+2
-2
.github/workflows/deploy.yaml
-2
app/app.vue
+8
app/plugins/simpleanalytics.client.js
+11
-9
blog.config.ts
+10
-2
content/pages/about.md
···+I also have a [travel blog](https://colinswanderlustchronicles.com/) I've written a fair bit for.+I'm still a student so I don't have heaps to show for myself yet, but some good stuff is yet to come.<br>+Among the few things I can share, I've built a complete [carpool platform for students](https://github.com/unicovoit/unicovoit).+Staying on the topic of carpool platforms, I'm currently building a federated carpool platform called [Karr](https://karr.mobi/?utm_source=finxol-blog&utm_content=about-page).+I've kept it up to date, but haven't actively worked on it in a couple of years but it still looks decent.
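Review bot: the last added line in content/pages/about.md, "I've kept it up to date, but haven't actively worked on it in a couple of years but it still looks decent", contradicts itself and chains two "but" clauses; since it follows the UniCovoit sentence, something like "I haven't actively worked on it in a couple of years, but I've kept its dependencies up to date and it still looks decent" says what is meant.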
+3
-4
content/pages/index.md
+135
content/posts/blog-rewrite.md
···+description: The last time I changed anything on my previous blog was almost exactly 2 years ago. Wayyy too long. So I rewrote it completely.+When I first set it up I didn't want to bother much with it so I took the first template I found in a language and framework I knew: Nuxt.js.+If you're curious, I'm keeping the original version up and running for a bit on [v1.finxol.io](https://v1.finxol.io/)+The starter package I used to get my blog up and running was [some random npm package](https://www.npmjs.com/package/@jsilva-pt/nuxt-content-theme-blog)+Last published version was _4 years ago_, which means it was already 2 years old when I used it.+I mentioned it was built with Nuxt, which is perfectly fine in itself, but the problem is with the version.+You see, Nuxt 3 was officially released almost exactly 2 years ago, so basically when I had last committed on this blog.+I started it only a few months before, so Nuxt 3 was already at the Release Candidate stage, yet I stuck with Nuxt 2 despite the much closer EOL to come.+Nuxt 3 is a complete rewrite, so the API changed A LOT, enough for lazy me to stick with the soon-to-be-killed framework.+Anyway, all this to say I made a bad choice when I initially built it, so I decided to start over.+I'm after a simple theme, but I want to have things like external links in the nav bar, a list of posts on the home page, and an about page.+I don't consider these to be unreasonable asks — _please let me know if any of these sound outrageous._+I don't want to bother with manual hosting, copying the files by hand everytime I make a little change,+but I also don't want to have a full Node server running on an expensive VPS just for a simple blog.+With these more-or-less well defined requirements in mind, I started looking at things I'd heard good things about before.+To be fair though, it does seem fairly straightfoward to use only with markdown files and a template.+My starting point with Hugo was the same. 
I'd seen a few of my [peers](https://blog.itarow.xyz/)+For some reason I deliberately chose to stay clear of it in the past, but I don't remember why.+It's not a bad format, it's quite readable, but somehow I can't wrap my head around it and use it properly.+I was quite surprised by the nuber of themes available though: 181 themes listed under "blog" on the official themes website.+I managed to find one that was close enough to what I wanted, but I really struggled to customise it and make it work with my info.+Lately, I've been using and loving Deno quite a bit, so when I saw [\*the\* Deno guy's](https://tinyclouds.org/) blog was built with a [simple Deno lib](https://deno.land/x/blog@0.7.0),+Looking at it again now, it doesn't seem very customisable, if at all, so I suppose it wouldn't've been a good fit anyway.+Next one I tried was VitePress. I'd barely heard of that one before, only in passing, but it's built on Vue, which I really like and know decently well.+It's supposed to be built rather for documentation websites, but I came accross a few tutorials on how to make a blog out of it,+Turns out I couldn't break free from the default "docs" style template — even though I quite liked it visually,+I can picture Nuxt looking at me laughing while I come running back to it after trying out other option.+Nuxt is a solid choice for Static Site Generation (SSG), it comes with all sorts of bells and whistles,+However, I couldn't find anything that I really liked during my (not hugely) extensive research.+To be clear, I didn't completely rewrite everything because that's way too time consuming for a little blog like this.+I just made the UI and pages, and used [Nuxt Content](https://content.nuxt.com/) along with [Tailwind](https://tailwindcss.nuxtjs.org/).+I want to help out the comunity along the way, so I'll adjust a few things to make it into a template repo to use as a starter,
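Review bot: several spelling slips in the added content/posts/blog-rewrite.md text: `straightfoward` should be `straightforward`, `nuber` should be `number`, `accross` should be `across`, `comunity` should be `community`, `everytime` should be `every time`, and `wouldn't've` reads better as `wouldn't have`. The sentence "I was quite surprised by the nuber of themes available though: 181 themes listed under "blog"" also dates quickly; give the date the count was taken.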
+104
content/posts/extending-openauth.md
···+description: I needed a self-hostable auth solution for the project I'm working on. OpenAuth's beautiful simplicity looked really promising. There were just a couple things I wanted adjusted, so I spent a weekend fixing then.+I'm currently building [Karr](https://karr.mobi/?utm_source=finxol-blog&utm_content=openauth-post), an open-source federated carpool platform—it's still very early days, not much there yet.+Since I'm building a federated platform for companies, I don't want instance admins to have to rely on some arbitrary external auth service.+If you haven't already heard of it, [OpenAuth](https://openauth.js.org/) is a pretty new open-source authentication library by the authors of [SST](https://sst.dev/).+They also mention right on the home page that it can be "embed it into an existing application".+Running OpenAuth from anything other than the root path (`/`) isn't supported yet, but I really wanted to avoid making a whole other Docker container or crazy path rewrites with the reverse proxy, so I went and implemented it myself.+Some people have already been [thinking of solutions](https://github.com/toolbeam/openauth/issues/125) for a couple months.+It involved looking through the codebase and finding every redirect, and adding the base path to them.+It would involve all future contributors and maintainers remembering to add the base path to each local url.+For example, a redirect to `/github/authorize` will be rewritten as `/auth/github/authorize` if OpenAuth is mounted at `/auth`.+All that was left to do was include the base path in the issuer, and remove it when building well-known routes.+I managed to get it working 45-ish lines of actual code—the rest is docs and tests—so it's a pretty minimal solution!+The first spec they mentioned in the issue, [RFC 5785](https://www.rfc-editor.org/rfc/rfc5785.txt), states that all Well-Known URIs must be at the root, so at `/.well-known/`.+[RFC 8414](https://www.rfc-editor.org/rfc/rfc8414.txt) also states 
that the Well-Known URI is obtained by "inserting a well-known URI string into the authorization server's issuer identifier between the host component and the path component, if any", e.g. if the issuer is `https://example.org/auth`, the well-known paths would be under `https://example.org/.well-known/*`+This means there needs to be some sort of rewrite/redirect from the root well-known URIs to the path where OpenAuth is mounted.+This is an annoying caveat, but I don't see any way to manage it directly inside OpenAuth since the whole point of this base path stuff is to not have it manage the root path.+It needs to be handled externally by whatever manages the root path, whether it be by a reverse proxy, a router, or a switchboard operator.+Now I just need to wait for feedback [on my PR](https://github.com/toolbeam/openauth/pull/236) and hopefully a merge.+but the other 2 aren't any good to me either for the same reason as my self-hosted auth requirement.+Building the adapter was simply a case of copy-pasting OpenAuth's `MemoryAdapter` and replacing the `Map` function calls with those of unstorage.+However, when calling `.getKeys(base)`, the base is treated as a prefix and gets normalized, aka. it gets appended a semicolon.+The Storage API here has its own `joinKey(key)` method which joins the keys with `String.fromCharCode(0x1f)` as a separator, not a semicolon.+This difference means the keys won't be found when calling `.getKeys(base)`, so for the purposes of OpenAuth, unstorage needs a small patch to remove the semicolon addition for its internal `normalizeBaseKey(base)` function.+Since unstorage opens up a lot of possibilities for storage, I also [opened a PR](https://github.com/toolbeam/openauth/pull/235) for this one.
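Review bot: the unstorage separator is described as a semicolon three times in the added content/posts/extending-openauth.md text ("aka. it gets appended a semicolon", "not a semicolon", "remove the semicolon addition"), but unstorage's `normalizeBaseKey(base)` appends a colon (`:`) to a non-empty base; check the source and fix the wording, since the whole mismatch with OpenAuth's `joinKey` (which uses `String.fromCharCode(0x1f)`) hinges on what that character is. The RFC 8414 caveat is stated but not made actionable: the post says the root `/.well-known/*` URIs must be rewritten or redirected externally to the mounted path, so one concrete rule (for example a reverse-proxy rewrite of `/.well-known/oauth-authorization-server` to `/auth/.well-known/oauth-authorization-server` when OpenAuth is mounted at `/auth`) would let readers actually deploy it, and it is worth saying that the `issuer` published in that metadata has to be exactly the value clients are configured with, since the change now includes the base path in it. Smaller points: `fixing then` in the description should be `fixing them`, `working 45-ish lines` should be `working in 45-ish lines`, and `aka.` should be `i.e.`.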
-21
content/posts/first-post.md
···-description: Write a short description for the post to show it on the home page and at the top of the post.-All markdown is supported, including [links](https://example.com), **bold**, *italic*, and `code`.-Find out more about MDC syntax [in the Nuxt Content documentation](https://content.nuxt.com/docs/files/markdown).
+115
content/posts/gdpr.md
···+description: GDPR is a series of laws and regulations adopted in May 2016 by the European Parliament and Council to enable EU citizens to have better control over their data online.+The GDPR, or General Data Protection Regulation, is a series of laws and regulations adopted in May 2016 by the European+Parliament and Council to enable European Union citizens to have better control over their data online.+To all non-european readers, this article is mainly intended to europeans, but you can still read the first two parts to+You're not directly affected by it, but this initiative has sparked other data protection laws like+The intent of GDPR was to gives european citizens more control over what data about them is stored and for how long.+That way, european citizens are legally backed up by the EU in terms of data protection and people or organisations who+use digital services are obliged to state what data they keep about you and what they do with it.+The other great point about GDPR is that it applies to everyone operating in the EU, so european citizens aren't only+Over the 4 and a half years since it has been acted, it has enabled several Courts of Justice within the EU to deliver+You can't really draw up a typical profile for people who received the 410 fines given out so far.+Some were given to companies, others to individuals, political parties, restaurants, universities, airports,+Recently, H&M got fined 35,258,707.95€ in Germany for tracking its employees, and British Airways got fined 22,000,000€+The Dutch National Credit Register BKR was also fined 830,000€ by the Dutch Data Protection Authority for making their+Even an individual person was hit by an 8,000€ fine for having CCTV cameras monitoring public space in Greece.+The largest fine given so far was by French Data Protection Authority CNIL to Google, who had to pay 50,000,000€.+The smallest was given by the Estonian Data Protection Authority to a police officer in Estonia, who was fined 48€.+GDPR, 
[the EU also fined Google 1,490,000,000€](https://www.theguardian.com/technology/2019/mar/20/google-fined-149bn-by-eu-for-advertising-violations)+called ['dark patterns'](https://www.wired.com/story/how-to-spot-avoid-dark-patterns/) to try and discourage you from+Concretely, they offer these options (because they are legally obliged to) but hide them in lots of different sub-menus+Still, we're not going to go into much detail about that problem in this article, so let's move on to how to use your+- With [JustDeleteMe](https://justdeleteme.xyz/), you can find information on how easy it is to delete your account+Before you do so, you should know that this procedure will download everything you have ever saved with Google+so if you've had your account for a long time the file will be very big, and you will need a lot of time ahead of you+As for Google this will download everything, so if you use social media a lot — not only posts, but also comments,+For other online services or companies which don't directly offer a retrieval or deletion option from their website, you+the [ICO's website](https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/preparing-and-submitting-your-subject-access-request/)+They should answer favourably to your request, but if they don't reply after several enquiries or refuse to comply with+You should only go that far if the data is very sensitive or if the company isn't too big, as that kind of procedure is+They can usually talk with companies more easily than individuals, or group together the requests of several people to+[GDPR Information from the European Commission website](https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en)+[What counts as personal data ?](https://www.which.co.uk/consumer-rights/advice/what-counts-as-personal-data-according-to-gdpr)*
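Review bot: the fine counts and amounts in the added content/posts/gdpr.md text ("the 410 fines given out so far", "The largest fine given so far", "Over the 4 and a half years since it has been acted") are tied to the original time of writing and are already stale on a rewritten blog; add an explicit as-of date near the top. Also check the opening claim `adopted in May 2016`: Regulation (EU) 2016/679 is dated 27 April 2016, was published in May 2016 and became applicable on 25 May 2018, so say which of those events is meant. Grammar: `to gives` should be `to give`, `intended to europeans` should be `intended for Europeans` (capitalise `European` throughout), `since it has been acted` should be `since it came into force`, and the sentence fragment ending in `GDPR, [the EU also fined Google ...]` should make clear that the 1.49bn fine was not a GDPR penalty, since the surrounding list is about GDPR fines.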
+23
content/posts/tiny-auth-server.md
···+description: I've fallen in love with Deno and its Deploy service, but also OpenAuth, so I made a simple template to deploy OpenAuth to Deno Deploy, using Deno KV for storage.+I'm currently messing around with Deno Deploy to build a tiny little service for myself, and I needed authentication—all apps need auth nowadays, url scanners are out of control.+I didn't really want to have the auth server coupled with the main service, so I just made it into a [separate repository](https://github.com/finxol/auth).+It's just a very basic wrapper around OpenAuth, using Deno KV for storage. It took me an afternoon to put together properly,+but if you need a little auth server and not bother too much, this might be a good starting point.+With that, I can now use my own domain to authenticate users, and I only need my url and client id key.+So go crazy, [follow the instructions](https://github.com/finxol/auth#deploy) in the README, and deploy it to Deno Deploy!
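Review bot: "I only need my url and client id key" in the added content/posts/tiny-auth-server.md text is ambiguous, because a client ID is a public identifier and not a key; say whether the setup involves a client secret at all, and if it does, where it is stored. Also `and not bother too much` should be `and don't want to bother too much`.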
+43
content/posts/unicovoit-initial-release.md
···+description: After four and half months, countless hours of work and 872 commits, the carpool app made for students by students is finally out!+At my university, there is a student group chat that allows students to exchange and in particular to get in touch with travelers for carpooling.+The process is quite cumbersome, only works if the driver sees the message before it gets lost in other conversations, and only reaches a small group of people.+So began the IUCovoit project, a contraction of the words IUT and Carpooling, later renamed UniCovoit, more inclusive of any university.+I started working on the project a couple of weeks after getting the idea, just the time to let it settle in my head.+I was also motivated by the fact that I had to isolate for a week after testing positive for Covid-19.+I chose these technologies for the very simple reason that someone at my university had used them extensively to build a website to access our timetables easier, which meant I had an exit strategy in case I got hopelessly stuck.+I've got to say that was a pretty good idea for the beginning, it came in handy a couple times.+Then came the summer break, which weren't much of a break for the most part, as I was working tirelessly on UniCovoit.+I wanted to be ready for a big launch at the beginning of September when we go back to university.+While working over the summer was definitely worth it and I managed to finish everything on time, I am absolutely exhausted for September.+Nonetheless, I am very proud to announce that UniCovoit is now open for business! (not literally business, I don't actually make any money)
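Review bot: grammar slips in the added content/posts/unicovoit-initial-release.md text: `four and half months` should be `four and a half months`, `which weren't much of a break` should be `which wasn't much of a break`, `access our timetables easier` should be `access our timetables more easily`, and `I am absolutely exhausted for September` reads better as `going into September`.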
+83
content/posts/writeup-404ctf-osint-aube-d-un-echange.md
···+The [404CTF](https://404ctf.fr) is a CTF organized by the Direction Générale de la Sécurité Extérieure (DGSE), Télécom SudParis and+This 2022 edition marked the double anniversary of "the 80th anniversary of the BCRA, the secret service of the Free France and+One of our agents has just intercepted a short telephone conversation between two Hallebarde agents.+An important exchange of confidential documents is to take place and to indicate the location of the meeting,+one of the enemy agents has sent the following picture to his colleague with the following message:+style="border-left: 4px solid #e0e0e0; padding: 0 0 0 1rem;border-radius: 0.1rem; margin: 1rem 2rem;line-height: 1.5rem"+What a beautiful sunrise, isn't it? I'll be waiting in the street between the building in the foreground and those in the background.+The street name must be in lower case, include the type of street (e.g. avenue, street, boulevard...),+For example: if the street is Avenue de Saint-Mandé in Paris, the correct flag is `404CTF{129af9edde5659143536427f9a5f659a}`.+According to the instructions, it is a rising sun, so we can assume that the picture was taken facing east.+Before going further, we will assume that this is a French city and look for a list of the tallest buildings in France.+We then come across the Wikipedia page on [France's tallest skyscrapers](https://fr.wikipedia.org/wiki/Liste_des_plus_hauts_gratte-ciel_de_France).+Looking at the images associated with the towers, we notice that the third one looks remarkably similar to the one in our photo.++By simply reading the Wikipedia description of the Tour Incity, we find a link to the Part-Dieu district page.+Fortunately for us, the viewpoint of the description image is very similar to the one of our photo.++We can now start to search with [Google Earth](https://earth.google.com/web/@45.7589869,4.82472116,199.71703945a,1402.6169008d,35y,9.91010942h,69.22260348t,0r) for places around Fourvière or further west,++Exploring the 
surroundings, we soon find a building on the East side of the hill which looks like the one in the background of our photo.++We can then format and hash this street name with `echo -n "montee-saint-barthelemy" | md5sum`,
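Review bot: the final step `echo -n "montee-saint-barthelemy" | md5sum` applies a normalisation (lower case, accents stripped, spaces turned into hyphens) that the quoted rules only partly state ("in lower case, include the type of street"); spell out the full format before hashing, because a reader who hashes `montée saint-barthélemy` gets a different digest and cannot reproduce the flag. The rules' own example (`Avenue de Saint-Mandé` giving `404CTF{129af9edde5659143536427f9a5f659a}`) is the natural way to show that the chosen normalisation is right: hash the normalised example string the same way and confirm it matches before hashing the answer.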
+82
content/posts/writeup-404ctf-web-fiche-js.md
···+The [404CTF](https://404ctf.fr) is a CTF organized by the Direction Générale de la Sécurité Extérieure (DGSE), Télécom SudParis and+This 2022 edition marked the double anniversary of "the 80th anniversary of the BCRA, the secret service of the Free France and+After several months of digging into Hallebarde's past, we found an old file hosting platform that they used up until 2010.+Security practices have changed radically since then and what seemed unbreakable then may not be so at all anymore.+Your move: find a way to bypass the existing protection system and recover the files still hosted on this site!+From there, we can open our browser's developer console in order to find what is hidden behind this numpad.+We can therefore set a breakpoint here by clicking on line number 129 to examine the behaviour of the `confirmPin()` function.+The code check is just a simple comparison, but it is not the code that we are interested in here.+It is indeed on this mystery page that we find the flag, as well as the list of all the agents of Hallebarde.
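Review bot: the takeaway is left implicit in the added content/posts/writeup-404ctf-web-fiche-js.md text: `confirmPin()` is checked entirely in the browser ("The code check is just a simple comparison"), so the numpad can be bypassed by anyone with the developer console no matter what the PIN is; state that the fix is to enforce the check server-side, which is the "security practices have changed radically" point the challenge text sets up. Also `line number 129` only helps if readers know which script they are looking at in the devtools, so name the file.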
+80
content/posts/writeup-heroctf-prog-ssh.md
···+Every user can read the private rsa key of the next user. You just have to grab it, and ssh as the next. But... there+Once logged in, we can see that in the home directory, there is an executable file called `getSSHKey`,+With this information, we can now write a simple bash script to automate the retrieval of the SSH keys and, in turn, the flag.+The use of `sshpass` instead of the plain old `ssh` for the first login enables us to give the password+The use of `1>` at the end of each command redirects the standard output (stdout not stderr) to a specified file;+# For each user, log in using the previously fetched key, and save the next key in a file name idX,+We can now simply wait for the programme to execute and the flag will magically appear a few seconds later!
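Review bot: the loop that saves each fetched private key to a file ("save the next key in a file name idX") needs a `chmod 600` on that file before the next `ssh -i`, unless the script already does it: with a default umask the redirect creates the file world-readable, OpenSSH refuses it ("UNPROTECTED PRIVATE KEY FILE" / "This private key will be ignored") and the login falls back to asking for a password, which breaks the automation. Smaller points: `file name idX` should be `file named idX`; `1>` is just `>` for stdout, so either say so or use `>`; and since the script reconnects to the same host many times, say how host-key prompts are handled (`-o StrictHostKeyChecking=...`), otherwise the first `ssh` blocks on the yes/no prompt.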
+90
content/posts/writeup-midnightflag-osint-will-the-big-wheel.md
···+The [MidnightFlag CTF](https://midnightflag.fr/) is a CTF organised by students from [ESNA](https://www.esna.bzh/)+Our intelligence services have just received a message from one of our agents in the USSR and according to the first elements,+With a simple `exiftool MessageRecover.png`, we get the following information *(some information was removed for clarity)* :+User Comment : WzUxLjQwMzA5LCAzMC4wNDQwMXw1MS40MDc4OSwgMzAuMDU1NjR8NTEuNDAwODksIDMwLjA2NDA4XSwgSSB3SUxsIHdBSXQgWW9VIGFUIHRIZSBjRW50RVIu+echo -n "WzUxLjQwMzA5LCAzMC4wNDQwMXw1MS40MDc4OSwgMzAuMDU1NjR8NTEuNDAwODksIDMwLjA2NDA4XSwgSSB3SUxsIHdBSXQgWW9VIGFUIHRIZSBjRW50RVIu" | base64 --decode++We can assume from this sentence that the agent will be waiting at center of these three coordinates.+With a quick search about averaging GPS coordinates, we land a javascript programme [on Github Gist](https://gist.github.com/tlhunter/0ea604b77775b3e7d7d25ea0f70a23eb).++By plotting these coordinates on a map, we land [near the amusement park](https://www.google.com/maps/place/Pripyat+amusement+park/@51.4053954,30.0488085,2337m/data=!3m1!1e3!4m13!1m7!3m6!1s0x0:0x8b035e1594d47a36!2zNTHCsDI0JzE0LjMiTiAzMMKwMDMnMTYuNSJF!3b1!8m2!3d51.403957!4d30.0545768!3m4!1s0x472a7c5de9f5c0fb:0x87aa178315dd0d18!8m2!3d51.4078925!4d30.055647)+We then look at the nearest point of interest, and we find **Чорнобиль**, which means Tchernobyl.+We then format the word with `echo -n "Чорнобиль" | md5sum` and get the flag `MCTF{3687016d7a89edc046069933f208e8c8}`.
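Review bot: `Tchernobyl` in the added content/posts/writeup-midnightflag-osint-will-the-big-wheel.md text is the French spelling; in English it is `Chernobyl`, and it is worth noting that `Чорнобиль` is the Ukrainian form, because the flag is the md5 of that exact string (the Russian `Чернобыль` hashes to something else). The averaging step would also be easier to trust with the result shown: the mean of the three decoded points is about 51.40396, 30.05458, which matches the `3d51.403957!4d30.0545768` in the map link. Grammar: `we land a javascript programme` should be `we land on a JavaScript program`, and `waiting at center` should be `waiting at the centre`; the odd capitalisation of the decoded message (`I wILl wAIt ...`) goes unmentioned, so say whether it mattered.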