Merged thibault's changes

package.json

@@ -56,7 +56,7 @@
 		"wrangler": "3.60.3"
 	},
 	"dependencies": {
-		"@cloudflare/privacypass-ts": "0.7.0-beta.0",
+		"@cloudflare/privacypass-ts": "file:/Users/lina/workspace/privacypass-ts/cloudflare-privacypass-ts-0.7.0-beta.0.tgz",
 		"@sentry/cli": "2.26.0",
 		"@sentry/types": "7.95.0",
 		"cron-parser": "4.9.0",

preseeded-key.json

@@ -0,0 +1,5 @@
+{
+  "tokenKey": 43,
+  "privateKeyBase64": "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCzaien/z4vdy2fRnkLIJaadtCo/Iv48nhK2HzlFqPFcwCgYuatCCk+fadBdIL19CEQnWqDHbmb0Suf3L/bv2li+HYqcXXOX28ru6E5omoyeDRURR3L69NENVZ2qtNcuHzHH26i5o2nI+WoMYzlyM37nwpuwn2FpDtLExudB8Ac5d6iC4D3J4+OKBihVn8FMvBvna0JNc3ZzfO3mVqBOPweOvWNPtOmsrfDgicgL+7Or8Sw452WpZYYsRC4wQ2C938Fa3ZJ69F6z0OzQTlrdU0L0v8Z1z886pgQef/n2Cz2SCyz0ET3TCr27mTuKnR71FnpzMQo5X30Mv+yLm9fBlaFAgMBAAECggEAHzAuaZlItZaZkyz8gK8vDvXliuKv8FwyBgzBFU/Ms1es/bSDlgOrq8XLC+lVlKzWDJ3YtKc3qzr+wuDsZyZMixxW6kTj7jaPzEHnIm412MUlj5qeNeMuTBabi7BhYqZdZn3zzRSX/jySwRyv+gfgqsN4XE2p5U/p0MCnFbKRtlQCQHdGth7HVn0jJzx5eDKU1rRfCcuPdD4u1uniB7OP7hIwAheEJijEy8yiZTNY/dXLRc9XqLFIHtNN86GDIKG5SPiJbHk401WdBlUJnqjng5wriZUu69lI9GF3qSMAJlFsWIgSnbWpkDPH785knVNBQst9EYDD2N/LeTY9rMn7twKBgQDyM9pmSb4cDZmcIrnegkjP1/Jn7M+RuQ3hSF95GCy6mQJHL+Zxy//dOmjq2saZdClqQWiE578Lx0HqSTLeAjJS6VVyBkjuk4t+/7zVXGJ+8HyvMIEvL040Zwxpd48p454KLNVjOAOciFzSUycRDVZlN8qKQR6P8eE8piDDL6hmUwKBgQC9oqNo6Yh5JcktWtXSdduZWyONJiNml1ZmkD37k2orkxVVIzZg2bNWeO6rzyzcHm5f1l9j9cORikPMKQf+oCG4fhAwFQ/f9Vr5Bqh90T6B1DOI+2AYi+SSAR9jTb5nqCaY/rfZBarWi00cpHdRU41kNMirhMBfH+NPO1axxLSExwKBgQCRrtbjR9/uB9AptkmOqVcajY3lLO/9ew36QAoNUJk28+oG360BLe+NJiENguKKUvDGVOmFZ8/mSchAIB9UooWakXcvys/7kQwLK9BtldA5AnY8+jP6Kb4kjwdMOPoH/D2HaUhBEeQ6N1t9tz58Z0VcRJ6zYk/7zUXpsRNr1DK6uQKBgE0HjHMoMYxsYdyvgh18TFht4fIK5OReYvVEcDkJt1294DN2GzeaFrPwaZqWjDVZkyIQ1SyofulWjZWXsSyn5Sqo4nB1jb4+TtbK8pQw88AO72QcH/u4j38TP6m5wbcfYZZSGWHpYGzHpuoUkHcThmKG4mBxiybYsB/WDbAmI+GvAoGBAJMuLUSfeMpWoGA3SUIexcD1ccfBtsk3TaJJ52SyiSHojdNX2lg/tf2PMG8Nm/QPSQ2eRQvZCURBOaVZFg8fTcgGEkbNIYK+Cc9KgKXWFsegAzadHyihu1hSBLsBdmkjRHCEJaWIW3LRvuehuqtdIoGltquloP3mCqrIi2qMyjHX",
+  "publicKeyBase64": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs2onp/8+L3ctn0Z5CyCWmnbQqPyL+PJ4Sth85RajxXMAoGLmrQgpPn2nQXSC9fQhEJ1qgx25m9Ern9y/279pYvh2KnF1zl9vK7uhOaJqMng0VEUdy+vTRDVWdqrTXLh8xx9uouaNpyPlqDGM5cjN+58KbsJ9haQ7SxMbnQfAHOXeoguA9yePjigYoVZ/BTLwb52tCTXN2c3zt5lagTj8Hjr1jT7TprK3w4InIC/uzq/EsOOdlqWWGLEQuMENgvd/BWt2SevRes9Ds0E5a3VNC9L/Gdc/POqYEHn/59gs9kgss9BE90wq9u5k7ip0e9RZ6czEKOV99DL/si5vXwZWhQIDAQAB"
+}

