update quic-go dependency from v0.53.0 to v0.55.0

2026-03-21 01:09:27 +08:00 · 2025-10-28 17:48:11 +08:00
50 changed files with 318 additions and 793 deletions
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -39,7 +39,6 @@ linters:
      - G404
      - G501
      - G115
-      - G204
      severity: low
      confidence: low
    govet:
--- a/README.md
+++ b/README.md
@@ -13,24 +13,6 @@ frp is an open source project with its ongoing development made possible entirel

 <h3 align="center">Gold Sponsors</h3>
 <!--gold sponsors start-->
-<p align="center">
-  <a href="https://jb.gg/frp" target="_blank">
-    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_jetbrains.jpg">
-	<br>
-	<b>The complete IDE crafted for professional Go developers</b>
-  </a>
-</p>
-
-<p align="center">
-  <a href="https://github.com/beclab/Olares" target="_blank">
-    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_olares.jpeg">
-	<br>
-	<b>The sovereign cloud that puts you in control</b>
-	<br>
-	<sub>An open source, self-hosted alternative to public clouds, built for data ownership and privacy</sub>
-  </a>
-</p>
-
 <div align="center">

 ## Recall.ai - API for meeting recordings
@@ -58,6 +40,29 @@ an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and
 	<sub>Available for macOS, Linux and Windows</sub>
  </a>
 </p>
+<p align="center">
+  <a href="https://jb.gg/frp" target="_blank">
+    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_jetbrains.jpg">
+	<br>
+	<b>The complete IDE crafted for professional Go developers</b>
+  </a>
+</p>
+<p align="center">
+  <a href="https://github.com/daytonaio/daytona" target="_blank">
+    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_daytona.png">
+	<br>
+	<b>Secure and Elastic Infrastructure for Running Your AI-Generated Code</b>
+  </a>
+</p>
+<p align="center">
+  <a href="https://github.com/beclab/Olares" target="_blank">
+    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_olares.jpeg">
+	<br>
+	<b>The sovereign cloud that puts you in control</b>
+	<br>
+	<sub>An open source, self-hosted alternative to public clouds, built for data ownership and privacy</sub>
+  </a>
+</p>
 <!--gold sponsors end-->

 ## What is frp?
--- a/README_zh.md
+++ b/README_zh.md
@@ -15,23 +15,6 @@ frp 是一个完全开源的项目，我们的开发工作完全依靠赞助者

 <h3 align="center">Gold Sponsors</h3>
 <!--gold sponsors start-->
-<p align="center">
-  <a href="https://jb.gg/frp" target="_blank">
-    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_jetbrains.jpg">
-	<br>
-	<b>The complete IDE crafted for professional Go developers</b>
-  </a>
-</p>
-
-<p align="center">
-  <a href="https://github.com/beclab/Olares" target="_blank">
-    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_olares.jpeg">
-	<br>
-	<b>The sovereign cloud that puts you in control</b>
-	<br>
-	<sub>An open source, self-hosted alternative to public clouds, built for data ownership and privacy</sub>
-  </a>
-</p>
 <div align="center">

 ## Recall.ai - API for meeting recordings
@@ -59,6 +42,29 @@ an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and
 	<sub>Available for macOS, Linux and Windows</sub>
  </a>
 </p>
+<p align="center">
+  <a href="https://jb.gg/frp" target="_blank">
+    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_jetbrains.jpg">
+	<br>
+	<b>The complete IDE crafted for professional Go developers</b>
+  </a>
+</p>
+<p align="center">
+  <a href="https://github.com/daytonaio/daytona" target="_blank">
+    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_daytona.png">
+	<br>
+	<b>Secure and Elastic Infrastructure for Running Your AI-Generated Code</b>
+  </a>
+</p>
+<p align="center">
+  <a href="https://github.com/beclab/Olares" target="_blank">
+    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_olares.jpeg">
+	<br>
+	<b>The sovereign cloud that puts you in control</b>
+	<br>
+	<sub>An open source, self-hosted alternative to public clouds, built for data ownership and privacy</sub>
+  </a>
+</p>
 <!--gold sponsors end-->

 ## 为什么使用 frp ？
@@ -131,3 +137,9 @@ frp 是一个免费且开源的项目，我们欢迎任何人为其开发和进
 国内用户可以通过 [爱发电](https://afdian.com/a/fatedier) 赞助我们。

 企业赞助者可以将贵公司的 Logo 以及链接放置在项目 README 文件中。
+
+### 知识星球
+
+如果您想了解更多 frp 相关技术以及更新详解，或者寻求任何 frp 使用方面的帮助，都可以通过微信扫描下方的二维码付费加入知识星球的官方社群：
+
+![zsxq](/doc/pic/zsxq.jpg)
--- a/Release.md
+++ b/Release.md
@@ -1,13 +1,3 @@
 ## Features

 * HTTPS proxies now support load balancing groups. Multiple HTTPS proxies can be configured with the same `loadBalancer.group` and `loadBalancer.groupKey` to share the same custom domain and distribute traffic across multiple backend services, similar to the existing TCP and HTTP load balancing capabilities.
-* Individual frpc proxies and visitors now accept an `enabled` flag (defaults to true), letting you disable specific entries without relying on the global `start` list—disabled blocks are skipped when client configs load.
-* OIDC authentication now supports a `tokenSource` field to dynamically obtain tokens from external sources. You can use `type = "file"` to read a token from a file, or `type = "exec"` to run an external command (e.g., a cloud CLI or secrets manager) and capture its stdout as the token. The `exec` type requires the `--allow-unsafe=TokenSourceExec` CLI flag for security reasons.
-
-## Improvements
-
-* **VirtualNet**: Implemented intelligent reconnection with exponential backoff. When connection errors occur repeatedly, the reconnect interval increases from 60s to 300s (max), reducing unnecessary reconnection attempts. Normal disconnections still reconnect quickly at 10s intervals.
-
-## Fixes
-
-* Fix deadlock issue when TCP connection is closed. Previously, sending messages could block forever if the connection handler had already stopped.
--- a/client/admin_api.go
+++ b/client/admin_api.go
@@ -92,7 +92,7 @@ func (svr *Service) apiReload(w http.ResponseWriter, r *http.Request) {
 		log.Warnf("reload frpc proxy config error: %s", res.Msg)
 		return
 	}
-	if _, err := validation.ValidateAllClientConfig(cliCfg, proxyCfgs, visitorCfgs, svr.unsafeFeatures); err != nil {
+	if _, err := validation.ValidateAllClientConfig(cliCfg, proxyCfgs, visitorCfgs); err != nil {
 		res.Code = 400
 		res.Msg = err.Error()
 		log.Warnf("reload frpc proxy config error: %s", res.Msg)
--- a/client/control.go
+++ b/client/control.go
@@ -43,8 +43,8 @@ type SessionContext struct {
 	Conn net.Conn
 	// Indicates whether the connection is encrypted.
 	ConnEncrypted bool
-	// Auth runtime used for login, heartbeats, and encryption.
-	Auth *auth.ClientAuth
+	// Sets authentication based on selected method
+	AuthSetter auth.Setter
 	// Connector is used to create new connections, which could be real TCP connections or virtual streams.
 	Connector Connector
 	// Virtual net controller
@@ -91,7 +91,7 @@ func NewControl(ctx context.Context, sessionCtx *SessionContext) (*Control, erro
 	ctl.lastPong.Store(time.Now())

 	if sessionCtx.ConnEncrypted {
-		cryptoRW, err := netpkg.NewCryptoReadWriter(sessionCtx.Conn, sessionCtx.Auth.EncryptionKey())
+		cryptoRW, err := netpkg.NewCryptoReadWriter(sessionCtx.Conn, []byte(sessionCtx.Common.Auth.Token))
 		if err != nil {
 			return nil, err
 		}
@@ -100,9 +100,9 @@ func NewControl(ctx context.Context, sessionCtx *SessionContext) (*Control, erro
 		ctl.msgDispatcher = msg.NewDispatcher(sessionCtx.Conn)
 	}
 	ctl.registerMsgHandlers()
-	ctl.msgTransporter = transport.NewMessageTransporter(ctl.msgDispatcher)
+	ctl.msgTransporter = transport.NewMessageTransporter(ctl.msgDispatcher.SendChannel())

-	ctl.pm = proxy.NewManager(ctl.ctx, sessionCtx.Common, sessionCtx.Auth.EncryptionKey(), ctl.msgTransporter, sessionCtx.VnetController)
+	ctl.pm = proxy.NewManager(ctl.ctx, sessionCtx.Common, ctl.msgTransporter, sessionCtx.VnetController)
 	ctl.vm = visitor.NewManager(ctl.ctx, sessionCtx.RunID, sessionCtx.Common,
 		ctl.connectServer, ctl.msgTransporter, sessionCtx.VnetController)
 	return ctl, nil
@@ -133,7 +133,7 @@ func (ctl *Control) handleReqWorkConn(_ msg.Message) {
 	m := &msg.NewWorkConn{
 		RunID: ctl.sessionCtx.RunID,
 	}
-	if err = ctl.sessionCtx.Auth.Setter.SetNewWorkConn(m); err != nil {
+	if err = ctl.sessionCtx.AuthSetter.SetNewWorkConn(m); err != nil {
 		xl.Warnf("error during NewWorkConn authentication: %v", err)
 		workConn.Close()
 		return
@@ -243,7 +243,7 @@ func (ctl *Control) heartbeatWorker() {
 		sendHeartBeat := func() (bool, error) {
 			xl.Debugf("send heartbeat to server")
 			pingMsg := &msg.Ping{}
-			if err := ctl.sessionCtx.Auth.Setter.SetPing(pingMsg); err != nil {
+			if err := ctl.sessionCtx.AuthSetter.SetPing(pingMsg); err != nil {
 				xl.Warnf("error during ping authentication: %v, skip sending ping message", err)
 				return false, err
 			}
--- a/client/proxy/proxy.go
+++ b/client/proxy/proxy.go
@@ -57,7 +57,6 @@ func NewProxy(
 	ctx context.Context,
 	pxyConf v1.ProxyConfigurer,
 	clientCfg *v1.ClientCommonConfig,
-	encryptionKey []byte,
 	msgTransporter transport.MessageTransporter,
 	vnetController *vnet.Controller,
 ) (pxy Proxy) {
@@ -70,7 +69,6 @@ func NewProxy(
 	baseProxy := BaseProxy{
 		baseCfg:        pxyConf.GetBaseConfig(),
 		clientCfg:      clientCfg,
-		encryptionKey:  encryptionKey,
 		limiter:        limiter,
 		msgTransporter: msgTransporter,
 		vnetController: vnetController,
@@ -88,7 +86,6 @@ func NewProxy(
 type BaseProxy struct {
 	baseCfg        *v1.ProxyBaseConfig
 	clientCfg      *v1.ClientCommonConfig
-	encryptionKey  []byte
 	msgTransporter transport.MessageTransporter
 	vnetController *vnet.Controller
 	limiter        *rate.Limiter
@@ -132,7 +129,7 @@ func (pxy *BaseProxy) InWorkConn(conn net.Conn, m *msg.StartWorkConn) {
 			return
 		}
 	}
-	pxy.HandleTCPWorkConnection(conn, m, pxy.encryptionKey)
+	pxy.HandleTCPWorkConnection(conn, m, []byte(pxy.clientCfg.Auth.Token))
 }

