18 files changed, 307 insertions, 28 deletions

diff --git a/lib/config/default.js b/lib/config/default.js
index cfde9ae9..ec7c7451 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -23,6 +23,7 @@ module.exports = {
   protocolusessl: false,
   usecdn: true,
   allowanonymous: true,
+  allowanonymousedits: false,
   allowfreeurl: false,
   defaultpermission: 'editable',
   dburl: '',
@@ -81,10 +82,16 @@ module.exports = {
     clientSecret: undefined,
     scope: undefined
   },
-  dropbox: {
+  mattermost: {
+    baseURL: undefined,
     clientID: undefined,
     clientSecret: undefined
   },
+  dropbox: {
+    clientID: undefined,
+    clientSecret: undefined,
+    appKey: undefined
+  },
   google: {
     clientID: undefined,
     clientSecret: undefined
@@ -98,8 +105,24 @@ module.exports = {
     searchBase: undefined,
     searchFilter: undefined,
     searchAttributes: undefined,
+    usernameField: undefined,
     tlsca: undefined
   },
+  saml: {
+    idpSsoUrl: undefined,
+    idpCert: undefined,
+    issuer: undefined,
+    identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+    groupAttribute: undefined,
+    externalGroups: [],
+    requiredGroups: [],
+    attribute: {
+      id: undefined,
+      username: undefined,
+      email: undefined
+    }
+  },
   email: true,
-  allowemailregister: true
+  allowemailregister: true,
+  allowpdfexport: true
 }
diff --git a/lib/config/defaultSSL.js b/lib/config/defaultSSL.js
index 1f1d5590..362c62a1 100644
--- a/lib/config/defaultSSL.js
+++ b/lib/config/defaultSSL.js
@@ -12,6 +12,6 @@ function getFile (path) {
 module.exports = {
   sslkeypath: getFile('/run/secrets/key.pem'),
   sslcertpath: getFile('/run/secrets/cert.pem'),
-  sslcapath: getFile('/run/secrets/ca.pem'),
+  sslcapath: getFile('/run/secrets/ca.pem') !== undefined ? [getFile('/run/secrets/ca.pem')] : [],
   dhparampath: getFile('/run/secrets/dhparam.pem')
 }
diff --git a/lib/config/dockerSecret.js b/lib/config/dockerSecret.js
index eea2fafd..b9116cd3 100644
--- a/lib/config/dockerSecret.js
+++ b/lib/config/dockerSecret.js
@@ -38,9 +38,14 @@ if (fs.existsSync(basePath)) {
       clientID: getSecret('gitlab_clientID'),
       clientSecret: getSecret('gitlab_clientSecret')
     },
+    mattermost: {
+      clientID: getSecret('mattermost_clientID'),
+      clientSecret: getSecret('mattermost_clientSecret')
+    },
     dropbox: {
       clientID: getSecret('dropbox_clientID'),
-      clientSecret: getSecret('dropbox_clientSecret')
+      clientSecret: getSecret('dropbox_clientSecret'),
+      appKey: getSecret('dropbox_appKey')
     },
     google: {
       clientID: getSecret('google_clientID'),
diff --git a/lib/config/environment.js b/lib/config/environment.js
index fa9698f6..24a85d65 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -1,6 +1,6 @@
 'use strict'
 
-const {toBooleanConfig} = require('./utils')
+const {toBooleanConfig, toArrayConfig} = require('./utils')
 
