg(plugin_unique_identifier: str):
-    url = str(get_plugin_pkg_url(plugin_unique_identifier))
+    return download_with_size_limit(get_plugin_pkg_url(plugin_unique_identifier), dify_config.PLUGIN_MAX_PACKAGE_SIZE)
    return download_with_size_limit(url, dify_config.PLUGIN_MAX_PACKAGE_SIZE)
 def batch_fetch_plugin_manifests(plugin_ids: list[str]) -> Sequence[MarketplacePluginDeclaration]:
    if len(plugin_ids) == 0:
        return []
-    url = str(URL(str(dify_config.MARKETPLACE_API_URL)) / "api/v1/plugins/batch")
+    url = str(marketplace_api_url / "api/v1/plugins/batch")
    response = requests.post(url, json={"plugin_ids": plugin_ids})
    response.raise_for_status()
    return [MarketplacePluginDeclaration(**plugin) for plugin in response.json()["data"]["plugins"]]
 def record_install_plugin_event(plugin_unique_identifier: str):
-    url = str(URL(str(dify_config.MARKETPLACE_API_URL)) / "api/v1/stats/plugins/install_count")
+    url = str(marketplace_api_url / "api/v1/stats/plugins/install_count")
    response = requests.post(url, json={"unique_identifier": plugin_unique_identifier})
    response.raise_for_status()
--- a/api/core/model_runtime/entities/llm_entities.py
+++ b/api/core/model_runtime/entities/llm_entities.py
@ -17,19 +17,6 @@ class LLMMode(StrEnum):
    COMPLETION = "completion"
    CHAT = "chat"
    @classmethod
    def value_of(cls, value: str) -> "LLMMode":
        """
        Get value of given mode.
        :param value: mode value
        :return: mode
        """
        for mode in cls:
            if mode.value == value:
                return mode
        raise ValueError(f"invalid mode value {value}")
 class LLMUsage(ModelUsage):
    """
--- a/api/core/model_runtime/entities/model_entities.py
+++ b/api/core/model_runtime/entities/model_entities.py
@ -160,6 +160,10 @@ class ProviderModel(BaseModel):
    deprecated: bool = False
    model_config = ConfigDict(protected_namespaces=())
    @property
    def support_structure_output(self) -> bool:
        return self.features is not None and ModelFeature.STRUCTURED_OUTPUT in self.features
 class ParameterRule(BaseModel):
    """
--- a/api/core/plugin/impl/base.py
+++ b/api/core/plugin/impl/base.py
@ -31,8 +31,7 @@ from core.plugin.impl.exc import (
    PluginUniqueIdentifierError,
 )
-plugin_daemon_inner_api_baseurl = dify_config.PLUGIN_DAEMON_URL
+plugin_daemon_inner_api_baseurl = URL(str(dify_config.PLUGIN_DAEMON_URL))
 plugin_daemon_inner_api_key = dify_config.PLUGIN_DAEMON_KEY
 T = TypeVar("T", bound=(BaseModel | dict | list | bool | str))
@ -53,9 +52,9 @@ class BasePluginClient:
        """
        Make a request to the plugin daemon inner API.
        """
-        url = URL(str(plugin_daemon_inner_api_baseurl)) / path
+        url = plugin_daemon_inner_api_baseurl / path
        headers = headers or {}
-        headers["X-Api-Key"] = plugin_daemon_inner_api_key
+        headers["X-Api-Key"] = dify_config.PLUGIN_DAEMON_KEY
        headers["Accept-Encoding"] = "gzip, deflate, br"
        if headers.get("Content-Type") == "application/json" and isinstance(data, dict):
--- a/api/core/provider_manager.py
+++ b/api/core/provider_manager.py
@ -3,7 +3,9 @@ from collections import defaultdict
 from json import JSONDecodeError
 from typing import Any, Optional, cast
 from sqlalchemy import select
 from sqlalchemy.exc import IntegrityError
 from sqlalchemy.orm import Session
 from configs import dify_config
 from core.entities.model_entities import DefaultModelEntity, DefaultModelProviderEntity
@ -393,19 +395,13 @@ class ProviderManager:
    @staticmethod
    def _get_all_providers(tenant_id: str) -> dict[str, list[Provider]]:
        """
        Get all provider records of the workspace.
        :param tenant_id: workspace id
        :return:
        """
        providers = db.session.query(Provider).filter(Provider.tenant_id == tenant_id, Provider.is_valid == True).all()
        provider_name_to_provider_records_dict = defaultdict(list)
        with Session(db.engine, expire_on_commit=False) as session:
            stmt = select(Provider).where(Provider.tenant_id == tenant_id, Provider.is_valid == True)
            providers = session.scalars(stmt)
            for provider in providers:
-            # TODO: Use provider name with prefix after the data migration
+                # Use provider name with prefix after the data migration
                provider_name_to_provider_records_dict[str(ModelProviderID(provider.provider_name))].append(provider)
        return provider_name_to_provider_records_dict
    @staticmethod
@ -416,17 +412,12 @@ class ProviderManager:
        :param tenant_id: workspace id
        :return:
        """
        # Get all provider model records of the workspace
        provider_models = (
            db.session.query(ProviderModel)
            .filter(ProviderModel.tenant_id == tenant_id, ProviderModel.is_valid == True)
            .all()
        )
        provider_name_to_provider_model_records_dict = defaultdict(list)
        with Session(db.engine, expire_on_commit=False) as session:
            stmt = select(ProviderModel).where(ProviderModel.tenant_id == tenant_id, ProviderModel.is_valid == True)
            provider_models = session.scalars(stmt)
            for provider_model in provider_models:
                provider_name_to_provider_model_records_dict[provider_model.provider_name].append(provider_model)
        return provider_name_to_provider_model_records_dict
    @staticmethod
@ -437,17 +428,14 @@ class ProviderManager:
        :param tenant_id: workspace id
        :return:
        """
-        preferred_provider_types = (
+        provider_name_to_preferred_provider_type_records_dict = {}
-            db.session.query(TenantPreferredModelProvider)
+        with Session(db.engine, expire_on_commit=False) as session:
-            .filter(TenantPreferredModelProvider.tenant_id == tenant_id)
+            stmt = select(TenantPreferredModelProvider).where(TenantPreferredModelProvider.tenant_id == tenant_id)
-            .all()
+            preferred_provider_types = session.scalars(stmt)
        )
            provider_name_to_preferred_provider_type_records_dict = {
                preferred_provider_type.provider_name: preferred_provider_type
                for preferred_provider_type in preferred_provider_types
            }
        return provider_name_to_preferred_provider_type_records_dict
    @staticmethod
@ -458,18 +446,14 @@ class ProviderManager:
        :param tenant_id: workspace id
        :return:
        """
        provider_model_settings = (
            db.session.query(ProviderModelSetting).filter(ProviderModelSetting.tenant_id == tenant_id).all()
        )
        provider_name_to_provider_model_settings_dict = defaultdict(list)
        with Session(db.engine, expire_on_commit=False) as session:
            stmt = select(ProviderModelSetting).where(ProviderModelSetting.tenant_id == tenant_id)
            provider_model_settings = session.scalars(stmt)
            for provider_model_setting in provider_model_settings:
            (
                provider_name_to_provider_model_settings_dict[provider_model_setting.provider_name].append(
                    provider_model_setting
                )
            )
        return provider_name_to_provider_model_settings_dict
    @staticmethod
@ -492,11 +476,10 @@ class ProviderManager:
        if not model_load_balancing_enabled:
            return {}
        provider_load_balancing_configs = (
            db.session.query(LoadBalancingModelConfig).filter(LoadBalancingModelConfig.tenant_id == tenant_id).all()
        )
        provider_name_to_provider_load_balancing_model_configs_dict = defaultdict(list)
        with Session(db.engine, expire_on_commit=False) as session:
            stmt = select(LoadBalancingModelConfig).where(LoadBalancingModelConfig.tenant_id == tenant_id)
            provider_load_balancing_configs = session.scalars(stmt)
            for provider_load_balancing_config in provider_load_balancing_configs:
                provider_name_to_provider_load_balancing_model_configs_dict[
                    provider_load_balancing_config.provider_name
@ -626,10 +609,9 @@ class ProviderManager:
            if not cached_provider_credentials:
                try:
                    # fix origin data
-                    if (
+                    if custom_provider_record.encrypted_config is None:
-                        custom_provider_record.encrypted_config
+                        raise ValueError("No credentials found")
-                        and not custom_provider_record.encrypted_config.startswith("{")
+                    if not custom_provider_record.encrypted_config.startswith("{"):
                    ):
                        provider_credentials = {"openai_api_key": custom_provider_record.encrypted_config}
                    else:
                        provider_credentials = json.loads(custom_provider_record.encrypted_config)
@ -733,7 +715,7 @@ class ProviderManager:
            return SystemConfiguration(enabled=False)
        # Convert provider_records to dict
-        quota_type_to_provider_records_dict = {}
+        quota_type_to_provider_records_dict: dict[ProviderQuotaType, Provider] = {}
        for provider_record in provider_records:
            if provider_record.provider_type != ProviderType.SYSTEM.value:
                continue
@ -758,6 +740,11 @@ class ProviderManager:
            else:
                provider_record = quota_type_to_provider_records_dict[provider_quota.quota_type]
                if provider_record.quota_used is None:
                    raise ValueError("quota_used is None")
                if provider_record.quota_limit is None:
                    raise ValueError("quota_limit is None")
                quota_configuration = QuotaConfiguration(
                    quota_type=provider_quota.quota_type,
                    quota_unit=provider_hosting_configuration.quota_unit or QuotaUnit.TOKENS,
@ -791,10 +778,9 @@ class ProviderManager:
                cached_provider_credentials = provider_credentials_cache.get()
                if not cached_provider_credentials:
-                    try:
+                    provider_credentials: dict[str, Any] = {}
-                        provider_credentials: dict[str, Any] = json.loads(provider_record.encrypted_config)
+                    if provider_records and provider_records[0].encrypted_config:
-                    except JSONDecodeError:
+                        provider_credentials = json.loads(provider_records[0].encrypted_config)
                        provider_credentials = {}
                    # Get provider credential secret variables
                    provider_credential_secret_variables = self._extract_secret_variables(
--- a/api/core/rag/datasource/keyword/jieba/stopwords.py
+++ b/api/core/rag/datasource/keyword/jieba/stopwords.py
@ -720,7 +720,7 @@ STOPWORDS = {
    "〉",
    "〈",
    "…",
-    "　",
+    " ",
    "0",
    "1",
    "2",
@ -731,16 +731,6 @@ STOPWORDS = {
    "7",
    "8",
    "9",
    "０",
    "１",
    "２",
    "３",
    "４",
    "５",
    "６",
    "７",
    "８",
    "９",
    "二",
    "三",
    "四",
--- a/api/core/rag/datasource/vdb/milvus/milvus_vector.py
+++ b/api/core/rag/datasource/vdb/milvus/milvus_vector.py
@ -97,6 +97,10 @@ class MilvusVector(BaseVector):
        try:
            milvus_version = self._client.get_server_version()
            # Check if it's Zilliz Cloud - it supports full-text search with Milvus 2.5 compatibility
            if "Zilliz Cloud" in milvus_version:
                return True
            # For standard Milvus installations, check version number
            return version.parse(milvus_version).base_version >= version.parse("2.5.0").base_version
        except Exception as e:
            logger.warning(f"Failed to check Milvus version: {str(e)}. Disabling hybrid search.")
--- a/api/core/rag/datasource/vdb/oracle/oraclevector.py
+++ b/api/core/rag/datasource/vdb/oracle/oraclevector.py
@ -261,7 +261,7 @@ class OracleVector(BaseVector):
                words = pseg.cut(query)
                current_entity = ""
                for word, pos in words:
-                    if pos in {"nr", "Ng", "eng", "nz", "n", "ORG", "v"}:  # nr: 人名, ns: 地名, nt: 机构名
+                    if pos in {"nr", "Ng", "eng", "nz", "n", "ORG", "v"}:  # nr: 人名，ns: 地名，nt: 机构名
                        current_entity += word
                    else:
                        if current_entity:
--- a/api/core/tools/custom_tool/tool.py
+++ b/api/core/tools/custom_tool/tool.py
@ -168,7 +168,7 @@ class ApiTool(Tool):
                cookies[parameter["name"]] = value
            elif parameter["in"] == "header":
-                headers[parameter["name"]] = value
+                headers[parameter["name"]] = str(value)
        # check if there is a request body and handle it
        if "requestBody" in self.api_bundle.openapi and self.api_bundle.openapi["requestBody"] is not None:
--- a/api/core/tools/utils/parser.py
+++ b/api/core/tools/utils/parser.py
@ -55,6 +55,13 @@ class ApiBasedToolSchemaParser:
            # convert parameters
            parameters = []
            if "parameters" in interface["operation"]:
                for i, parameter in enumerate(interface["operation"]["parameters"]):
                    if "$ref" in parameter:
                        root = openapi
                        reference = parameter["$ref"].split("/")[1:]
                        for ref in reference:
                            root = root[ref]
                        interface["operation"]["parameters"][i] = root
                for parameter in interface["operation"]["parameters"]:
                    tool_parameter = ToolParameter(
                        name=parameter["name"],
--- a/api/core/workflow/graph_engine/graph_engine.py
+++ b/api/core/workflow/graph_engine/graph_engine.py
@ -53,7 +53,6 @@ from core.workflow.nodes.end.end_stream_processor import EndStreamProcessor
 from core.workflow.nodes.enums import ErrorStrategy, FailBranchSourceHandle
 from core.workflow.nodes.event import RunCompletedEvent, RunRetrieverResourceEvent, RunStreamChunkEvent
 from core.workflow.nodes.node_mapping import NODE_TYPE_CLASSES_MAPPING
 from extensions.ext_database import db
 from models.enums import UserFrom
 from models.workflow import WorkflowType
@ -607,8 +606,6 @@ class GraphEngine:
                        error=str(e),
                    )
                )
            finally:
                db.session.remove()
    def _run_node(
        self,
@ -646,7 +643,6 @@ class GraphEngine:
            agent_strategy=agent_strategy,
        )
        db.session.close()
        max_retries = node_instance.node_data.retry_config.max_retries
        retry_interval = node_instance.node_data.retry_config.retry_interval_seconds
        retries = 0
@ -863,8 +859,6 @@ class GraphEngine:
            except Exception as e:
                logger.exception(f"Node {node_instance.node_data.title} run failed")
                raise e
            finally:
                db.session.close()
    def _append_variables_recursively(self, node_id: str, variable_key_list: list[str], variable_value: VariableValue):
        """
--- a/api/core/workflow/nodes/agent/agent_node.py
+++ b/api/core/workflow/nodes/agent/agent_node.py
@ -2,6 +2,9 @@ import json
 from collections.abc import Generator, Mapping, Sequence
 from typing import Any, Optional, cast
 from sqlalchemy import select
 from sqlalchemy.orm import Session
 from core.agent.entities import AgentToolEntity
 from core.agent.plugin_entities import AgentStrategyParameter
 from core.memory.token_buffer_memory import TokenBufferMemory
@ -320,12 +323,9 @@ class AgentNode(ToolNode):
            return None
        conversation_id = conversation_id_variable.value
-        # get conversation
+        with Session(db.engine, expire_on_commit=False) as session:
-        conversation = (
+            stmt = select(Conversation).where(Conversation.app_id == self.app_id, Conversation.id == conversation_id)
-            db.session.query(Conversation)
+            conversation = session.scalar(stmt)
            .filter(Conversation.app_id == self.app_id, Conversation.id == conversation_id)
            .first()
        )
            if not conversation:
                return None
--- a/api/core/workflow/nodes/knowledge_retrieval/knowledge_retrieval_node.py
+++ b/api/core/workflow/nodes/knowledge_retrieval/knowledge_retrieval_node.py
@ -8,6 +8,7 @@ from typing import Any, Optional, cast
 from sqlalchemy import Float, and_, func, or_, text
 from sqlalchemy import cast as sqlalchemy_cast
 from sqlalchemy.orm import Session
 from core.app.app_config.entities import DatasetRetrieveConfigEntity
 from core.app.entities.app_invoke_entities import ModelConfigWithCredentialsEntity
@ -85,8 +86,8 @@ class KnowledgeRetrievalNode(LLMNode):
            return NodeRunResult(
                status=WorkflowNodeExecutionStatus.FAILED, inputs=variables, error="Query is required."
            )
        # TODO(-LAN-): Move this check outside.
        # check rate limit
        if self.tenant_id:
        knowledge_rate_limit = FeatureService.get_knowledge_rate_limit(self.tenant_id)
        if knowledge_rate_limit.enabled:
            current_time = int(time.time() * 1000)
@ -95,14 +96,15 @@ class KnowledgeRetrievalNode(LLMNode):
            redis_client.zremrangebyscore(key, 0, current_time - 60000)
            request_count = redis_client.zcard(key)
            if request_count > knowledge_rate_limit.limit:
                with Session(db.engine) as session:
                    # add ratelimit record
                    rate_limit_log = RateLimitLog(
                        tenant_id=self.tenant_id,
                        subscription_plan=knowledge_rate_limit.subscription_plan,
                        operation="knowledge",
                    )
-                    db.session.add(rate_limit_log)
+                    session.add(rate_limit_log)
-                    db.session.commit()
+                    session.commit()
                return NodeRunResult(
                    status=WorkflowNodeExecutionStatus.FAILED,
                    inputs=variables,
@ -173,7 +175,9 @@ class KnowledgeRetrievalNode(LLMNode):
        dataset_retrieval = DatasetRetrieval()
        if node_data.retrieval_mode == DatasetRetrieveConfigEntity.RetrieveStrategy.SINGLE.value:
            # fetch model config
-            model_instance, model_config = self._fetch_model_config(node_data.single_retrieval_config.model)  # type: ignore
+            if node_data.single_retrieval_config is None:
                raise ValueError("single_retrieval_config is required")
            model_instance, model_config = self.get_model_config(node_data.single_retrieval_config.model)
            # check model is support tool calling
            model_type_instance = model_config.provider_model_bundle.model_type_instance
            model_type_instance = cast(LargeLanguageModel, model_type_instance)
@ -434,7 +438,7 @@ class KnowledgeRetrievalNode(LLMNode):
            raise ValueError("metadata_model_config is required")
        # get metadata model instance
        # fetch model config
-        model_instance, model_config = self._fetch_model_config(node_data.metadata_model_config)  # type: ignore
+        model_instance, model_config = self.get_model_config(metadata_model_config)
        # fetch prompt messages
        prompt_template = self._get_prompt_template(
            node_data=node_data,
@ -616,14 +620,7 @@ class KnowledgeRetrievalNode(LLMNode):
        variable_mapping[node_id + ".query"] = node_data.query_variable_selector
        return variable_mapping
-    def _fetch_model_config(self, model: ModelConfig) -> tuple[ModelInstance, ModelConfigWithCredentialsEntity]:  # type: ignore
+    def get_model_config(self, model: ModelConfig) -> tuple[ModelInstance, ModelConfigWithCredentialsEntity]:
        """
        Fetch model config
        :param model: model
        :return:
        """
        if model is None:
            raise ValueError("model is required")
        model_name = model.name
        provider_name = model.provider
--- a/api/core/workflow/nodes/llm/entities.py
+++ b/api/core/workflow/nodes/llm/entities.py
@ -66,7 +66,8 @@ class LLMNodeData(BaseNodeData):
    context: ContextConfig
    vision: VisionConfig = Field(default_factory=VisionConfig)
    structured_output: dict | None = None
-    structured_output_enabled: bool = False
+    # We used 'structured_output_enabled' in the past, but it's not a good name.
    structured_output_switch_on: bool = Field(False, alias="structured_output_enabled")
    @field_validator("prompt_config", mode="before")
    @classmethod
@ -74,3 +75,7 @@ class LLMNodeData(BaseNodeData):
        if v is None:
            return PromptConfig()
        return v
    @property
    def structured_output_enabled(self) -> bool:
        return self.structured_output_switch_on and self.structured_output is not None
--- a/api/core/workflow/nodes/llm/node.py
+++ b/api/core/workflow/nodes/llm/node.py
@ -7,12 +7,12 @@ from datetime import UTC, datetime
 from typing import TYPE_CHECKING, Any, Optional, cast
 import json_repair
 from sqlalchemy import select, update
 from sqlalchemy.orm import Session
 from configs import dify_config
 from core.app.entities.app_invoke_entities import ModelConfigWithCredentialsEntity
 from core.entities.model_entities import ModelStatus
 from core.entities.provider_entities import QuotaUnit
 from core.errors.error import ModelCurrentlyNotSupportError, ProviderTokenNotInitError, QuotaExceededError
 from core.file import FileType, file_manager
 from core.helper.code_executor import CodeExecutor, CodeLanguage
 from core.memory.token_buffer_memory import TokenBufferMemory
@ -72,7 +72,6 @@ from core.workflow.nodes.event import (
 from core.workflow.utils.structured_output.entities import (
    ResponseFormat,
    SpecialModelType,
    SupportStructuredOutputStatus,
 )
 from core.workflow.utils.structured_output.prompt import STRUCTURED_OUTPUT_PROMPT
 from core.workflow.utils.variable_template_parser import VariableTemplateParser
@ -275,7 +274,7 @@ class LLMNode(BaseNode[LLMNodeData]):
                    llm_usage=usage,
                )
            )
-        except LLMNodeError as e:
+        except ValueError as e:
            yield RunCompletedEvent(
                run_result=NodeRunResult(
                    status=WorkflowNodeExecutionStatus.FAILED,
@ -303,8 +302,6 @@ class LLMNode(BaseNode[LLMNodeData]):
        prompt_messages: Sequence[PromptMessage],
        stop: Optional[Sequence[str]] = None,
    ) -> Generator[NodeEvent, None, None]:
        db.session.close()
        invoke_result = model_instance.invoke_llm(
            prompt_messages=list(prompt_messages),
            model_parameters=node_data_model.completion_params,
@ -527,65 +524,53 @@ class LLMNode(BaseNode[LLMNodeData]):
    def _fetch_model_config(
        self, node_data_model: ModelConfig
    ) -> tuple[ModelInstance, ModelConfigWithCredentialsEntity]:
-        model_name = node_data_model.name
+        if not node_data_model.mode:
-        provider_name = node_data_model.provider
+            raise LLMModeRequiredError("LLM mode is required.")
-        model_manager = ModelManager()
+        model = ModelManager().get_model_instance(
-        model_instance = model_manager.get_model_instance(
+            tenant_id=self.tenant_id,
-            tenant_id=self.tenant_id, model_type=ModelType.LLM, provider=provider_name, model=model_name
+            model_type=ModelType.LLM,
            provider=node_data_model.provider,
            model=node_data_model.name,
        )
-        provider_model_bundle = model_instance.provider_model_bundle
+        model.model_type_instance = cast(LargeLanguageModel, model.model_type_instance)
        model_type_instance = model_instance.model_type_instance
        model_type_instance = cast(LargeLanguageModel, model_type_instance)
        model_credentials = model_instance.credentials
        # check model
-        provider_model = provider_model_bundle.configuration.get_provider_model(
+        provider_model = model.provider_model_bundle.configuration.get_provider_model(
-            model=model_name, model_type=ModelType.LLM
+            model=node_data_model.name, model_type=ModelType.LLM
        )
        if provider_model is None:
-            raise ModelNotExistError(f"Model {model_name} not exist.")
+            raise ModelNotExistError(f"Model {node_data_model.name} not exist.")
-
+        provider_model.raise_for_status()
        if provider_model.status == ModelStatus.NO_CONFIGURE:
            raise ProviderTokenNotInitError(f"Model {model_name} credentials is not initialized.")
        elif provider_model.status == ModelStatus.NO_PERMISSION:
            raise ModelCurrentlyNotSupportError(f"Dify Hosted OpenAI {model_name} currently not support.")
        elif provider_model.status == ModelStatus.QUOTA_EXCEEDED:
            raise QuotaExceededError(f"Model provider {provider_name} quota exceeded.")
        # model config
-        completion_params = node_data_model.completion_params
+        stop: list[str] = []
-        stop = []
+        if "stop" in node_data_model.completion_params:
-        if "stop" in completion_params:
+            stop = node_data_model.completion_params.pop("stop")
            stop = completion_params["stop"]
            del completion_params["stop"]
        # get model mode
        model_mode = node_data_model.mode
        if not model_mode:
            raise LLMModeRequiredError("LLM mode is required.")
        model_schema = model_type_instance.get_model_schema(model_name, model_credentials)
        model_schema = model.model_type_instance.get_model_schema(node_data_model.name, model.credentials)
        if not model_schema:
-            raise ModelNotExistError(f"Model {model_name} not exist.")
+            raise ModelNotExistError(f"Model {node_data_model.name} not exist.")