 // Common handler for tcp work connections.
--- a/client/proxy/proxy_manager.go
+++ b/client/proxy/proxy_manager.go
@@ -40,8 +40,7 @@ type Manager struct {
 	closed bool
 	mu     sync.RWMutex

-	encryptionKey []byte
-	clientCfg     *v1.ClientCommonConfig
+	clientCfg *v1.ClientCommonConfig

 	ctx context.Context
 }
@@ -49,7 +48,6 @@ type Manager struct {
 func NewManager(
 	ctx context.Context,
 	clientCfg *v1.ClientCommonConfig,
-	encryptionKey []byte,
 	msgTransporter transport.MessageTransporter,
 	vnetController *vnet.Controller,
 ) *Manager {
@@ -58,7 +56,6 @@ func NewManager(
 		msgTransporter: msgTransporter,
 		vnetController: vnetController,
 		closed:         false,
-		encryptionKey:  encryptionKey,
 		clientCfg:      clientCfg,
 		ctx:            ctx,
 	}
@@ -166,7 +163,7 @@ func (pm *Manager) UpdateAll(proxyCfgs []v1.ProxyConfigurer) {
 	for _, cfg := range proxyCfgs {
 		name := cfg.GetBaseConfig().Name
 		if _, ok := pm.proxies[name]; !ok {
-			pxy := NewWrapper(pm.ctx, cfg, pm.clientCfg, pm.encryptionKey, pm.HandleEvent, pm.msgTransporter, pm.vnetController)
+			pxy := NewWrapper(pm.ctx, cfg, pm.clientCfg, pm.HandleEvent, pm.msgTransporter, pm.vnetController)
 			if pm.inWorkConnCallback != nil {
 				pxy.SetInWorkConnCallback(pm.inWorkConnCallback)
 			}
--- a/client/proxy/proxy_wrapper.go
+++ b/client/proxy/proxy_wrapper.go
@@ -92,7 +92,6 @@ func NewWrapper(
 	ctx context.Context,
 	cfg v1.ProxyConfigurer,
 	clientCfg *v1.ClientCommonConfig,
-	encryptionKey []byte,
 	eventHandler event.Handler,
 	msgTransporter transport.MessageTransporter,
 	vnetController *vnet.Controller,
@@ -123,7 +122,7 @@ func NewWrapper(
 		xl.Tracef("enable health check monitor")
 	}

-	pw.pxy = NewProxy(pw.ctx, pw.Cfg, clientCfg, encryptionKey, pw.msgTransporter, pw.vnetController)
+	pw.pxy = NewProxy(pw.ctx, pw.Cfg, clientCfg, pw.msgTransporter, pw.vnetController)
 	return pw
 }

--- a/client/proxy/sudp.go
+++ b/client/proxy/sudp.go
@@ -91,7 +91,7 @@ func (pxy *SUDPProxy) InWorkConn(conn net.Conn, _ *msg.StartWorkConn) {
 		})
 	}
 	if pxy.cfg.Transport.UseEncryption {
-		rwc, err = libio.WithEncryption(rwc, pxy.encryptionKey)
+		rwc, err = libio.WithEncryption(rwc, []byte(pxy.clientCfg.Auth.Token))
 		if err != nil {
 			conn.Close()
 			xl.Errorf("create encryption stream error: %v", err)
--- a/client/proxy/udp.go
+++ b/client/proxy/udp.go
@@ -102,7 +102,7 @@ func (pxy *UDPProxy) InWorkConn(conn net.Conn, _ *msg.StartWorkConn) {
 		})
 	}
 	if pxy.cfg.Transport.UseEncryption {
-		rwc, err = libio.WithEncryption(rwc, pxy.encryptionKey)
+		rwc, err = libio.WithEncryption(rwc, []byte(pxy.clientCfg.Auth.Token))
 		if err != nil {
 			conn.Close()
 			xl.Errorf("create encryption stream error: %v", err)
--- a/client/service.go
+++ b/client/service.go
@@ -31,7 +31,6 @@ import (
 	"github.com/fatedier/frp/pkg/auth"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/msg"
-	"github.com/fatedier/frp/pkg/policy/security"
 	httppkg "github.com/fatedier/frp/pkg/util/http"
 	"github.com/fatedier/frp/pkg/util/log"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
@@ -65,8 +64,6 @@ type ServiceOptions struct {
 	ProxyCfgs   []v1.ProxyConfigurer
 	VisitorCfgs []v1.VisitorConfigurer

-	UnsafeFeatures *security.UnsafeFeatures
-
 	// ConfigFilePath is the path to the configuration file used to initialize.
 	// If it is empty, it means that the configuration file is not used for initialization.
 	// It may be initialized using command line parameters or called directly.
@@ -111,8 +108,8 @@ type Service struct {
 	// Uniq id got from frps, it will be attached to loginMsg.
 	runID string

-	// Auth runtime and encryption materials
-	auth *auth.ClientAuth
+	// Sets authentication based on selected method
+	authSetter auth.Setter

 	// web server for admin UI and apis
 	webServer *httppkg.Server
@@ -125,8 +122,6 @@ type Service struct {
 	visitorCfgs []v1.VisitorConfigurer
 	clientSpec  *msg.ClientSpec

-	unsafeFeatures *security.UnsafeFeatures
-
 	// The configuration file used to initialize this client, or an empty
 	// string if no configuration file was used.
 	configFilePath string
@@ -155,18 +150,17 @@ func NewService(options ServiceOptions) (*Service, error) {
 		webServer = ws
 	}

-	authRuntime, err := auth.BuildClientAuth(&options.Common.Auth)
+	authSetter, err := auth.NewAuthSetter(options.Common.Auth)
 	if err != nil {
 		return nil, err
 	}

 	s := &Service{
 		ctx:              context.Background(),
-		auth:             authRuntime,
+		authSetter:       authSetter,
 		webServer:        webServer,
 		common:           options.Common,
 		configFilePath:   options.ConfigFilePath,
-		unsafeFeatures:   options.UnsafeFeatures,
 		proxyCfgs:        options.ProxyCfgs,
 		visitorCfgs:      options.VisitorCfgs,
 		clientSpec:       options.ClientSpec,
@@ -296,7 +290,7 @@ func (svr *Service) login() (conn net.Conn, connector Connector, err error) {
 	}

 	// Add auth
-	if err = svr.auth.Setter.SetLogin(loginMsg); err != nil {
+	if err = svr.authSetter.SetLogin(loginMsg); err != nil {
 		return
 	}

@@ -350,7 +344,7 @@ func (svr *Service) loopLoginUntilSuccess(maxInterval time.Duration, firstLoginE
 			RunID:          svr.runID,
 			Conn:           conn,
 			ConnEncrypted:  connEncrypted,
-			Auth:           svr.auth,
+			AuthSetter:     svr.authSetter,
 			Connector:      connector,
 			VnetController: svr.vnetController,
 		}
--- a/client/visitor/stcp.go
+++ b/client/visitor/stcp.go
@@ -15,7 +15,6 @@
 package visitor

 import (
-	"fmt"
 	"io"
 	"net"
 	"strconv"
@@ -82,22 +81,11 @@ func (sv *STCPVisitor) internalConnWorker() {

 func (sv *STCPVisitor) handleConn(userConn net.Conn) {
 	xl := xlog.FromContextSafe(sv.ctx)
-	var tunnelErr error
-	defer func() {
-		// If there was an error and connection supports CloseWithError, use it
-		if tunnelErr != nil {
-			if eConn, ok := userConn.(interface{ CloseWithError(error) error }); ok {
-				_ = eConn.CloseWithError(tunnelErr)
-				return
-			}
-		}
-		userConn.Close()
-	}()
+	defer userConn.Close()

 	xl.Debugf("get a new stcp user connection")
 	visitorConn, err := sv.helper.ConnectServer()
 	if err != nil {
-		tunnelErr = err
 		return
 	}
 	defer visitorConn.Close()
@@ -114,7 +102,6 @@ func (sv *STCPVisitor) handleConn(userConn net.Conn) {
 	err = msg.WriteMsg(visitorConn, newVisitorConnMsg)
 	if err != nil {
 		xl.Warnf("send newVisitorConnMsg to server error: %v", err)
-		tunnelErr = err
 		return
 	}

@@ -123,14 +110,12 @@ func (sv *STCPVisitor) handleConn(userConn net.Conn) {
 	err = msg.ReadMsgInto(visitorConn, &newVisitorConnRespMsg)
 	if err != nil {
 		xl.Warnf("get newVisitorConnRespMsg error: %v", err)
-		tunnelErr = err
 		return
 	}
 	_ = visitorConn.SetReadDeadline(time.Time{})

 	if newVisitorConnRespMsg.Error != "" {
 		xl.Warnf("start new visitor connection error: %s", newVisitorConnRespMsg.Error)
-		tunnelErr = fmt.Errorf("%s", newVisitorConnRespMsg.Error)
 		return
 	}

@@ -140,7 +125,6 @@ func (sv *STCPVisitor) handleConn(userConn net.Conn) {
 		remote, err = libio.WithEncryption(remote, []byte(sv.cfg.SecretKey))
 		if err != nil {
 			xl.Errorf("create encryption stream error: %v", err)
-			tunnelErr = err
 			return
 		}
 	}
--- a/client/visitor/visitor.go
+++ b/client/visitor/visitor.go
@@ -71,7 +71,7 @@ func NewVisitor(
 				Name:           cfg.GetBaseConfig().Name,
 				Ctx:            ctx,
 				VnetController: helper.VNetController(),
-				SendConnToVisitor: func(conn net.Conn) {
+				HandleConn: func(conn net.Conn) {
 					_ = baseVisitor.AcceptConn(conn)
 				},
 			},
--- a/client/visitor/xtcp.go
+++ b/client/visitor/xtcp.go
@@ -162,16 +162,8 @@ func (sv *XTCPVisitor) keepTunnelOpenWorker() {
 func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 	xl := xlog.FromContextSafe(sv.ctx)
 	isConnTransferred := false
-	var tunnelErr error
 	defer func() {
 		if !isConnTransferred {
-			// If there was an error and connection supports CloseWithError, use it
-			if tunnelErr != nil {
-				if eConn, ok := userConn.(interface{ CloseWithError(error) error }); ok {
-					_ = eConn.CloseWithError(tunnelErr)
-					return
-				}
-			}
 			userConn.Close()
 		}
 	}()
@@ -189,8 +181,6 @@ func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 	tunnelConn, err := sv.openTunnel(ctx)
 	if err != nil {
 		xl.Errorf("open tunnel error: %v", err)
-		tunnelErr = err
-
 		// no fallback, just return
 		if sv.cfg.FallbackTo == "" {
 			return
@@ -210,7 +200,6 @@ func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 		muxConnRWCloser, err = libio.WithEncryption(muxConnRWCloser, []byte(sv.cfg.SecretKey))
 		if err != nil {
 			xl.Errorf("create encryption stream error: %v", err)
-			tunnelErr = err
 			return
 		}
 	}
--- a/cmd/frpc/sub/proxy.go
+++ b/cmd/frpc/sub/proxy.go
@@ -24,7 +24,6 @@ import (
 	"github.com/fatedier/frp/pkg/config"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
-	"github.com/fatedier/frp/pkg/policy/security"
 )