 module.exports = {
   domain: process.env.HMD_DOMAIN,
@@ -18,9 +18,10 @@ module.exports = {
     enable: toBooleanConfig(process.env.HMD_CSP_ENABLE)
   },
   protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
-  alloworigin: process.env.HMD_ALLOW_ORIGIN ? process.env.HMD_ALLOW_ORIGIN.split(',') : undefined,
+  alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
   usecdn: toBooleanConfig(process.env.HMD_USECDN),
   allowanonymous: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS),
+  allowanonymousedits: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_EDITS),
   allowfreeurl: toBooleanConfig(process.env.HMD_ALLOW_FREEURL),
   defaultpermission: process.env.HMD_DEFAULT_PERMISSION,
   dburl: process.env.HMD_DB_URL,
@@ -52,9 +53,15 @@ module.exports = {
     clientSecret: process.env.HMD_GITLAB_CLIENTSECRET,
     scope: process.env.HMD_GITLAB_SCOPE
   },
+  mattermost: {
+    baseURL: process.env.HMD_MATTERMOST_BASEURL,
+    clientID: process.env.HMD_MATTERMOST_CLIENTID,
+    clientSecret: process.env.HMD_MATTERMOST_CLIENTSECRET
+  },
   dropbox: {
     clientID: process.env.HMD_DROPBOX_CLIENTID,
-    clientSecret: process.env.HMD_DROPBOX_CLIENTSECRET
+    clientSecret: process.env.HMD_DROPBOX_CLIENTSECRET,
+    appKey: process.env.HMD_DROPBOX_APPKEY
   },
   google: {
     clientID: process.env.HMD_GOOGLE_CLIENTID,
@@ -68,9 +75,25 @@ module.exports = {
     tokenSecret: process.env.HMD_LDAP_TOKENSECRET,
     searchBase: process.env.HMD_LDAP_SEARCHBASE,
     searchFilter: process.env.HMD_LDAP_SEARCHFILTER,
-    searchAttributes: process.env.HMD_LDAP_SEARCHATTRIBUTES,
+    searchAttributes: toArrayConfig(process.env.HMD_LDAP_SEARCHATTRIBUTES),
+    usernameField: process.env.HMD_LDAP_USERNAMEFIELD,
     tlsca: process.env.HMD_LDAP_TLS_CA
   },
+  saml: {
+    idpSsoUrl: process.env.HMD_SAML_IDPSSOURL,
+    idpCert: process.env.HMD_SAML_IDPCERT,
+    issuer: process.env.HMD_SAML_ISSUER,
+    identifierFormat: process.env.HMD_SAML_IDENTIFIERFORMAT,
+    groupAttribute: process.env.HMD_SAML_GROUPATTRIBUTE,
+    externalGroups: toArrayConfig(process.env.HMD_SAML_EXTERNALGROUPS, '|', []),
+    requiredGroups: toArrayConfig(process.env.HMD_SAML_REQUIREDGROUPS, '|', []),
+    attribute: {
+      id: process.env.HMD_SAML_ATTRIBUTE_ID,
+      username: process.env.HMD_SAML_ATTRIBUTE_USERNAME,
+      email: process.env.HMD_SAML_ATTRIBUTE_EMAIL
+    }
+  },
   email: toBooleanConfig(process.env.HMD_EMAIL),
-  allowemailregister: toBooleanConfig(process.env.HMD_ALLOW_EMAIL_REGISTER)
+  allowemailregister: toBooleanConfig(process.env.HMD_ALLOW_EMAIL_REGISTER),
+  allowpdfexport: toBooleanConfig(process.env.HMD_ALLOW_PDF_EXPORT)
 }
diff --git a/lib/config/index.js b/lib/config/index.js
index bea5a6af..3d22c3c3 100644
--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -1,3 +1,4 @@
+
 'use strict'
 
 const fs = require('fs')
@@ -12,8 +13,10 @@ const debugConfig = {
   debug: (env === Environment.development)
 }
 
+const {version} = require(path.join(appRootPath, 'package.json'))
+
 const packageConfig = {
-  version: '0.5.1',
+  version: version,
   minimumCompatibleVersion: '0.5.0'
 }
 