-        support_structured_output = self._check_model_structured_output_support()
+
-        if support_structured_output == SupportStructuredOutputStatus.SUPPORTED:
+        if self.node_data.structured_output_enabled:
-            completion_params = self._handle_native_json_schema(completion_params, model_schema.parameter_rules)
+            if model_schema.support_structure_output:
-        elif support_structured_output == SupportStructuredOutputStatus.UNSUPPORTED:
+                node_data_model.completion_params = self._handle_native_json_schema(
                    node_data_model.completion_params, model_schema.parameter_rules
                )
            else:
                # Set appropriate response format based on model capabilities
-            self._set_response_format(completion_params, model_schema.parameter_rules)
+                self._set_response_format(node_data_model.completion_params, model_schema.parameter_rules)
-        return model_instance, ModelConfigWithCredentialsEntity(
+
-            provider=provider_name,
+        return model, ModelConfigWithCredentialsEntity(
-            model=model_name,
+            provider=node_data_model.provider,
            model=node_data_model.name,
            model_schema=model_schema,
-            mode=model_mode,
+            mode=node_data_model.mode,
-            provider_model_bundle=provider_model_bundle,
+            provider_model_bundle=model.provider_model_bundle,
-            credentials=model_credentials,
+            credentials=model.credentials,
-            parameters=completion_params,
+            parameters=node_data_model.completion_params,
            stop=stop,
        )
@ -603,13 +588,9 @@ class LLMNode(BaseNode[LLMNodeData]):
            return None
        conversation_id = conversation_id_variable.value
-        # get conversation
+        with Session(db.engine, expire_on_commit=False) as session:
-        conversation = (
+            stmt = select(Conversation).where(Conversation.app_id == self.app_id, Conversation.id == conversation_id)
-            db.session.query(Conversation)
+            conversation = session.scalar(stmt)
            .filter(Conversation.app_id == self.app_id, Conversation.id == conversation_id)
            .first()
        )
            if not conversation:
                return None
@ -790,13 +771,25 @@ class LLMNode(BaseNode[LLMNodeData]):
                "No prompt found in the LLM configuration. "
                "Please ensure a prompt is properly configured before proceeding."
            )
-        support_structured_output = self._check_model_structured_output_support()
+
-        if support_structured_output == SupportStructuredOutputStatus.UNSUPPORTED:
+        model = ModelManager().get_model_instance(
            tenant_id=self.tenant_id,
            model_type=ModelType.LLM,
            provider=self.node_data.model.provider,
            model=self.node_data.model.name,
        )
        model_schema = model.model_type_instance.get_model_schema(
            model=self.node_data.model.name,
            credentials=model.credentials,
        )
        if not model_schema:
            raise ModelNotExistError(f"Model {self.node_data.model.name} not exist.")
        if self.node_data.structured_output_enabled:
            if not model_schema.support_structure_output:
                filtered_prompt_messages = self._handle_prompt_based_schema(
                    prompt_messages=filtered_prompt_messages,
                )
-        stop = model_config.stop
+        return filtered_prompt_messages, model_config.stop
        return filtered_prompt_messages, stop
    def _parse_structured_output(self, result_text: str) -> dict[str, Any]:
        structured_output: dict[str, Any] = {}
@ -847,20 +840,24 @@ class LLMNode(BaseNode[LLMNodeData]):
                used_quota = 1
        if used_quota is not None and system_configuration.current_quota_type is not None:
-            db.session.query(Provider).filter(
+            with Session(db.engine) as session:
                stmt = (
                    update(Provider)
                    .where(
                        Provider.tenant_id == tenant_id,
                        # TODO: Use provider name with prefix after the data migration.
                        Provider.provider_name == ModelProviderID(model_instance.provider).provider_name,
                        Provider.provider_type == ProviderType.SYSTEM.value,
                        Provider.quota_type == system_configuration.current_quota_type.value,
                        Provider.quota_limit > Provider.quota_used,
            ).update(
                {
                    "quota_used": Provider.quota_used + used_quota,
                    "last_used": datetime.now(tz=UTC).replace(tzinfo=None),
                }
                    )
-            db.session.commit()
+                    .values(
                        quota_used=Provider.quota_used + used_quota,
                        last_used=datetime.now(tz=UTC).replace(tzinfo=None),
                    )
                )
                session.execute(stmt)
                session.commit()
    @classmethod
    def _extract_variable_selector_to_variable_mapping(
@ -903,7 +900,7 @@ class LLMNode(BaseNode[LLMNodeData]):
            variable_mapping["#context#"] = node_data.context.variable_selector
        if node_data.vision.enabled:
-            variable_mapping["#files#"] = ["sys", SystemVariableKey.FILES.value]
+            variable_mapping["#files#"] = node_data.vision.configs.variable_selector
        if node_data.memory:
            variable_mapping["#sys.query#"] = ["sys", SystemVariableKey.QUERY.value]
@ -1185,32 +1182,6 @@ class LLMNode(BaseNode[LLMNodeData]):
        except json.JSONDecodeError:
            raise LLMNodeError("structured_output_schema is not valid JSON format")
    def _check_model_structured_output_support(self) -> SupportStructuredOutputStatus:
        """
        Check if the current model supports structured output.
        Returns:
            SupportStructuredOutput: The support status of structured output
        """
        # Early return if structured output is disabled
        if (
            not isinstance(self.node_data, LLMNodeData)
            or not self.node_data.structured_output_enabled
            or not self.node_data.structured_output
        ):
            return SupportStructuredOutputStatus.DISABLED
        # Get model schema and check if it exists
        model_schema = self._fetch_model_schema(self.node_data.model.provider)
        if not model_schema:
            return SupportStructuredOutputStatus.DISABLED
        # Check if model supports structured output feature
        return (
            SupportStructuredOutputStatus.SUPPORTED
            if bool(model_schema.features and ModelFeature.STRUCTURED_OUTPUT in model_schema.features)
            else SupportStructuredOutputStatus.UNSUPPORTED
        )
    def _save_multimodal_output_and_convert_result_to_markdown(
        self,
        contents: str | list[PromptMessageContentUnionTypes] | None,
--- a/api/core/workflow/nodes/parameter_extractor/parameter_extractor_node.py
+++ b/api/core/workflow/nodes/parameter_extractor/parameter_extractor_node.py
@ -31,7 +31,6 @@ from core.workflow.entities.workflow_node_execution import WorkflowNodeExecution
 from core.workflow.nodes.enums import NodeType
 from core.workflow.nodes.llm import LLMNode, ModelConfig
 from core.workflow.utils import variable_template_parser
 from extensions.ext_database import db
 from .entities import ParameterExtractorNodeData
 from .exc import (
@ -259,8 +258,6 @@ class ParameterExtractorNode(LLMNode):
        tools: list[PromptMessageTool],
        stop: list[str],
    ) -> tuple[str, LLMUsage, Optional[AssistantPromptMessage.ToolCall]]:
        db.session.close()
        invoke_result = model_instance.invoke_llm(
            prompt_messages=prompt_messages,
            model_parameters=node_data_model.completion_params,
--- a/api/core/workflow/nodes/question_classifier/question_classifier_node.py
+++ b/api/core/workflow/nodes/question_classifier/question_classifier_node.py
@ -79,9 +79,13 @@ class QuestionClassifierNode(LLMNode):
            memory=memory,
            max_token_limit=rest_token,
        )
        # Some models (e.g. Gemma, Mistral) force roles alternation (user/assistant/user/assistant...).
        # If both self._get_prompt_template and self._fetch_prompt_messages append a user prompt,
        # two consecutive user prompts will be generated, causing model's error.
        # To avoid this, set sys_query to an empty string so that only one user prompt is appended at the end.
        prompt_messages, stop = self._fetch_prompt_messages(
            prompt_template=prompt_template,
-            sys_query=query,
+            sys_query="",
            memory=memory,
            model_config=model_config,
            sys_files=files,
--- a/api/core/workflow/nodes/variable_aggregator/entities.py
+++ b/api/core/workflow/nodes/variable_aggregator/entities.py
@ -1,7 +1,8 @@
-from typing import Literal, Optional
+from typing import Optional
 from pydantic import BaseModel
 from core.variables.types import SegmentType
 from core.workflow.nodes.base import BaseNodeData
@ -17,7 +18,7 @@ class AdvancedSettings(BaseModel):
        Group.
        """
-        output_type: Literal["string", "number", "object", "array[string]", "array[number]", "array[object]"]
+        output_type: SegmentType
        variables: list[list[str]]
        group_name: str
--- a/api/core/workflow/utils/structured_output/entities.py
+++ b/api/core/workflow/utils/structured_output/entities.py
@ -14,11 +14,3 @@ class SpecialModelType(StrEnum):
    GEMINI = "gemini"
    OLLAMA = "ollama"
 class SupportStructuredOutputStatus(StrEnum):
    """Constants for structured output support status"""
    SUPPORTED = "supported"
    UNSUPPORTED = "unsupported"
    DISABLED = "disabled"
--- a/api/extensions/ext_celery.py
+++ b/api/extensions/ext_celery.py
@ -70,6 +70,7 @@ def init_app(app: DifyApp) -> Celery:
        "schedule.update_tidb_serverless_status_task",
        "schedule.clean_messages",
        "schedule.mail_clean_document_notify_task",
        "schedule.queue_monitor_task",
    ]
    day = dify_config.CELERY_BEAT_SCHEDULER_TIME
    beat_schedule = {
@ -98,6 +99,12 @@ def init_app(app: DifyApp) -> Celery:
            "task": "schedule.mail_clean_document_notify_task.mail_clean_document_notify_task",
            "schedule": crontab(minute="0", hour="10", day_of_week="1"),
        },
        "datasets-queue-monitor": {
            "task": "schedule.queue_monitor_task.queue_monitor_task",
            "schedule": timedelta(
                minutes=dify_config.QUEUE_MONITOR_INTERVAL if dify_config.QUEUE_MONITOR_INTERVAL else 30
            ),
        },
    }
    celery_app.conf.update(beat_schedule=beat_schedule, imports=imports)
--- a/api/libs/helper.py
+++ b/api/libs/helper.py
@ -18,6 +18,7 @@ from flask_restful import fields
 from configs import dify_config
 from core.app.features.rate_limiting.rate_limit import RateLimitGenerator
 from core.file import helpers as file_helpers
 from core.model_runtime.utils.encoders import jsonable_encoder
 from extensions.ext_redis import redis_client
 if TYPE_CHECKING:
@ -196,7 +197,7 @@ def generate_text_hash(text: str) -> str:
 def compact_generate_response(response: Union[Mapping, Generator, RateLimitGenerator]) -> Response:
    if isinstance(response, dict):
-        return Response(response=json.dumps(response), status=200, mimetype="application/json")
+        return Response(response=json.dumps(jsonable_encoder(response)), status=200, mimetype="application/json")
    else:
        def generate() -> Generator:
--- a/api/libs/smtp.py
+++ b/api/libs/smtp.py
@ -28,7 +28,8 @@ class SMTPClient:
            else:
                smtp = smtplib.SMTP(self.server, self.port, timeout=10)
-            if self.username and self.password:
+            # Only authenticate if both username and password are non-empty
            if self.username and self.password and self.username.strip() and self.password.strip():
                smtp.login(self.username, self.password)
            msg = MIMEMultipart()
--- a/api/models/provider.py
+++ b/api/models/provider.py
@ -1,6 +1,9 @@
 from datetime import datetime
 from enum import Enum
 from typing import Optional
-from sqlalchemy import func
+from sqlalchemy import func, text
 from sqlalchemy.orm import Mapped, mapped_column
 from .base import Base
 from .engine import db
@ -51,20 +54,24 @@ class Provider(Base):
        ),
    )
-    id = db.Column(StringUUID, server_default=db.text("uuid_generate_v4()"))
+    id: Mapped[str] = mapped_column(StringUUID, server_default=text("uuid_generate_v4()"))
-    tenant_id = db.Column(StringUUID, nullable=False)
+    tenant_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    provider_name = db.Column(db.String(255), nullable=False)
+    provider_name: Mapped[str] = mapped_column(db.String(255), nullable=False)
-    provider_type = db.Column(db.String(40), nullable=False, server_default=db.text("'custom'::character varying"))
+    provider_type: Mapped[str] = mapped_column(
-    encrypted_config = db.Column(db.Text, nullable=True)
+        db.String(40), nullable=False, server_default=text("'custom'::character varying")
-    is_valid = db.Column(db.Boolean, nullable=False, server_default=db.text("false"))
+    )
-    last_used = db.Column(db.DateTime, nullable=True)
+    encrypted_config: Mapped[Optional[str]] = mapped_column(db.Text, nullable=True)
    is_valid: Mapped[bool] = mapped_column(db.Boolean, nullable=False, server_default=text("false"))
    last_used: Mapped[Optional[datetime]] = mapped_column(db.DateTime, nullable=True)
-    quota_type = db.Column(db.String(40), nullable=True, server_default=db.text("''::character varying"))
+    quota_type: Mapped[Optional[str]] = mapped_column(
-    quota_limit = db.Column(db.BigInteger, nullable=True)
+        db.String(40), nullable=True, server_default=text("''::character varying")
-    quota_used = db.Column(db.BigInteger, default=0)
+    )
    quota_limit: Mapped[Optional[int]] = mapped_column(db.BigInteger, nullable=True)
    quota_used: Mapped[Optional[int]] = mapped_column(db.BigInteger, default=0)
-    created_at = db.Column(db.DateTime, nullable=False, server_default=func.current_timestamp())
+    created_at: Mapped[datetime] = mapped_column(db.DateTime, nullable=False, server_default=func.current_timestamp())
-    updated_at = db.Column(db.DateTime, nullable=False, server_default=func.current_timestamp())
+    updated_at: Mapped[datetime] = mapped_column(db.DateTime, nullable=False, server_default=func.current_timestamp())
    def __repr__(self):
        return (
@ -104,15 +111,15 @@ class ProviderModel(Base):
        ),
    )
-    id = db.Column(StringUUID, server_default=db.text("uuid_generate_v4()"))
+    id: Mapped[str] = mapped_column(StringUUID, server_default=text("uuid_generate_v4()"))
-    tenant_id = db.Column(StringUUID, nullable=False)
+    tenant_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    provider_name = db.Column(db.String(255), nullable=False)
+    provider_name: Mapped[str] = mapped_column(db.String(255), nullable=False)
-    model_name = db.Column(db.String(255), nullable=False)
+    model_name: Mapped[str] = mapped_column(db.String(255), nullable=False)
-    model_type = db.Column(db.String(40), nullable=False)
+    model_type: Mapped[str] = mapped_column(db.String(40), nullable=False)
-    encrypted_config = db.Column(db.Text, nullable=True)
+    encrypted_config: Mapped[Optional[str]] = mapped_column(db.Text, nullable=True)
-    is_valid = db.Column(db.Boolean, nullable=False, server_default=db.text("false"))
+    is_valid: Mapped[bool] = mapped_column(db.Boolean, nullable=False, server_default=text("false"))
-    created_at = db.Column(db.DateTime, nullable=False, server_default=func.current_timestamp())
+    created_at: Mapped[datetime] = mapped_column(db.DateTime, nullable=False, server_default=func.current_timestamp())
-    updated_at = db.Column(db.DateTime, nullable=False, server_default=func.current_timestamp())
+    updated_at: Mapped[datetime] = mapped_column(db.DateTime, nullable=False, server_default=func.current_timestamp())
 class TenantDefaultModel(Base):
@ -122,13 +129,13 @@ class TenantDefaultModel(Base):
        db.Index("tenant_default_model_tenant_id_provider_type_idx", "tenant_id", "provider_name", "model_type"),
    )
-    id = db.Column(StringUUID, server_default=db.text("uuid_generate_v4()"))
+    id: Mapped[str] = mapped_column(StringUUID, server_default=text("uuid_generate_v4()"))
-    tenant_id = db.Column(StringUUID, nullable=False)
+    tenant_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    provider_name = db.Column(db.String(255), nullable=False)
+    provider_name: Mapped[str] = mapped_column(db.String(255), nullable=False)
-    model_name = db.Column(db.String(255), nullable=False)
+    model_name: Mapped[str] = mapped_column(db.String(255), nullable=False)
-    model_type = db.Column(db.String(40), nullable=False)
+    model_type: Mapped[str] = mapped_column(db.String(40), nullable=False)
-    created_at = db.Column(db.DateTime, nullable=False, server_default=func.current_timestamp())
+    created_at: Mapped[datetime] = mapped_column(db.DateTime, nullable=False, server_default=func.current_timestamp())
-    updated_at = db.Column(db.DateTime, nullable=False, server_default=func.current_timestamp())
+    updated_at: Mapped[datetime] = mapped_column(db.DateTime, nullable=False, server_default=func.current_timestamp())
 class TenantPreferredModelProvider(Base):
@ -138,12 +145,12 @@ class TenantPreferredModelProvider(Base):
        db.Index("tenant_preferred_model_provider_tenant_provider_idx", "tenant_id", "provider_name"),
    )
-    id = db.Column(StringUUID, server_default=db.text("uuid_generate_v4()"))
+    id: Mapped[str] = mapped_column(StringUUID, server_default=text("uuid_generate_v4()"))
-    tenant_id = db.Column(StringUUID, nullable=False)
+    tenant_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    provider_name = db.Column(db.String(255), nullable=False)
+    provider_name: Mapped[str] = mapped_column(db.String(255), nullable=False)
-    preferred_provider_type = db.Column(db.String(40), nullable=False)
+    preferred_provider_type: Mapped[str] = mapped_column(db.String(40), nullable=False)
-    created_at = db.Column(db.DateTime, nullable=False, server_default=func.current_timestamp())
+    created_at: Mapped[datetime] = mapped_column(db.DateTime, nullable=False, server_default=func.current_timestamp())
-    updated_at = db.Column(db.DateTime, nullable=False, server_default=func.current_timestamp())
+    updated_at: Mapped[datetime] = mapped_column(db.DateTime, nullable=False, server_default=func.current_timestamp())
 class ProviderOrder(Base):
@ -153,22 +160,24 @@ class ProviderOrder(Base):
        db.Index("provider_order_tenant_provider_idx", "tenant_id", "provider_name"),
    )
-    id = db.Column(StringUUID, server_default=db.text("uuid_generate_v4()"))
+    id: Mapped[str] = mapped_column(StringUUID, server_default=text("uuid_generate_v4()"))
-    tenant_id = db.Column(StringUUID, nullable=False)
+    tenant_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    provider_name = db.Column(db.String(255), nullable=False)
+    provider_name: Mapped[str] = mapped_column(db.String(255), nullable=False)
-    account_id = db.Column(StringUUID, nullable=False)
+    account_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    payment_product_id = db.Column(db.String(191), nullable=False)
+    payment_product_id: Mapped[str] = mapped_column(db.String(191), nullable=False)
-    payment_id = db.Column(db.String(191))
+    payment_id: Mapped[Optional[str]] = mapped_column(db.String(191))
-    transaction_id = db.Column(db.String(191))
+    transaction_id: Mapped[Optional[str]] = mapped_column(db.String(191))
-    quantity = db.Column(db.Integer, nullable=False, server_default=db.text("1"))
+    quantity: Mapped[int] = mapped_column(db.Integer, nullable=False, server_default=text("1"))
-    currency = db.Column(db.String(40))
+    currency: Mapped[Optional[str]] = mapped_column(db.String(40))
-    total_amount = db.Column(db.Integer)
+    total_amount: Mapped[Optional[int]] = mapped_column(db.Integer)
-    payment_status = db.Column(db.String(40), nullable=False, server_default=db.text("'wait_pay'::character varying"))
+    payment_status: Mapped[str] = mapped_column(
-    paid_at = db.Column(db.DateTime)
+        db.String(40), nullable=False, server_default=text("'wait_pay'::character varying")
-    pay_failed_at = db.Column(db.DateTime)
+    )
-    refunded_at = db.Column(db.DateTime)
+    paid_at: Mapped[Optional[datetime]] = mapped_column(db.DateTime)
-    created_at = db.Column(db.DateTime, nullable=False, server_default=func.current_timestamp())
+    pay_failed_at: Mapped[Optional[datetime]] = mapped_column(db.DateTime)
-    updated_at = db.Column(db.DateTime, nullable=False, server_default=func.current_timestamp())
+    refunded_at: Mapped[Optional[datetime]] = mapped_column(db.DateTime)
    created_at: Mapped[datetime] = mapped_column(db.DateTime, nullable=False, server_default=func.current_timestamp())
    updated_at: Mapped[datetime] = mapped_column(db.DateTime, nullable=False, server_default=func.current_timestamp())
 class ProviderModelSetting(Base):
@ -182,15 +191,15 @@ class ProviderModelSetting(Base):
        db.Index("provider_model_setting_tenant_provider_model_idx", "tenant_id", "provider_name", "model_type"),
    )
-    id = db.Column(StringUUID, server_default=db.text("uuid_generate_v4()"))
+    id: Mapped[str] = mapped_column(StringUUID, server_default=text("uuid_generate_v4()"))
-    tenant_id = db.Column(StringUUID, nullable=False)
+    tenant_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    provider_name = db.Column(db.String(255), nullable=False)
+    provider_name: Mapped[str] = mapped_column(db.String(255), nullable=False)
-    model_name = db.Column(db.String(255), nullable=False)
+    model_name: Mapped[str] = mapped_column(db.String(255), nullable=False)
-    model_type = db.Column(db.String(40), nullable=False)
+    model_type: Mapped[str] = mapped_column(db.String(40), nullable=False)
-    enabled = db.Column(db.Boolean, nullable=False, server_default=db.text("true"))
+    enabled: Mapped[bool] = mapped_column(db.Boolean, nullable=False, server_default=text("true"))
-    load_balancing_enabled = db.Column(db.Boolean, nullable=False, server_default=db.text("false"))
+    load_balancing_enabled: Mapped[bool] = mapped_column(db.Boolean, nullable=False, server_default=text("false"))
-    created_at = db.Column(db.DateTime, nullable=False, server_default=func.current_timestamp())
+    created_at: Mapped[datetime] = mapped_column(db.DateTime, nullable=False, server_default=func.current_timestamp())
-    updated_at = db.Column(db.DateTime, nullable=False, server_default=func.current_timestamp())
+    updated_at: Mapped[datetime] = mapped_column(db.DateTime, nullable=False, server_default=func.current_timestamp())
 class LoadBalancingModelConfig(Base):
@ -204,13 +213,13 @@ class LoadBalancingModelConfig(Base):
        db.Index("load_balancing_model_config_tenant_provider_model_idx", "tenant_id", "provider_name", "model_type"),
    )
-    id = db.Column(StringUUID, server_default=db.text("uuid_generate_v4()"))
+    id: Mapped[str] = mapped_column(StringUUID, server_default=text("uuid_generate_v4()"))
-    tenant_id = db.Column(StringUUID, nullable=False)
+    tenant_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    provider_name = db.Column(db.String(255), nullable=False)
+    provider_name: Mapped[str] = mapped_column(db.String(255), nullable=False)
-    model_name = db.Column(db.String(255), nullable=False)
+    model_name: Mapped[str] = mapped_column(db.String(255), nullable=False)
-    model_type = db.Column(db.String(40), nullable=False)
+    model_type: Mapped[str] = mapped_column(db.String(40), nullable=False)
-    name = db.Column(db.String(255), nullable=False)
+    name: Mapped[str] = mapped_column(db.String(255), nullable=False)
-    encrypted_config = db.Column(db.Text, nullable=True)
+    encrypted_config: Mapped[Optional[str]] = mapped_column(db.Text, nullable=True)
-    enabled = db.Column(db.Boolean, nullable=False, server_default=db.text("true"))
+    enabled: Mapped[bool] = mapped_column(db.Boolean, nullable=False, server_default=text("true"))
-    created_at = db.Column(db.DateTime, nullable=False, server_default=func.current_timestamp())
+    created_at: Mapped[datetime] = mapped_column(db.DateTime, nullable=False, server_default=func.current_timestamp())
-    updated_at = db.Column(db.DateTime, nullable=False, server_default=func.current_timestamp())
+    updated_at: Mapped[datetime] = mapped_column(db.DateTime, nullable=False, server_default=func.current_timestamp())
--- a/api/pyproject.toml
+++ b/api/pyproject.toml
@ -14,7 +14,7 @@ dependencies = [
    "chardet~=5.1.0",
    "flask~=3.1.0",
    "flask-compress~=1.17",
-    "flask-cors~=5.0.0",
+    "flask-cors~=6.0.0",
    "flask-login~=0.6.3",
    "flask-migrate~=4.0.7",
    "flask-restful~=0.3.10",
@ -36,7 +36,6 @@ dependencies = [
    "mailchimp-transactional~=1.0.50",
    "markdown~=3.5.1",
    "numpy~=1.26.4",
    "oci~=2.135.1",
    "openai~=1.61.0",
    "openpyxl~=3.1.5",
    "opik~=1.7.25",
@ -143,13 +142,16 @@ dev = [
    "types-requests~=2.32.0",
    "types-requests-oauthlib~=2.0.0",
    "types-shapely~=2.0.0",
-    "types-simplejson~=3.20.0",
+    "types-simplejson>=3.20.0",
-    "types-six~=1.17.0",
+    "types-six>=1.17.0",
-    "types-tensorflow~=2.18.0",
+    "types-tensorflow>=2.18.0",
-    "types-tqdm~=4.67.0",