 var proxyTypes = []v1.ProxyType{
@@ -78,10 +77,7 @@ func NewProxyCommand(name string, c v1.ProxyConfigurer, clientCfg *v1.ClientComm
 				fmt.Println(err)
 				os.Exit(1)
 			}
-
-			unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
-			validator := validation.NewConfigValidator(unsafeFeatures)
-			if _, err := validator.ValidateClientCommonConfig(clientCfg); err != nil {
+			if _, err := validation.ValidateClientCommonConfig(clientCfg); err != nil {
 				fmt.Println(err)
 				os.Exit(1)
 			}
@@ -92,7 +88,7 @@ func NewProxyCommand(name string, c v1.ProxyConfigurer, clientCfg *v1.ClientComm
 				fmt.Println(err)
 				os.Exit(1)
 			}
-			err := startService(clientCfg, []v1.ProxyConfigurer{c}, nil, unsafeFeatures, "")
+			err := startService(clientCfg, []v1.ProxyConfigurer{c}, nil, "")
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
@@ -110,9 +106,7 @@ func NewVisitorCommand(name string, c v1.VisitorConfigurer, clientCfg *v1.Client
 				fmt.Println(err)
 				os.Exit(1)
 			}
-			unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
-			validator := validation.NewConfigValidator(unsafeFeatures)
-			if _, err := validator.ValidateClientCommonConfig(clientCfg); err != nil {
+			if _, err := validation.ValidateClientCommonConfig(clientCfg); err != nil {
 				fmt.Println(err)
 				os.Exit(1)
 			}
@@ -123,7 +117,7 @@ func NewVisitorCommand(name string, c v1.VisitorConfigurer, clientCfg *v1.Client
 				fmt.Println(err)
 				os.Exit(1)
 			}
-			err := startService(clientCfg, nil, []v1.VisitorConfigurer{c}, unsafeFeatures, "")
+			err := startService(clientCfg, nil, []v1.VisitorConfigurer{c}, "")
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
--- a/cmd/frpc/sub/root.go
+++ b/cmd/frpc/sub/root.go
@@ -21,7 +21,6 @@ import (
 	"os"
 	"os/signal"
 	"path/filepath"
-	"strings"
 	"sync"
 	"syscall"
 	"time"
@@ -32,8 +31,7 @@ import (
 	"github.com/fatedier/frp/pkg/config"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
-	"github.com/fatedier/frp/pkg/policy/featuregate"
-	"github.com/fatedier/frp/pkg/policy/security"
+	"github.com/fatedier/frp/pkg/featuregate"
 	"github.com/fatedier/frp/pkg/util/log"
 	"github.com/fatedier/frp/pkg/util/version"
 )
@@ -43,7 +41,6 @@ var (
 	cfgDir           string
 	showVersion      bool
 	strictConfigMode bool
-	allowUnsafe      []string
 )

 func init() {
@@ -51,9 +48,6 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&cfgDir, "config_dir", "", "", "config directory, run one frpc service for each file in config directory")
 	rootCmd.PersistentFlags().BoolVarP(&showVersion, "version", "v", false, "version of frpc")
 	rootCmd.PersistentFlags().BoolVarP(&strictConfigMode, "strict_config", "", true, "strict config parsing mode, unknown fields will cause an errors")
-
-	rootCmd.PersistentFlags().StringSliceVarP(&allowUnsafe, "allow-unsafe", "", []string{},
-		fmt.Sprintf("allowed unsafe features, one or more of: %s", strings.Join(security.ClientUnsafeFeatures, ", ")))
 }

 var rootCmd = &cobra.Command{
@@ -65,17 +59,15 @@ var rootCmd = &cobra.Command{
 			return nil
 		}

-		unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
-
 		// If cfgDir is not empty, run multiple frpc service for each config file in cfgDir.
 		// Note that it's only designed for testing. It's not guaranteed to be stable.
 		if cfgDir != "" {
-			_ = runMultipleClients(cfgDir, unsafeFeatures)
+			_ = runMultipleClients(cfgDir)
 			return nil
 		}

 		// Do not show command usage here.
-		err := runClient(cfgFile, unsafeFeatures)
+		err := runClient(cfgFile)
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
@@ -84,7 +76,7 @@ var rootCmd = &cobra.Command{
 	},
 }

-func runMultipleClients(cfgDir string, unsafeFeatures *security.UnsafeFeatures) error {
+func runMultipleClients(cfgDir string) error {
 	var wg sync.WaitGroup
 	err := filepath.WalkDir(cfgDir, func(path string, d fs.DirEntry, err error) error {
 		if err != nil || d.IsDir() {
@@ -94,7 +86,7 @@ func runMultipleClients(cfgDir string, unsafeFeatures *security.UnsafeFeatures)
 		time.Sleep(time.Millisecond)
 		go func() {
 			defer wg.Done()
-			err := runClient(path, unsafeFeatures)
+			err := runClient(path)
 			if err != nil {
 				fmt.Printf("frpc service error for config file [%s]\n", path)
 			}
@@ -119,7 +111,7 @@ func handleTermSignal(svr *client.Service) {
 	svr.GracefulClose(500 * time.Millisecond)
 }

-func runClient(cfgFilePath string, unsafeFeatures *security.UnsafeFeatures) error {
+func runClient(cfgFilePath string) error {
 	cfg, proxyCfgs, visitorCfgs, isLegacyFormat, err := config.LoadClientConfig(cfgFilePath, strictConfigMode)
 	if err != nil {
 		return err
@@ -135,22 +127,20 @@ func runClient(cfgFilePath string, unsafeFeatures *security.UnsafeFeatures) erro
 		}
 	}

-	warning, err := validation.ValidateAllClientConfig(cfg, proxyCfgs, visitorCfgs, unsafeFeatures)
+	warning, err := validation.ValidateAllClientConfig(cfg, proxyCfgs, visitorCfgs)
 	if warning != nil {
 		fmt.Printf("WARNING: %v\n", warning)
 	}
 	if err != nil {
 		return err
 	}
-
-	return startService(cfg, proxyCfgs, visitorCfgs, unsafeFeatures, cfgFilePath)
+	return startService(cfg, proxyCfgs, visitorCfgs, cfgFilePath)
 }

 func startService(
 	cfg *v1.ClientCommonConfig,
 	proxyCfgs []v1.ProxyConfigurer,
 	visitorCfgs []v1.VisitorConfigurer,
-	unsafeFeatures *security.UnsafeFeatures,
 	cfgFile string,
 ) error {
 	log.InitLogger(cfg.Log.To, cfg.Log.Level, int(cfg.Log.MaxDays), cfg.Log.DisablePrintColor)
@@ -163,7 +153,6 @@ func startService(
 		Common:         cfg,
 		ProxyCfgs:      proxyCfgs,
 		VisitorCfgs:    visitorCfgs,
-		UnsafeFeatures: unsafeFeatures,
 		ConfigFilePath: cfgFile,
 	})
 	if err != nil {
--- a/cmd/frpc/sub/verify.go
+++ b/cmd/frpc/sub/verify.go
@@ -22,7 +22,6 @@ import (

 	"github.com/fatedier/frp/pkg/config"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
-	"github.com/fatedier/frp/pkg/policy/security"
 )

 func init() {
@@ -43,8 +42,7 @@ var verifyCmd = &cobra.Command{
 			fmt.Println(err)
 			os.Exit(1)
 		}
-		unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
-		warning, err := validation.ValidateAllClientConfig(cliCfg, proxyCfgs, visitorCfgs, unsafeFeatures)
+		warning, err := validation.ValidateAllClientConfig(cliCfg, proxyCfgs, visitorCfgs)
 		if warning != nil {
 			fmt.Printf("WARNING: %v\n", warning)
 		}
--- a/cmd/frps/root.go
+++ b/cmd/frps/root.go
@@ -18,14 +18,12 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"strings"

 	"github.com/spf13/cobra"

 	"github.com/fatedier/frp/pkg/config"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
-	"github.com/fatedier/frp/pkg/policy/security"
 	"github.com/fatedier/frp/pkg/util/log"
 	"github.com/fatedier/frp/pkg/util/version"
 	"github.com/fatedier/frp/server"
@@ -35,7 +33,6 @@ var (
 	cfgFile          string
 	showVersion      bool
 	strictConfigMode bool
-	allowUnsafe      []string

 	serverCfg v1.ServerConfig
 )
@@ -44,8 +41,6 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&cfgFile, "config", "c", "", "config file of frps")
 	rootCmd.PersistentFlags().BoolVarP(&showVersion, "version", "v", false, "version of frps")
 	rootCmd.PersistentFlags().BoolVarP(&strictConfigMode, "strict_config", "", true, "strict config parsing mode, unknown fields will cause errors")
-	rootCmd.PersistentFlags().StringSliceVarP(&allowUnsafe, "allow-unsafe", "", []string{},
-		fmt.Sprintf("allowed unsafe features, one or more of: %s", strings.Join(security.ServerUnsafeFeatures, ", ")))

 	config.RegisterServerConfigFlags(rootCmd, &serverCfg)
 }
@@ -82,9 +77,7 @@ var rootCmd = &cobra.Command{
 			svrCfg = &serverCfg
 		}

-		unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
-		validator := validation.NewConfigValidator(unsafeFeatures)
-		warning, err := validator.ValidateServerConfig(svrCfg)
+		warning, err := validation.ValidateServerConfig(svrCfg)
 		if warning != nil {
 			fmt.Printf("WARNING: %v\n", warning)
 		}
--- a/cmd/frps/verify.go
+++ b/cmd/frps/verify.go
@@ -22,7 +22,6 @@ import (

 	"github.com/fatedier/frp/pkg/config"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
-	"github.com/fatedier/frp/pkg/policy/security"
 )

 func init() {
@@ -43,9 +42,7 @@ var verifyCmd = &cobra.Command{
 			os.Exit(1)
 		}

-		unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
-		validator := validation.NewConfigValidator(unsafeFeatures)
-		warning, err := validator.ValidateServerConfig(svrCfg)
+		warning, err := validation.ValidateServerConfig(svrCfg)
 		if warning != nil {
 			fmt.Printf("WARNING: %v\n", warning)
 		}
--- a/conf/frpc_full_example.toml
+++ b/conf/frpc_full_example.toml
@@ -143,11 +143,6 @@ transport.tls.enable = true
 # Default is empty, means all proxies.
 # start = ["ssh", "dns"]