@@ -46,7 +49,7 @@ if (config.ldap.tlsca) {
 
 // Permission
 config.permission = Permission
-if (!config.allowanonymous) {
+if (!config.allowanonymous && !config.allowanonymousedits) {
   delete config.permission.freely
 }
 if (!(config.defaultpermission in config.permission)) {
@@ -89,10 +92,16 @@ config.isTwitterEnable = config.twitter.consumerKey && config.twitter.consumerSe
 config.isEmailEnable = config.email
 config.isGitHubEnable = config.github.clientID && config.github.clientSecret
 config.isGitLabEnable = config.gitlab.clientID && config.gitlab.clientSecret
+config.isMattermostEnable = config.mattermost.clientID && config.mattermost.clientSecret
 config.isLDAPEnable = config.ldap.url
+config.isSAMLEnable = config.saml.idpSsoUrl
+config.isPDFExportEnable = config.allowpdfexport
 
 // generate correct path
-config.sslcapath = path.join(appRootPath, config.sslcapath)
+config.sslcapath.forEach(function (capath, i, array) {
+  array[i] = path.resolve(appRootPath, capath)
+})
+
 config.sslcertpath = path.join(appRootPath, config.sslcertpath)
 config.sslkeypath = path.join(appRootPath, config.sslkeypath)
 config.dhparampath = path.join(appRootPath, config.dhparampath)
@@ -106,7 +115,7 @@ config.errorpath = path.join(appRootPath, config.errorpath)
 config.prettypath = path.join(appRootPath, config.prettypath)
 config.slidepath = path.join(appRootPath, config.slidepath)
 
-// maek config readonly
+// make config readonly
 config = deepFreeze(config)
 