+    "types-tqdm>=4.67.0",
-    "types-ujson~=5.10.0",
+    "types-ujson>=5.10.0",
    "boto3-stubs>=1.38.20",
    "types-jmespath>=1.0.2.20240106",
    "types_pyOpenSSL>=24.1.0",
    "types_cffi>=1.17.0",
    "types_setuptools>=80.9.0",
 ]
 ############################################################
--- a/api/schedule/queue_monitor_task.py
+++ b/api/schedule/queue_monitor_task.py
@ -0,0 +1,62 @@
 import logging
 from datetime import datetime
 from urllib.parse import urlparse
 import click
 from flask import render_template
 from redis import Redis
 import app
 from configs import dify_config
 from extensions.ext_database import db
 from extensions.ext_mail import mail
 # Create a dedicated Redis connection (using the same configuration as Celery)
 celery_broker_url = dify_config.CELERY_BROKER_URL
 parsed = urlparse(celery_broker_url)
 host = parsed.hostname or "localhost"
 port = parsed.port or 6379
 password = parsed.password or None
 redis_db = parsed.path.strip("/") or "1"  # type: ignore
 celery_redis = Redis(host=host, port=port, password=password, db=redis_db)
@app.celery.task(queue="monitor")
 def queue_monitor_task():
    queue_name = "dataset"
    threshold = dify_config.QUEUE_MONITOR_THRESHOLD
    try:
        queue_length = celery_redis.llen(f"{queue_name}")
        logging.info(click.style(f"Start monitor {queue_name}", fg="green"))
        logging.info(click.style(f"Queue length: {queue_length}", fg="green"))
        if queue_length >= threshold:
            warning_msg = f"Queue {queue_name} task count exceeded the limit.: {queue_length}/{threshold}"
            logging.warning(click.style(warning_msg, fg="red"))
            alter_emails = dify_config.QUEUE_MONITOR_ALERT_EMAILS
            if alter_emails:
                to_list = alter_emails.split(",")
                for to in to_list:
                    try:
                        current_time = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
                        html_content = render_template(
                            "queue_monitor_alert_email_template_en-US.html",
                            queue_name=queue_name,
                            queue_length=queue_length,
                            threshold=threshold,
                            alert_time=current_time,
                        )
                        mail.send(
                            to=to, subject="Alert: Dataset Queue pending tasks exceeded the limit", html=html_content
                        )
                    except Exception as e:
                        logging.exception(click.style("Exception occurred during sending email", fg="red"))
    except Exception as e:
        logging.exception(click.style("Exception occurred during queue monitoring", fg="red"))
    finally:
        if db.session.is_active:
            db.session.close()
--- a/api/services/tag_service.py
+++ b/api/services/tag_service.py
@ -46,6 +46,8 @@ class TagService:
    @staticmethod
    def get_tag_by_tag_name(tag_type: str, current_tenant_id: str, tag_name: str) -> list:
        if not tag_type or not tag_name:
            return []
        tags = (
            db.session.query(Tag)
            .filter(Tag.name == tag_name, Tag.tenant_id == current_tenant_id, Tag.type == tag_type)
@ -88,7 +90,7 @@ class TagService:
    @staticmethod
    def update_tags(args: dict, tag_id: str) -> Tag:
-        if TagService.get_tag_by_tag_name(args["type"], current_user.current_tenant_id, args["name"]):
+        if TagService.get_tag_by_tag_name(args.get("type", ""), current_user.current_tenant_id, args.get("name", "")):
            raise ValueError("Tag name already exists")
        tag = db.session.query(Tag).filter(Tag.id == tag_id).first()
        if not tag:
--- a/api/tasks/batch_create_segment_to_index_task.py
+++ b/api/tasks/batch_create_segment_to_index_task.py
@ -5,7 +5,7 @@ import uuid
 import click
 from celery import shared_task  # type: ignore
-from sqlalchemy import func, select
+from sqlalchemy import func
 from sqlalchemy.orm import Session
 from core.model_manager import ModelManager
@ -69,11 +69,6 @@ def batch_create_segment_to_index_task(
                    model=dataset.embedding_model,
                )
        word_count_change = 0
            segments_to_insert: list[str] = []
            max_position_stmt = select(func.max(DocumentSegment.position)).where(
                DocumentSegment.document_id == dataset_document.id
            )
        word_count_change = 0
        if embedding_model:
            tokens_list = embedding_model.get_text_embedding_num_tokens(
                texts=[segment["content"] for segment in content]
--- a/api/templates/queue_monitor_alert_email_template_en-US.html
+++ b/api/templates/queue_monitor_alert_email_template_en-US.html
@ -0,0 +1,129 @@
 <!DOCTYPE html>
 <html>
 <head>
  <style>
    body {
      font-family: 'Arial', sans-serif;
      line-height: 16pt;
      color: #101828;
      background-color: #e9ebf0;
      margin: 0;
      padding: 0;
    }
    .container {
      width: 600px;
      min-height: 605px;
      margin: 40px auto;
      padding: 36px 48px;
      background-color: #fcfcfd;
      border-radius: 16px;
      border: 1px solid #ffffff;
      box-shadow: 0 2px 4px -2px rgba(9, 9, 11, 0.08);
    }
    .header {
      margin-bottom: 24px;
    }
    .header img {
      max-width: 100px;
      height: auto;
    }
    .title {
      font-weight: 600;
      font-size: 24px;
      line-height: 28.8px;
    }
    .description {
      font-size: 13px;
      line-height: 16px;
      color: #676f83;
      margin-top: 12px;
    }
    .alert-content {
      padding: 16px 32px;
      text-align: center;
      border-radius: 16px;
      background-color: #fef0f0;
      margin: 16px auto;
      border: 1px solid #fda29b;
    }
    .alert-title {
      line-height: 24px;
      font-weight: 700;
      font-size: 18px;
      color: #d92d20;
    }
    .alert-detail {
      line-height: 20px;
      font-size: 14px;
      margin-top: 8px;
    }
    .typography {
      letter-spacing: -0.07px;
      font-weight: 400;
      font-style: normal;
      font-size: 14px;
      line-height: 20px;
      color: #354052;
      margin-top: 12px;
      margin-bottom: 12px;
    }
    .typography p{
      margin: 0 auto;
    }
    .typography-title {
      color: #101828;
      font-size: 14px;
      font-style: normal;
      font-weight: 600;
      line-height: 20px;
      margin-top: 12px;
      margin-bottom: 4px;
    }
    .tip-list{
      margin: 0;
      padding-left: 10px;
    }
  </style>
 </head>
 <body>
  <div class="container">
    <div class="header">
      <img src="https://assets.dify.ai/images/logo.png" alt="Dify Logo" />
    </div>
    <p class="title">Queue Monitoring Alert</p>
    <p class="typography">Our system has detected an abnormal queue status that requires your attention:</p>
    <div class="alert-content">
      <div class="alert-title">Queue Task Alert</div>
      <div class="alert-detail">
        Queue "{{queue_name}}" has {{queue_length}} pending tasks (Threshold: {{threshold}})
      </div>
    </div>
    <div class="typography">
      <p style="margin-bottom:4px">Recommended actions:</p>
      <p>1. Check the queue processing status in the system dashboard</p>
      <p>2. Verify if there are any processing bottlenecks</p>
      <p>3. Consider scaling up workers if needed</p>
    </div>
    <p class="typography-title">Additional Information:</p>
    <ul class="typography tip-list">
      <li>Alert triggered at: {{alert_time}}</li>
    </ul>
  </div>
 </body>
 </html>
--- a/api/tests/integration_tests/workflow/nodes/test_llm.py
+++ b/api/tests/integration_tests/workflow/nodes/test_llm.py
@ -3,11 +3,16 @@ import os
 import time
 import uuid
 from collections.abc import Generator
-from unittest.mock import MagicMock
+from decimal import Decimal
 from unittest.mock import MagicMock, patch
 import pytest
 from app_factory import create_app
 from configs import dify_config
 from core.app.entities.app_invoke_entities import InvokeFrom
 from core.model_runtime.entities.llm_entities import LLMResult, LLMUsage
 from core.model_runtime.entities.message_entities import AssistantPromptMessage
 from core.workflow.entities.variable_pool import VariablePool
 from core.workflow.entities.workflow_node_execution import WorkflowNodeExecutionStatus
 from core.workflow.enums import SystemVariableKey
@ -19,13 +24,27 @@ from core.workflow.nodes.llm.node import LLMNode
 from extensions.ext_database import db
 from models.enums import UserFrom
 from models.workflow import WorkflowType
 from tests.integration_tests.workflow.nodes.__mock.model import get_mocked_fetch_model_config
 """FOR MOCK FIXTURES, DO NOT REMOVE"""
 from tests.integration_tests.model_runtime.__mock.plugin_daemon import setup_model_mock
 from tests.integration_tests.workflow.nodes.__mock.code_executor import setup_code_executor_mock
@pytest.fixture(scope="session")
 def app():
    # Set up storage configuration
    os.environ["STORAGE_TYPE"] = "opendal"
    os.environ["OPENDAL_SCHEME"] = "fs"
    os.environ["OPENDAL_FS_ROOT"] = "storage"
    # Ensure storage directory exists
    os.makedirs("storage", exist_ok=True)
    app = create_app()
    dify_config.LOGIN_DISABLED = True
    return app
 def init_llm_node(config: dict) -> LLMNode:
    graph_config = {
        "edges": [
@ -40,13 +59,19 @@ def init_llm_node(config: dict) -> LLMNode:
    graph = Graph.init(graph_config=graph_config)
    # Use proper UUIDs for database compatibility
    tenant_id = "9d2074fc-6f86-45a9-b09d-6ecc63b9056b"
    app_id = "9d2074fc-6f86-45a9-b09d-6ecc63b9056c"
    workflow_id = "9d2074fc-6f86-45a9-b09d-6ecc63b9056d"
    user_id = "9d2074fc-6f86-45a9-b09d-6ecc63b9056e"
    init_params = GraphInitParams(
-        tenant_id="1",
+        tenant_id=tenant_id,
-        app_id="1",
+        app_id=app_id,
        workflow_type=WorkflowType.WORKFLOW,
-        workflow_id="1",
+        workflow_id=workflow_id,
        graph_config=graph_config,
-        user_id="1",
+        user_id=user_id,
        user_from=UserFrom.ACCOUNT,
        invoke_from=InvokeFrom.DEBUGGER,
        call_depth=0,
@ -77,7 +102,8 @@ def init_llm_node(config: dict) -> LLMNode:
    return node
-def test_execute_llm(setup_model_mock):
+def test_execute_llm(app):
    with app.app_context():
        node = init_llm_node(
            config={
                "id": "llm",
@ -91,7 +117,10 @@ def test_execute_llm(setup_model_mock):
                        "completion_params": {},
                    },
                    "prompt_template": [
-                    {"role": "system", "text": "you are a helpful assistant.\ntoday's weather is {{#abc.output#}}."},
+                        {
                            "role": "system",
                            "text": "you are a helpful assistant.\ntoday's weather is {{#abc.output#}}.",
                        },
                        {"role": "user", "text": "{{#sys.query#}}"},
                    ],
                    "memory": None,
@ -103,16 +132,54 @@ def test_execute_llm(setup_model_mock):
        credentials = {"openai_api_key": os.environ.get("OPENAI_API_KEY")}
-    # Mock db.session.close()
+        # Create a proper LLM result with real entities
-    db.session.close = MagicMock()
+        mock_usage = LLMUsage(
            prompt_tokens=30,
            prompt_unit_price=Decimal("0.001"),
            prompt_price_unit=Decimal("1000"),
            prompt_price=Decimal("0.00003"),
            completion_tokens=20,
            completion_unit_price=Decimal("0.002"),
            completion_price_unit=Decimal("1000"),
            completion_price=Decimal("0.00004"),
            total_tokens=50,
            total_price=Decimal("0.00007"),
            currency="USD",
            latency=0.5,
        )
        mock_message = AssistantPromptMessage(content="This is a test response from the mocked LLM.")
-    node._fetch_model_config = get_mocked_fetch_model_config(
+        mock_llm_result = LLMResult(
        provider="langgenius/openai/openai",
            model="gpt-3.5-turbo",
-        mode="chat",
+            prompt_messages=[],
-        credentials=credentials,
+            message=mock_message,
            usage=mock_usage,
        )
        # Create a simple mock model instance that doesn't call real providers
        mock_model_instance = MagicMock()
        mock_model_instance.invoke_llm.return_value = mock_llm_result
        # Create a simple mock model config with required attributes
        mock_model_config = MagicMock()
        mock_model_config.mode = "chat"
        mock_model_config.provider = "langgenius/openai/openai"
        mock_model_config.model = "gpt-3.5-turbo"
        mock_model_config.provider_model_bundle.configuration.tenant_id = "9d2074fc-6f86-45a9-b09d-6ecc63b9056b"
        # Mock the _fetch_model_config method
        def mock_fetch_model_config_func(_node_data_model):
            return mock_model_instance, mock_model_config
        # Also mock ModelManager.get_model_instance to avoid database calls
        def mock_get_model_instance(_self, **kwargs):
            return mock_model_instance
        with (
            patch.object(node, "_fetch_model_config", mock_fetch_model_config_func),
            patch("core.model_manager.ModelManager.get_model_instance", mock_get_model_instance),
        ):
            # execute node
            result = node._run()
            assert isinstance(result, Generator)
@ -127,10 +194,11 @@ def test_execute_llm(setup_model_mock):
@pytest.mark.parametrize("setup_code_executor_mock", [["none"]], indirect=True)
-def test_execute_llm_with_jinja2(setup_code_executor_mock, setup_model_mock):
+def test_execute_llm_with_jinja2(app, setup_code_executor_mock):
    """
    Test execute LLM node with jinja2
    """
    with app.app_context():
        node = init_llm_node(
            config={
                "id": "llm",
@ -165,18 +233,57 @@ def test_execute_llm_with_jinja2(setup_code_executor_mock, setup_model_mock):
            },
        )
    credentials = {"openai_api_key": os.environ.get("OPENAI_API_KEY")}
        # Mock db.session.close()
        db.session.close = MagicMock()
-    node._fetch_model_config = get_mocked_fetch_model_config(
+        # Create a proper LLM result with real entities
-        provider="langgenius/openai/openai",
+        mock_usage = LLMUsage(
            prompt_tokens=30,
            prompt_unit_price=Decimal("0.001"),
            prompt_price_unit=Decimal("1000"),
            prompt_price=Decimal("0.00003"),
            completion_tokens=20,
            completion_unit_price=Decimal("0.002"),
            completion_price_unit=Decimal("1000"),
            completion_price=Decimal("0.00004"),
            total_tokens=50,
            total_price=Decimal("0.00007"),
            currency="USD",
            latency=0.5,
        )
        mock_message = AssistantPromptMessage(content="Test response: sunny weather and what's the weather today?")
        mock_llm_result = LLMResult(
            model="gpt-3.5-turbo",
-        mode="chat",
+            prompt_messages=[],
-        credentials=credentials,
+            message=mock_message,
            usage=mock_usage,
        )
        # Create a simple mock model instance that doesn't call real providers
        mock_model_instance = MagicMock()
        mock_model_instance.invoke_llm.return_value = mock_llm_result
        # Create a simple mock model config with required attributes
        mock_model_config = MagicMock()
        mock_model_config.mode = "chat"
        mock_model_config.provider = "openai"
        mock_model_config.model = "gpt-3.5-turbo"
        mock_model_config.provider_model_bundle.configuration.tenant_id = "9d2074fc-6f86-45a9-b09d-6ecc63b9056b"
        # Mock the _fetch_model_config method
        def mock_fetch_model_config_func(_node_data_model):
            return mock_model_instance, mock_model_config
        # Also mock ModelManager.get_model_instance to avoid database calls
        def mock_get_model_instance(_self, **kwargs):
            return mock_model_instance
        with (
            patch.object(node, "_fetch_model_config", mock_fetch_model_config_func),
            patch("core.model_manager.ModelManager.get_model_instance", mock_get_model_instance),
        ):
            # execute node
            result = node._run()
--- a/api/uv.lock
+++ b/api/uv.lock
--- a/docker/.env.example
+++ b/docker/.env.example
@ -1057,7 +1057,7 @@ PLUGIN_MAX_EXECUTION_TIMEOUT=600
 PIP_MIRROR_URL=
 # https://github.com/langgenius/dify-plugin-daemon/blob/main/.env.example
-# Plugin storage type, local aws_s3 tencent_cos azure_blob aliyun_oss
+# Plugin storage type, local aws_s3 tencent_cos azure_blob aliyun_oss volcengine_tos
 PLUGIN_STORAGE_TYPE=local
 PLUGIN_STORAGE_LOCAL_ROOT=/app/storage
 PLUGIN_WORKING_PATH=/app/storage/cwd
@ -1087,6 +1087,11 @@ PLUGIN_ALIYUN_OSS_ACCESS_KEY_ID=
 PLUGIN_ALIYUN_OSS_ACCESS_KEY_SECRET=
 PLUGIN_ALIYUN_OSS_AUTH_VERSION=v4
 PLUGIN_ALIYUN_OSS_PATH=
 # Plugin oss volcengine tos
 PLUGIN_VOLCENGINE_TOS_ENDPOINT=
 PLUGIN_VOLCENGINE_TOS_ACCESS_KEY=
 PLUGIN_VOLCENGINE_TOS_SECRET_KEY=
 PLUGIN_VOLCENGINE_TOS_REGION=
 # ------------------------------
 # OTLP Collector Configuration
@ -1106,3 +1111,10 @@ OTEL_METRIC_EXPORT_TIMEOUT=30000
 # Prevent Clickjacking
 ALLOW_EMBED=false
 # Dataset queue monitor configuration
 QUEUE_MONITOR_THRESHOLD=200
 # You can configure multiple ones, separated by commas. eg: test1@dify.ai,test2@dify.ai
 QUEUE_MONITOR_ALERT_EMAILS=
 # Monitor interval in minutes, default is 30 minutes
 QUEUE_MONITOR_INTERVAL=30
--- a/docker/docker-compose-template.yaml
+++ b/docker/docker-compose-template.yaml
@ -184,6 +184,10 @@ services:
      ALIYUN_OSS_ACCESS_KEY_SECRET: ${PLUGIN_ALIYUN_OSS_ACCESS_KEY_SECRET:-}
      ALIYUN_OSS_AUTH_VERSION: ${PLUGIN_ALIYUN_OSS_AUTH_VERSION:-v4}
      ALIYUN_OSS_PATH: ${PLUGIN_ALIYUN_OSS_PATH:-}
      VOLCENGINE_TOS_ENDPOINT: ${PLUGIN_VOLCENGINE_TOS_ENDPOINT:-}
      VOLCENGINE_TOS_ACCESS_KEY: ${PLUGIN_VOLCENGINE_TOS_ACCESS_KEY:-}
      VOLCENGINE_TOS_SECRET_KEY: ${PLUGIN_VOLCENGINE_TOS_SECRET_KEY:-}
      VOLCENGINE_TOS_REGION: ${PLUGIN_VOLCENGINE_TOS_REGION:-}
    ports:
      - "${EXPOSE_PLUGIN_DEBUGGING_PORT:-5003}:${PLUGIN_DEBUGGING_PORT:-5003}"
    volumes:
--- a/docker/docker-compose.middleware.yaml
+++ b/docker/docker-compose.middleware.yaml
@ -121,6 +121,10 @@ services:
      ALIYUN_OSS_ACCESS_KEY_SECRET: ${PLUGIN_ALIYUN_OSS_ACCESS_KEY_SECRET:-}
      ALIYUN_OSS_AUTH_VERSION: ${PLUGIN_ALIYUN_OSS_AUTH_VERSION:-v4}
      ALIYUN_OSS_PATH: ${PLUGIN_ALIYUN_OSS_PATH:-}
      VOLCENGINE_TOS_ENDPOINT: ${PLUGIN_VOLCENGINE_TOS_ENDPOINT:-}
      VOLCENGINE_TOS_ACCESS_KEY: ${PLUGIN_VOLCENGINE_TOS_ACCESS_KEY:-}
      VOLCENGINE_TOS_SECRET_KEY: ${PLUGIN_VOLCENGINE_TOS_SECRET_KEY:-}
      VOLCENGINE_TOS_REGION: ${PLUGIN_VOLCENGINE_TOS_REGION:-}
    ports:
      - "${EXPOSE_PLUGIN_DAEMON_PORT:-5002}:${PLUGIN_DAEMON_PORT:-5002}"
      - "${EXPOSE_PLUGIN_DEBUGGING_PORT:-5003}:${PLUGIN_DEBUGGING_PORT:-5003}"
--- a/docker/docker-compose.yaml
+++ b/docker/docker-compose.yaml
@ -484,6 +484,10 @@ x-shared-env: &shared-api-worker-env
  PLUGIN_ALIYUN_OSS_ACCESS_KEY_SECRET: ${PLUGIN_ALIYUN_OSS_ACCESS_KEY_SECRET:-}
  PLUGIN_ALIYUN_OSS_AUTH_VERSION: ${PLUGIN_ALIYUN_OSS_AUTH_VERSION:-v4}
  PLUGIN_ALIYUN_OSS_PATH: ${PLUGIN_ALIYUN_OSS_PATH:-}
  PLUGIN_VOLCENGINE_TOS_ENDPOINT: ${PLUGIN_VOLCENGINE_TOS_ENDPOINT:-}
  PLUGIN_VOLCENGINE_TOS_ACCESS_KEY: ${PLUGIN_VOLCENGINE_TOS_ACCESS_KEY:-}
  PLUGIN_VOLCENGINE_TOS_SECRET_KEY: ${PLUGIN_VOLCENGINE_TOS_SECRET_KEY:-}
  PLUGIN_VOLCENGINE_TOS_REGION: ${PLUGIN_VOLCENGINE_TOS_REGION:-}
  ENABLE_OTEL: ${ENABLE_OTEL:-false}
  OTLP_BASE_ENDPOINT: ${OTLP_BASE_ENDPOINT:-http://localhost:4318}
  OTLP_API_KEY: ${OTLP_API_KEY:-}
@ -497,6 +501,9 @@ x-shared-env: &shared-api-worker-env
  OTEL_BATCH_EXPORT_TIMEOUT: ${OTEL_BATCH_EXPORT_TIMEOUT:-10000}
  OTEL_METRIC_EXPORT_TIMEOUT: ${OTEL_METRIC_EXPORT_TIMEOUT:-30000}
  ALLOW_EMBED: ${ALLOW_EMBED:-false}
  QUEUE_MONITOR_THRESHOLD: ${QUEUE_MONITOR_THRESHOLD:-200}
  QUEUE_MONITOR_ALERT_EMAILS: ${QUEUE_MONITOR_ALERT_EMAILS:-}
  QUEUE_MONITOR_INTERVAL: ${QUEUE_MONITOR_INTERVAL:-30}
 services:
  # API service
@ -683,6 +690,10 @@ services:
      ALIYUN_OSS_ACCESS_KEY_SECRET: ${PLUGIN_ALIYUN_OSS_ACCESS_KEY_SECRET:-}
      ALIYUN_OSS_AUTH_VERSION: ${PLUGIN_ALIYUN_OSS_AUTH_VERSION:-v4}
      ALIYUN_OSS_PATH: ${PLUGIN_ALIYUN_OSS_PATH:-}
      VOLCENGINE_TOS_ENDPOINT: ${PLUGIN_VOLCENGINE_TOS_ENDPOINT:-}
      VOLCENGINE_TOS_ACCESS_KEY: ${PLUGIN_VOLCENGINE_TOS_ACCESS_KEY:-}
      VOLCENGINE_TOS_SECRET_KEY: ${PLUGIN_VOLCENGINE_TOS_SECRET_KEY:-}
      VOLCENGINE_TOS_REGION: ${PLUGIN_VOLCENGINE_TOS_REGION:-}
    ports:
      - "${EXPOSE_PLUGIN_DEBUGGING_PORT:-5003}:${PLUGIN_DEBUGGING_PORT:-5003}"
    volumes:
--- a/docker/middleware.env.example
+++ b/docker/middleware.env.example
@ -152,3 +152,8 @@ PLUGIN_ALIYUN_OSS_ACCESS_KEY_ID=
 PLUGIN_ALIYUN_OSS_ACCESS_KEY_SECRET=
 PLUGIN_ALIYUN_OSS_AUTH_VERSION=v4
 PLUGIN_ALIYUN_OSS_PATH=
 # Plugin oss volcengine tos
 PLUGIN_VOLCENGINE_TOS_ENDPOINT=
 PLUGIN_VOLCENGINE_TOS_ACCESS_KEY=
 PLUGIN_VOLCENGINE_TOS_SECRET_KEY=
 PLUGIN_VOLCENGINE_TOS_REGION=
--- a/web/Dockerfile
+++ b/web/Dockerfile
@ -6,7 +6,7 @@ LABEL maintainer="takatost@gmail.com"
 # RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories
 RUN apk add --no-cache tzdata
-RUN npm install -g pnpm@10.8.0
+RUN npm install -g pnpm@10.11.1
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
--- a/web/app/(commonLayout)/apps/AppCard.tsx
+++ b/web/app/(commonLayout)/apps/AppCard.tsx
@ -4,7 +4,7 @@ import { useContext, useContextSelector } from 'use-context-selector'
 import { useRouter } from 'next/navigation'
 import { useCallback, useEffect, useMemo, useState } from 'react'
 import { useTranslation } from 'react-i18next'
-import { RiBuildingLine, RiGlobalLine, RiLockLine, RiMoreFill } from '@remixicon/react'
+import { RiBuildingLine, RiGlobalLine, RiLockLine, RiMoreFill, RiVerifiedBadgeLine } from '@remixicon/react'
 import cn from '@/utils/classnames'
 import type { App } from '@/types/app'
 import Confirm from '@/app/components/base/confirm'
@ -338,7 +338,7 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
          </div>
          <div className='flex h-5 w-5 shrink-0 items-center justify-center'>
            {app.access_mode === AccessMode.PUBLIC && <Tooltip asChild={false} popupContent={t('app.accessItemsDescription.anyone')}>
-              <RiGlobalLine className='h-4 w-4 text-text-accent' />
+              <RiGlobalLine className='h-4 w-4 text-text-quaternary' />
            </Tooltip>}
            {app.access_mode === AccessMode.SPECIFIC_GROUPS_MEMBERS && <Tooltip asChild={false} popupContent={t('app.accessItemsDescription.specific')}>
              <RiLockLine className='h-4 w-4 text-text-quaternary' />
@ -346,6 +346,9 @@ const AppCard = ({ app, onRefresh }: AppCardProps) => {
            {app.access_mode === AccessMode.ORGANIZATION && <Tooltip asChild={false} popupContent={t('app.accessItemsDescription.organization')}>
              <RiBuildingLine className='h-4 w-4 text-text-quaternary' />
            </Tooltip>}
            {app.access_mode === AccessMode.EXTERNAL_MEMBERS && <Tooltip asChild={false} popupContent={t('app.accessItemsDescription.external')}>
              <RiVerifiedBadgeLine className='h-4 w-4 text-text-quaternary' />
            </Tooltip>}
          </div>
        </div>
        <div className='title-wrapper h-[90px] px-[14px] text-xs leading-normal text-text-tertiary'>
--- a/web/app/(commonLayout)/datasets/Container.tsx
+++ b/web/app/(commonLayout)/datasets/Container.tsx
@ -87,7 +87,7 @@ const Container = () => {
  return (
    <div ref={containerRef} className='scroll-container relative flex grow flex-col overflow-y-auto bg-background-body'>
-      <div className='sticky top-0 z-10 flex flex-wrap items-center justify-between gap-y-2 bg-background-body px-12 pb-2 pt-4 leading-[56px]'>
+      <div className='sticky top-0 z-10 flex h-[80px] shrink-0 flex-wrap items-center justify-between gap-y-2 bg-background-body px-12 pb-2 pt-4 leading-[56px]'>
        <TabSliderNew
          value={activeTab}
          onChange={newActiveTab => setActiveTab(newActiveTab)}
--- a/web/app/(commonLayout)/datasets/template/template.ja.mdx
+++ b/web/app/(commonLayout)/datasets/template/template.ja.mdx
@ -192,15 +192,15 @@ import { Row, Col, Properties, Property, Heading, SubProperty, PropertyInstructi
          - original_document_id が渡されない場合、新しい操作が実行され、process_rule が必要です。
        - <code>indexing_technique</code> インデックスモード
-          - <code>high_quality</code> 高品質: 埋め込みモデルを使用してベクトルデータベースインデックスを構築
+          - <code>high_quality</code> 高品質：埋め込みモデルを使用してベクトルデータベースインデックスを構築
-          - <code>economy</code> 経済: キーワードテーブルインデックスの反転インデックスを構築
+          - <code>economy</code> 経済：キーワードテーブルインデックスの反転インデックスを構築
        - <code>doc_form</code> インデックス化された内容の形式
          - <code>text_model</code> テキストドキュメントは直接埋め込まれます; `economy` モードではこの形式がデフォルト
          - <code>hierarchical_model</code> 親子モード
-          - <code>qa_model</code> Q&A モード: 分割されたドキュメントの質問と回答ペアを生成し、質問を埋め込みます
+          - <code>qa_model</code> Q&A モード：分割されたドキュメントの質問と回答ペアを生成し、質問を埋め込みます
-        - <code>doc_language</code> Q&A モードでは、ドキュメントの言語を指定します。例: <code>English</code>, <code>Chinese</code>
+        - <code>doc_language</code> Q&A モードでは、ドキュメントの言語を指定します。例：<code>English</code>, <code>Chinese</code>
        - <code>process_rule</code> 処理ルール
          - <code>mode</code> (string) クリーニング、セグメンテーションモード、自動 / カスタム
@ -214,7 +214,7 @@ import { Row, Col, Properties, Property, Heading, SubProperty, PropertyInstructi
            - <code>segmentation</code> (object) セグメンテーションルール
              - <code>separator</code> カスタムセグメント識別子。現在は 1 つの区切り文字のみ設定可能。デフォルトは \n
              - <code>max_tokens</code> 最大長 (トークン) デフォルトは 1000