-# Alternative to 'start': You can control each proxy individually using the 'enabled' field.
-# Set 'enabled = false' in a proxy configuration to disable it.
-# If 'enabled' is not set or set to true, the proxy is enabled by default.
-# The 'enabled' field provides more granular control and is recommended over 'start'.
-
 # Specify udp packet size, unit is byte. If not set, the default value is 1500.
 # This parameter should be same between client and server.
 # It affects the udp and sudp proxy.
@@ -174,8 +169,6 @@ metadatas.var2 = "123"
 # If global user is not empty, it will be changed to {user}.{proxy} such as 'your_name.ssh'
 name = "ssh"
 type = "tcp"
-# Enable or disable this proxy. true or omit this field to enable, false to disable.
-# enabled = true
 localIP = "127.0.0.1"
 localPort = 22
 # Limit bandwidth for this proxy, unit is KB and MB
@@ -260,8 +253,6 @@ healthCheck.httpHeaders=[
 [[proxies]]
 name = "web02"
 type = "https"
-# Disable this proxy by setting enabled to false
-# enabled = false
 localIP = "127.0.0.1"
 localPort = 8000
 subdomain = "web02"
--- a/doc/pic/zsxq.jpg
+++ b/doc/pic/zsxq.jpg
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -15,7 +15,6 @@
 package auth

 import (
-	"context"
 	"fmt"

 	v1 "github.com/fatedier/frp/pkg/config/v1"
@@ -28,51 +27,14 @@ type Setter interface {
 	SetNewWorkConn(*msg.NewWorkConn) error
 }

-type ClientAuth struct {
-	Setter Setter
-	key    []byte
-}
-
-func (a *ClientAuth) EncryptionKey() []byte {
-	return a.key
-}
-
-// BuildClientAuth resolves any dynamic auth values and returns a prepared auth runtime.
-// Caller must run validation before calling this function.
-func BuildClientAuth(cfg *v1.AuthClientConfig) (*ClientAuth, error) {
-	if cfg == nil {
-		return nil, fmt.Errorf("auth config is nil")
-	}
-	resolved := *cfg
-	if resolved.Method == v1.AuthMethodToken && resolved.TokenSource != nil {
-		token, err := resolved.TokenSource.Resolve(context.Background())
-		if err != nil {
-			return nil, fmt.Errorf("failed to resolve auth.tokenSource: %w", err)
-		}
-		resolved.Token = token
-	}
-	setter, err := NewAuthSetter(resolved)
-	if err != nil {
-		return nil, err
-	}
-	return &ClientAuth{
-		Setter: setter,
-		key:    []byte(resolved.Token),
-	}, nil
-}
-
 func NewAuthSetter(cfg v1.AuthClientConfig) (authProvider Setter, err error) {
 	switch cfg.Method {
 	case v1.AuthMethodToken:
 		authProvider = NewTokenAuth(cfg.AdditionalScopes, cfg.Token)
 	case v1.AuthMethodOIDC:
-		if cfg.OIDC.TokenSource != nil {
-			authProvider = NewOidcTokenSourceAuthSetter(cfg.AdditionalScopes, cfg.OIDC.TokenSource)
-		} else {
-			authProvider, err = NewOidcAuthSetter(cfg.AdditionalScopes, cfg.OIDC)
-			if err != nil {
-				return nil, err
-			}
+		authProvider, err = NewOidcAuthSetter(cfg.AdditionalScopes, cfg.OIDC)
+		if err != nil {
+			return nil, err
 		}
 	default:
 		return nil, fmt.Errorf("unsupported auth method: %s", cfg.Method)
@@ -86,35 +48,6 @@ type Verifier interface {
 	VerifyNewWorkConn(*msg.NewWorkConn) error
 }

-type ServerAuth struct {
-	Verifier Verifier
-	key      []byte
-}
-
-func (a *ServerAuth) EncryptionKey() []byte {
-	return a.key
-}
-
-// BuildServerAuth resolves any dynamic auth values and returns a prepared auth runtime.
-// Caller must run validation before calling this function.
-func BuildServerAuth(cfg *v1.AuthServerConfig) (*ServerAuth, error) {
-	if cfg == nil {
-		return nil, fmt.Errorf("auth config is nil")
-	}
-	resolved := *cfg
-	if resolved.Method == v1.AuthMethodToken && resolved.TokenSource != nil {
-		token, err := resolved.TokenSource.Resolve(context.Background())
-		if err != nil {
-			return nil, fmt.Errorf("failed to resolve auth.tokenSource: %w", err)
-		}
-		resolved.Token = token
-	}
-	return &ServerAuth{
-		Verifier: NewAuthVerifier(resolved),
-		key:      []byte(resolved.Token),
-	}, nil
-}
-
 func NewAuthVerifier(cfg v1.AuthServerConfig) (authVerifier Verifier) {
 	switch cfg.Method {
 	case v1.AuthMethodToken:
--- a/pkg/auth/oidc.go
+++ b/pkg/auth/oidc.go
@@ -152,51 +152,6 @@ func (auth *OidcAuthProvider) SetNewWorkConn(newWorkConnMsg *msg.NewWorkConn) (e
 	return err
 }

-type OidcTokenSourceAuthProvider struct {
-	additionalAuthScopes []v1.AuthScope
-
-	valueSource *v1.ValueSource
-}
-
-func NewOidcTokenSourceAuthSetter(additionalAuthScopes []v1.AuthScope, valueSource *v1.ValueSource) *OidcTokenSourceAuthProvider {
-	return &OidcTokenSourceAuthProvider{
-		additionalAuthScopes: additionalAuthScopes,
-		valueSource:          valueSource,
-	}
-}
-
-func (auth *OidcTokenSourceAuthProvider) generateAccessToken() (accessToken string, err error) {
-	ctx := context.Background()
-	accessToken, err = auth.valueSource.Resolve(ctx)
-	if err != nil {
-		return "", fmt.Errorf("couldn't acquire OIDC token for login: %v", err)
-	}
-	return
-}
-
-func (auth *OidcTokenSourceAuthProvider) SetLogin(loginMsg *msg.Login) (err error) {
-	loginMsg.PrivilegeKey, err = auth.generateAccessToken()
-	return err
-}
-
-func (auth *OidcTokenSourceAuthProvider) SetPing(pingMsg *msg.Ping) (err error) {
-	if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeHeartBeats) {
-		return nil
-	}
-
-	pingMsg.PrivilegeKey, err = auth.generateAccessToken()
-	return err
-}
-
-func (auth *OidcTokenSourceAuthProvider) SetNewWorkConn(newWorkConnMsg *msg.NewWorkConn) (err error) {
-	if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeNewWorkConns) {
-		return nil
-	}
-
-	newWorkConnMsg.PrivilegeKey, err = auth.generateAccessToken()
-	return err
-}
-
 type TokenVerifier interface {
 	Verify(context.Context, string) (*oidc.IDToken, error)
 }
--- a/pkg/config/load.go
+++ b/pkg/config/load.go
@@ -281,17 +281,6 @@ func LoadClientConfig(path string, strict bool) (
 		})
 	}

-	// Filter by enabled field in each proxy
-	// nil or true means enabled, false means disabled
-	proxyCfgs = lo.Filter(proxyCfgs, func(c v1.ProxyConfigurer, _ int) bool {
-		enabled := c.GetBaseConfig().Enabled
-		return enabled == nil || *enabled
-	})
-	visitorCfgs = lo.Filter(visitorCfgs, func(c v1.VisitorConfigurer, _ int) bool {
-		enabled := c.GetBaseConfig().Enabled
-		return enabled == nil || *enabled
-	})
-
 	if cliCfg != nil {
 		if err := cliCfg.Complete(); err != nil {
 			return nil, nil, nil, isLegacyFormat, err
--- a/pkg/config/v1/client.go
+++ b/pkg/config/v1/client.go
@@ -15,6 +15,8 @@
 package v1

 import (
+	"context"
+	"fmt"
 	"os"

 	"github.com/samber/lo"
@@ -196,6 +198,17 @@ type AuthClientConfig struct {

 func (c *AuthClientConfig) Complete() error {
 	c.Method = util.EmptyOr(c.Method, "token")
+
+	// Resolve tokenSource during configuration loading
+	if c.Method == AuthMethodToken && c.TokenSource != nil {
+		token, err := c.TokenSource.Resolve(context.Background())
+		if err != nil {
+			return fmt.Errorf("failed to resolve auth.tokenSource: %w", err)
+		}
+		// Move the resolved token to the Token field and clear TokenSource
+		c.Token = token
+		c.TokenSource = nil
+	}
 	return nil
 }

@@ -226,10 +239,6 @@ type AuthOIDCClientConfig struct {
 	// Supports http, https, socks5, and socks5h proxy protocols.
 	// If empty, no proxy is used for OIDC connections.
 	ProxyURL string `json:"proxyURL,omitempty"`
-
-	// TokenSource specifies a custom dynamic source for the authorization token.
-	// This is mutually exclusive with every other field of this structure.
-	TokenSource *ValueSource `json:"tokenSource,omitempty"`
 }

 type VirtualNetConfig struct {
--- a/pkg/config/v1/client_test.go
+++ b/pkg/config/v1/client_test.go
@@ -15,6 +15,8 @@
 package v1

 import (
+	"os"
+	"path/filepath"
 	"testing"

 	"github.com/samber/lo"
@@ -36,9 +38,68 @@ func TestClientConfigComplete(t *testing.T) {
 }

 func TestAuthClientConfig_Complete(t *testing.T) {
-	require := require.New(t)
-	cfg := &AuthClientConfig{}
-	err := cfg.Complete()
-	require.NoError(err)
-	require.EqualValues("token", cfg.Method)
+	// Create a temporary file for testing
+	tmpDir := t.TempDir()
+	testFile := filepath.Join(tmpDir, "test_token")
+	testContent := "client-token-value"
+	err := os.WriteFile(testFile, []byte(testContent), 0o600)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name        string
+		config      AuthClientConfig
+		expectToken string
+		expectPanic bool
+	}{
+		{
+			name: "tokenSource resolved to token",
+			config: AuthClientConfig{
+				Method: AuthMethodToken,
+				TokenSource: &ValueSource{
+					Type: "file",
+					File: &FileSource{
+						Path: testFile,
+					},
+				},
+			},
+			expectToken: testContent,
+			expectPanic: false,
+		},
+		{
+			name: "direct token unchanged",
+			config: AuthClientConfig{
+				Method: AuthMethodToken,
+				Token:  "direct-token",
+			},
+			expectToken: "direct-token",
+			expectPanic: false,
+		},
+		{
+			name: "invalid tokenSource should panic",
+			config: AuthClientConfig{
+				Method: AuthMethodToken,
+				TokenSource: &ValueSource{
+					Type: "file",
+					File: &FileSource{
+						Path: "/non/existent/file",
+					},
+				},
+			},
+			expectPanic: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.expectPanic {
+				err := tt.config.Complete()
+				require.Error(t, err)
+			} else {
+				err := tt.config.Complete()
+				require.NoError(t, err)
+				require.Equal(t, tt.expectToken, tt.config.Token)
+				require.Nil(t, tt.config.TokenSource, "TokenSource should be cleared after resolution")
+			}
+		})
+	}
 }
--- a/pkg/config/v1/proxy.go
+++ b/pkg/config/v1/proxy.go
@@ -108,11 +108,8 @@ type DomainConfig struct {
 }

 type ProxyBaseConfig struct {
-	Name string `json:"name"`
-	Type string `json:"type"`
-	// Enabled controls whether this proxy is enabled. nil or true means enabled, false means disabled.
-	// This allows individual control over each proxy, complementing the global "start" field.
-	Enabled     *bool             `json:"enabled,omitempty"`
+	Name        string            `json:"name"`
+	Type        string            `json:"type"`
 	Annotations map[string]string `json:"annotations,omitempty"`
 	Transport   ProxyTransport    `json:"transport,omitempty"`
 	// metadata info for each proxy
--- a/pkg/config/v1/server.go
+++ b/pkg/config/v1/server.go
@@ -15,6 +15,9 @@
 package v1

 import (
+	"context"
+	"fmt"
+
 	"github.com/samber/lo"