 module.exports = config
diff --git a/lib/config/utils.js b/lib/config/utils.js
index 11bbd8cb..9ff2f96d 100644
--- a/lib/config/utils.js
+++ b/lib/config/utils.js
@@ -6,3 +6,10 @@ exports.toBooleanConfig = function toBooleanConfig (configValue) {
   }
   return configValue
 }
+
+exports.toArrayConfig = function toArrayConfig (configValue, separator = ',', fallback) {
+  if (configValue && typeof configValue === 'string') {
+    return (configValue.split(separator).map(arrayItem => arrayItem.trim()))
+  }
+  return fallback
+}
diff --git a/lib/migrations/20171009121200-longtext-for-mysql.js b/lib/migrations/20171009121200-longtext-for-mysql.js
new file mode 100644
index 00000000..61b409ca
--- /dev/null
+++ b/lib/migrations/20171009121200-longtext-for-mysql.js
@@ -0,0 +1,16 @@
+'use strict'
+module.exports = {
+  up: function (queryInterface, Sequelize) {
+    queryInterface.changeColumn('Notes', 'content', {type: Sequelize.TEXT('long')})
+    queryInterface.changeColumn('Revisions', 'patch', {type: Sequelize.TEXT('long')})
+    queryInterface.changeColumn('Revisions', 'content', {type: Sequelize.TEXT('long')})
+    queryInterface.changeColumn('Revisions', 'latContent', {type: Sequelize.TEXT('long')})
+  },
+
+  down: function (queryInterface, Sequelize) {
+    queryInterface.changeColumn('Notes', 'content', {type: Sequelize.TEXT})
+    queryInterface.changeColumn('Revisions', 'patch', {type: Sequelize.TEXT})
+    queryInterface.changeColumn('Revisions', 'content', {type: Sequelize.TEXT})
+    queryInterface.changeColumn('Revisions', 'latContent', {type: Sequelize.TEXT})
+  }
+}
diff --git a/lib/models/note.js b/lib/models/note.js
index c0ef1374..33dde80d 100644
--- a/lib/models/note.js
+++ b/lib/models/note.js
@@ -60,7 +60,7 @@ module.exports = function (sequelize, DataTypes) {
       }
     },
     content: {
-      type: DataTypes.TEXT,
+      type: DataTypes.TEXT('long'),
       get: function () {
         return sequelize.processData(this.getDataValue('content'), '')
       },
diff --git a/lib/models/revision.js b/lib/models/revision.js
index 225a95d4..170931b8 100644
--- a/lib/models/revision.js
+++ b/lib/models/revision.js
@@ -58,7 +58,7 @@ module.exports = function (sequelize, DataTypes) {
       defaultValue: Sequelize.UUIDV4
     },
     patch: {
-      type: DataTypes.TEXT,
+      type: DataTypes.TEXT('long'),
       get: function () {
         return sequelize.processData(this.getDataValue('patch'), '')
       },
@@ -67,7 +67,7 @@ module.exports = function (sequelize, DataTypes) {
       }
     },
     lastContent: {
-      type: DataTypes.TEXT,
+      type: DataTypes.TEXT('long'),
       get: function () {
         return sequelize.processData(this.getDataValue('lastContent'), '')
       },
@@ -76,7 +76,7 @@ module.exports = function (sequelize, DataTypes) {
       }
     },
     content: {
-      type: DataTypes.TEXT,
+      type: DataTypes.TEXT('long'),
       get: function () {
         return sequelize.processData(this.getDataValue('content'), '')
       },
@@ -237,8 +237,8 @@ module.exports = function (sequelize, DataTypes) {
             // if no revision available
             Revision.create({
               noteId: note.id,
-              lastContent: note.content,
-              length: note.content.length,
+              lastContent: note.content ? note.content : '',
+              length: note.content ? note.content.length : 0,
               authorship: note.authorship
             }).then(function (revision) {
               Revision.finishSaveNoteRevision(note, revision, callback)
diff --git a/lib/models/user.js b/lib/models/user.js
index e59b86cc..f421fe43 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -111,6 +111,15 @@ module.exports = function (sequelize, DataTypes) {
               photo = letterAvatars(profile.username)
             }
             break
+          case 'mattermost':
+            photo = profile.avatarUrl
+            if (photo) {
+              if (bigger) photo = photo.replace(/(\?s=)\d*$/i, '$1400')
+              else photo = photo.replace(/(\?s=)\d*$/i, '$196')
+            } else {
+              photo = letterAvatars(profile.username)
+            }
+            break
           case 'dropbox':
             // no image api provided, use gravatar
             photo = 'https://www.gravatar.com/avatar/' + md5(profile.emails[0].value)
@@ -134,6 +143,15 @@ module.exports = function (sequelize, DataTypes) {
               photo = letterAvatars(profile.username)
             }
             break
+          case 'saml':
+            if (profile.emails[0]) {
+              photo = 'https://www.gravatar.com/avatar/' + md5(profile.emails[0])
+              if (bigger) photo += '?s=400'
+              else photo += '?s=96'
+            } else {
+              photo = letterAvatars(profile.username)
+            }
+            break
         }
         return photo
       },
diff --git a/lib/realtime.js b/lib/realtime.js
index 361bbf09..c731e5b0 100644
--- a/lib/realtime.js
+++ b/lib/realtime.js
@@ -709,7 +709,7 @@ function connection (socket) {
       return failConnection(404, 'note id not found', socket)
     }
 
-    if (isDuplicatedInSocketQueue(socket, connectionSocketQueue)) return
+    if (isDuplicatedInSocketQueue(connectionSocketQueue, socket)) return
 