-            - <code>parent_mode</code> 親チャンクの検索モード: <code>full-doc</code> 全文検索 / <code>paragraph</code> 段落検索
+            - <code>parent_mode</code> 親チャンクの検索モード：<code>full-doc</code> 全文検索 / <code>paragraph</code> 段落検索
            - <code>subchunk_segmentation</code> (object) 子チャンクルール
              - <code>separator</code> セグメンテーション識別子。現在は 1 つの区切り文字のみ許可。デフォルトは <code>***</code>
              - <code>max_tokens</code> 最大長 (トークン) は親チャンクの長さより短いことを検証する必要があります
@ -324,7 +324,7 @@ import { Row, Col, Properties, Property, Heading, SubProperty, PropertyInstructi
          - <code>partial_members</code> 一部のメンバー
      </Property>
      <Property name='provider' type='string' key='provider'>
-        プロバイダー (オプション、デフォルト: vendor)
+        プロバイダー (オプション、デフォルト：vendor)
          - <code>vendor</code> ベンダー
          - <code>external</code> 外部ナレッジ
      </Property>
--- a/web/app/(commonLayout)/datasets/template/template.zh.mdx
+++ b/web/app/(commonLayout)/datasets/template/template.zh.mdx
@ -2223,7 +2223,7 @@ import { Row, Col, Properties, Property, Heading, SubProperty, PropertyInstructi
        - <code>document_id</code> (string) 文档 ID
        - <code>metadata_list</code> (list) 元数据列表
          - <code>id</code> (string) 元数据 ID
-          - <code>type</code> (string) 元数据类型
+          - <code>value</code> (string) 元数据值
          - <code>name</code> (string) 元数据名称
      </Property>
    </Properties>
--- a/web/app/(shareLayout)/layout.tsx
+++ b/web/app/(shareLayout)/layout.tsx
@ -1,14 +1,42 @@
-import React from 'react'
+'use client'
 import React, { useEffect, useState } from 'react'
 import type { FC } from 'react'
-import type { Metadata } from 'next'
+import { usePathname, useSearchParams } from 'next/navigation'
-
+import Loading from '../components/base/loading'
-export const metadata: Metadata = {
+import { useGlobalPublicStore } from '@/context/global-public-context'
-  icons: 'data:,', // prevent browser from using default favicon
+import { AccessMode } from '@/models/access-control'
-}
+import { getAppAccessModeByAppCode } from '@/service/share'
 const Layout: FC<{
  children: React.ReactNode
 }> = ({ children }) => {
  const isGlobalPending = useGlobalPublicStore(s => s.isGlobalPending)
  const setWebAppAccessMode = useGlobalPublicStore(s => s.setWebAppAccessMode)
  const pathname = usePathname()
  const searchParams = useSearchParams()
  const redirectUrl = searchParams.get('redirect_url')
  const [isLoading, setIsLoading] = useState(true)
  useEffect(() => {
    (async () => {
      let appCode: string | null = null
      if (redirectUrl)
        appCode = redirectUrl?.split('/').pop() || null
      else
        appCode = pathname.split('/').pop() || null
      if (!appCode)
        return
      setIsLoading(true)
      const ret = await getAppAccessModeByAppCode(appCode)
      setWebAppAccessMode(ret?.accessMode || AccessMode.PUBLIC)
      setIsLoading(false)
    })()
  }, [pathname, redirectUrl, setWebAppAccessMode])
  if (isLoading || isGlobalPending) {
    return <div className='flex h-full w-full items-center justify-center'>
      <Loading />
    </div>
  }
  return (
    <div className="h-full min-w-[300px] pb-[env(safe-area-inset-bottom)]">
      {children}
--- a/web/app/(shareLayout)/webapp-reset-password/check-code/page.tsx
+++ b/web/app/(shareLayout)/webapp-reset-password/check-code/page.tsx
@ -0,0 +1,96 @@
 'use client'
 import { RiArrowLeftLine, RiMailSendFill } from '@remixicon/react'
 import { useTranslation } from 'react-i18next'
 import { useState } from 'react'
 import { useRouter, useSearchParams } from 'next/navigation'
 import { useContext } from 'use-context-selector'
 import Countdown from '@/app/components/signin/countdown'
 import Button from '@/app/components/base/button'
 import Input from '@/app/components/base/input'
 import Toast from '@/app/components/base/toast'
 import { sendWebAppResetPasswordCode, verifyWebAppResetPasswordCode } from '@/service/common'
 import I18NContext from '@/context/i18n'
 export default function CheckCode() {
  const { t } = useTranslation()
  const router = useRouter()
  const searchParams = useSearchParams()
  const email = decodeURIComponent(searchParams.get('email') as string)
  const token = decodeURIComponent(searchParams.get('token') as string)
  const [code, setVerifyCode] = useState('')
  const [loading, setIsLoading] = useState(false)
  const { locale } = useContext(I18NContext)
  const verify = async () => {
    try {
      if (!code.trim()) {
        Toast.notify({
          type: 'error',
          message: t('login.checkCode.emptyCode'),
        })
        return
      }
      if (!/\d{6}/.test(code)) {
        Toast.notify({
          type: 'error',
          message: t('login.checkCode.invalidCode'),
        })
        return
      }
      setIsLoading(true)
      const ret = await verifyWebAppResetPasswordCode({ email, code, token })
      if (ret.is_valid) {
        const params = new URLSearchParams(searchParams)
        params.set('token', encodeURIComponent(ret.token))
        router.push(`/webapp-reset-password/set-password?${params.toString()}`)
      }
    }
    catch (error) { console.error(error) }
    finally {
      setIsLoading(false)
    }
  }
  const resendCode = async () => {
    try {
      const res = await sendWebAppResetPasswordCode(email, locale)
      if (res.result === 'success') {
        const params = new URLSearchParams(searchParams)
        params.set('token', encodeURIComponent(res.data))
        router.replace(`/webapp-reset-password/check-code?${params.toString()}`)
      }
    }
    catch (error) { console.error(error) }
  }
  return <div className='flex flex-col gap-3'>
    <div className='inline-flex h-14 w-14 items-center justify-center rounded-2xl border border-components-panel-border-subtle bg-background-default-dodge text-text-accent-light-mode-only shadow-lg'>
      <RiMailSendFill className='h-6 w-6 text-2xl' />
    </div>
    <div className='pb-4 pt-2'>
      <h2 className='title-4xl-semi-bold text-text-primary'>{t('login.checkCode.checkYourEmail')}</h2>
      <p className='body-md-regular mt-2 text-text-secondary'>
        <span dangerouslySetInnerHTML={{ __html: t('login.checkCode.tips', { email }) as string }}></span>
        <br />
        {t('login.checkCode.validTime')}
      </p>
    </div>
    <form action="">
      <input type='text' className='hidden' />
      <label htmlFor="code" className='system-md-semibold mb-1 text-text-secondary'>{t('login.checkCode.verificationCode')}</label>
      <Input value={code} onChange={e => setVerifyCode(e.target.value)} max-length={6} className='mt-1' placeholder={t('login.checkCode.verificationCodePlaceholder') as string} />
      <Button loading={loading} disabled={loading} className='my-3 w-full' variant='primary' onClick={verify}>{t('login.checkCode.verify')}</Button>
      <Countdown onResend={resendCode} />
    </form>
    <div className='py-2'>
      <div className='h-px bg-gradient-to-r from-background-gradient-mask-transparent via-divider-regular to-background-gradient-mask-transparent'></div>
    </div>
    <div onClick={() => router.back()} className='flex h-9 cursor-pointer items-center justify-center text-text-tertiary'>
      <div className='bg-background-default-dimm inline-block rounded-full p-1'>
        <RiArrowLeftLine size={12} />
      </div>
      <span className='system-xs-regular ml-2'>{t('login.back')}</span>
    </div>
  </div>
 }
--- a/web/app/(shareLayout)/webapp-reset-password/layout.tsx
+++ b/web/app/(shareLayout)/webapp-reset-password/layout.tsx
@ -0,0 +1,30 @@
 'use client'
 import Header from '@/app/signin/_header'
 import cn from '@/utils/classnames'
 import { useGlobalPublicStore } from '@/context/global-public-context'
 export default function SignInLayout({ children }: any) {
  const { systemFeatures } = useGlobalPublicStore()
  return <>
    <div className={cn('flex min-h-screen w-full justify-center bg-background-default-burn p-6')}>
      <div className={cn('flex w-full shrink-0 flex-col rounded-2xl border border-effects-highlight bg-background-default-subtle')}>
        <Header />
        <div className={
          cn(
            'flex w-full grow flex-col items-center justify-center',
            'px-6',
            'md:px-[108px]',
          )
        }>
          <div className='flex w-[400px] flex-col'>
            {children}
          </div>
        </div>
        {!systemFeatures.branding.enabled && <div className='system-xs-regular px-8 py-6 text-text-tertiary'>
          © {new Date().getFullYear()} LangGenius, Inc. All rights reserved.
        </div>}
      </div>
    </div>
  </>
 }
--- a/web/app/(shareLayout)/webapp-reset-password/page.tsx
+++ b/web/app/(shareLayout)/webapp-reset-password/page.tsx
@ -0,0 +1,104 @@
 'use client'
 import Link from 'next/link'
 import { RiArrowLeftLine, RiLockPasswordLine } from '@remixicon/react'
 import { useTranslation } from 'react-i18next'
 import { useState } from 'react'
 import { useRouter, useSearchParams } from 'next/navigation'
 import { useContext } from 'use-context-selector'
 import { COUNT_DOWN_KEY, COUNT_DOWN_TIME_MS } from '@/app/components/signin/countdown'
 import { emailRegex } from '@/config'
 import Button from '@/app/components/base/button'
 import Input from '@/app/components/base/input'
 import Toast from '@/app/components/base/toast'
 import { sendResetPasswordCode } from '@/service/common'
 import I18NContext from '@/context/i18n'
 import { noop } from 'lodash-es'
 import useDocumentTitle from '@/hooks/use-document-title'
 export default function CheckCode() {
  const { t } = useTranslation()
  useDocumentTitle('')
  const searchParams = useSearchParams()
  const router = useRouter()
  const [email, setEmail] = useState('')
  const [loading, setIsLoading] = useState(false)
  const { locale } = useContext(I18NContext)
  const handleGetEMailVerificationCode = async () => {
    try {
      if (!email) {
        Toast.notify({ type: 'error', message: t('login.error.emailEmpty') })
        return
      }
      if (!emailRegex.test(email)) {
        Toast.notify({
          type: 'error',
          message: t('login.error.emailInValid'),
        })
        return
      }
      setIsLoading(true)
      const res = await sendResetPasswordCode(email, locale)
      if (res.result === 'success') {
        localStorage.setItem(COUNT_DOWN_KEY, `${COUNT_DOWN_TIME_MS}`)
        const params = new URLSearchParams(searchParams)
        params.set('token', encodeURIComponent(res.data))
        params.set('email', encodeURIComponent(email))
        router.push(`/webapp-reset-password/check-code?${params.toString()}`)
      }
      else if (res.code === 'account_not_found') {
        Toast.notify({
          type: 'error',
          message: t('login.error.registrationNotAllowed'),
        })
      }
      else {
        Toast.notify({
          type: 'error',
          message: res.data,
        })
      }
    }
    catch (error) {
      console.error(error)
    }
    finally {
      setIsLoading(false)
    }
  }
  return <div className='flex flex-col gap-3'>
    <div className='inline-flex h-14 w-14 items-center justify-center rounded-2xl border border-components-panel-border-subtle bg-background-default-dodge shadow-lg'>
      <RiLockPasswordLine className='h-6 w-6 text-2xl text-text-accent-light-mode-only' />
    </div>
    <div className='pb-4 pt-2'>
      <h2 className='title-4xl-semi-bold text-text-primary'>{t('login.resetPassword')}</h2>
      <p className='body-md-regular mt-2 text-text-secondary'>
        {t('login.resetPasswordDesc')}
      </p>
    </div>
    <form onSubmit={noop}>
      <input type='text' className='hidden' />
      <div className='mb-2'>
        <label htmlFor="email" className='system-md-semibold my-2 text-text-secondary'>{t('login.email')}</label>
        <div className='mt-1'>
          <Input id='email' type="email" disabled={loading} value={email} placeholder={t('login.emailPlaceholder') as string} onChange={e => setEmail(e.target.value)} />
        </div>
        <div className='mt-3'>
          <Button loading={loading} disabled={loading} variant='primary' className='w-full' onClick={handleGetEMailVerificationCode}>{t('login.sendVerificationCode')}</Button>
        </div>
      </div>
    </form>
    <div className='py-2'>
      <div className='h-px bg-gradient-to-r from-background-gradient-mask-transparent via-divider-regular to-background-gradient-mask-transparent'></div>
    </div>
    <Link href={`/webapp-signin?${searchParams.toString()}`} className='flex h-9 items-center justify-center text-text-tertiary hover:text-text-primary'>
      <div className='inline-block rounded-full bg-background-default-dimmed p-1'>
        <RiArrowLeftLine size={12} />
      </div>
      <span className='system-xs-regular ml-2'>{t('login.backToLogin')}</span>
    </Link>
  </div>
 }
--- a/web/app/(shareLayout)/webapp-reset-password/set-password/page.tsx
+++ b/web/app/(shareLayout)/webapp-reset-password/set-password/page.tsx
@ -0,0 +1,188 @@
 'use client'
 import { useCallback, useState } from 'react'
 import { useTranslation } from 'react-i18next'
 import { useRouter, useSearchParams } from 'next/navigation'
 import cn from 'classnames'
 import { RiCheckboxCircleFill } from '@remixicon/react'
 import { useCountDown } from 'ahooks'
 import Button from '@/app/components/base/button'
 import { changeWebAppPasswordWithToken } from '@/service/common'
 import Toast from '@/app/components/base/toast'
 import Input from '@/app/components/base/input'
 const validPassword = /^(?=.*[a-zA-Z])(?=.*\d).{8,}$/
 const ChangePasswordForm = () => {
  const { t } = useTranslation()
  const router = useRouter()
  const searchParams = useSearchParams()
  const token = decodeURIComponent(searchParams.get('token') || '')
  const [password, setPassword] = useState('')
  const [confirmPassword, setConfirmPassword] = useState('')
  const [showSuccess, setShowSuccess] = useState(false)
  const [showPassword, setShowPassword] = useState(false)
  const [showConfirmPassword, setShowConfirmPassword] = useState(false)
  const showErrorMessage = useCallback((message: string) => {
    Toast.notify({
      type: 'error',
      message,
    })
  }, [])
  const getSignInUrl = () => {
    return `/webapp-signin?redirect_url=${searchParams.get('redirect_url') || ''}`
  }
  const AUTO_REDIRECT_TIME = 5000
  const [leftTime, setLeftTime] = useState<number | undefined>(undefined)
  const [countdown] = useCountDown({
    leftTime,
    onEnd: () => {
      router.replace(getSignInUrl())
    },
  })
  const valid = useCallback(() => {
    if (!password.trim()) {
      showErrorMessage(t('login.error.passwordEmpty'))
      return false
    }
    if (!validPassword.test(password)) {
      showErrorMessage(t('login.error.passwordInvalid'))
      return false
    }
    if (password !== confirmPassword) {
      showErrorMessage(t('common.account.notEqual'))
      return false
    }
    return true
  }, [password, confirmPassword, showErrorMessage, t])
  const handleChangePassword = useCallback(async () => {
    if (!valid())
      return
    try {
      await changeWebAppPasswordWithToken({
        url: '/forgot-password/resets',
        body: {
          token,
          new_password: password,
          password_confirm: confirmPassword,
        },
      })
      setShowSuccess(true)
      setLeftTime(AUTO_REDIRECT_TIME)
    }
    catch (error) {
      console.error(error)
    }
  }, [password, token, valid, confirmPassword])
  return (
    <div className={
      cn(
        'flex w-full grow flex-col items-center justify-center',
        'px-6',
        'md:px-[108px]',
      )
    }>
      {!showSuccess && (
        <div className='flex flex-col md:w-[400px]'>
          <div className="mx-auto w-full">
            <h2 className="title-4xl-semi-bold text-text-primary">
              {t('login.changePassword')}
            </h2>
            <p className='body-md-regular mt-2 text-text-secondary'>
              {t('login.changePasswordTip')}
            </p>
          </div>
          <div className="mx-auto mt-6 w-full">
            <div className="bg-white">
              {/* Password */}
              <div className='mb-5'>
                <label htmlFor="password" className="system-md-semibold my-2 text-text-secondary">
                  {t('common.account.newPassword')}
                </label>
                <div className='relative mt-1'>
                  <Input
                    id="password" type={showPassword ? 'text' : 'password'}
                    value={password}
                    onChange={e => setPassword(e.target.value)}
                    placeholder={t('login.passwordPlaceholder') || ''}
                  />
                  <div className="absolute inset-y-0 right-0 flex items-center">
                    <Button
                      type="button"
                      variant='ghost'
                      onClick={() => setShowPassword(!showPassword)}
                    >
                      {showPassword ? '👀' : '😝'}
                    </Button>
                  </div>
                </div>
                <div className='body-xs-regular mt-1 text-text-secondary'>{t('login.error.passwordInvalid')}</div>
              </div>
              {/* Confirm Password */}
              <div className='mb-5'>
                <label htmlFor="confirmPassword" className="system-md-semibold my-2 text-text-secondary">
                  {t('common.account.confirmPassword')}
                </label>
                <div className='relative mt-1'>
                  <Input
                    id="confirmPassword"
                    type={showConfirmPassword ? 'text' : 'password'}
                    value={confirmPassword}
                    onChange={e => setConfirmPassword(e.target.value)}
                    placeholder={t('login.confirmPasswordPlaceholder') || ''}
                  />
                  <div className="absolute inset-y-0 right-0 flex items-center">
                    <Button
                      type="button"
                      variant='ghost'
                      onClick={() => setShowConfirmPassword(!showConfirmPassword)}
                    >
                      {showConfirmPassword ? '👀' : '😝'}
                    </Button>
                  </div>
                </div>
              </div>
              <div>
                <Button
                  variant='primary'
                  className='w-full'
                  onClick={handleChangePassword}
                >
                  {t('login.changePasswordBtn')}
                </Button>
              </div>
            </div>
          </div>
        </div>
      )}
      {showSuccess && (
        <div className="flex flex-col md:w-[400px]">
          <div className="mx-auto w-full">
            <div className="mb-3 flex h-14 w-14 items-center justify-center rounded-2xl border border-components-panel-border-subtle font-bold shadow-lg">
              <RiCheckboxCircleFill className='h-6 w-6 text-text-success' />
            </div>
            <h2 className="title-4xl-semi-bold text-text-primary">
              {t('login.passwordChangedTip')}
            </h2>
          </div>
          <div className="mx-auto mt-6 w-full">
            <Button variant='primary' className='w-full' onClick={() => {
              setLeftTime(undefined)
              router.replace(getSignInUrl())
            }}>{t('login.passwordChanged')} ({Math.round(countdown / 1000)}) </Button>
          </div>
        </div>
      )}
    </div>
  )
 }
 export default ChangePasswordForm
--- a/web/app/(shareLayout)/webapp-signin/check-code/page.tsx
+++ b/web/app/(shareLayout)/webapp-signin/check-code/page.tsx
@ -0,0 +1,115 @@
 'use client'
 import { RiArrowLeftLine, RiMailSendFill } from '@remixicon/react'
 import { useTranslation } from 'react-i18next'
 import { useCallback, useState } from 'react'
 import { useRouter, useSearchParams } from 'next/navigation'
 import { useContext } from 'use-context-selector'
 import Countdown from '@/app/components/signin/countdown'
 import Button from '@/app/components/base/button'
 import Input from '@/app/components/base/input'
 import Toast from '@/app/components/base/toast'
 import { sendWebAppEMailLoginCode, webAppEmailLoginWithCode } from '@/service/common'
 import I18NContext from '@/context/i18n'
 import { setAccessToken } from '@/app/components/share/utils'
 import { fetchAccessToken } from '@/service/share'
 export default function CheckCode() {
  const { t } = useTranslation()
  const router = useRouter()
  const searchParams = useSearchParams()
  const email = decodeURIComponent(searchParams.get('email') as string)
  const token = decodeURIComponent(searchParams.get('token') as string)
  const [code, setVerifyCode] = useState('')
  const [loading, setIsLoading] = useState(false)
  const { locale } = useContext(I18NContext)
  const redirectUrl = searchParams.get('redirect_url')
  const getAppCodeFromRedirectUrl = useCallback(() => {
    const appCode = redirectUrl?.split('/').pop()
    if (!appCode)
      return null
    return appCode
  }, [redirectUrl])
  const verify = async () => {
    try {
      const appCode = getAppCodeFromRedirectUrl()
      if (!code.trim()) {
        Toast.notify({
          type: 'error',
          message: t('login.checkCode.emptyCode'),
        })
        return
      }
      if (!/\d{6}/.test(code)) {
        Toast.notify({
          type: 'error',
          message: t('login.checkCode.invalidCode'),
        })
        return
      }
      if (!redirectUrl || !appCode) {
        Toast.notify({
          type: 'error',
          message: t('login.error.redirectUrlMissing'),
        })
        return
      }
      setIsLoading(true)
      const ret = await webAppEmailLoginWithCode({ email, code, token })
      if (ret.result === 'success') {
        localStorage.setItem('webapp_access_token', ret.data.access_token)
        const tokenResp = await fetchAccessToken({ appCode, webAppAccessToken: ret.data.access_token })
        await setAccessToken(appCode, tokenResp.access_token)
        router.replace(redirectUrl)
      }
    }
    catch (error) { console.error(error) }
    finally {
      setIsLoading(false)
    }
  }
  const resendCode = async () => {
    try {
      const ret = await sendWebAppEMailLoginCode(email, locale)
      if (ret.result === 'success') {
        const params = new URLSearchParams(searchParams)
        params.set('token', encodeURIComponent(ret.data))
        router.replace(`/webapp-signin/check-code?${params.toString()}`)
      }
    }
    catch (error) { console.error(error) }
  }
  return <div className='flex w-[400px] flex-col gap-3'>
    <div className='inline-flex h-14 w-14 items-center justify-center rounded-2xl border border-components-panel-border-subtle bg-background-default-dodge shadow-lg'>
      <RiMailSendFill className='h-6 w-6 text-2xl text-text-accent-light-mode-only' />
    </div>
    <div className='pb-4 pt-2'>
      <h2 className='title-4xl-semi-bold text-text-primary'>{t('login.checkCode.checkYourEmail')}</h2>
      <p className='body-md-regular mt-2 text-text-secondary'>
        <span dangerouslySetInnerHTML={{ __html: t('login.checkCode.tips', { email }) as string }}></span>
        <br />
        {t('login.checkCode.validTime')}
      </p>
    </div>
    <form action="">
      <label htmlFor="code" className='system-md-semibold mb-1 text-text-secondary'>{t('login.checkCode.verificationCode')}</label>
      <Input value={code} onChange={e => setVerifyCode(e.target.value)} max-length={6} className='mt-1' placeholder={t('login.checkCode.verificationCodePlaceholder') as string} />
      <Button loading={loading} disabled={loading} className='my-3 w-full' variant='primary' onClick={verify}>{t('login.checkCode.verify')}</Button>
      <Countdown onResend={resendCode} />
    </form>
    <div className='py-2'>
      <div className='h-px bg-gradient-to-r from-background-gradient-mask-transparent via-divider-regular to-background-gradient-mask-transparent'></div>
    </div>
    <div onClick={() => router.back()} className='flex h-9 cursor-pointer items-center justify-center text-text-tertiary'>
      <div className='bg-background-default-dimm inline-block rounded-full p-1'>
        <RiArrowLeftLine size={12} />
      </div>
      <span className='system-xs-regular ml-2'>{t('login.back')}</span>
    </div>
  </div>
 }
--- a/web/app/(shareLayout)/webapp-signin/components/external-member-sso-auth.tsx
+++ b/web/app/(shareLayout)/webapp-signin/components/external-member-sso-auth.tsx
@ -0,0 +1,80 @@
 'use client'
 import { useRouter, useSearchParams } from 'next/navigation'
 import React, { useCallback, useEffect } from 'react'
 import Toast from '@/app/components/base/toast'
 import { fetchWebOAuth2SSOUrl, fetchWebOIDCSSOUrl, fetchWebSAMLSSOUrl } from '@/service/share'
 import { useGlobalPublicStore } from '@/context/global-public-context'
 import { SSOProtocol } from '@/types/feature'
 import Loading from '@/app/components/base/loading'
 import AppUnavailable from '@/app/components/base/app-unavailable'
 const ExternalMemberSSOAuth = () => {
  const systemFeatures = useGlobalPublicStore(s => s.systemFeatures)
  const searchParams = useSearchParams()
  const router = useRouter()
  const redirectUrl = searchParams.get('redirect_url')
  const showErrorToast = (message: string) => {
    Toast.notify({
      type: 'error',
      message,
    })
  }
  const getAppCodeFromRedirectUrl = useCallback(() => {
    const appCode = redirectUrl?.split('/').pop()
    if (!appCode)
      return null
    return appCode
  }, [redirectUrl])
  const handleSSOLogin = useCallback(async () => {
    const appCode = getAppCodeFromRedirectUrl()
    if (!appCode || !redirectUrl) {
      showErrorToast('redirect url or app code is invalid.')