 	"github.com/fatedier/frp/pkg/config/types"
@@ -135,6 +138,17 @@ type AuthServerConfig struct {

 func (c *AuthServerConfig) Complete() error {
 	c.Method = util.EmptyOr(c.Method, "token")
+
+	// Resolve tokenSource during configuration loading
+	if c.Method == AuthMethodToken && c.TokenSource != nil {
+		token, err := c.TokenSource.Resolve(context.Background())
+		if err != nil {
+			return fmt.Errorf("failed to resolve auth.tokenSource: %w", err)
+		}
+		// Move the resolved token to the Token field and clear TokenSource
+		c.Token = token
+		c.TokenSource = nil
+	}
 	return nil
 }

--- a/pkg/config/v1/server_test.go
+++ b/pkg/config/v1/server_test.go
@@ -15,6 +15,8 @@
 package v1

 import (
+	"os"
+	"path/filepath"
 	"testing"

 	"github.com/samber/lo"
@@ -33,9 +35,68 @@ func TestServerConfigComplete(t *testing.T) {
 }

 func TestAuthServerConfig_Complete(t *testing.T) {
-	require := require.New(t)
-	cfg := &AuthServerConfig{}
-	err := cfg.Complete()
-	require.NoError(err)
-	require.EqualValues("token", cfg.Method)
+	// Create a temporary file for testing
+	tmpDir := t.TempDir()
+	testFile := filepath.Join(tmpDir, "test_token")
+	testContent := "file-token-value"
+	err := os.WriteFile(testFile, []byte(testContent), 0o600)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name        string
+		config      AuthServerConfig
+		expectToken string
+		expectPanic bool
+	}{
+		{
+			name: "tokenSource resolved to token",
+			config: AuthServerConfig{
+				Method: AuthMethodToken,
+				TokenSource: &ValueSource{
+					Type: "file",
+					File: &FileSource{
+						Path: testFile,
+					},
+				},
+			},
+			expectToken: testContent,
+			expectPanic: false,
+		},
+		{
+			name: "direct token unchanged",
+			config: AuthServerConfig{
+				Method: AuthMethodToken,
+				Token:  "direct-token",
+			},
+			expectToken: "direct-token",
+			expectPanic: false,
+		},
+		{
+			name: "invalid tokenSource should panic",
+			config: AuthServerConfig{
+				Method: AuthMethodToken,
+				TokenSource: &ValueSource{
+					Type: "file",
+					File: &FileSource{
+						Path: "/non/existent/file",
+					},
+				},
+			},
+			expectPanic: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.expectPanic {
+				err := tt.config.Complete()
+				require.Error(t, err)
+			} else {
+				err := tt.config.Complete()
+				require.NoError(t, err)
+				require.Equal(t, tt.expectToken, tt.config.Token)
+				require.Nil(t, tt.config.TokenSource, "TokenSource should be cleared after resolution")
+			}
+		})
+	}
 }
--- a/pkg/config/v1/validation/client.go
+++ b/pkg/config/v1/validation/client.go
@@ -23,109 +23,55 @@ import (
 	"github.com/samber/lo"

 	v1 "github.com/fatedier/frp/pkg/config/v1"
-	"github.com/fatedier/frp/pkg/policy/featuregate"
-	"github.com/fatedier/frp/pkg/policy/security"
+	"github.com/fatedier/frp/pkg/featuregate"
 )

-func (v *ConfigValidator) ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
+func ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
 	var (
 		warnings Warning
 		errs     error
 	)
-
-	validators := []func() (Warning, error){
-		func() (Warning, error) { return validateFeatureGates(c) },
-		func() (Warning, error) { return v.validateAuthConfig(&c.Auth) },
-		func() (Warning, error) { return nil, validateLogConfig(&c.Log) },
-		func() (Warning, error) { return nil, validateWebServerConfig(&c.WebServer) },
-		func() (Warning, error) { return validateTransportConfig(&c.Transport) },
-		func() (Warning, error) { return validateIncludeFiles(c.IncludeConfigFiles) },
-	}
-
-	for _, validator := range validators {
-		w, err := validator()
-		warnings = AppendError(warnings, w)
-		errs = AppendError(errs, err)
-	}
-	return warnings, errs
-}
-
-func validateFeatureGates(c *v1.ClientCommonConfig) (Warning, error) {
+	// validate feature gates
 	if c.VirtualNet.Address != "" {
 		if !featuregate.Enabled(featuregate.VirtualNet) {
-			return nil, fmt.Errorf("VirtualNet feature is not enabled; enable it by setting the appropriate feature gate flag")
+			return warnings, fmt.Errorf("VirtualNet feature is not enabled; enable it by setting the appropriate feature gate flag")
 		}
 	}
-	return nil, nil
-}

-func (v *ConfigValidator) validateAuthConfig(c *v1.AuthClientConfig) (Warning, error) {
-	var errs error
-	if !slices.Contains(SupportedAuthMethods, c.Method) {
+	if !slices.Contains(SupportedAuthMethods, c.Auth.Method) {
 		errs = AppendError(errs, fmt.Errorf("invalid auth method, optional values are %v", SupportedAuthMethods))
 	}
-	if !lo.Every(SupportedAuthAdditionalScopes, c.AdditionalScopes) {
+	if !lo.Every(SupportedAuthAdditionalScopes, c.Auth.AdditionalScopes) {
 		errs = AppendError(errs, fmt.Errorf("invalid auth additional scopes, optional values are %v", SupportedAuthAdditionalScopes))
 	}

 	// Validate token/tokenSource mutual exclusivity
-	if c.Token != "" && c.TokenSource != nil {
+	if c.Auth.Token != "" && c.Auth.TokenSource != nil {
 		errs = AppendError(errs, fmt.Errorf("cannot specify both auth.token and auth.tokenSource"))
 	}

 	// Validate tokenSource if specified
-	if c.TokenSource != nil {
-		if c.TokenSource.Type == "exec" {
-			if err := v.ValidateUnsafeFeature(security.TokenSourceExec); err != nil {
-				errs = AppendError(errs, err)
-			}
-		}
-		if err := c.TokenSource.Validate(); err != nil {
+	if c.Auth.TokenSource != nil {
+		if err := c.Auth.TokenSource.Validate(); err != nil {
 			errs = AppendError(errs, fmt.Errorf("invalid auth.tokenSource: %v", err))
 		}
 	}

-	if err := v.validateOIDCConfig(&c.OIDC); err != nil {
+	if err := validateLogConfig(&c.Log); err != nil {
 		errs = AppendError(errs, err)
 	}
-	return nil, errs
-}

-func (v *ConfigValidator) validateOIDCConfig(c *v1.AuthOIDCClientConfig) error {
-	if c.TokenSource == nil {
-		return nil
+	if err := validateWebServerConfig(&c.WebServer); err != nil {
+		errs = AppendError(errs, err)
 	}
-	var errs error
-	// Validate oidc.tokenSource mutual exclusivity with other fields of oidc
-	if c.ClientID != "" || c.ClientSecret != "" || c.Audience != "" ||
-		c.Scope != "" || c.TokenEndpointURL != "" || len(c.AdditionalEndpointParams) > 0 ||
-		c.TrustedCaFile != "" || c.InsecureSkipVerify || c.ProxyURL != "" {
-		errs = AppendError(errs, fmt.Errorf("cannot specify both auth.oidc.tokenSource and any other field of auth.oidc"))
-	}
-	if c.TokenSource.Type == "exec" {
-		if err := v.ValidateUnsafeFeature(security.TokenSourceExec); err != nil {
-			errs = AppendError(errs, err)
-		}
-	}
-	if err := c.TokenSource.Validate(); err != nil {
-		errs = AppendError(errs, fmt.Errorf("invalid auth.oidc.tokenSource: %v", err))
-	}
-	return errs
-}

-func validateTransportConfig(c *v1.ClientTransportConfig) (Warning, error) {
-	var (
-		warnings Warning
-		errs     error
-	)
-
-	if c.HeartbeatTimeout > 0 && c.HeartbeatInterval > 0 {
-		if c.HeartbeatTimeout < c.HeartbeatInterval {
+	if c.Transport.HeartbeatTimeout > 0 && c.Transport.HeartbeatInterval > 0 {
+		if c.Transport.HeartbeatTimeout < c.Transport.HeartbeatInterval {
 			errs = AppendError(errs, fmt.Errorf("invalid transport.heartbeatTimeout, heartbeat timeout should not less than heartbeat interval"))
 		}
 	}

-	if !lo.FromPtr(c.TLS.Enable) {
+	if !lo.FromPtr(c.Transport.TLS.Enable) {
 		checkTLSConfig := func(name string, value string) Warning {
 			if value != "" {
 				return fmt.Errorf("%s is invalid when transport.tls.enable is false", name)
@@ -133,20 +79,16 @@ func validateTransportConfig(c *v1.ClientTransportConfig) (Warning, error) {
 			return nil
 		}

-		warnings = AppendError(warnings, checkTLSConfig("transport.tls.certFile", c.TLS.CertFile))
-		warnings = AppendError(warnings, checkTLSConfig("transport.tls.keyFile", c.TLS.KeyFile))
-		warnings = AppendError(warnings, checkTLSConfig("transport.tls.trustedCaFile", c.TLS.TrustedCaFile))
+		warnings = AppendError(warnings, checkTLSConfig("transport.tls.certFile", c.Transport.TLS.CertFile))
+		warnings = AppendError(warnings, checkTLSConfig("transport.tls.keyFile", c.Transport.TLS.KeyFile))
+		warnings = AppendError(warnings, checkTLSConfig("transport.tls.trustedCaFile", c.Transport.TLS.TrustedCaFile))
 	}

-	if !slices.Contains(SupportedTransportProtocols, c.Protocol) {
+	if !slices.Contains(SupportedTransportProtocols, c.Transport.Protocol) {
 		errs = AppendError(errs, fmt.Errorf("invalid transport.protocol, optional values are %v", SupportedTransportProtocols))
 	}
-	return warnings, errs
-}