     // store noteId in this socket session
     socket.noteId = noteId
@@ -723,8 +723,8 @@ function connection (socket) {
       var maxrandomcount = 10
       var found = false
       do {
-        Object.keys(notes[noteId].users).forEach(function (user) {
-          if (user.color === color) {
+        Object.keys(notes[noteId].users).forEach(function (userId) {
+          if (notes[noteId].users[userId].color === color) {
             found = true
           }
         })
@@ -781,7 +781,7 @@ function connection (socket) {
       var note = notes[noteId]
       // Only owner can change permission
       if (note.owner && note.owner === socket.request.user.id) {
-        if (permission === 'freely' && !config.allowanonymous) return
+        if (permission === 'freely' && !config.allowanonymous && !config.allowanonymousedits) return
         note.permission = permission
         models.Note.update({
           permission: permission
diff --git a/lib/response.js b/lib/response.js
index 287d53e0..445aa0d7 100755..100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -60,15 +60,19 @@ function showIndex (req, res, next) {
     url: config.serverurl,
     useCDN: config.usecdn,
     allowAnonymous: config.allowanonymous,
+    allowAnonymousEdits: config.allowanonymousedits,
     facebook: config.isFacebookEnable,
     twitter: config.isTwitterEnable,
     github: config.isGitHubEnable,
     gitlab: config.isGitLabEnable,
+    mattermost: config.isMattermostEnable,
     dropbox: config.isDropboxEnable,
     google: config.isGoogleEnable,
     ldap: config.isLDAPEnable,
+    saml: config.isSAMLEnable,
     email: config.isEmailEnable,
     allowemailregister: config.allowemailregister,
+    allowpdfexport: config.allowpdfexport,
     signin: req.isAuthenticated(),
     infoMessage: req.flash('info'),
     errorMessage: req.flash('error')
@@ -90,15 +94,19 @@ function responseHackMD (res, note) {
     title: title,
     useCDN: config.usecdn,
     allowAnonymous: config.allowanonymous,
+    allowAnonymousEdits: config.allowanonymousedits,
     facebook: config.isFacebookEnable,
     twitter: config.isTwitterEnable,
     github: config.isGitHubEnable,
     gitlab: config.isGitLabEnable,
+    mattermost: config.isMattermostEnable,
     dropbox: config.isDropboxEnable,
     google: config.isGoogleEnable,
     ldap: config.isLDAPEnable,
+    saml: config.isSAMLEnable,
     email: config.isEmailEnable,
-    allowemailregister: config.allowemailregister
+    allowemailregister: config.allowemailregister,
+    allowpdfexport: config.allowpdfexport
   })
 }
 
@@ -111,7 +119,8 @@ function newNote (req, res, next) {
   }
   models.Note.create({
     ownerId: owner,
-    alias: req.alias ? req.alias : null
+    alias: req.alias ? req.alias : null,
+    content: req.body ? req.body : ''
   }).then(function (note) {
     return res.redirect(config.serverurl + '/' + LZString.compressToBase64(note.id))
   }).catch(function (err) {
@@ -382,7 +391,12 @@ function noteActions (req, res, next) {
         actionInfo(req, res, note)
         break
       case 'pdf':
-        actionPDF(req, res, note)
+        if (config.allowpdfexport) {
+          actionPDF(req, res, note)
+        } else {
+          logger.error('PDF export failed: Disabled by config. Set "allowpdfexport: true" to enable. Check the documentation for details')
+          response.errorForbidden(res)
+        }
         break
       case 'gist':
         actionGist(req, res, note)
diff --git a/lib/web/auth/index.js b/lib/web/auth/index.js
index b5ca8434..db5ff11d 100644
--- a/lib/web/auth/index.js
+++ b/lib/web/auth/index.js
@@ -33,9 +33,11 @@ if (config.isFacebookEnable) authRouter.use(require('./facebook'))
 if (config.isTwitterEnable) authRouter.use(require('./twitter'))
 if (config.isGitHubEnable) authRouter.use(require('./github'))
 if (config.isGitLabEnable) authRouter.use(require('./gitlab'))
+if (config.isMattermostEnable) authRouter.use(require('./mattermost'))
 if (config.isDropboxEnable) authRouter.use(require('./dropbox'))
 if (config.isGoogleEnable) authRouter.use(require('./google'))
 if (config.isLDAPEnable) authRouter.use(require('./ldap'))
+if (config.isSAMLEnable) authRouter.use(require('./saml'))
 if (config.isEmailEnable) authRouter.use(require('./email'))
 