      return
    }
    switch (systemFeatures.webapp_auth.sso_config.protocol) {
      case SSOProtocol.SAML: {
        const samlRes = await fetchWebSAMLSSOUrl(appCode, redirectUrl)
        router.push(samlRes.url)
        break
      }
      case SSOProtocol.OIDC: {
        const oidcRes = await fetchWebOIDCSSOUrl(appCode, redirectUrl)
        router.push(oidcRes.url)
        break
      }
      case SSOProtocol.OAuth2: {
        const oauth2Res = await fetchWebOAuth2SSOUrl(appCode, redirectUrl)
        router.push(oauth2Res.url)
        break
      }
      case '':
        break
      default:
        showErrorToast('SSO protocol is not supported.')
    }
  }, [getAppCodeFromRedirectUrl, redirectUrl, router, systemFeatures.webapp_auth.sso_config.protocol])
  useEffect(() => {
    handleSSOLogin()
  }, [handleSSOLogin])
  if (!systemFeatures.webapp_auth.sso_config.protocol) {
    return <div className="flex h-full items-center justify-center">
      <AppUnavailable code={403} unknownReason='sso protocol is invalid.' />
    </div>
  }
  return (
    <div className="flex h-full items-center justify-center">
      <Loading />
    </div>
  )
 }
 export default React.memo(ExternalMemberSSOAuth)
--- a/web/app/(shareLayout)/webapp-signin/components/mail-and-code-auth.tsx
+++ b/web/app/(shareLayout)/webapp-signin/components/mail-and-code-auth.tsx
@ -0,0 +1,68 @@
 import { useState } from 'react'
 import { useTranslation } from 'react-i18next'
 import { useRouter, useSearchParams } from 'next/navigation'
 import { useContext } from 'use-context-selector'
 import Input from '@/app/components/base/input'
 import Button from '@/app/components/base/button'
 import { emailRegex } from '@/config'
 import Toast from '@/app/components/base/toast'
 import { sendWebAppEMailLoginCode } from '@/service/common'
 import { COUNT_DOWN_KEY, COUNT_DOWN_TIME_MS } from '@/app/components/signin/countdown'
 import I18NContext from '@/context/i18n'
 import { noop } from 'lodash-es'
 export default function MailAndCodeAuth() {
  const { t } = useTranslation()
  const router = useRouter()
  const searchParams = useSearchParams()
  const emailFromLink = decodeURIComponent(searchParams.get('email') || '')
  const [email, setEmail] = useState(emailFromLink)
  const [loading, setIsLoading] = useState(false)
  const { locale } = useContext(I18NContext)
  const handleGetEMailVerificationCode = async () => {
    try {
      if (!email) {
        Toast.notify({ type: 'error', message: t('login.error.emailEmpty') })
        return
      }
      if (!emailRegex.test(email)) {
        Toast.notify({
          type: 'error',
          message: t('login.error.emailInValid'),
        })
        return
      }
      setIsLoading(true)
      const ret = await sendWebAppEMailLoginCode(email, locale)
      if (ret.result === 'success') {
        localStorage.setItem(COUNT_DOWN_KEY, `${COUNT_DOWN_TIME_MS}`)
        const params = new URLSearchParams(searchParams)
        params.set('email', encodeURIComponent(email))
        params.set('token', encodeURIComponent(ret.data))
        router.push(`/webapp-signin/check-code?${params.toString()}`)
      }
    }
    catch (error) {
      console.error(error)
    }
    finally {
      setIsLoading(false)
    }
  }
  return (<form onSubmit={noop}>
    <input type='text' className='hidden' />
    <div className='mb-2'>
      <label htmlFor="email" className='system-md-semibold my-2 text-text-secondary'>{t('login.email')}</label>
      <div className='mt-1'>
        <Input id='email' type="email" value={email} placeholder={t('login.emailPlaceholder') as string} onChange={e => setEmail(e.target.value)} />
      </div>
      <div className='mt-3'>
        <Button loading={loading} disabled={loading || !email} variant='primary' className='w-full' onClick={handleGetEMailVerificationCode}>{t('login.continueWithCode')}</Button>
      </div>
    </div>
  </form>
  )
 }
--- a/web/app/(shareLayout)/webapp-signin/components/mail-and-password-auth.tsx
+++ b/web/app/(shareLayout)/webapp-signin/components/mail-and-password-auth.tsx
@ -0,0 +1,171 @@
 import Link from 'next/link'
 import { useCallback, useState } from 'react'
 import { useTranslation } from 'react-i18next'
 import { useRouter, useSearchParams } from 'next/navigation'
 import { useContext } from 'use-context-selector'
 import Button from '@/app/components/base/button'
 import Toast from '@/app/components/base/toast'
 import { emailRegex } from '@/config'
 import { webAppLogin } from '@/service/common'
 import Input from '@/app/components/base/input'
 import I18NContext from '@/context/i18n'
 import { noop } from 'lodash-es'
 import { setAccessToken } from '@/app/components/share/utils'
 import { fetchAccessToken } from '@/service/share'
 type MailAndPasswordAuthProps = {
  isEmailSetup: boolean
 }
 const passwordRegex = /^(?=.*[a-zA-Z])(?=.*\d).{8,}$/
 export default function MailAndPasswordAuth({ isEmailSetup }: MailAndPasswordAuthProps) {
  const { t } = useTranslation()
  const { locale } = useContext(I18NContext)
  const router = useRouter()
  const searchParams = useSearchParams()
  const [showPassword, setShowPassword] = useState(false)
  const emailFromLink = decodeURIComponent(searchParams.get('email') || '')
  const [email, setEmail] = useState(emailFromLink)
  const [password, setPassword] = useState('')
  const [isLoading, setIsLoading] = useState(false)
  const redirectUrl = searchParams.get('redirect_url')
  const getAppCodeFromRedirectUrl = useCallback(() => {
    const appCode = redirectUrl?.split('/').pop()
    if (!appCode)
      return null
    return appCode
  }, [redirectUrl])
  const handleEmailPasswordLogin = async () => {
    const appCode = getAppCodeFromRedirectUrl()
    if (!email) {
      Toast.notify({ type: 'error', message: t('login.error.emailEmpty') })
      return
    }
    if (!emailRegex.test(email)) {
      Toast.notify({
        type: 'error',
        message: t('login.error.emailInValid'),
      })
      return
    }
    if (!password?.trim()) {
      Toast.notify({ type: 'error', message: t('login.error.passwordEmpty') })
      return
    }
    if (!passwordRegex.test(password)) {
      Toast.notify({
        type: 'error',
        message: t('login.error.passwordInvalid'),
      })
      return
    }
    if (!redirectUrl || !appCode) {
      Toast.notify({
        type: 'error',
        message: t('login.error.redirectUrlMissing'),
      })
      return
    }
    try {
      setIsLoading(true)
      const loginData: Record<string, any> = {
        email,
        password,
        language: locale,
        remember_me: true,
      }
      const res = await webAppLogin({
        url: '/login',
        body: loginData,
      })
      if (res.result === 'success') {
        localStorage.setItem('webapp_access_token', res.data.access_token)
        const tokenResp = await fetchAccessToken({ appCode, webAppAccessToken: res.data.access_token })
        await setAccessToken(appCode, tokenResp.access_token)
        router.replace(redirectUrl)
      }
      else {
        Toast.notify({
          type: 'error',
          message: res.data,
        })
      }
    }
    finally {
      setIsLoading(false)
    }
  }
  return <form onSubmit={noop}>
    <div className='mb-3'>
      <label htmlFor="email" className="system-md-semibold my-2 text-text-secondary">
        {t('login.email')}
      </label>
      <div className="mt-1">
        <Input
          value={email}
          onChange={e => setEmail(e.target.value)}
          id="email"
          type="email"
          autoComplete="email"
          placeholder={t('login.emailPlaceholder') || ''}
          tabIndex={1}
        />
      </div>
    </div>
    <div className='mb-3'>
      <label htmlFor="password" className="my-2 flex items-center justify-between">
        <span className='system-md-semibold text-text-secondary'>{t('login.password')}</span>
        <Link
          href={`/webapp-reset-password?${searchParams.toString()}`}
          className={`system-xs-regular ${isEmailSetup ? 'text-components-button-secondary-accent-text' : 'pointer-events-none text-components-button-secondary-accent-text-disabled'}`}
          tabIndex={isEmailSetup ? 0 : -1}
          aria-disabled={!isEmailSetup}
        >
          {t('login.forget')}
        </Link>
      </label>
      <div className="relative mt-1">
        <Input
          id="password"
          value={password}
          onChange={e => setPassword(e.target.value)}
          onKeyDown={(e) => {
            if (e.key === 'Enter')
              handleEmailPasswordLogin()
          }}
          type={showPassword ? 'text' : 'password'}
          autoComplete="current-password"
          placeholder={t('login.passwordPlaceholder') || ''}
          tabIndex={2}
        />
        <div className="absolute inset-y-0 right-0 flex items-center">
          <Button
            type="button"
            variant='ghost'
            onClick={() => setShowPassword(!showPassword)}
          >
            {showPassword ? '👀' : '😝'}
          </Button>
        </div>
      </div>
    </div>
    <div className='mb-2'>
      <Button
        tabIndex={2}
        variant='primary'
        onClick={handleEmailPasswordLogin}
        disabled={isLoading || !email || !password}
        className="w-full"
      >{t('login.signBtn')}</Button>
    </div>
  </form>
 }
--- a/web/app/(shareLayout)/webapp-signin/components/sso-auth.tsx
+++ b/web/app/(shareLayout)/webapp-signin/components/sso-auth.tsx
@ -0,0 +1,88 @@
 'use client'
 import { useRouter, useSearchParams } from 'next/navigation'
 import type { FC } from 'react'
 import { useCallback } from 'react'
 import { useState } from 'react'
 import { useTranslation } from 'react-i18next'
 import { Lock01 } from '@/app/components/base/icons/src/vender/solid/security'
 import Toast from '@/app/components/base/toast'
 import Button from '@/app/components/base/button'
 import { SSOProtocol } from '@/types/feature'
 import { fetchMembersOAuth2SSOUrl, fetchMembersOIDCSSOUrl, fetchMembersSAMLSSOUrl } from '@/service/share'
 type SSOAuthProps = {
  protocol: SSOProtocol | ''
 }
 const SSOAuth: FC<SSOAuthProps> = ({
  protocol,
 }) => {
  const router = useRouter()
  const { t } = useTranslation()
  const searchParams = useSearchParams()
  const redirectUrl = searchParams.get('redirect_url')
  const getAppCodeFromRedirectUrl = useCallback(() => {
    const appCode = redirectUrl?.split('/').pop()
    if (!appCode)
      return null
    return appCode
  }, [redirectUrl])
  const [isLoading, setIsLoading] = useState(false)
  const handleSSOLogin = () => {
    const appCode = getAppCodeFromRedirectUrl()
    if (!redirectUrl || !appCode) {
      Toast.notify({
        type: 'error',
        message: 'invalid redirect URL or app code',
      })
      return
    }
    setIsLoading(true)
    if (protocol === SSOProtocol.SAML) {
      fetchMembersSAMLSSOUrl(appCode, redirectUrl).then((res) => {
        router.push(res.url)
      }).finally(() => {
        setIsLoading(false)
      })
    }
    else if (protocol === SSOProtocol.OIDC) {
      fetchMembersOIDCSSOUrl(appCode, redirectUrl).then((res) => {
        router.push(res.url)
      }).finally(() => {
        setIsLoading(false)
      })
    }
    else if (protocol === SSOProtocol.OAuth2) {
      fetchMembersOAuth2SSOUrl(appCode, redirectUrl).then((res) => {
        router.push(res.url)
      }).finally(() => {
        setIsLoading(false)
      })
    }
    else {
      Toast.notify({
        type: 'error',
        message: 'invalid SSO protocol',
      })
      setIsLoading(false)
    }
  }
  return (
    <Button
      tabIndex={0}
      onClick={() => { handleSSOLogin() }}
      disabled={isLoading}
      className="w-full"
    >
      <Lock01 className='mr-2 h-5 w-5 text-text-accent-light-mode-only' />
      <span className="truncate">{t('login.withSSO')}</span>
    </Button>
  )
 }
 export default SSOAuth
--- a/web/app/(shareLayout)/webapp-signin/layout.tsx
+++ b/web/app/(shareLayout)/webapp-signin/layout.tsx
@ -0,0 +1,25 @@
 'use client'
 import cn from '@/utils/classnames'
 import { useGlobalPublicStore } from '@/context/global-public-context'
 import useDocumentTitle from '@/hooks/use-document-title'
 export default function SignInLayout({ children }: any) {
  const { systemFeatures } = useGlobalPublicStore()
  useDocumentTitle('')
  return <>
    <div className={cn('flex min-h-screen w-full justify-center bg-background-default-burn p-6')}>
      <div className={cn('flex w-full shrink-0 flex-col rounded-2xl border border-effects-highlight bg-background-default-subtle')}>
        {/* <Header /> */}
        <div className={cn('flex w-full grow flex-col items-center justify-center px-6 md:px-[108px]')}>
          <div className='flex justify-center md:w-[440px] lg:w-[600px]'>
            {children}
          </div>
        </div>
        {systemFeatures.branding.enabled === false && <div className='system-xs-regular px-8 py-6 text-text-tertiary'>
          © {new Date().getFullYear()} LangGenius, Inc. All rights reserved.
        </div>}
      </div>
    </div>
  </>
 }
--- a/web/app/(shareLayout)/webapp-signin/normalForm.tsx
+++ b/web/app/(shareLayout)/webapp-signin/normalForm.tsx
@ -0,0 +1,176 @@
 import React, { useCallback, useEffect, useState } from 'react'
 import { useTranslation } from 'react-i18next'
 import Link from 'next/link'
 import { RiContractLine, RiDoorLockLine, RiErrorWarningFill } from '@remixicon/react'
 import Loading from '@/app/components/base/loading'
 import MailAndCodeAuth from './components/mail-and-code-auth'
 import MailAndPasswordAuth from './components/mail-and-password-auth'
 import SSOAuth from './components/sso-auth'
 import cn from '@/utils/classnames'
 import { LicenseStatus } from '@/types/feature'
 import { IS_CE_EDITION } from '@/config'
 import { useGlobalPublicStore } from '@/context/global-public-context'
 const NormalForm = () => {
  const { t } = useTranslation()
  const [isLoading, setIsLoading] = useState(true)
  const { systemFeatures } = useGlobalPublicStore()
  const [authType, updateAuthType] = useState<'code' | 'password'>('password')
  const [showORLine, setShowORLine] = useState(false)
  const [allMethodsAreDisabled, setAllMethodsAreDisabled] = useState(false)
  const init = useCallback(async () => {
    try {
      setAllMethodsAreDisabled(!systemFeatures.enable_social_oauth_login && !systemFeatures.enable_email_code_login && !systemFeatures.enable_email_password_login && !systemFeatures.sso_enforced_for_signin)
      setShowORLine((systemFeatures.enable_social_oauth_login || systemFeatures.sso_enforced_for_signin) && (systemFeatures.enable_email_code_login || systemFeatures.enable_email_password_login))
      updateAuthType(systemFeatures.enable_email_password_login ? 'password' : 'code')
    }
    catch (error) {
      console.error(error)
      setAllMethodsAreDisabled(true)
    }
    finally { setIsLoading(false) }
  }, [systemFeatures])
  useEffect(() => {
    init()
  }, [init])
  if (isLoading) {
    return <div className={
      cn(
        'flex w-full grow flex-col items-center justify-center',
        'px-6',
        'md:px-[108px]',
      )
    }>
      <Loading type='area' />
    </div>
  }
  if (systemFeatures.license?.status === LicenseStatus.LOST) {
    return <div className='mx-auto mt-8 w-full'>
      <div className='relative'>
        <div className="rounded-lg bg-gradient-to-r from-workflow-workflow-progress-bg-1 to-workflow-workflow-progress-bg-2 p-4">
          <div className='shadows-shadow-lg relative mb-2 flex h-10 w-10 items-center justify-center rounded-xl bg-components-card-bg shadow'>
            <RiContractLine className='h-5 w-5' />
            <RiErrorWarningFill className='absolute -right-1 -top-1 h-4 w-4 text-text-warning-secondary' />
          </div>
          <p className='system-sm-medium text-text-primary'>{t('login.licenseLost')}</p>
          <p className='system-xs-regular mt-1 text-text-tertiary'>{t('login.licenseLostTip')}</p>
        </div>
      </div>
    </div>
  }
  if (systemFeatures.license?.status === LicenseStatus.EXPIRED) {
    return <div className='mx-auto mt-8 w-full'>
      <div className='relative'>
        <div className="rounded-lg bg-gradient-to-r from-workflow-workflow-progress-bg-1 to-workflow-workflow-progress-bg-2 p-4">
          <div className='shadows-shadow-lg relative mb-2 flex h-10 w-10 items-center justify-center rounded-xl bg-components-card-bg shadow'>
            <RiContractLine className='h-5 w-5' />
            <RiErrorWarningFill className='absolute -right-1 -top-1 h-4 w-4 text-text-warning-secondary' />
          </div>
          <p className='system-sm-medium text-text-primary'>{t('login.licenseExpired')}</p>
          <p className='system-xs-regular mt-1 text-text-tertiary'>{t('login.licenseExpiredTip')}</p>
        </div>
      </div>
    </div>
  }
  if (systemFeatures.license?.status === LicenseStatus.INACTIVE) {
    return <div className='mx-auto mt-8 w-full'>
      <div className='relative'>
        <div className="rounded-lg bg-gradient-to-r from-workflow-workflow-progress-bg-1 to-workflow-workflow-progress-bg-2 p-4">
          <div className='shadows-shadow-lg relative mb-2 flex h-10 w-10 items-center justify-center rounded-xl bg-components-card-bg shadow'>
            <RiContractLine className='h-5 w-5' />
            <RiErrorWarningFill className='absolute -right-1 -top-1 h-4 w-4 text-text-warning-secondary' />
          </div>
          <p className='system-sm-medium text-text-primary'>{t('login.licenseInactive')}</p>
          <p className='system-xs-regular mt-1 text-text-tertiary'>{t('login.licenseInactiveTip')}</p>
        </div>
      </div>
    </div>
  }
  return (
    <>
      <div className="mx-auto mt-8 w-full">
        <div className="mx-auto w-full">
          <h2 className="title-4xl-semi-bold text-text-primary">{t('login.pageTitle')}</h2>
          {!systemFeatures.branding.enabled && <p className='body-md-regular mt-2 text-text-tertiary'>{t('login.welcome')}</p>}
        </div>
        <div className="relative">
          <div className="mt-6 flex flex-col gap-3">
            {systemFeatures.sso_enforced_for_signin && <div className='w-full'>
              <SSOAuth protocol={systemFeatures.sso_enforced_for_signin_protocol} />
            </div>}
          </div>
          {showORLine && <div className="relative mt-6">
            <div className="absolute inset-0 flex items-center" aria-hidden="true">
              <div className='h-px w-full bg-gradient-to-r from-background-gradient-mask-transparent via-divider-regular to-background-gradient-mask-transparent'></div>
            </div>
            <div className="relative flex justify-center">
              <span className="system-xs-medium-uppercase px-2 text-text-tertiary">{t('login.or')}</span>
            </div>
          </div>}
          {
            (systemFeatures.enable_email_code_login || systemFeatures.enable_email_password_login) && <>
              {systemFeatures.enable_email_code_login && authType === 'code' && <>
                <MailAndCodeAuth />
                {systemFeatures.enable_email_password_login && <div className='cursor-pointer py-1 text-center' onClick={() => { updateAuthType('password') }}>
                  <span className='system-xs-medium text-components-button-secondary-accent-text'>{t('login.usePassword')}</span>
                </div>}
              </>}
              {systemFeatures.enable_email_password_login && authType === 'password' && <>
                <MailAndPasswordAuth isEmailSetup={systemFeatures.is_email_setup} />
                {systemFeatures.enable_email_code_login && <div className='cursor-pointer py-1 text-center' onClick={() => { updateAuthType('code') }}>
                  <span className='system-xs-medium text-components-button-secondary-accent-text'>{t('login.useVerificationCode')}</span>
                </div>}
              </>}
            </>
          }
          {allMethodsAreDisabled && <>
            <div className="rounded-lg bg-gradient-to-r from-workflow-workflow-progress-bg-1 to-workflow-workflow-progress-bg-2 p-4">
              <div className='shadows-shadow-lg mb-2 flex h-10 w-10 items-center justify-center rounded-xl bg-components-card-bg shadow'>
                <RiDoorLockLine className='h-5 w-5' />
              </div>
              <p className='system-sm-medium text-text-primary'>{t('login.noLoginMethod')}</p>
              <p className='system-xs-regular mt-1 text-text-tertiary'>{t('login.noLoginMethodTip')}</p>
            </div>
            <div className="relative my-2 py-2">
              <div className="absolute inset-0 flex items-center" aria-hidden="true">
                <div className='h-px w-full bg-gradient-to-r from-background-gradient-mask-transparent via-divider-regular to-background-gradient-mask-transparent'></div>
              </div>
            </div>
          </>}
          {!systemFeatures.branding.enabled && <>
            <div className="system-xs-regular mt-2 block w-full text-text-tertiary">
              {t('login.tosDesc')}
              &nbsp;
              <Link
                className='system-xs-medium text-text-secondary hover:underline'
                target='_blank' rel='noopener noreferrer'
                href='https://dify.ai/terms'
              >{t('login.tos')}</Link>
              &nbsp;&&nbsp;
              <Link
                className='system-xs-medium text-text-secondary hover:underline'
                target='_blank' rel='noopener noreferrer'
                href='https://dify.ai/privacy'
              >{t('login.pp')}</Link>
            </div>
            {IS_CE_EDITION && <div className="w-hull system-xs-regular mt-2 block text-text-tertiary">
              {t('login.goToInit')}
              &nbsp;
              <Link
                className='system-xs-medium text-text-secondary hover:underline'
                href='/install'
              >{t('login.setAdminAccount')}</Link>
            </div>}
          </>}
        </div>
      </div>
    </>
  )
 }
 export default NormalForm
--- a/web/app/(shareLayout)/webapp-signin/page.tsx
+++ b/web/app/(shareLayout)/webapp-signin/page.tsx
@ -3,19 +3,20 @@ import { useRouter, useSearchParams } from 'next/navigation'
 import type { FC } from 'react'
 import React, { useCallback, useEffect } from 'react'
 import { useTranslation } from 'react-i18next'
 import { RiDoorLockLine } from '@remixicon/react'
 import cn from '@/utils/classnames'
 import Toast from '@/app/components/base/toast'
-import { fetchWebOAuth2SSOUrl, fetchWebOIDCSSOUrl, fetchWebSAMLSSOUrl } from '@/service/share'
+import { removeAccessToken, setAccessToken } from '@/app/components/share/utils'
 import { setAccessToken } from '@/app/components/share/utils'
 import { useGlobalPublicStore } from '@/context/global-public-context'
 import { SSOProtocol } from '@/types/feature'
 import Loading from '@/app/components/base/loading'
 import AppUnavailable from '@/app/components/base/app-unavailable'
 import NormalForm from './normalForm'
 import { AccessMode } from '@/models/access-control'
 import ExternalMemberSsoAuth from './components/external-member-sso-auth'
 import { fetchAccessToken } from '@/service/share'
 const WebSSOForm: FC = () => {
  const { t } = useTranslation()
  const systemFeatures = useGlobalPublicStore(s => s.systemFeatures)
  const webAppAccessMode = useGlobalPublicStore(s => s.webAppAccessMode)
  const searchParams = useSearchParams()
  const router = useRouter()
@ -23,10 +24,22 @@ const WebSSOForm: FC = () => {
  const tokenFromUrl = searchParams.get('web_sso_token')
  const message = searchParams.get('message')
-  const showErrorToast = (message: string) => {
+  const getSigninUrl = useCallback(() => {
    const params = new URLSearchParams(searchParams)
    params.delete('message')
    return `/webapp-signin?${params.toString()}`
  }, [searchParams])
  const backToHome = useCallback(() => {
    removeAccessToken()
    const url = getSigninUrl()
    router.replace(url)
  }, [getSigninUrl, router])
  const showErrorToast = (msg: string) => {
    Toast.notify({
      type: 'error',
-      message,
+      message: msg,
    })
  }
@ -38,102 +51,73 @@ const WebSSOForm: FC = () => {
    return appCode
  }, [redirectUrl])
-  const processTokenAndRedirect = useCallback(async () => {
+  useEffect(() => {
-    const appCode = getAppCodeFromRedirectUrl()
+    (async () => {
-    if (!appCode || !tokenFromUrl || !redirectUrl) {
+      if (message)
      showErrorToast('redirect url or app code or token is invalid.')