-func validateIncludeFiles(files []string) (Warning, error) {
-	var errs error
-	for _, f := range files {
+	for _, f := range c.IncludeConfigFiles {
 		absDir, err := filepath.Abs(filepath.Dir(f))
 		if err != nil {
 			errs = AppendError(errs, fmt.Errorf("include: parse directory of %s failed: %v", f, err))
@@ -156,19 +98,13 @@ func validateIncludeFiles(files []string) (Warning, error) {
 			errs = AppendError(errs, fmt.Errorf("include: directory of %s not exist", f))
 		}
 	}
-	return nil, errs
+	return warnings, errs
 }

-func ValidateAllClientConfig(
-	c *v1.ClientCommonConfig,
-	proxyCfgs []v1.ProxyConfigurer,
-	visitorCfgs []v1.VisitorConfigurer,
-	unsafeFeatures *security.UnsafeFeatures,
-) (Warning, error) {
-	validator := NewConfigValidator(unsafeFeatures)
+func ValidateAllClientConfig(c *v1.ClientCommonConfig, proxyCfgs []v1.ProxyConfigurer, visitorCfgs []v1.VisitorConfigurer) (Warning, error) {
 	var warnings Warning
 	if c != nil {
-		warning, err := validator.ValidateClientCommonConfig(c)
+		warning, err := ValidateClientCommonConfig(c)
 		warnings = AppendError(warnings, warning)
 		if err != nil {
 			return warnings, err
--- a/pkg/config/v1/validation/server.go
+++ b/pkg/config/v1/validation/server.go
@@ -21,10 +21,9 @@ import (
 	"github.com/samber/lo"

 	v1 "github.com/fatedier/frp/pkg/config/v1"
-	"github.com/fatedier/frp/pkg/policy/security"
 )

-func (v *ConfigValidator) ValidateServerConfig(c *v1.ServerConfig) (Warning, error) {
+func ValidateServerConfig(c *v1.ServerConfig) (Warning, error) {
 	var (
 		warnings Warning
 		errs     error
@@ -43,11 +42,6 @@ func (v *ConfigValidator) ValidateServerConfig(c *v1.ServerConfig) (Warning, err

 	// Validate tokenSource if specified
 	if c.Auth.TokenSource != nil {
-		if c.Auth.TokenSource.Type == "exec" {
-			if err := v.ValidateUnsafeFeature(security.TokenSourceExec); err != nil {
-				errs = AppendError(errs, err)
-			}
-		}
 		if err := c.Auth.TokenSource.Validate(); err != nil {
 			errs = AppendError(errs, fmt.Errorf("invalid auth.tokenSource: %v", err))
 		}
--- a/pkg/config/v1/validation/validator.go
+++ b/pkg/config/v1/validation/validator.go
@@ -1,28 +0,0 @@
-package validation
-
-import (
-	"fmt"
-
-	"github.com/fatedier/frp/pkg/policy/security"
-)
-
-// ConfigValidator holds the context dependencies for configuration validation.
-type ConfigValidator struct {
-	unsafeFeatures *security.UnsafeFeatures
-}
-
-// NewConfigValidator creates a new ConfigValidator instance.
-func NewConfigValidator(unsafeFeatures *security.UnsafeFeatures) *ConfigValidator {
-	return &ConfigValidator{
-		unsafeFeatures: unsafeFeatures,
-	}
-}
-
-// ValidateUnsafeFeature checks if a specific unsafe feature is enabled.
-func (v *ConfigValidator) ValidateUnsafeFeature(feature string) error {
-	if !v.unsafeFeatures.IsEnabled(feature) {
-		return fmt.Errorf("unsafe feature %q is not enabled. "+
-			"To enable it, ensure it is allowed in the configuration or command line flags", feature)
-	}
-	return nil
-}
--- a/pkg/config/v1/value_source.go
+++ b/pkg/config/v1/value_source.go
@@ -19,7 +19,6 @@ import (
 	"errors"
 	"fmt"
 	"os"
-	"os/exec"
 	"strings"
 )

@@ -28,7 +27,6 @@ import (
 type ValueSource struct {
 	Type string      `json:"type"`
 	File *FileSource `json:"file,omitempty"`
-	Exec *ExecSource `json:"exec,omitempty"`
 }

 // FileSource specifies how to load a value from a file.
@@ -36,18 +34,6 @@ type FileSource struct {
 	Path string `json:"path"`
 }

-// ExecSource specifies how to get a value from another program launched as subprocess.
-type ExecSource struct {
-	Command string       `json:"command"`
-	Args    []string     `json:"args,omitempty"`
-	Env     []ExecEnvVar `json:"env,omitempty"`
-}
-
-type ExecEnvVar struct {
-	Name  string `json:"name"`
-	Value string `json:"value"`
-}
-
 // Validate validates the ValueSource configuration.
 func (v *ValueSource) Validate() error {
 	if v == nil {
@@ -60,13 +46,8 @@ func (v *ValueSource) Validate() error {
 			return errors.New("file configuration is required when type is 'file'")
 		}
 		return v.File.Validate()
-	case "exec":
-		if v.Exec == nil {
-			return errors.New("exec configuration is required when type is 'exec'")
-		}
-		return v.Exec.Validate()
 	default:
-		return fmt.Errorf("unsupported value source type: %s (only 'file' and 'exec' are supported)", v.Type)
+		return fmt.Errorf("unsupported value source type: %s (only 'file' is supported)", v.Type)
 	}
 }

@@ -79,8 +60,6 @@ func (v *ValueSource) Resolve(ctx context.Context) (string, error) {
 	switch v.Type {
 	case "file":
 		return v.File.Resolve(ctx)
-	case "exec":
-		return v.Exec.Resolve(ctx)
 	default:
 		return "", fmt.Errorf("unsupported value source type: %s", v.Type)
 	}
@@ -112,47 +91,3 @@ func (f *FileSource) Resolve(_ context.Context) (string, error) {
 	// Trim whitespace, which is important for file-based tokens
 	return strings.TrimSpace(string(content)), nil
 }
-
-// Validate validates the ExecSource configuration.
-func (e *ExecSource) Validate() error {
-	if e == nil {
-		return errors.New("execSource cannot be nil")
-	}
-
-	if e.Command == "" {
-		return errors.New("exec command cannot be empty")
-	}
-
-	for _, env := range e.Env {
-		if env.Name == "" {
-			return errors.New("exec env name cannot be empty")
-		}
-		if strings.Contains(env.Name, "=") {
-			return errors.New("exec env name cannot contain '='")
-		}
-	}
-	return nil
-}
-
-// Resolve reads and returns the content captured from stdout of launched subprocess.
-func (e *ExecSource) Resolve(ctx context.Context) (string, error) {
-	if err := e.Validate(); err != nil {
-		return "", err
-	}
-
-	cmd := exec.CommandContext(ctx, e.Command, e.Args...)
-	if len(e.Env) != 0 {
-		cmd.Env = os.Environ()
-		for _, env := range e.Env {
-			cmd.Env = append(cmd.Env, env.Name+"="+env.Value)
-		}
-	}
-
-	content, err := cmd.Output()
-	if err != nil {
-		return "", fmt.Errorf("failed to execute command %v: %v", e.Command, err)
-	}
-
-	// Trim whitespace, which is important for exec-based tokens
-	return strings.TrimSpace(string(content)), nil
-}
--- a/pkg/config/v1/visitor.go
+++ b/pkg/config/v1/visitor.go
@@ -32,11 +32,8 @@ type VisitorTransport struct {
 }

 type VisitorBaseConfig struct {
-	Name string `json:"name"`
-	Type string `json:"type"`
-	// Enabled controls whether this visitor is enabled. nil or true means enabled, false means disabled.
-	// This allows individual control over each visitor, complementing the global "start" field.
-	Enabled   *bool            `json:"enabled,omitempty"`
+	Name      string           `json:"name"`
+	Type      string           `json:"type"`
 	Transport VisitorTransport `json:"transport,omitempty"`
 	SecretKey string           `json:"secretKey,omitempty"`
 	// if the server user is not set, it defaults to the current user
--- a/pkg/policy/featuregate/feature_gate.go
+++ b/pkg/policy/featuregate/feature_gate.go
--- a/pkg/msg/handler.go
+++ b/pkg/msg/handler.go
@@ -86,6 +86,10 @@ func (d *Dispatcher) Send(m Message) error {
 	}
 }

+func (d *Dispatcher) SendChannel() chan Message {
+	return d.sendCh
+}
+
 func (d *Dispatcher) RegisterHandler(msg Message, handler func(Message)) {
 	d.msgHandlers[reflect.TypeOf(msg)] = handler
 }
--- a/pkg/plugin/visitor/plugin.go
+++ b/pkg/plugin/visitor/plugin.go
@@ -23,20 +23,11 @@ import (
 	"github.com/fatedier/frp/pkg/vnet"
 )

-// PluginContext provides the necessary context and callbacks for visitor plugins.
 type PluginContext struct {
-	// Name is the unique identifier for this visitor, used for logging and routing.
-	Name string
-
-	// Ctx manages the plugin's lifecycle and carries the logger for structured logging.
-	Ctx context.Context
-
-	// VnetController manages TUN device routing. May be nil if virtual networking is disabled.
+	Name           string
+	Ctx            context.Context
 	VnetController *vnet.Controller
-
-	// SendConnToVisitor sends a connection to the visitor's internal processing queue.
-	// Does not return error; failures are handled by closing the connection.
-	SendConnToVisitor func(net.Conn)
+	HandleConn     func(net.Conn)
 }

 // Creators is used for create plugins to handle connections.
--- a/pkg/plugin/visitor/virtual_net.go
+++ b/pkg/plugin/visitor/virtual_net.go
@@ -42,8 +42,6 @@ type VirtualNetPlugin struct {
 	controllerConn net.Conn
 	closeSignal    chan struct{}

-	consecutiveErrors int // Tracks consecutive connection errors for exponential backoff
-
 	ctx    context.Context
 	cancel context.CancelFunc
 }
@@ -100,6 +98,7 @@ func (p *VirtualNetPlugin) Start() {

 func (p *VirtualNetPlugin) run() {
 	xl := xlog.FromContextSafe(p.ctx)
+	reconnectDelay := 10 * time.Second

 	for {
 		currentCloseSignal := make(chan struct{})
@@ -122,10 +121,7 @@ func (p *VirtualNetPlugin) run() {
 		p.controllerConn = controllerConn
 		p.mu.Unlock()

-		// Wrap with CloseNotifyConn which supports both close notification and error recording
-		var closeErr error
-		pluginNotifyConn := netutil.WrapCloseNotifyConn(pluginConn, func(err error) {
-			closeErr = err
+		pluginNotifyConn := netutil.WrapCloseNotifyConn(pluginConn, func() {
 			close(currentCloseSignal) // Signal the run loop on close.
 		})