 // logout
diff --git a/lib/web/auth/ldap/index.js b/lib/web/auth/ldap/index.js
index 766c5cbc..cc0d29ad 100644
--- a/lib/web/auth/ldap/index.js
+++ b/lib/web/auth/ldap/index.js
@@ -23,9 +23,16 @@ passport.use(new LDAPStrategy({
     tlsOptions: config.ldap.tlsOptions || null
   }
 }, function (user, done) {
+  var uuid = user.uidNumber || user.uid || user.sAMAccountName
+  var username = uuid
+
+  if (config.ldap.usernameField && user[config.ldap.usernameField]) {
+    username = user[config.ldap.usernameField]
+  }
+
   var profile = {
-    id: 'LDAP-' + user.uidNumber,
-    username: user.uid,
+    id: 'LDAP-' + uuid,
+    username: username,
     displayName: user.displayName,
     emails: user.mail ? [user.mail] : [],
     avatarUrl: null,
diff --git a/lib/web/auth/mattermost/index.js b/lib/web/auth/mattermost/index.js
new file mode 100644
index 00000000..9ccf3de5
--- /dev/null
+++ b/lib/web/auth/mattermost/index.js
@@ -0,0 +1,49 @@
+'use strict'
+
+const Router = require('express').Router
+const passport = require('passport')
+const Mattermost = require('mattermost')
+const OAuthStrategy = require('passport-oauth2').Strategy
+const config = require('../../../config')
+const {setReturnToFromReferer, passportGeneralCallback} = require('../utils')
+
+const mattermost = new Mattermost.Client()
+
+let mattermostAuth = module.exports = Router()
+
+let mattermostStrategy = new OAuthStrategy({
+  authorizationURL: config.mattermost.baseURL + '/oauth/authorize',
+  tokenURL: config.mattermost.baseURL + '/oauth/access_token',
+  clientID: config.mattermost.clientID,
+  clientSecret: config.mattermost.clientSecret,
+  callbackURL: config.serverurl + '/auth/mattermost/callback'
+}, passportGeneralCallback)
+
+mattermostStrategy.userProfile = (accessToken, done) => {
+  mattermost.setUrl(config.mattermost.baseURL)
+  mattermost.token = accessToken
+  mattermost.useHeaderToken()
+  mattermost.getMe(
+      (data) => {
+        done(null, data)
+      },
+      (err) => {
+        done(err)
+      }
+  )
+}
+
+passport.use(mattermostStrategy)
+
+mattermostAuth.get('/auth/mattermost', function (req, res, next) {
+  setReturnToFromReferer(req)
+  passport.authenticate('oauth2')(req, res, next)
+})
+
+// mattermost auth callback
+mattermostAuth.get('/auth/mattermost/callback',
+  passport.authenticate('oauth2', {
+    successReturnToOrRedirect: config.serverurl + '/',
+    failureRedirect: config.serverurl + '/'
+  })
+)
diff --git a/lib/web/auth/saml/index.js b/lib/web/auth/saml/index.js
new file mode 100644
index 00000000..386293ae
--- /dev/null
+++ b/lib/web/auth/saml/index.js
@@ -0,0 +1,95 @@
+'use strict'
+
+const Router = require('express').Router
+const passport = require('passport')
+const SamlStrategy = require('passport-saml').Strategy
+const config = require('../../../config')
+const models = require('../../../models')
+const logger = require('../../../logger')
+const {urlencodedParser} = require('../../utils')
+const fs = require('fs')
+const intersection = function (array1, array2) { return array1.filter((n) => array2.includes(n)) }
+
+let samlAuth = module.exports = Router()
+
+passport.use(new SamlStrategy({
+  callbackUrl: config.serverurl + '/auth/saml/callback',
+  entryPoint: config.saml.idpSsoUrl,
+  issuer: config.saml.issuer || config.serverurl,
+  cert: fs.readFileSync(config.saml.idpCert, 'utf-8'),
+  identifierFormat: config.saml.identifierFormat
+}, function (user, done) {
+  // check authorization if needed