        return
    }
    await setAccessToken(appCode, tokenFromUrl)
    router.push(redirectUrl)
  }, [getAppCodeFromRedirectUrl, redirectUrl, router, tokenFromUrl])
  const handleSSOLogin = useCallback(async () => {
      const appCode = getAppCodeFromRedirectUrl()
-    if (!appCode || !redirectUrl) {
+      if (appCode && tokenFromUrl && redirectUrl) {
-      showErrorToast('redirect url or app code is invalid.')
+        localStorage.setItem('webapp_access_token', tokenFromUrl)
        const tokenResp = await fetchAccessToken({ appCode, webAppAccessToken: tokenFromUrl })
        await setAccessToken(appCode, tokenResp.access_token)
        router.replace(redirectUrl)
        return
      }
-
+      if (appCode && redirectUrl && localStorage.getItem('webapp_access_token')) {
-    switch (systemFeatures.webapp_auth.sso_config.protocol) {
+        const tokenResp = await fetchAccessToken({ appCode, webAppAccessToken: localStorage.getItem('webapp_access_token') })
-      case SSOProtocol.SAML: {
+        await setAccessToken(appCode, tokenResp.access_token)
-        const samlRes = await fetchWebSAMLSSOUrl(appCode, redirectUrl)
+        router.replace(redirectUrl)
        router.push(samlRes.url)
        break
      }
      case SSOProtocol.OIDC: {
        const oidcRes = await fetchWebOIDCSSOUrl(appCode, redirectUrl)
        router.push(oidcRes.url)
        break
      }
      case SSOProtocol.OAuth2: {
        const oauth2Res = await fetchWebOAuth2SSOUrl(appCode, redirectUrl)
        router.push(oauth2Res.url)
        break
      }
-      case '':
+    })()
-        break
+  }, [getAppCodeFromRedirectUrl, redirectUrl, router, tokenFromUrl, message])
      default:
        showErrorToast('SSO protocol is not supported.')
    }
  }, [getAppCodeFromRedirectUrl, redirectUrl, router, systemFeatures.webapp_auth.sso_config.protocol])
  useEffect(() => {
-    const init = async () => {
+    if (webAppAccessMode && webAppAccessMode === AccessMode.PUBLIC && redirectUrl)
-      if (message) {
+      router.replace(redirectUrl)
-        showErrorToast(message)
+  }, [webAppAccessMode, router, redirectUrl])
        return
      }
-      if (!tokenFromUrl) {
+  if (tokenFromUrl) {
-        await handleSSOLogin()
+    return <div className='flex h-full items-center justify-center'>
-        return
+      <Loading />
-      }
+    </div>
      await processTokenAndRedirect()
  }
    init()
  }, [message, processTokenAndRedirect, tokenFromUrl, handleSSOLogin])
  if (tokenFromUrl)
    return <div className='flex h-full items-center justify-center'><Loading /></div>
  if (message) {
    return <div className='flex h-full flex-col items-center justify-center gap-y-4'>
      <AppUnavailable className='h-auto w-auto' code={t('share.common.appUnavailable')} unknownReason={message} />
      <span className='system-sm-regular cursor-pointer text-text-tertiary' onClick={backToHome}>{t('share.login.backToHome')}</span>
    </div>
  }
  if (!redirectUrl) {
    showErrorToast('redirect url is invalid.')
    return <div className='flex h-full items-center justify-center'>
-      <AppUnavailable code={'App Unavailable'} unknownReason={message} />
+      <AppUnavailable code={t('share.common.appUnavailable')} unknownReason='redirect url is invalid.' />
    </div>
  }
-
+  if (webAppAccessMode && webAppAccessMode === AccessMode.PUBLIC) {
-  if (systemFeatures.webapp_auth.enabled) {
+    return <div className='flex h-full items-center justify-center'>
    if (systemFeatures.webapp_auth.allow_sso) {
      return (
        <div className="flex h-full items-center justify-center">
          <div className={cn('flex w-full grow flex-col items-center justify-center', 'px-6', 'md:px-[108px]')}>
      <Loading />
    </div>
        </div>
      )
  }
  if (!systemFeatures.webapp_auth.enabled) {
    return <div className="flex h-full items-center justify-center">
-      <div className="rounded-lg bg-gradient-to-r from-workflow-workflow-progress-bg-1 to-workflow-workflow-progress-bg-2 p-4">
+      <p className='system-xs-regular text-text-tertiary'>{t('login.webapp.disabled')}</p>
        <div className='shadows-shadow-lg mb-2 flex h-10 w-10 items-center justify-center rounded-xl bg-components-card-bg shadow'>
          <RiDoorLockLine className='h-5 w-5' />
        </div>
        <p className='system-sm-medium text-text-primary'>{t('login.webapp.noLoginMethod')}</p>
        <p className='system-xs-regular mt-1 text-text-tertiary'>{t('login.webapp.noLoginMethodTip')}</p>
      </div>
      <div className="relative my-2 py-2">
        <div className="absolute inset-0 flex items-center" aria-hidden="true">
          <div className='h-px w-full bg-gradient-to-r from-background-gradient-mask-transparent via-divider-regular to-background-gradient-mask-transparent'></div>
        </div>
      </div>
    </div>
  }
-  else {
+  if (webAppAccessMode && (webAppAccessMode === AccessMode.ORGANIZATION || webAppAccessMode === AccessMode.SPECIFIC_GROUPS_MEMBERS)) {
-    return <div className="flex h-full items-center justify-center">
+    return <div className='w-full max-w-[400px]'>
-      <p className='system-xs-regular text-text-tertiary'>{t('login.webapp.disabled')}</p>
+      <NormalForm />
    </div>
  }
  if (webAppAccessMode && webAppAccessMode === AccessMode.EXTERNAL_MEMBERS)
    return <ExternalMemberSsoAuth />
  return <div className='flex h-full flex-col items-center justify-center gap-y-4'>
    <AppUnavailable className='h-auto w-auto' isUnknownReason={true} />
    <span className='system-sm-regular cursor-pointer text-text-tertiary' onClick={backToHome}>{t('share.login.backToHome')}</span>
  </div>
 }
 export default React.memo(WebSSOForm)
--- a/web/app/components/app/app-access-control/index.tsx
+++ b/web/app/components/app/app-access-control/index.tsx
@ -1,6 +1,6 @@
 'use client'
-import { Dialog } from '@headlessui/react'
+import { Description as DialogDescription, DialogTitle } from '@headlessui/react'
-import { RiBuildingLine, RiGlobalLine } from '@remixicon/react'
+import { RiBuildingLine, RiGlobalLine, RiVerifiedBadgeLine } from '@remixicon/react'
 import { useTranslation } from 'react-i18next'
 import { useCallback, useEffect } from 'react'
 import Button from '../../base/button'
@ -67,8 +67,8 @@ export default function AccessControl(props: AccessControlProps) {
  return <AccessControlDialog show onClose={onClose}>
    <div className='flex flex-col gap-y-3'>
      <div className='pb-3 pl-6 pr-14 pt-6'>
-        <Dialog.Title className='title-2xl-semi-bold text-text-primary'>{t('app.accessControlDialog.title')}</Dialog.Title>
+        <DialogTitle className='title-2xl-semi-bold text-text-primary'>{t('app.accessControlDialog.title')}</DialogTitle>
-        <Dialog.Description className='system-xs-regular mt-1 text-text-tertiary'>{t('app.accessControlDialog.description')}</Dialog.Description>
+        <DialogDescription className='system-xs-regular mt-1 text-text-tertiary'>{t('app.accessControlDialog.description')}</DialogDescription>
      </div>
      <div className='flex flex-col gap-y-1 px-6 pb-3'>
        <div className='leading-6'>
@ -80,12 +80,20 @@ export default function AccessControl(props: AccessControlProps) {
              <RiBuildingLine className='h-4 w-4 text-text-primary' />
              <p className='system-sm-medium text-text-primary'>{t('app.accessControlDialog.accessItems.organization')}</p>
            </div>
            {!hideTip && <WebAppSSONotEnabledTip />}
          </div>
        </AccessControlItem>
        <AccessControlItem type={AccessMode.SPECIFIC_GROUPS_MEMBERS}>
          <SpecificGroupsOrMembers />
        </AccessControlItem>
        <AccessControlItem type={AccessMode.EXTERNAL_MEMBERS}>
          <div className='flex items-center p-3'>
            <div className='flex grow items-center gap-x-2'>
              <RiVerifiedBadgeLine className='h-4 w-4 text-text-primary' />
              <p className='system-sm-medium text-text-primary'>{t('app.accessControlDialog.accessItems.external')}</p>
            </div>
            {!hideTip && <WebAppSSONotEnabledTip />}
          </div>
        </AccessControlItem>
        <AccessControlItem type={AccessMode.PUBLIC}>
          <div className='flex items-center gap-x-2 p-3'>
            <RiGlobalLine className='h-4 w-4 text-text-primary' />
--- a/web/app/components/app/app-access-control/specific-groups-or-members.tsx
+++ b/web/app/components/app/app-access-control/specific-groups-or-members.tsx
@ -3,12 +3,10 @@ import { RiAlertFill, RiCloseCircleFill, RiLockLine, RiOrganizationChart } from
 import { useTranslation } from 'react-i18next'
 import { useCallback, useEffect } from 'react'
 import Avatar from '../../base/avatar'
 import Divider from '../../base/divider'
 import Tooltip from '../../base/tooltip'
 import Loading from '../../base/loading'
 import useAccessControlStore from '../../../../context/access-control-store'
 import AddMemberOrGroupDialog from './add-member-or-group-pop'
 import { useGlobalPublicStore } from '@/context/global-public-context'
 import type { AccessControlAccount, AccessControlGroup } from '@/models/access-control'
 import { AccessMode } from '@/models/access-control'
 import { useAppWhiteListSubjects } from '@/service/access-control'
@ -19,11 +17,6 @@ export default function SpecificGroupsOrMembers() {
  const setSpecificGroups = useAccessControlStore(s => s.setSpecificGroups)
  const setSpecificMembers = useAccessControlStore(s => s.setSpecificMembers)
  const { t } = useTranslation()
  const systemFeatures = useGlobalPublicStore(s => s.systemFeatures)
  const hideTip = systemFeatures.webapp_auth.enabled
    && (systemFeatures.webapp_auth.allow_sso
      || systemFeatures.webapp_auth.allow_email_password_login
      || systemFeatures.webapp_auth.allow_email_code_login)
  const { isPending, data } = useAppWhiteListSubjects(appId, Boolean(appId) && currentMenu === AccessMode.SPECIFIC_GROUPS_MEMBERS)
  useEffect(() => {
@ -37,7 +30,6 @@ export default function SpecificGroupsOrMembers() {
        <RiLockLine className='h-4 w-4 text-text-primary' />
        <p className='system-sm-medium text-text-primary'>{t('app.accessControlDialog.accessItems.specific')}</p>
      </div>
      {!hideTip && <WebAppSSONotEnabledTip />}
    </div>
  }
@ -48,10 +40,6 @@ export default function SpecificGroupsOrMembers() {
        <p className='system-sm-medium text-text-primary'>{t('app.accessControlDialog.accessItems.specific')}</p>
      </div>
      <div className='flex items-center gap-x-1'>
        {!hideTip && <>
          <WebAppSSONotEnabledTip />
          <Divider className='ml-2 mr-0 h-[14px]' type="vertical" />
        </>}
        <AddMemberOrGroupDialog />
      </div>
    </div>
--- a/web/app/components/app/app-publisher/index.tsx
+++ b/web/app/components/app/app-publisher/index.tsx
@ -9,11 +9,14 @@ import dayjs from 'dayjs'
 import {
  RiArrowDownSLine,
  RiArrowRightSLine,
  RiBuildingLine,
  RiGlobalLine,
  RiLockLine,
  RiPlanetLine,
  RiPlayCircleLine,
  RiPlayList2Line,
  RiTerminalBoxLine,
  RiVerifiedBadgeLine,
 } from '@remixicon/react'
 import { useKeyPress } from 'ahooks'
 import { getKeyboardKeyCodeBySystem } from '../../workflow/utils'
@ -276,10 +279,30 @@ const AppPublisher = ({
                      setShowAppAccessControl(true)
                    }}>
                    <div className='flex grow items-center gap-x-1.5 pr-1'>
                      {appDetail?.access_mode === AccessMode.ORGANIZATION
                        && <>
                          <RiBuildingLine className='h-4 w-4 shrink-0 text-text-secondary' />
                          <p className='system-sm-medium text-text-secondary'>{t('app.accessControlDialog.accessItems.organization')}</p>
                        </>
                      }
                      {appDetail?.access_mode === AccessMode.SPECIFIC_GROUPS_MEMBERS
                        && <>
                          <RiLockLine className='h-4 w-4 shrink-0 text-text-secondary' />
-                      {appDetail?.access_mode === AccessMode.ORGANIZATION && <p className='system-sm-medium text-text-secondary'>{t('app.accessControlDialog.accessItems.organization')}</p>}
+                          <p className='system-sm-medium text-text-secondary'>{t('app.accessControlDialog.accessItems.specific')}</p>
-                      {appDetail?.access_mode === AccessMode.SPECIFIC_GROUPS_MEMBERS && <p className='system-sm-medium text-text-secondary'>{t('app.accessControlDialog.accessItems.specific')}</p>}
+                        </>
-                      {appDetail?.access_mode === AccessMode.PUBLIC && <p className='system-sm-medium text-text-secondary'>{t('app.accessControlDialog.accessItems.anyone')}</p>}
+                      }
                      {appDetail?.access_mode === AccessMode.PUBLIC
                        && <>
                          <RiGlobalLine className='h-4 w-4 shrink-0 text-text-secondary' />
                          <p className='system-sm-medium text-text-secondary'>{t('app.accessControlDialog.accessItems.anyone')}</p>
                        </>
                      }
                      {appDetail?.access_mode === AccessMode.EXTERNAL_MEMBERS
                        && <>
                          <RiVerifiedBadgeLine className='h-4 w-4 shrink-0 text-text-secondary' />
                          <p className='system-sm-medium text-text-secondary'>{t('app.accessControlDialog.accessItems.external')}</p>
                        </>
                      }
                    </div>
                    {!isAppAccessSet && <p className='system-xs-regular shrink-0 text-text-tertiary'>{t('app.publishApp.notSet')}</p>}
                    <div className='flex h-4 w-4 shrink-0 items-center justify-center'>
--- a/web/app/components/app/overview/appCard.tsx
+++ b/web/app/components/app/overview/appCard.tsx
@ -5,10 +5,13 @@ import { useTranslation } from 'react-i18next'
 import {
  RiArrowRightSLine,
  RiBookOpenLine,
  RiBuildingLine,
  RiEqualizer2Line,
  RiExternalLinkLine,
  RiGlobalLine,
  RiLockLine,
  RiPaintBrushLine,
  RiVerifiedBadgeLine,
  RiWindowLine,
 } from '@remixicon/react'
 import SettingsModal from './settings'
@ -248,11 +251,30 @@ function AppCard({
            <div className='flex h-9 w-full cursor-pointer items-center gap-x-0.5  rounded-lg bg-components-input-bg-normal py-1 pl-2.5 pr-2'
              onClick={handleClickAccessControl}>
              <div className='flex grow items-center gap-x-1.5 pr-1'>
                {appDetail?.access_mode === AccessMode.ORGANIZATION
                  && <>
                    <RiBuildingLine className='h-4 w-4 shrink-0 text-text-secondary' />
                    <p className='system-sm-medium text-text-secondary'>{t('app.accessControlDialog.accessItems.organization')}</p>
                  </>
                }
                {appDetail?.access_mode === AccessMode.SPECIFIC_GROUPS_MEMBERS
                  && <>
                    <RiLockLine className='h-4 w-4 shrink-0 text-text-secondary' />
-                {appDetail?.access_mode === AccessMode.ORGANIZATION && <p className='system-sm-medium text-text-secondary'>{t('app.accessControlDialog.accessItems.organization')}</p>}
+                    <p className='system-sm-medium text-text-secondary'>{t('app.accessControlDialog.accessItems.specific')}</p>
-                {appDetail?.access_mode === AccessMode.SPECIFIC_GROUPS_MEMBERS && <p className='system-sm-medium text-text-secondary'>{t('app.accessControlDialog.accessItems.specific')}</p>}
+                  </>
-                {appDetail?.access_mode === AccessMode.PUBLIC && <p className='system-sm-medium text-text-secondary'>{t('app.accessControlDialog.accessItems.anyone')}</p>}
+                }
-              </div>
+                {appDetail?.access_mode === AccessMode.PUBLIC
                  && <>
                    <RiGlobalLine className='h-4 w-4 shrink-0 text-text-secondary' />
                    <p className='system-sm-medium text-text-secondary'>{t('app.accessControlDialog.accessItems.anyone')}</p>
                  </>
                }
                {appDetail?.access_mode === AccessMode.EXTERNAL_MEMBERS
                  && <>
                    <RiVerifiedBadgeLine className='h-4 w-4 shrink-0 text-text-secondary' />
                    <p className='system-sm-medium text-text-secondary'>{t('app.accessControlDialog.accessItems.external')}</p>
                  </>
                }</div>
              {!isAppAccessSet && <p className='system-xs-regular shrink-0 text-text-tertiary'>{t('app.publishApp.notSet')}</p>}
              <div className='flex h-4 w-4 shrink-0 items-center justify-center'>
                <RiArrowRightSLine className='h-4 w-4 text-text-quaternary' />
--- a/web/app/components/base/app-unavailable.tsx
+++ b/web/app/components/base/app-unavailable.tsx
@ -1,4 +1,5 @@
 'use client'
 import classNames from '@/utils/classnames'
 import type { FC } from 'react'
 import React from 'react'
 import { useTranslation } from 'react-i18next'
@ -7,17 +8,19 @@ type IAppUnavailableProps = {
  code?: number | string
  isUnknownReason?: boolean
  unknownReason?: string
  className?: string
 }
 const AppUnavailable: FC<IAppUnavailableProps> = ({
  code = 404,
  isUnknownReason,
  unknownReason,
  className,
 }) => {
  const { t } = useTranslation()
  return (
-    <div className='flex h-screen w-screen items-center justify-center'>
+    <div className={classNames('flex h-screen w-screen items-center justify-center', className)}>
      <h1 className='mr-5 h-[50px] pr-5 text-[24px] font-medium leading-[50px]'
        style={{
          borderRight: '1px solid rgba(0,0,0,.3)',
--- a/web/app/components/base/chat/chat-with-history/context.tsx
+++ b/web/app/components/base/chat/chat-with-history/context.tsx
@ -16,14 +16,12 @@ import type {
  ConversationItem,
 } from '@/models/share'
 import { noop } from 'lodash-es'
 import { AccessMode } from '@/models/access-control'
 export type ChatWithHistoryContextValue = {
  appInfoError?: any
  appInfoLoading?: boolean
  appMeta?: AppMeta
  appData?: AppData
  accessMode?: AccessMode
  userCanAccess?: boolean
  appParams?: ChatConfig
  appChatListDataLoading?: boolean
@ -64,7 +62,6 @@ export type ChatWithHistoryContextValue = {
 }
 export const ChatWithHistoryContext = createContext<ChatWithHistoryContextValue>({
  accessMode: AccessMode.SPECIFIC_GROUPS_MEMBERS,
  userCanAccess: false,
  currentConversationId: '',
  appPrevChatTree: [],
--- a/web/app/components/base/chat/chat-with-history/hooks.tsx
+++ b/web/app/components/base/chat/chat-with-history/hooks.tsx
@ -16,7 +16,7 @@ import type {
  Feedback,
 } from '../types'
 import { CONVERSATION_ID_INFO } from '../constants'
-import { buildChatItemTree, getProcessedSystemVariablesFromUrlParams } from '../utils'
+import { buildChatItemTree, getProcessedSystemVariablesFromUrlParams, getRawInputsFromUrlParams } from '../utils'
 import { addFileInfos, sortAgentSorts } from '../../../tools/utils'
 import { getProcessedFilesFromResponse } from '@/app/components/base/file-uploader/utils'
 import {
@ -43,9 +43,8 @@ import { useAppFavicon } from '@/hooks/use-app-favicon'
 import { InputVarType } from '@/app/components/workflow/types'
 import { TransferMethod } from '@/types/app'
 import { noop } from 'lodash-es'
-import { useGetAppAccessMode, useGetUserCanAccessApp } from '@/service/access-control'
+import { useGetUserCanAccessApp } from '@/service/access-control'
 import { useGlobalPublicStore } from '@/context/global-public-context'
 import { AccessMode } from '@/models/access-control'
 function getFormattedChatList(messages: any[]) {
  const newChatList: ChatItem[] = []
@ -77,11 +76,6 @@ export const useChatWithHistory = (installedAppInfo?: InstalledApp) => {
  const isInstalledApp = useMemo(() => !!installedAppInfo, [installedAppInfo])
  const systemFeatures = useGlobalPublicStore(s => s.systemFeatures)
  const { data: appInfo, isLoading: appInfoLoading, error: appInfoError } = useSWR(installedAppInfo ? null : 'appInfo', fetchAppInfo)
  const { isPending: isGettingAccessMode, data: appAccessMode } = useGetAppAccessMode({
    appId: installedAppInfo?.app.id || appInfo?.app_id,
    isInstalledApp,
    enabled: systemFeatures.webapp_auth.enabled,
  })
  const { isPending: isCheckingPermission, data: userCanAccessResult } = useGetUserCanAccessApp({
    appId: installedAppInfo?.app.id || appInfo?.app_id,
    isInstalledApp,
@ -195,6 +189,7 @@ export const useChatWithHistory = (installedAppInfo?: InstalledApp) => {
  const { t } = useTranslation()
  const newConversationInputsRef = useRef<Record<string, any>>({})
  const [newConversationInputs, setNewConversationInputs] = useState<Record<string, any>>({})
  const [initInputs, setInitInputs] = useState<Record<string, any>>({})
  const handleNewConversationInputsChange = useCallback((newInputs: Record<string, any>) => {
    newConversationInputsRef.current = newInputs
    setNewConversationInputs(newInputs)
@ -202,20 +197,29 @@ export const useChatWithHistory = (installedAppInfo?: InstalledApp) => {
  const inputsForms = useMemo(() => {
    return (appParams?.user_input_form || []).filter((item: any) => !item.external_data_tool).map((item: any) => {
      if (item.paragraph) {
        let value = initInputs[item.paragraph.variable]
        if (value && item.paragraph.max_length && value.length > item.paragraph.max_length)
          value = value.slice(0, item.paragraph.max_length)
        return {
          ...item.paragraph,
          default: value || item.default,
          type: 'paragraph',
        }
      }
      if (item.number) {
        const convertedNumber = Number(initInputs[item.number.variable]) ?? undefined
        return {
          ...item.number,
          default: convertedNumber || item.default,
          type: 'number',
        }
      }
      if (item.select) {
        const isInputInOptions = item.select.options.includes(initInputs[item.select.variable])
        return {
          ...item.select,
          default: (isInputInOptions ? initInputs[item.select.variable] : undefined) || item.default,
          type: 'select',
        }
      }
@ -234,17 +238,30 @@ export const useChatWithHistory = (installedAppInfo?: InstalledApp) => {
        }
      }
      let value = initInputs[item['text-input'].variable]
      if (value && item['text-input'].max_length && value.length > item['text-input'].max_length)
        value = value.slice(0, item['text-input'].max_length)
      return {
        ...item['text-input'],
        default: value || item.default,
        type: 'text-input',
      }
    })
-  }, [appParams])
+  }, [initInputs, appParams])
  const allInputsHidden = useMemo(() => {
    return inputsForms.length > 0 && inputsForms.every(item => item.hide === true)
  }, [inputsForms])
  useEffect(() => {
    // init inputs from url params
    (async () => {
      const inputs = await getRawInputsFromUrlParams()
      setInitInputs(inputs)
    })()
  }, [])
  useEffect(() => {
    const conversationInputs: Record<string, any> = {}
@ -362,11 +379,11 @@ export const useChatWithHistory = (installedAppInfo?: InstalledApp) => {
    if (conversationId)
      setClearChatList(false)
  }, [handleConversationIdInfoChange, setClearChatList])
-  const handleNewConversation = useCallback(() => {
+  const handleNewConversation = useCallback(async () => {
    currentChatInstanceRef.current.handleStop()
    setShowNewConversationItemInList(true)
    handleChangeConversation('')
-    handleNewConversationInputsChange({})
+    handleNewConversationInputsChange(await getRawInputsFromUrlParams())
    setClearChatList(true)
  }, [handleChangeConversation, setShowNewConversationItemInList, handleNewConversationInputsChange, setClearChatList])
  const handleUpdateConversationList = useCallback(() => {
@ -469,8 +486,7 @@ export const useChatWithHistory = (installedAppInfo?: InstalledApp) => {