@@ -133,9 +129,9 @@ func (p *VirtualNetPlugin) run() {
 		p.pluginCtx.VnetController.RegisterClientRoute(p.ctx, p.pluginCtx.Name, p.routes, controllerConn)
 		xl.Infof("successfully registered client route for visitor [%s]. Starting connection handler with CloseNotifyConn.", p.pluginCtx.Name)

-		// Pass the CloseNotifyConn to the visitor for handling.
-		// The visitor can call CloseWithError to record the failure reason.
-		p.pluginCtx.SendConnToVisitor(pluginNotifyConn)
+		// Pass the CloseNotifyConn to HandleConn.
+		// HandleConn is responsible for calling Close() on pluginNotifyConn.
+		p.pluginCtx.HandleConn(pluginNotifyConn)

 		// Wait for context cancellation or connection close.
 		select {
@@ -144,32 +140,8 @@ func (p *VirtualNetPlugin) run() {
 			p.cleanupControllerConn(xl)
 			return
 		case <-currentCloseSignal:
-			// Determine reconnect delay based on error with exponential backoff
-			var reconnectDelay time.Duration
-			if closeErr != nil {
-				p.consecutiveErrors++
-				xl.Warnf("connection closed with error for visitor [%s] (consecutive errors: %d): %v",
-					p.pluginCtx.Name, p.consecutiveErrors, closeErr)
-
-				// Exponential backoff: 60s, 120s, 240s, 300s (capped)
-				baseDelay := 60 * time.Second
-				reconnectDelay = baseDelay * time.Duration(1<<uint(p.consecutiveErrors-1))
-				if reconnectDelay > 300*time.Second {
-					reconnectDelay = 300 * time.Second
-				}
-			} else {
-				// Reset consecutive errors on successful connection
-				if p.consecutiveErrors > 0 {
-					xl.Infof("connection closed normally for visitor [%s], resetting error counter (was %d)",
-						p.pluginCtx.Name, p.consecutiveErrors)
-					p.consecutiveErrors = 0
-				} else {
-					xl.Infof("connection closed normally for visitor [%s]", p.pluginCtx.Name)
-				}
-				reconnectDelay = 10 * time.Second
-			}
-
-			// The visitor closed the plugin side. Close the controller side.
+			xl.Infof("detected connection closed via CloseNotifyConn for visitor [%s].", p.pluginCtx.Name)
+			// HandleConn closed the plugin side. Close the controller side.
 			p.cleanupControllerConn(xl)

 			xl.Infof("waiting %v before attempting reconnection for visitor [%s]...", reconnectDelay, p.pluginCtx.Name)
@@ -212,7 +184,7 @@ func (p *VirtualNetPlugin) Close() error {
 	}

 	// Explicitly close the controller side of the pipe.
-	// This ensures the pipe is broken even if the run loop is stuck or the visitor hasn't closed its end.
+	// This ensures the pipe is broken even if the run loop is stuck or HandleConn hasn't closed its end.
 	p.cleanupControllerConn(xl)
 	xl.Infof("finished cleaning up connections during close for visitor [%s]", p.pluginCtx.Name)

--- a/pkg/policy/security/unsafe.go
+++ b/pkg/policy/security/unsafe.go
@@ -1,34 +0,0 @@
-package security
-
-const (
-	TokenSourceExec = "TokenSourceExec"
-)
-
-var (
-	ClientUnsafeFeatures = []string{
-		TokenSourceExec,
-	}
-
-	ServerUnsafeFeatures = []string{
-		TokenSourceExec,
-	}
-)
-
-type UnsafeFeatures struct {
-	features map[string]bool
-}
-
-func NewUnsafeFeatures(allowed []string) *UnsafeFeatures {
-	features := make(map[string]bool)
-	for _, f := range allowed {
-		features[f] = true
-	}
-	return &UnsafeFeatures{features: features}
-}
-
-func (u *UnsafeFeatures) IsEnabled(feature string) bool {
-	if u == nil {
-		return false
-	}
-	return u.features[feature]
-}
--- a/pkg/transport/message.go
+++ b/pkg/transport/message.go
@@ -35,19 +35,15 @@ type MessageTransporter interface {
 	DispatchWithType(m msg.Message, msgType, laneKey string) bool
 }

-type MessageSender interface {
-	Send(msg.Message) error
-}
-
-func NewMessageTransporter(sender MessageSender) MessageTransporter {
+func NewMessageTransporter(sendCh chan msg.Message) MessageTransporter {
 	return &transporterImpl{
-		sender:   sender,
+		sendCh:   sendCh,
 		registry: make(map[string]map[string]chan msg.Message),
 	}
 }

 type transporterImpl struct {
-	sender MessageSender
+	sendCh chan msg.Message

 	// First key is message type and second key is lane key.
 	// Dispatch will dispatch message to related channel by its message type
@@ -57,7 +53,9 @@ type transporterImpl struct {
 }

 func (impl *transporterImpl) Send(m msg.Message) error {
-	return impl.sender.Send(m)
+	return errors.PanicToError(func() {
+		impl.sendCh <- m
+	})
 }

 func (impl *transporterImpl) Do(ctx context.Context, req msg.Message, laneKey, recvMsgType string) (msg.Message, error) {
--- a/pkg/util/net/conn.go
+++ b/pkg/util/net/conn.go
@@ -135,11 +135,11 @@ type CloseNotifyConn struct {
 	// 1 means closed
 	closeFlag int32

-	closeFn func(error)
+	closeFn func()
 }

-// closeFn will be only called once with the error (nil if Close() was called, non-nil if CloseWithError() was called)
-func WrapCloseNotifyConn(c net.Conn, closeFn func(error)) *CloseNotifyConn {
+// closeFn will be only called once
+func WrapCloseNotifyConn(c net.Conn, closeFn func()) net.Conn {
 	return &CloseNotifyConn{
 		Conn:    c,
 		closeFn: closeFn,
@@ -151,25 +151,12 @@ func (cc *CloseNotifyConn) Close() (err error) {
 	if pflag == 0 {
 		err = cc.Conn.Close()
 		if cc.closeFn != nil {
-			cc.closeFn(nil)
+			cc.closeFn()
 		}
 	}
 	return
 }

-// CloseWithError closes the connection and passes the error to the close callback.
-func (cc *CloseNotifyConn) CloseWithError(err error) error {
-	pflag := atomic.SwapInt32(&cc.closeFlag, 1)
-	if pflag == 0 {
-		closeErr := cc.Conn.Close()
-		if cc.closeFn != nil {
-			cc.closeFn(err)
-		}
-		return closeErr
-	}
-	return nil
-}
-
 type StatsConn struct {
 	net.Conn

--- a/pkg/util/net/websocket.go
+++ b/pkg/util/net/websocket.go
@@ -32,7 +32,7 @@ func NewWebsocketListener(ln net.Listener) (wl *WebsocketListener) {
 	muxer := http.NewServeMux()
 	muxer.Handle(FrpWebsocketPath, websocket.Handler(func(c *websocket.Conn) {
 		notifyCh := make(chan struct{})
-		conn := WrapCloseNotifyConn(c, func(_ error) {
+		conn := WrapCloseNotifyConn(c, func() {
 			close(notifyCh)
 		})
 		wl.acceptCh <- conn
--- a/pkg/util/version/version.go
+++ b/pkg/util/version/version.go
@@ -14,7 +14,7 @@

 package version

-var version = "0.66.0"
+var version = "0.65.0"

 func Full() string {
 	return version
--- a/server/control.go
+++ b/server/control.go
@@ -106,8 +106,6 @@ type Control struct {

 	// verifies authentication based on selected method
 	authVerifier auth.Verifier
-	// key used for connection encryption
-	encryptionKey []byte

 	// other components can use this to communicate with client
 	msgTransporter transport.MessageTransporter
@@ -159,7 +157,6 @@ func NewControl(
 	pxyManager *proxy.Manager,
 	pluginManager *plugin.Manager,
 	authVerifier auth.Verifier,
-	encryptionKey []byte,
 	ctlConn net.Conn,
 	ctlConnEncrypted bool,
 	loginMsg *msg.Login,
@@ -174,7 +171,6 @@ func NewControl(
 		pxyManager:    pxyManager,
 		pluginManager: pluginManager,
 		authVerifier:  authVerifier,
-		encryptionKey: encryptionKey,
 		conn:          ctlConn,
 		loginMsg:      loginMsg,
 		workConnCh:    make(chan net.Conn, poolCount+10),
@@ -190,7 +186,7 @@ func NewControl(
 	ctl.lastPing.Store(time.Now())

 	if ctlConnEncrypted {
-		cryptoRW, err := netpkg.NewCryptoReadWriter(ctl.conn, ctl.encryptionKey)
+		cryptoRW, err := netpkg.NewCryptoReadWriter(ctl.conn, []byte(ctl.serverCfg.Auth.Token))
 		if err != nil {
 			return nil, err
 		}
@@ -199,7 +195,7 @@ func NewControl(
 		ctl.msgDispatcher = msg.NewDispatcher(ctl.conn)
 	}
 	ctl.registerMsgHandlers()
-	ctl.msgTransporter = transport.NewMessageTransporter(ctl.msgDispatcher)
+	ctl.msgTransporter = transport.NewMessageTransporter(ctl.msgDispatcher.SendChannel())
 	return ctl, nil
 }

@@ -482,7 +478,6 @@ func (ctl *Control) RegisterProxy(pxyMsg *msg.NewProxy) (remoteAddr string, err
 		GetWorkConnFn:      ctl.GetWorkConn,
 		Configurer:         pxyConf,
 		ServerCfg:          ctl.serverCfg,
-		EncryptionKey:      ctl.encryptionKey,
 	})
 	if err != nil {
 		return remoteAddr, err
--- a/server/proxy/http.go
+++ b/server/proxy/http.go
@@ -165,7 +165,7 @@ func (pxy *HTTPProxy) GetRealConn(remoteAddr string) (workConn net.Conn, err err

 	var rwc io.ReadWriteCloser = tmpConn
 	if pxy.cfg.Transport.UseEncryption {
-		rwc, err = libio.WithEncryption(rwc, pxy.encryptionKey)
+		rwc, err = libio.WithEncryption(rwc, []byte(pxy.serverCfg.Auth.Token))
 		if err != nil {
 			xl.Errorf("create encryption stream error: %v", err)
 			return
--- a/server/proxy/proxy.go
+++ b/server/proxy/proxy.go
@@ -68,7 +68,6 @@ type BaseProxy struct {
 	poolCount     int
 	getWorkConnFn GetWorkConnFn
 	serverCfg     *v1.ServerConfig
-	encryptionKey []byte
 	limiter       *rate.Limiter
 	userInfo      plugin.UserInfo
 	loginMsg      *msg.Login
@@ -214,6 +213,7 @@ func (pxy *BaseProxy) handleUserTCPConnection(userConn net.Conn) {
 	xl := xlog.FromContextSafe(pxy.Context())
 	defer userConn.Close()