+  if (config.saml.externalGroups && config.saml.grouptAttribute) {
+    var externalGroups = intersection(config.saml.externalGroups, user[config.saml.groupAttribute])
+    if (externalGroups.length > 0) {
+      logger.error('saml permission denied: ' + externalGroups.join(', '))
+      return done('Permission denied', null)
+    }
+  }
+  if (config.saml.requiredGroups && config.saml.grouptAttribute) {
+    if (intersection(config.saml.requiredGroups, user[config.saml.groupAttribute]).length === 0) {
+      logger.error('saml permission denied')
+      return done('Permission denied', null)
+    }
+  }
+  // user creation
+  var uuid = user[config.saml.attribute.id] || user.nameID
+  var profile = {
+    provider: 'saml',
+    id: 'SAML-' + uuid,
+    username: user[config.saml.attribute.username] || user.nameID,
+    emails: user[config.saml.attribute.email] ? [user[config.saml.attribute.email]] : []
+  }
+  if (profile.emails.length === 0 && config.saml.identifierFormat === 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress') {
+    profile.emails.push(user.nameID)
+  }
+  var stringifiedProfile = JSON.stringify(profile)
+  models.User.findOrCreate({
+    where: {
+      profileid: profile.id.toString()
+    },
+    defaults: {
+      profile: stringifiedProfile
+    }
+  }).spread(function (user, created) {
+    if (user) {
+      var needSave = false
+      if (user.profile !== stringifiedProfile) {
+        user.profile = stringifiedProfile
+        needSave = true
+      }
+      if (needSave) {
+        user.save().then(function () {
+          if (config.debug) { logger.debug('user login: ' + user.id) }
+          return done(null, user)
+        })
+      } else {
+        if (config.debug) { logger.debug('user login: ' + user.id) }
+        return done(null, user)
+      }
+    }
+  }).catch(function (err) {
+    logger.error('saml auth failed: ' + err)
+    return done(err, null)
+  })
+}))
+
+samlAuth.get('/auth/saml',
+  passport.authenticate('saml', {
+    successReturnToOrRedirect: config.serverurl + '/',
+    failureRedirect: config.serverurl + '/'
+  })
+)
+
+samlAuth.post('/auth/saml/callback', urlencodedParser,
+  passport.authenticate('saml', {
+    successReturnToOrRedirect: config.serverurl + '/',
+    failureRedirect: config.serverurl + '/'
+  })
+)
+
+samlAuth.get('/auth/saml/metadata', function (req, res) {
+  res.type('application/xml')
+  res.send(passport._strategy('saml').generateServiceProviderMetadata())
+})
diff --git a/lib/web/noteRouter.js b/lib/web/noteRouter.js
index 007c02c2..41bf5f73 100644
--- a/lib/web/noteRouter.js
+++ b/lib/web/noteRouter.js
@@ -4,10 +4,14 @@ const Router = require('express').Router
 
 const response = require('../response')
 
+const {markdownParser} = require('./utils')
+
 const noteRouter = module.exports = Router()
 
 // get new note
 noteRouter.get('/new', response.newNote)
+// post new note with content
+noteRouter.post('/new', markdownParser, response.newNote)
 // get publish note
 noteRouter.get('/s/:shortid', response.showPublishNote)
 // publish note actions
diff --git a/lib/web/utils.js b/lib/web/utils.js
index c9016523..d58294ad 100644
--- a/lib/web/utils.js
+++ b/lib/web/utils.js
@@ -7,3 +7,10 @@ exports.urlencodedParser = bodyParser.urlencoded({
   extended: false,
   limit: 1024 * 1024 * 10 // 10 mb
 })
+
+// create text/markdown parser
+exports.markdownParser = bodyParser.text({
+  inflate: true,
+  type: ['text/plain', 'text/markdown'],
+  limit: 1024 * 1024 * 10 // 10 mb
+})