  return {
    appInfoError,
-    appInfoLoading: appInfoLoading || (systemFeatures.webapp_auth.enabled && (isGettingAccessMode || isCheckingPermission)),
+    appInfoLoading: appInfoLoading || (systemFeatures.webapp_auth.enabled && isCheckingPermission),
    accessMode: systemFeatures.webapp_auth.enabled ? appAccessMode?.accessMode : AccessMode.PUBLIC,
    userCanAccess: systemFeatures.webapp_auth.enabled ? userCanAccessResult?.result : true,
    isInstalledApp,
    appId,
--- a/web/app/components/base/chat/chat-with-history/index.tsx
+++ b/web/app/components/base/chat/chat-with-history/index.tsx
@ -124,7 +124,6 @@ const ChatWithHistoryWrap: FC<ChatWithHistoryWrapProps> = ({
  const {
    appInfoError,
    appInfoLoading,
    accessMode,
    userCanAccess,
    appData,
    appParams,
@ -169,7 +168,6 @@ const ChatWithHistoryWrap: FC<ChatWithHistoryWrapProps> = ({
      appInfoError,
      appInfoLoading,
      appData,
      accessMode,
      userCanAccess,
      appParams,
      appMeta,
--- a/web/app/components/base/chat/chat-with-history/sidebar/index.tsx
+++ b/web/app/components/base/chat/chat-with-history/sidebar/index.tsx
@ -19,7 +19,6 @@ import RenameModal from '@/app/components/base/chat/chat-with-history/sidebar/re
 import DifyLogo from '@/app/components/base/logo/dify-logo'
 import type { ConversationItem } from '@/models/share'
 import cn from '@/utils/classnames'
 import { AccessMode } from '@/models/access-control'
 import { useGlobalPublicStore } from '@/context/global-public-context'
 type Props = {
@ -30,7 +29,6 @@ const Sidebar = ({ isPanel }: Props) => {
  const { t } = useTranslation()
  const {
    isInstalledApp,
    accessMode,
    appData,
    handleNewConversation,
    pinnedConversationList,
@ -140,7 +138,7 @@ const Sidebar = ({ isPanel }: Props) => {
        )}
      </div>
      <div className='flex shrink-0 items-center justify-between p-3'>
-        <MenuDropdown hideLogout={isInstalledApp || accessMode === AccessMode.PUBLIC} placement='top-start' data={appData?.site} />
+        <MenuDropdown hideLogout={isInstalledApp} placement='top-start' data={appData?.site} />
        {/* powered by */}
        <div className='shrink-0'>
          {!appData?.custom_config?.remove_webapp_brand && (
--- a/web/app/components/base/chat/chat/hooks.ts
+++ b/web/app/components/base/chat/chat/hooks.ts
@ -366,8 +366,9 @@ export const useChat = (
            if (!newResponseItem)
              return
            const isUseAgentThought = newResponseItem.agent_thoughts?.length > 0
            updateChatTreeNode(responseItem.id, {
-              content: newResponseItem.answer,
+              content: isUseAgentThought ? '' : newResponseItem.answer,
              log: [
                ...newResponseItem.message,
                ...(newResponseItem.message[newResponseItem.message.length - 1].role !== 'assistant'
--- a/web/app/components/base/chat/embedded-chatbot/context.tsx
+++ b/web/app/components/base/chat/embedded-chatbot/context.tsx
@ -15,10 +15,8 @@ import type {
  ConversationItem,
 } from '@/models/share'
 import { noop } from 'lodash-es'
 import { AccessMode } from '@/models/access-control'
 export type EmbeddedChatbotContextValue = {
  accessMode?: AccessMode
  userCanAccess?: boolean
  appInfoError?: any
  appInfoLoading?: boolean
@ -58,7 +56,6 @@ export type EmbeddedChatbotContextValue = {
 export const EmbeddedChatbotContext = createContext<EmbeddedChatbotContextValue>({
  userCanAccess: false,
  accessMode: AccessMode.SPECIFIC_GROUPS_MEMBERS,
  currentConversationId: '',
  appPrevChatList: [],
  pinnedConversationList: [],
--- a/web/app/components/base/chat/embedded-chatbot/hooks.tsx
+++ b/web/app/components/base/chat/embedded-chatbot/hooks.tsx
@ -36,9 +36,8 @@ import { InputVarType } from '@/app/components/workflow/types'
 import { TransferMethod } from '@/types/app'
 import { addFileInfos, sortAgentSorts } from '@/app/components/tools/utils'
 import { noop } from 'lodash-es'
-import { useGetAppAccessMode, useGetUserCanAccessApp } from '@/service/access-control'
+import { useGetUserCanAccessApp } from '@/service/access-control'
 import { useGlobalPublicStore } from '@/context/global-public-context'
 import { AccessMode } from '@/models/access-control'
 function getFormattedChatList(messages: any[]) {
  const newChatList: ChatItem[] = []
@ -70,11 +69,6 @@ export const useEmbeddedChatbot = () => {
  const isInstalledApp = false
  const systemFeatures = useGlobalPublicStore(s => s.systemFeatures)
  const { data: appInfo, isLoading: appInfoLoading, error: appInfoError } = useSWR('appInfo', fetchAppInfo)
  const { isPending: isGettingAccessMode, data: appAccessMode } = useGetAppAccessMode({
    appId: appInfo?.app_id,
    isInstalledApp,
    enabled: systemFeatures.webapp_auth.enabled,
  })
  const { isPending: isCheckingPermission, data: userCanAccessResult } = useGetUserCanAccessApp({
    appId: appInfo?.app_id,
    isInstalledApp,
@ -385,8 +379,7 @@ export const useEmbeddedChatbot = () => {
  return {
    appInfoError,
-    appInfoLoading: appInfoLoading || (systemFeatures.webapp_auth.enabled && (isGettingAccessMode || isCheckingPermission)),
+    appInfoLoading: appInfoLoading || (systemFeatures.webapp_auth.enabled && isCheckingPermission),
    accessMode: systemFeatures.webapp_auth.enabled ? appAccessMode?.accessMode : AccessMode.PUBLIC,
    userCanAccess: systemFeatures.webapp_auth.enabled ? userCanAccessResult?.result : true,
    isInstalledApp,
    allowResetChat,
--- a/web/app/components/base/chat/utils.ts
+++ b/web/app/components/base/chat/utils.ts
@ -15,6 +15,17 @@ async function decodeBase64AndDecompress(base64String: string) {
  }
 }
 async function getRawInputsFromUrlParams(): Promise<Record<string, any>> {
  const urlParams = new URLSearchParams(window.location.search)
  const inputs: Record<string, any> = {}
  const entriesArray = Array.from(urlParams.entries())
  entriesArray.forEach(([key, value]) => {
    if (!key.startsWith('sys.'))
      inputs[key] = decodeURIComponent(value)
  })
  return inputs
 }
 async function getProcessedInputsFromUrlParams(): Promise<Record<string, any>> {
  const urlParams = new URLSearchParams(window.location.search)
  const inputs: Record<string, any> = {}
@ -184,6 +195,7 @@ function getThreadMessages(tree: ChatItemInTree[], targetMessageId?: string): Ch
 }
 export {
  getRawInputsFromUrlParams,
  getProcessedInputsFromUrlParams,
  getProcessedSystemVariablesFromUrlParams,
  isValidGeneratedAnswer,
--- a/web/app/components/base/file-uploader/hooks.ts
+++ b/web/app/components/base/file-uploader/hooks.ts
@ -231,7 +231,7 @@ export const useFile = (fileConfig: FileUpload) => {
        url: res.url,
      }
      if (!isAllowedFileExtension(res.name, res.mime_type, fileConfig.allowed_file_types || [], fileConfig.allowed_file_extensions || [])) {
-        notify({ type: 'error', message: t('common.fileUploader.fileExtensionNotSupport') })
+        notify({ type: 'error', message: `${t('common.fileUploader.fileExtensionNotSupport')} ${file.type}` })
        handleRemoveFile(uploadingFile.id)
      }
      if (!checkSizeLimit(newFile.supportFileType, newFile.size))
@ -257,7 +257,7 @@ export const useFile = (fileConfig: FileUpload) => {
  const handleLocalFileUpload = useCallback((file: File) => {
    if (!isAllowedFileExtension(file.name, file.type, fileConfig.allowed_file_types || [], fileConfig.allowed_file_extensions || [])) {
-      notify({ type: 'error', message: t('common.fileUploader.fileExtensionNotSupport') })
+      notify({ type: 'error', message: `${t('common.fileUploader.fileExtensionNotSupport')} ${file.type}` })
      return
    }
    const allowedFileTypes = fileConfig.allowed_file_types
--- a/web/app/components/base/file-uploader/utils.spec.ts
+++ b/web/app/components/base/file-uploader/utils.spec.ts
@ -22,7 +22,7 @@ import { FILE_EXTS } from '../prompt-editor/constants'
 jest.mock('mime', () => ({
  __esModule: true,
  default: {
-    getExtension: jest.fn(),
+    getAllExtensions: jest.fn(),
  },
 }))
@ -58,12 +58,27 @@ describe('file-uploader utils', () => {
  describe('getFileExtension', () => {
    it('should get extension from mimetype', () => {
-      jest.mocked(mime.getExtension).mockReturnValue('pdf')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['pdf']))
      expect(getFileExtension('file', 'application/pdf')).toBe('pdf')
    })
    it('should get extension from mimetype and file name 1', () => {
      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['pdf']))
      expect(getFileExtension('file.pdf', 'application/pdf')).toBe('pdf')
    })
    it('should get extension from mimetype with multiple ext candidates with filename hint', () => {
      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['der', 'crt', 'pem']))
      expect(getFileExtension('file.pem', 'application/x-x509-ca-cert')).toBe('pem')
    })
    it('should get extension from mimetype with multiple ext candidates without filename hint', () => {
      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['der', 'crt', 'pem']))
      expect(getFileExtension('file', 'application/x-x509-ca-cert')).toBe('der')
    })
    it('should get extension from filename if mimetype fails', () => {
-      jest.mocked(mime.getExtension).mockReturnValue(null)
+      jest.mocked(mime.getAllExtensions).mockReturnValue(null)
      expect(getFileExtension('file.txt', '')).toBe('txt')
      expect(getFileExtension('file.txt.docx', '')).toBe('docx')
      expect(getFileExtension('file', '')).toBe('')
@ -76,157 +91,157 @@ describe('file-uploader utils', () => {
  describe('getFileAppearanceType', () => {
    it('should identify gif files', () => {
-      jest.mocked(mime.getExtension).mockReturnValue('gif')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['gif']))
      expect(getFileAppearanceType('image.gif', 'image/gif'))
        .toBe(FileAppearanceTypeEnum.gif)
    })
    it('should identify image files', () => {
-      jest.mocked(mime.getExtension).mockReturnValue('jpg')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['jpg']))
      expect(getFileAppearanceType('image.jpg', 'image/jpeg'))
        .toBe(FileAppearanceTypeEnum.image)
-      jest.mocked(mime.getExtension).mockReturnValue('jpeg')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['jpeg']))
      expect(getFileAppearanceType('image.jpeg', 'image/jpeg'))
        .toBe(FileAppearanceTypeEnum.image)
-      jest.mocked(mime.getExtension).mockReturnValue('png')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['png']))
      expect(getFileAppearanceType('image.png', 'image/png'))
        .toBe(FileAppearanceTypeEnum.image)
-      jest.mocked(mime.getExtension).mockReturnValue('webp')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['webp']))
      expect(getFileAppearanceType('image.webp', 'image/webp'))
        .toBe(FileAppearanceTypeEnum.image)
-      jest.mocked(mime.getExtension).mockReturnValue('svg')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['svg']))
      expect(getFileAppearanceType('image.svg', 'image/svgxml'))
        .toBe(FileAppearanceTypeEnum.image)
    })
    it('should identify video files', () => {
-      jest.mocked(mime.getExtension).mockReturnValue('mp4')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['mp4']))
      expect(getFileAppearanceType('video.mp4', 'video/mp4'))
        .toBe(FileAppearanceTypeEnum.video)
-      jest.mocked(mime.getExtension).mockReturnValue('mov')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['mov']))
      expect(getFileAppearanceType('video.mov', 'video/quicktime'))
        .toBe(FileAppearanceTypeEnum.video)
-      jest.mocked(mime.getExtension).mockReturnValue('mpeg')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['mpeg']))
      expect(getFileAppearanceType('video.mpeg', 'video/mpeg'))
        .toBe(FileAppearanceTypeEnum.video)
-      jest.mocked(mime.getExtension).mockReturnValue('webm')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['webm']))
      expect(getFileAppearanceType('video.web', 'video/webm'))
        .toBe(FileAppearanceTypeEnum.video)
    })
    it('should identify audio files', () => {
-      jest.mocked(mime.getExtension).mockReturnValue('mp3')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['mp3']))
      expect(getFileAppearanceType('audio.mp3', 'audio/mpeg'))
        .toBe(FileAppearanceTypeEnum.audio)
-      jest.mocked(mime.getExtension).mockReturnValue('m4a')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['m4a']))
      expect(getFileAppearanceType('audio.m4a', 'audio/mp4'))
        .toBe(FileAppearanceTypeEnum.audio)
-      jest.mocked(mime.getExtension).mockReturnValue('wav')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['wav']))
      expect(getFileAppearanceType('audio.wav', 'audio/vnd.wav'))
        .toBe(FileAppearanceTypeEnum.audio)
-      jest.mocked(mime.getExtension).mockReturnValue('amr')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['amr']))
      expect(getFileAppearanceType('audio.amr', 'audio/AMR'))
        .toBe(FileAppearanceTypeEnum.audio)
-      jest.mocked(mime.getExtension).mockReturnValue('mpga')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['mpga']))
      expect(getFileAppearanceType('audio.mpga', 'audio/mpeg'))
        .toBe(FileAppearanceTypeEnum.audio)
    })
    it('should identify code files', () => {
-      jest.mocked(mime.getExtension).mockReturnValue('html')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['html']))
      expect(getFileAppearanceType('index.html', 'text/html'))
        .toBe(FileAppearanceTypeEnum.code)
    })
    it('should identify PDF files', () => {
-      jest.mocked(mime.getExtension).mockReturnValue('pdf')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['pdf']))
      expect(getFileAppearanceType('doc.pdf', 'application/pdf'))
        .toBe(FileAppearanceTypeEnum.pdf)
    })
    it('should identify markdown files', () => {
-      jest.mocked(mime.getExtension).mockReturnValue('md')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['md']))
      expect(getFileAppearanceType('file.md', 'text/markdown'))
        .toBe(FileAppearanceTypeEnum.markdown)
-      jest.mocked(mime.getExtension).mockReturnValue('markdown')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['markdown']))
      expect(getFileAppearanceType('file.markdown', 'text/markdown'))
        .toBe(FileAppearanceTypeEnum.markdown)
-      jest.mocked(mime.getExtension).mockReturnValue('mdx')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['mdx']))
      expect(getFileAppearanceType('file.mdx', 'text/mdx'))
        .toBe(FileAppearanceTypeEnum.markdown)
    })
    it('should identify excel files', () => {
-      jest.mocked(mime.getExtension).mockReturnValue('xlsx')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['xlsx']))
      expect(getFileAppearanceType('doc.xlsx', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'))
        .toBe(FileAppearanceTypeEnum.excel)
-      jest.mocked(mime.getExtension).mockReturnValue('xls')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['xls']))
      expect(getFileAppearanceType('doc.xls', 'application/vnd.ms-excel'))
        .toBe(FileAppearanceTypeEnum.excel)
    })
    it('should identify word files', () => {
-      jest.mocked(mime.getExtension).mockReturnValue('doc')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['doc']))
      expect(getFileAppearanceType('doc.doc', 'application/msword'))
        .toBe(FileAppearanceTypeEnum.word)
-      jest.mocked(mime.getExtension).mockReturnValue('docx')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['docx']))
      expect(getFileAppearanceType('doc.docx', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'))
        .toBe(FileAppearanceTypeEnum.word)
    })
    it('should identify word files', () => {
-      jest.mocked(mime.getExtension).mockReturnValue('ppt')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['ppt']))
      expect(getFileAppearanceType('doc.ppt', 'application/vnd.ms-powerpoint'))
        .toBe(FileAppearanceTypeEnum.ppt)
-      jest.mocked(mime.getExtension).mockReturnValue('pptx')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['pptx']))
      expect(getFileAppearanceType('doc.pptx', 'application/vnd.openxmlformats-officedocument.presentationml.presentation'))
        .toBe(FileAppearanceTypeEnum.ppt)
    })
    it('should identify document files', () => {
-      jest.mocked(mime.getExtension).mockReturnValue('txt')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['txt']))
      expect(getFileAppearanceType('file.txt', 'text/plain'))
        .toBe(FileAppearanceTypeEnum.document)
-      jest.mocked(mime.getExtension).mockReturnValue('csv')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['csv']))
      expect(getFileAppearanceType('file.csv', 'text/csv'))
        .toBe(FileAppearanceTypeEnum.document)
-      jest.mocked(mime.getExtension).mockReturnValue('msg')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['msg']))
      expect(getFileAppearanceType('file.msg', 'application/vnd.ms-outlook'))
        .toBe(FileAppearanceTypeEnum.document)
-      jest.mocked(mime.getExtension).mockReturnValue('eml')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['eml']))
      expect(getFileAppearanceType('file.eml', 'message/rfc822'))
        .toBe(FileAppearanceTypeEnum.document)
-      jest.mocked(mime.getExtension).mockReturnValue('xml')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['xml']))
      expect(getFileAppearanceType('file.xml', 'application/rssxml'))
        .toBe(FileAppearanceTypeEnum.document)
-      jest.mocked(mime.getExtension).mockReturnValue('epub')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['epub']))
      expect(getFileAppearanceType('file.epub', 'application/epubzip'))
        .toBe(FileAppearanceTypeEnum.document)
    })
    it('should handle null mime extension', () => {
-      jest.mocked(mime.getExtension).mockReturnValue(null)
+      jest.mocked(mime.getAllExtensions).mockReturnValue(null)
      expect(getFileAppearanceType('file.txt', 'text/plain'))
        .toBe(FileAppearanceTypeEnum.document)
    })
@ -360,7 +375,7 @@ describe('file-uploader utils', () => {
  describe('isAllowedFileExtension', () => {
    it('should validate allowed file extensions', () => {
-      jest.mocked(mime.getExtension).mockReturnValue('pdf')
+      jest.mocked(mime.getAllExtensions).mockReturnValue(new Set(['pdf']))
      expect(isAllowedFileExtension(
        'test.pdf',
        'application/pdf',
--- a/web/app/components/base/file-uploader/utils.ts
+++ b/web/app/components/base/file-uploader/utils.ts
@ -42,19 +42,38 @@ export const fileUpload: FileUpload = ({
    })
 }
 const additionalExtensionMap = new Map<string, string[]>([
  ['text/x-markdown', ['md']],
 ])
 export const getFileExtension = (fileName: string, fileMimetype: string, isRemote?: boolean) => {
  let extension = ''
-  if (fileMimetype)
+  let extensions = new Set<string>()
-    extension = mime.getExtension(fileMimetype) || ''
+  if (fileMimetype) {
-
+    const extensionsFromMimeType = mime.getAllExtensions(fileMimetype) || new Set<string>()
-  if (fileName && !extension) {
+    const additionalExtensions = additionalExtensionMap.get(fileMimetype) || []
    extensions = new Set<string>([
      ...extensionsFromMimeType,
      ...additionalExtensions,
    ])
  }
  let extensionInFileName = ''
  if (fileName) {
    const fileNamePair = fileName.split('.')
    const fileNamePairLength = fileNamePair.length
-    if (fileNamePairLength > 1)
+    if (fileNamePairLength > 1) {
-      extension = fileNamePair[fileNamePairLength - 1]
+      extensionInFileName = fileNamePair[fileNamePairLength - 1].toLowerCase()
      if (extensions.has(extensionInFileName))
        extension = extensionInFileName
    }
  }
  if (!extension) {
    if (extensions.size > 0)
      extension = extensions.values().next().value.toLowerCase()
    else
-      extension = ''
+      extension = extensionInFileName
  }
  if (isRemote)
--- a/web/app/components/base/markdown-blocks/button.tsx
+++ b/web/app/components/base/markdown-blocks/button.tsx
@ -1,7 +1,7 @@
 import { useChatContext } from '@/app/components/base/chat/chat/context'
 import Button from '@/app/components/base/button'
 import cn from '@/utils/classnames'
-
+import { isValidUrl } from './utils'
 const MarkdownButton = ({ node }: any) => {
  const { onSend } = useChatContext()
  const variant = node.properties.dataVariant
@ -9,25 +9,17 @@ const MarkdownButton = ({ node }: any) => {
  const link = node.properties.dataLink
  const size = node.properties.dataSize
  function is_valid_url(url: string): boolean {
    try {
      const parsed_url = new URL(url)
      return ['http:', 'https:'].includes(parsed_url.protocol)
    }
    catch {
      return false
    }
  }
  return <Button
    variant={variant}
    size={size}
    className={cn('!h-auto min-h-8 select-none whitespace-normal !px-3')}
    onClick={() => {
-      if (is_valid_url(link)) {
+      if (isValidUrl(link)) {
        window.open(link, '_blank')
        return
      }
      if(!message)
        return
      onSend?.(message)
    }}
  >
--- a/web/app/components/base/markdown-blocks/link.tsx
+++ b/web/app/components/base/markdown-blocks/link.tsx
@ -5,6 +5,7 @@
 */
 import React from 'react'
 import { useChatContext } from '@/app/components/base/chat/chat/context'
 import { isValidUrl } from './utils'
 const Link = ({ node, children, ...props }: any) => {
  const { onSend } = useChatContext()
@ -14,7 +15,11 @@ const Link = ({ node, children, ...props }: any) => {
    return <abbr className="cursor-pointer underline !decoration-primary-700 decoration-dashed" onClick={() => onSend?.(hidden_text)} title={node.children[0]?.value || ''}>{node.children[0]?.value || ''}</abbr>
  }
  else {
-    return <a {...props} target="_blank" className="cursor-pointer underline !decoration-primary-700 decoration-dashed">{children || 'Download'}</a>
+    const href = props.href || node.properties?.href
    if(!isValidUrl(href))
      return <span>{children}</span>
    return <a href={href} target="_blank" className="cursor-pointer underline !decoration-primary-700 decoration-dashed">{children || 'Download'}</a>
  }
 }
--- a/web/app/components/base/markdown-blocks/utils.ts
+++ b/web/app/components/base/markdown-blocks/utils.ts
@ -0,0 +1,3 @@
 export const isValidUrl = (url: string): boolean => {
  return ['http:', 'https:', '//', 'mailto:'].some(prefix => url.startsWith(prefix))
 }
--- a/web/app/components/base/markdown/index.tsx
+++ b/web/app/components/base/markdown/index.tsx
@ -7,7 +7,7 @@ import RemarkGfm from 'remark-gfm'
 import RehypeRaw from 'rehype-raw'
 import { flow } from 'lodash-es'
 import cn from '@/utils/classnames'
-import { preprocessLaTeX, preprocessThinkTag } from './markdown-utils'
+import { customUrlTransform, preprocessLaTeX, preprocessThinkTag } from './markdown-utils'
 import {
  AudioBlock,
  CodeBlock,
@ -65,6 +65,7 @@ export function Markdown(props: { content: string; className?: string; customDis
            }
          },
        ]}
        urlTransform={customUrlTransform}
        disallowedElements={['iframe', 'head', 'html', 'meta', 'link', 'style', 'body', ...(props.customDisallowedElements || [])]}
        components={{
          code: CodeBlock,
--- a/web/app/components/base/markdown/markdown-utils.ts
+++ b/web/app/components/base/markdown/markdown-utils.ts
@ -33,5 +33,55 @@ export const preprocessThinkTag = (content: string) => {
  return flow([
    (str: string) => str.replace(thinkOpenTagRegex, '<details data-think=true>\n'),
    (str: string) => str.replace(thinkCloseTagRegex, '\n[ENDTHINKFLAG]</details>'),
    (str: string) => str.replace(/(<\/details>)(?![^\S\r\n]*[\r\n])(?![^\S\r\n]*$)/g, '$1\n'),
  ])(content)
 }
 /**
 * Transforms a URI for use in react-markdown, ensuring security and compatibility.