+	serverCfg := pxy.serverCfg
 	cfg := pxy.configurer.GetBaseConfig()
 	// server plugin hook
 	rc := pxy.GetResourceController()
@@ -240,7 +240,7 @@ func (pxy *BaseProxy) handleUserTCPConnection(userConn net.Conn) {
 	xl.Tracef("handler user tcp connection, use_encryption: %t, use_compression: %t",
 		cfg.Transport.UseEncryption, cfg.Transport.UseCompression)
 	if cfg.Transport.UseEncryption {
-		local, err = libio.WithEncryption(local, pxy.encryptionKey)
+		local, err = libio.WithEncryption(local, []byte(serverCfg.Auth.Token))
 		if err != nil {
 			xl.Errorf("create encryption stream error: %v", err)
 			return
@@ -279,7 +279,6 @@ type Options struct {
 	GetWorkConnFn      GetWorkConnFn
 	Configurer         v1.ProxyConfigurer
 	ServerCfg          *v1.ServerConfig
-	EncryptionKey      []byte
 }

 func NewProxy(ctx context.Context, options *Options) (pxy Proxy, err error) {
@@ -299,7 +298,6 @@ func NewProxy(ctx context.Context, options *Options) (pxy Proxy, err error) {
 		poolCount:     options.PoolCount,
 		getWorkConnFn: options.GetWorkConnFn,
 		serverCfg:     options.ServerCfg,
-		encryptionKey: options.EncryptionKey,
 		limiter:       limiter,
 		xl:            xl,
 		ctx:           xlog.NewContext(ctx, xl),
--- a/server/proxy/udp.go
+++ b/server/proxy/udp.go
@@ -205,7 +205,7 @@ func (pxy *UDPProxy) Run() (remoteAddr string, err error) {

 			var rwc io.ReadWriteCloser = workConn
 			if pxy.cfg.Transport.UseEncryption {
-				rwc, err = libio.WithEncryption(rwc, pxy.encryptionKey)
+				rwc, err = libio.WithEncryption(rwc, []byte(pxy.serverCfg.Auth.Token))
 				if err != nil {
 					xl.Errorf("create encryption stream error: %v", err)
 					workConn.Close()
--- a/server/service.go
+++ b/server/service.go
@@ -113,8 +113,8 @@ type Service struct {

 	sshTunnelGateway *ssh.Gateway

-	// Auth runtime and encryption materials
-	auth *auth.ServerAuth
+	// Verifies authentication based on selected method
+	authVerifier auth.Verifier

 	tlsConfig *tls.Config

@@ -149,11 +149,6 @@ func NewService(cfg *v1.ServerConfig) (*Service, error) {
 		}
 	}

-	authRuntime, err := auth.BuildServerAuth(&cfg.Auth)
-	if err != nil {
-		return nil, err
-	}
-
 	svr := &Service{
 		ctlManager:    NewControlManager(),
 		pxyManager:    proxy.NewManager(),
@@ -165,7 +160,7 @@ func NewService(cfg *v1.ServerConfig) (*Service, error) {
 		},
 		sshTunnelListener: netpkg.NewInternalListener(),
 		httpVhostRouter:   vhost.NewRouters(),
-		auth:              authRuntime,
+		authVerifier:      auth.NewAuthVerifier(cfg.Auth),
 		webServer:         webServer,
 		tlsConfig:         tlsConfig,
 		cfg:               cfg,
@@ -591,7 +586,7 @@ func (svr *Service) RegisterControl(ctlConn net.Conn, loginMsg *msg.Login, inter
 		ctlConn.RemoteAddr().String(), loginMsg.Version, loginMsg.Hostname, loginMsg.Os, loginMsg.Arch)

 	// Check auth.
-	authVerifier := svr.auth.Verifier
+	authVerifier := svr.authVerifier
 	if internal && loginMsg.ClientSpec.AlwaysAuthPass {
 		authVerifier = auth.AlwaysPassVerifier
 	}
@@ -600,7 +595,7 @@ func (svr *Service) RegisterControl(ctlConn net.Conn, loginMsg *msg.Login, inter
 	}

 	// TODO(fatedier): use SessionContext
-	ctl, err := NewControl(ctx, svr.rc, svr.pxyManager, svr.pluginManager, authVerifier, svr.auth.EncryptionKey(), ctlConn, !internal, loginMsg, svr.cfg)
+	ctl, err := NewControl(ctx, svr.rc, svr.pxyManager, svr.pluginManager, authVerifier, ctlConn, !internal, loginMsg, svr.cfg)
 	if err != nil {
 		xl.Warnf("create new controller error: %v", err)
 		// don't return detailed errors to client
--- a/test/e2e/v1/basic/token_source.go
+++ b/test/e2e/v1/basic/token_source.go
@@ -29,18 +29,6 @@ import (
 var _ = ginkgo.Describe("[Feature: TokenSource]", func() {
 	f := framework.NewDefaultFramework()

-	createExecTokenScript := func(name string) string {
-		scriptPath := filepath.Join(f.TempDirectory, name)
-		scriptContent := `#!/bin/sh
-printf '%s\n' "$1"
-`
-		err := os.WriteFile(scriptPath, []byte(scriptContent), 0o600)
-		framework.ExpectNoError(err)
-		err = os.Chmod(scriptPath, 0o700)
-		framework.ExpectNoError(err)
-		return scriptPath
-	}
-
 	ginkgo.Describe("File-based token loading", func() {
 		ginkgo.It("should work with file tokenSource", func() {
 			// Create a temporary token file
@@ -226,154 +214,4 @@ auth.tokenSource.file.path = "%s"
 			f.RunProcesses([]string{serverConf}, []string{})
 		})
 	})
-
-	ginkgo.Describe("Exec-based token loading", func() {
-		ginkgo.It("should work with server tokenSource", func() {
-			execValue := "exec-server-value"
-			scriptPath := createExecTokenScript("server_token_exec.sh")
-
-			serverPort := f.AllocPort()
-			remotePort := f.AllocPort()
-
-			serverConf := fmt.Sprintf(`
-bindAddr = "0.0.0.0"
-bindPort = %d
-
-auth.tokenSource.type = "exec"
-auth.tokenSource.exec.command = %q
-auth.tokenSource.exec.args = [%q]
-`, serverPort, scriptPath, execValue)
-
-			clientConf := fmt.Sprintf(`
-serverAddr = "127.0.0.1"
-serverPort = %d
-loginFailExit = false
-auth.token = %q
-
-[[proxies]]
-name = "tcp"
-type = "tcp"
-localPort = %d
-remotePort = %d
-`, serverPort, execValue, f.PortByName(framework.TCPEchoServerPort), remotePort)
-
-			serverConfigPath := f.GenerateConfigFile(serverConf)
-			clientConfigPath := f.GenerateConfigFile(clientConf)
-
-			_, _, err := f.RunFrps("-c", serverConfigPath, "--allow-unsafe=TokenSourceExec")
-			framework.ExpectNoError(err)
-
-			_, _, err = f.RunFrpc("-c", clientConfigPath, "--allow-unsafe=TokenSourceExec")
-			framework.ExpectNoError(err)
-
-			framework.NewRequestExpect(f).Port(remotePort).Ensure()
-		})
-
-		ginkgo.It("should work with client tokenSource", func() {
-			execValue := "exec-client-value"
-			scriptPath := createExecTokenScript("client_token_exec.sh")
-
-			serverPort := f.AllocPort()
-			remotePort := f.AllocPort()
-
-			serverConf := fmt.Sprintf(`
-bindAddr = "0.0.0.0"
-bindPort = %d
-
-auth.token = %q
-`, serverPort, execValue)
-
-			clientConf := fmt.Sprintf(`
-serverAddr = "127.0.0.1"
-serverPort = %d
-loginFailExit = false
-
-auth.tokenSource.type = "exec"
-auth.tokenSource.exec.command = %q
-auth.tokenSource.exec.args = [%q]
-
-[[proxies]]
-name = "tcp"
-type = "tcp"
-localPort = %d
-remotePort = %d
-`, serverPort, scriptPath, execValue, f.PortByName(framework.TCPEchoServerPort), remotePort)
-
-			serverConfigPath := f.GenerateConfigFile(serverConf)
-			clientConfigPath := f.GenerateConfigFile(clientConf)
-
-			_, _, err := f.RunFrps("-c", serverConfigPath, "--allow-unsafe=TokenSourceExec")
-			framework.ExpectNoError(err)
-
-			_, _, err = f.RunFrpc("-c", clientConfigPath, "--allow-unsafe=TokenSourceExec")
-			framework.ExpectNoError(err)
-
-			framework.NewRequestExpect(f).Port(remotePort).Ensure()
-		})
-
-		ginkgo.It("should work with both server and client tokenSource", func() {
-			execValue := "exec-shared-value"
-			scriptPath := createExecTokenScript("shared_token_exec.sh")
-
-			serverPort := f.AllocPort()
-			remotePort := f.AllocPort()
-
-			serverConf := fmt.Sprintf(`
-bindAddr = "0.0.0.0"
-bindPort = %d
-
-auth.tokenSource.type = "exec"
-auth.tokenSource.exec.command = %q
-auth.tokenSource.exec.args = [%q]
-`, serverPort, scriptPath, execValue)
-
-			clientConf := fmt.Sprintf(`
-serverAddr = "127.0.0.1"
-serverPort = %d
-loginFailExit = false
-
-auth.tokenSource.type = "exec"
-auth.tokenSource.exec.command = %q
-auth.tokenSource.exec.args = [%q]
-
-[[proxies]]
-name = "tcp"
-type = "tcp"
-localPort = %d
-remotePort = %d
-`, serverPort, scriptPath, execValue, f.PortByName(framework.TCPEchoServerPort), remotePort)
-
-			serverConfigPath := f.GenerateConfigFile(serverConf)
-			clientConfigPath := f.GenerateConfigFile(clientConf)
-
-			_, _, err := f.RunFrps("-c", serverConfigPath, "--allow-unsafe=TokenSourceExec")
-			framework.ExpectNoError(err)
-
-			_, _, err = f.RunFrpc("-c", clientConfigPath, "--allow-unsafe=TokenSourceExec")
-			framework.ExpectNoError(err)
-
-			framework.NewRequestExpect(f).Port(remotePort).Ensure()
-		})
-
-		ginkgo.It("should fail validation without allow-unsafe", func() {
-			execValue := "exec-unsafe-value"
-			scriptPath := createExecTokenScript("unsafe_token_exec.sh")
-
-			serverPort := f.AllocPort()
-			serverConf := fmt.Sprintf(`
-bindAddr = "0.0.0.0"
-bindPort = %d
-
-auth.tokenSource.type = "exec"
-auth.tokenSource.exec.command = %q
-auth.tokenSource.exec.args = [%q]
-`, serverPort, scriptPath, execValue)
-
-			serverConfigPath := f.GenerateConfigFile(serverConf)
-
-			_, output, err := f.RunFrps("verify", "-c", serverConfigPath)
-			framework.ExpectNoError(err)
-			framework.ExpectContainSubstring(output, "unsafe feature \"TokenSourceExec\" is not enabled")
-		})
-	})
 })