 * This function is designed to work with react-markdown v9+ which has stricter
 * default URL handling.
 *
 * Behavior:
 * 1. Always allows the custom 'abbr:' protocol.
 * 2. Always allows page-local fragments (e.g., "#some-id").
 * 3. Always allows protocol-relative URLs (e.g., "//example.com/path").
 * 4. Always allows purely relative paths (e.g., "path/to/file", "/abs/path").
 * 5. Allows absolute URLs if their scheme is in a permitted list (case-insensitive):
 *    'http:', 'https:', 'mailto:', 'xmpp:', 'irc:', 'ircs:'.
 * 6. Intelligently distinguishes colons used for schemes from colons within
 *    paths, query parameters, or fragments of relative-like URLs.
 * 7. Returns the original URI if allowed, otherwise returns `undefined` to
 *    signal that the URI should be removed/disallowed by react-markdown.
 */
 export const customUrlTransform = (uri: string): string | undefined => {
  const PERMITTED_SCHEME_REGEX = /^(https?|ircs?|mailto|xmpp|abbr):$/i
  if (uri.startsWith('#'))
    return uri
  if (uri.startsWith('//'))
    return uri
  const colonIndex = uri.indexOf(':')
  if (colonIndex === -1)
    return uri
  const slashIndex = uri.indexOf('/')
  const questionMarkIndex = uri.indexOf('?')
  const hashIndex = uri.indexOf('#')
  if (
    (slashIndex !== -1 && colonIndex > slashIndex)
    || (questionMarkIndex !== -1 && colonIndex > questionMarkIndex)
    || (hashIndex !== -1 && colonIndex > hashIndex)
  )
    return uri
  const scheme = uri.substring(0, colonIndex + 1).toLowerCase()
  if (PERMITTED_SCHEME_REGEX.test(scheme))
    return uri
  return undefined
 }
--- a/web/app/components/base/mermaid/index.tsx
+++ b/web/app/components/base/mermaid/index.tsx
@ -487,15 +487,15 @@ const Flowchart = React.forwardRef((props: {
      'bg-white': currentTheme === Theme.light,
      'bg-slate-900': currentTheme === Theme.dark,
    }),
-    mermaidDiv: cn('mermaid cursor-pointer h-auto w-full relative', {
+    mermaidDiv: cn('mermaid relative h-auto w-full cursor-pointer', {
      'bg-white': currentTheme === Theme.light,
      'bg-slate-900': currentTheme === Theme.dark,
    }),
-    errorMessage: cn('py-4 px-[26px]', {
+    errorMessage: cn('px-[26px] py-4', {
      'text-red-500': currentTheme === Theme.light,
      'text-red-400': currentTheme === Theme.dark,
    }),
-    errorIcon: cn('w-6 h-6', {
+    errorIcon: cn('h-6 w-6', {
      'text-red-500': currentTheme === Theme.light,
      'text-red-400': currentTheme === Theme.dark,
    }),
@ -503,7 +503,7 @@ const Flowchart = React.forwardRef((props: {
      'text-gray-700': currentTheme === Theme.light,
      'text-gray-300': currentTheme === Theme.dark,
    }),
-    themeToggle: cn('flex items-center justify-center w-10 h-10 rounded-full transition-all duration-300 shadow-md backdrop-blur-sm', {
+    themeToggle: cn('flex h-10 w-10 items-center justify-center rounded-full shadow-md backdrop-blur-sm transition-all duration-300', {
      'bg-white/80 hover:bg-white hover:shadow-lg text-gray-700 border border-gray-200': currentTheme === Theme.light,
      'bg-slate-800/80 hover:bg-slate-700 hover:shadow-lg text-yellow-300 border border-slate-600': currentTheme === Theme.dark,
    }),
@ -512,7 +512,7 @@ const Flowchart = React.forwardRef((props: {
  // Style classes for look options
  const getLookButtonClass = (lookType: 'classic' | 'handDrawn') => {
    return cn(
-      'flex items-center justify-center mb-4 w-[calc((100%-8px)/2)] h-8 rounded-lg border border-components-option-card-option-border bg-components-option-card-option-bg cursor-pointer system-sm-medium text-text-secondary',
+      'system-sm-medium mb-4 flex h-8 w-[calc((100%-8px)/2)] cursor-pointer items-center justify-center rounded-lg border border-components-option-card-option-border bg-components-option-card-option-bg text-text-secondary',
      look === lookType && 'border-[1.5px] border-components-option-card-option-selected-border bg-components-option-card-option-selected-bg text-text-primary',
      currentTheme === Theme.dark && 'border-slate-600 bg-slate-800 text-slate-300',
      look === lookType && currentTheme === Theme.dark && 'border-blue-500 bg-slate-700 text-white',
@ -523,7 +523,7 @@ const Flowchart = React.forwardRef((props: {
    <div ref={ref as React.RefObject<HTMLDivElement>} className={themeClasses.container}>
      <div className={themeClasses.segmented}>
        <div className="msh-segmented-group">
-          <label className="msh-segmented-item flex items-center space-x-1 m-2 w-[200px]">
+          <label className="msh-segmented-item m-2 flex w-[200px] items-center space-x-1">
            <div
              key='classic'
              className={getLookButtonClass('classic')}
@ -545,7 +545,7 @@ const Flowchart = React.forwardRef((props: {
      <div ref={containerRef} style={{ position: 'absolute', visibility: 'hidden', height: 0, overflow: 'hidden' }} />
      {isLoading && !svgCode && (
-        <div className='py-4 px-[26px]'>
+        <div className='px-[26px] py-4'>
          <LoadingAnim type='text'/>
          {!isCodeComplete && (
            <div className="mt-2 text-sm text-gray-500">
@ -557,7 +557,7 @@ const Flowchart = React.forwardRef((props: {
      {svgCode && (
        <div className={themeClasses.mermaidDiv} style={{ objectFit: 'cover' }} onClick={() => setImagePreviewUrl(svgCode)}>
-          <div className="absolute left-2 bottom-2 z-[100]">
+          <div className="absolute bottom-2 left-2 z-[100]">
            <button
              onClick={(e) => {
                e.stopPropagation()
--- a/web/app/components/base/radio/component/radio/index.tsx
+++ b/web/app/components/base/radio/component/radio/index.tsx
@ -37,14 +37,15 @@ export default function Radio({
  const isChecked = groupContext ? groupContext.value === value : checked
  const divClassName = `
    flex items-center py-1 relative
-    px-7 cursor-pointer hover:bg-gray-200 rounded
+    px-7 cursor-pointer text-text-secondary rounded
    bg-components-option-card-option-bg hover:bg-components-option-card-option-bg-hover hover:shadow-xs
  `
  return (
    <div className={cn(
      s.label,
      disabled ? s.disabled : '',
-      isChecked ? 'bg-white shadow' : '',
+      isChecked ? 'bg-components-option-card-option-bg-hover shadow-xs' : '',
      divClassName,
      className)}
    onClick={() => handleChange(value)}
--- a/web/app/components/develop/template/template.zh.mdx
+++ b/web/app/components/develop/template/template.zh.mdx
@ -60,7 +60,7 @@ import { Row, Col, Properties, Property, Heading, SubProperty } from '../md.tsx'
      <Property name='files' type='array[object]' key='files'>
          上传的文件。
          - `type` (string) 支持类型：图片 `image`（目前仅支持图片格式） 。
-          - `transfer_method` (string)  传递方式:
+          - `transfer_method` (string)  传递方式：
            - `remote_url`: 图片地址。
            - `local_file`: 上传文件。
          - `url` 图片地址。（仅当传递方式为 `remote_url` 时）。
@ -622,10 +622,10 @@ import { Row, Col, Properties, Property, Heading, SubProperty } from '../md.tsx'
  用于获取应用的 WebApp 设置
  ### Response
  - `title` (string) WebApp 名称
-  - `chat_color_theme` (string) 聊天颜色主题, hex 格式
+  - `chat_color_theme` (string) 聊天颜色主题，hex 格式
  - `chat_color_theme_inverted` (bool) 聊天颜色主题是否反转
-  - `icon_type` (string) 图标类型, `emoji`-表情, `image`-图片
+  - `icon_type` (string) 图标类型，`emoji`-表情，`image`-图片
-  - `icon` (string) 图标, 如果是 `emoji` 类型, 则是 emoji 表情符号, 如果是 `image` 类型, 则是图片 URL
+  - `icon` (string) 图标，如果是 `emoji` 类型，则是 emoji 表情符号，如果是 `image` 类型，则是图片 URL
  - `icon_background` (string) hex 格式的背景色
  - `icon_url` (string) 图标 URL
  - `description` (string) 描述
@ -879,7 +879,7 @@ ___
        动作，只能是 'enable' 或 'disable'
      </Property>
      <Property name='embedding_provider_name' type='string' key='embedding_provider_name'>
-        指定的嵌入模型提供商, 必须先在系统内设定好接入的模型，对应的是provider字段
+        指定的嵌入模型提供商，必须先在系统内设定好接入的模型，对应的是 provider 字段
      </Property>
      <Property name='embedding_model_name' type='string' key='embedding_model_name'>
        指定的嵌入模型，对应的是 model 字段
--- a/web/app/components/develop/template/template_advanced_chat.zh.mdx
+++ b/web/app/components/develop/template/template_advanced_chat.zh.mdx
@ -1347,10 +1347,10 @@ import { Row, Col, Properties, Property, Heading, SubProperty } from '../md.tsx'
  用于获取应用的 WebApp 设置
  ### Response
  - `title` (string) WebApp 名称
-  - `chat_color_theme` (string) 聊天颜色主题, hex 格式
+  - `chat_color_theme` (string) 聊天颜色主题，hex 格式
  - `chat_color_theme_inverted` (bool) 聊天颜色主题是否反转
-  - `icon_type` (string) 图标类型, `emoji`-表情, `image`-图片
+  - `icon_type` (string) 图标类型，`emoji`-表情，`image`-图片
-  - `icon` (string) 图标, 如果是 `emoji` 类型, 则是 emoji 表情符号, 如果是 `image` 类型, 则是图片 URL
+  - `icon` (string) 图标，如果是 `emoji` 类型，则是 emoji 表情符号，如果是 `image` 类型，则是图片 URL
  - `icon_background` (string) hex 格式的背景色
  - `icon_url` (string) 图标 URL
  - `description` (string) 描述
@ -1604,7 +1604,7 @@ ___
        动作，只能是 'enable' 或 'disable'
      </Property>
      <Property name='embedding_provider_name' type='string' key='embedding_provider_name'>
-        指定的嵌入模型提供商, 必须先在系统内设定好接入的模型，对应的是provider字段
+        指定的嵌入模型提供商，必须先在系统内设定好接入的模型，对应的是 provider 字段
      </Property>
      <Property name='embedding_model_name' type='string' key='embedding_model_name'>
        指定的嵌入模型，对应的是 model 字段
--- a/web/app/components/develop/template/template_chat.zh.mdx
+++ b/web/app/components/develop/template/template_chat.zh.mdx
@ -1353,10 +1353,10 @@ import { Row, Col, Properties, Property, Heading, SubProperty } from '../md.tsx'
  用于获取应用的 WebApp 设置
  ### Response
  - `title` (string) WebApp 名称
-  - `chat_color_theme` (string) 聊天颜色主题, hex 格式
+  - `chat_color_theme` (string) 聊天颜色主题，hex 格式
  - `chat_color_theme_inverted` (bool) 聊天颜色主题是否反转
-  - `icon_type` (string) 图标类型, `emoji`-表情, `image`-图片
+  - `icon_type` (string) 图标类型，`emoji`-表情，`image`-图片
-  - `icon` (string) 图标, 如果是 `emoji` 类型, 则是 emoji 表情符号, 如果是 `image` 类型, 则是图片 URL
+  - `icon` (string) 图标，如果是 `emoji` 类型，则是 emoji 表情符号，如果是 `image` 类型，则是图片 URL
  - `icon_background` (string) hex 格式的背景色
  - `icon_url` (string) 图标 URL
  - `description` (string) 描述
--- a/web/app/components/develop/template/template_workflow.zh.mdx
+++ b/web/app/components/develop/template/template_workflow.zh.mdx
@ -534,7 +534,7 @@ Workflow 应用无会话支持，适合用于翻译/文章写作/总结 AI 等
    - `workflow_run` (object) Workflow 执行日志
      - `id` (string) 标识
      - `version` (string) 版本
-      - `status` (string) 执行状态, `running` / `succeeded` / `failed` / `stopped`
+      - `status` (string) 执行状态，`running` / `succeeded` / `failed` / `stopped`
      - `error` (string) (可选) 错误
      - `elapsed_time` (float) 耗时，单位秒
      - `total_tokens` (int) 消耗的 token 数量
@ -741,8 +741,8 @@ Workflow 应用无会话支持，适合用于翻译/文章写作/总结 AI 等
  用于获取应用的 WebApp 设置
  ### Response
  - `title` (string) WebApp 名称
-  - `icon_type` (string) 图标类型, `emoji`-表情, `image`-图片
+  - `icon_type` (string) 图标类型，`emoji`-表情，`image`-图片
-  - `icon` (string) 图标, 如果是 `emoji` 类型, 则是 emoji 表情符号, 如果是 `image` 类型, 则是图片 URL
+  - `icon` (string) 图标，如果是 `emoji` 类型，则是 emoji 表情符号，如果是 `image` 类型，则是图片 URL
  - `icon_background` (string) hex 格式的背景色
  - `icon_url` (string) 图标 URL
  - `description` (string) 描述
--- a/web/app/components/header/maintenance-notice.tsx
+++ b/web/app/components/header/maintenance-notice.tsx
@ -1,11 +1,10 @@
 import { useState } from 'react'
 import { useContext } from 'use-context-selector'
 import I18n from '@/context/i18n'
 import { X } from '@/app/components/base/icons/src/vender/line/general'
 import { NOTICE_I18N } from '@/i18n/language'
 import { useLanguage } from '@/app/components/header/account-setting/model-provider-page/hooks'
 const MaintenanceNotice = () => {
-  const { locale } = useContext(I18n)
+  const locale = useLanguage()
  const [showNotice, setShowNotice] = useState(localStorage.getItem('hide-maintenance-notice') !== '1')
  const handleJumpNotice = () => {
--- a/web/app/components/plugins/plugin-item/index.tsx
+++ b/web/app/components/plugins/plugin-item/index.tsx
@ -108,7 +108,7 @@ const PluginItem: FC<Props> = ({
              }><RiErrorWarningLine color='red' className="ml-0.5 h-4 w-4 shrink-0 text-text-accent" /></Tooltip>}
              <Badge className='ml-1 shrink-0'
                text={source === PluginSource.github ? plugin.meta!.version : plugin.version}
-                hasRedCornerMark={(source === PluginSource.marketplace) && !!plugin.latest_unique_identifier && plugin.latest_unique_identifier !== plugin_unique_identifier}
+                hasRedCornerMark={(source === PluginSource.marketplace) && !!plugin.latest_version && plugin.latest_version !== plugin.version}
              />
            </div>
            <div className='flex items-center justify-between'>
--- a/web/app/components/share/text-generation/menu-dropdown.tsx
+++ b/web/app/components/share/text-generation/menu-dropdown.tsx
@ -6,9 +6,8 @@ import type { Placement } from '@floating-ui/react'
 import {
  RiEqualizer2Line,
 } from '@remixicon/react'
-import { useRouter } from 'next/navigation'
+import { usePathname, useRouter } from 'next/navigation'
 import Divider from '../../base/divider'
 import { removeAccessToken } from '../utils'
 import InfoModal from './info-modal'
 import ActionButton from '@/app/components/base/action-button'
 import {
@ -19,6 +18,8 @@ import {
 import ThemeSwitcher from '@/app/components/base/theme-switcher'
 import type { SiteInfo } from '@/models/share'
 import cn from '@/utils/classnames'
 import { useGlobalPublicStore } from '@/context/global-public-context'
 import { AccessMode } from '@/models/access-control'
 type Props = {
  data?: SiteInfo
@ -31,7 +32,9 @@ const MenuDropdown: FC<Props> = ({
  placement,
  hideLogout,
 }) => {
  const webAppAccessMode = useGlobalPublicStore(s => s.webAppAccessMode)
  const router = useRouter()
  const pathname = usePathname()
  const { t } = useTranslation()
  const [open, doSetOpen] = useState(false)
  const openRef = useRef(open)
@ -45,9 +48,10 @@ const MenuDropdown: FC<Props> = ({
  }, [setOpen])
  const handleLogout = useCallback(() => {
-    removeAccessToken()
+    localStorage.removeItem('token')
-    router.replace(`/webapp-signin?redirect_url=${window.location.href}`)
+    localStorage.removeItem('webapp_access_token')
-  }, [router])
+    router.replace(`/webapp-signin?redirect_url=${pathname}`)
  }, [router, pathname])
  const [show, setShow] = useState(false)
@ -92,6 +96,16 @@ const MenuDropdown: FC<Props> = ({
                className='system-md-regular cursor-pointer rounded-lg px-3 py-1.5 text-text-secondary hover:bg-state-base-hover'
              >{t('common.userProfile.about')}</div>
            </div>
            {!(hideLogout || webAppAccessMode === AccessMode.EXTERNAL_MEMBERS || webAppAccessMode === AccessMode.PUBLIC) && (
              <div className='p-1'>
                <div
                  onClick={handleLogout}
                  className='system-md-regular cursor-pointer rounded-lg px-3 py-1.5 text-text-secondary hover:bg-state-base-hover'
                >
                  {t('common.userProfile.logout')}
                </div>
              </div>
            )}
          </div>
        </PortalToFollowElemContent>
      </PortalToFollowElem>
--- a/web/app/components/share/utils.ts
+++ b/web/app/components/share/utils.ts
@ -10,8 +10,8 @@ export const getInitialTokenV2 = (): Record<string, any> => ({
  version: 2,
 })
-export const checkOrSetAccessToken = async () => {
+export const checkOrSetAccessToken = async (appCode?: string) => {
-  const sharedToken = globalThis.location.pathname.split('/').slice(-1)[0]
+  const sharedToken = appCode || globalThis.location.pathname.split('/').slice(-1)[0]
  const userId = (await getProcessedSystemVariablesFromUrlParams()).user_id
  const accessToken = localStorage.getItem('token') || JSON.stringify(getInitialTokenV2())
  let accessTokenJson = getInitialTokenV2()
@ -23,8 +23,10 @@ export const checkOrSetAccessToken = async () => {
  catch {
  }
  if (!accessTokenJson[sharedToken]?.[userId || 'DEFAULT']) {
-    const res = await fetchAccessToken(sharedToken, userId)
+    const webAppAccessToken = localStorage.getItem('webapp_access_token')
    const res = await fetchAccessToken({ appCode: sharedToken, userId, webAppAccessToken })
    accessTokenJson[sharedToken] = {
      ...accessTokenJson[sharedToken],
      [userId || 'DEFAULT']: res.access_token,
@ -33,7 +35,7 @@ export const checkOrSetAccessToken = async () => {
  }
 }
-export const setAccessToken = async (sharedToken: string, token: string, user_id?: string) => {
+export const setAccessToken = (sharedToken: string, token: string, user_id?: string) => {
  const accessToken = localStorage.getItem('token') || JSON.stringify(getInitialTokenV2())
  let accessTokenJson = getInitialTokenV2()
  try {
@ -69,6 +71,7 @@ export const removeAccessToken = () => {
  }
  localStorage.removeItem(CONVERSATION_ID_INFO)
  localStorage.removeItem('webapp_access_token')
  delete accessTokenJson[sharedToken]
  localStorage.setItem('token', JSON.stringify(accessTokenJson))
--- a/web/app/components/workflow/nodes/_base/components/editor/code-editor/editor-support-vars.tsx
+++ b/web/app/components/workflow/nodes/_base/components/editor/code-editor/editor-support-vars.tsx
@ -148,7 +148,7 @@ const CodeEditor: FC<Props> = ({
      {isShowVarPicker && (
        <div
          ref={popupRef}
-          className='w-[228px] space-y-1 rounded-lg border border-gray-200 bg-white p-1 shadow-lg'
+          className='w-[228px] space-y-1 rounded-lg border border-components-panel-border bg-components-panel-bg p-1 shadow-lg'
          style={{
            position: 'fixed',
            top: popupPosition.y,
--- a/web/app/components/workflow/nodes/_base/components/variable/var-type-picker.tsx
+++ b/web/app/components/workflow/nodes/_base/components/variable/var-type-picker.tsx
@ -43,7 +43,7 @@ const VarReferencePicker: FC<Props> = ({
        offset={4}
      >
        <PortalToFollowElemTrigger onClick={() => setOpen(!open)} className='w-[120px] cursor-pointer'>
-          <div className='flex h-8 items-center justify-between rounded-lg border-0 bg-components-button-secondary-bg px-2.5 text-[13px] text-text-primary'>
+          <div className='flex h-8 items-center justify-between rounded-lg border-0 bg-components-input-bg-normal px-2.5 text-[13px] text-text-primary'>
            <div className='w-0 grow truncate capitalize' title={value}>{value}</div>
            <RiArrowDownSLine className='h-3.5 w-3.5 shrink-0 text-text-secondary' />
          </div>
--- a/Show More
+++ b/Show More
     "〉",
     "〈",
     "…",
-    "　",
+    " ",
     "0",
     "1",
     "2",
     "7",
     "8",
     "9",
-    "０",
-    "１",
-    "２",
-    "３",
-    "４",
-    "５",
-    "６",
-    "７",
-    "８",
-    "９",
     "二",
     "三",
     "四",