src/index.ts

@@ -78,9 +78,11 @@ export const handleSingleTokenRequest = async (ctx: Context, request: Request) =
 	}
 
 	const keyID = tokenRequest.truncatedTokenKeyId;
+
 	const { sk, pk } = await getBlindRSAKeyPair(ctx, keyID);
 
 	const domain = new URL(request.url).host;
+
 	const issuer = new Issuer(BlindRSAMode.PSS, domain, sk, pk, { supportsRSARAW: true });
 	const signedToken = await issuer.issue(tokenRequest);
 	ctx.metrics.signedTokenTotal.inc({ key_id: keyID });
@@ -95,49 +97,65 @@ export const handleSingleTokenRequest = async (ctx: Context, request: Request) =
 };
 
 const handleBatchedTokenRequest = async (ctx: Context, request: Request): Promise<Response> => {
-	const buffer = await request.arrayBuffer();
-	const batchedTokenRequest = BatchedTokenRequest.deserialize(new Uint8Array(buffer));
+	try {
+		// Read request body
+		const buffer = await request.arrayBuffer();
 
-	if (batchedTokenRequest.tokenRequests.length === 0) {
-		const responseBytes = (new BatchedTokenResponse([])).serialize()
-		return new Response(responseBytes, { headers: { 'Content-Type': MediaType.ARBITRARY_BATCHED_TOKEN_RESPONSE } })
-	}
+		// Deserialize the batched token request
+		const batchedTokenRequest = BatchedTokenRequest.deserialize(new Uint8Array(buffer));
 
-	// Validate that all token requests have the same key ID and correct token type
-	const keyID = batchedTokenRequest.tokenRequests[0].truncatedTokenKeyId;
-	for (const tokenRequest of batchedTokenRequest.tokenRequests) {
-		if (tokenRequest.tokenType !== TOKEN_TYPES.BLIND_RSA.value) {
-			throw new InvalidTokenTypeError();
+		if (batchedTokenRequest.tokenRequests.length === 0) {
+			const responseBytes = new BatchedTokenResponse([]).serialize();
+			return new Response(responseBytes, {
+				headers: { "Content-Type": MediaType.ARBITRARY_BATCHED_TOKEN_RESPONSE }
+			});
 		}
-		if (tokenRequest.truncatedTokenKeyId != keyID) {
-			throw new MismatchedTokenKeyIDError();
+
+		// Extract key ID and validate token requests
+		const keyID = batchedTokenRequest.tokenRequests[0].truncatedTokenKeyId;
+
+		for (let i = 0; i < batchedTokenRequest.tokenRequests.length; i++) {
+			const tokenRequest = batchedTokenRequest.tokenRequests[i];
+
+			if (tokenRequest.tokenType !== TOKEN_TYPES.BLIND_RSA.value) {
+				throw new InvalidTokenTypeError();
+			}
+			if (tokenRequest.truncatedTokenKeyId !== keyID) {
+				throw new MismatchedTokenKeyIDError();
+			}
 		}
-	}
 
-	const { sk, pk } = await getBlindRSAKeyPair(ctx, keyID);
-	const domain = new URL(request.url).host;
+		// Retrieve key pair
+		const { sk, pk } = await getBlindRSAKeyPair(ctx, keyID);
 
-	// We only support type 2 (Blind RSA, e.g. PSS) for now
-	const issuer = new Issuer(publicVerif.BlindRSAMode.PSS, domain, sk, pk, { supportsRSARAW: true });
-	const batchedTokenIssuer = new BatchedTokensIssuer(issuer);
-	const batchedTokenResponse = await batchedTokenIssuer.issue(batchedTokenRequest);
+		const domain = new URL(request.url).host;
+		const issuer = new Issuer(BlindRSAMode.PSS, domain, sk, pk, { supportsRSARAW: true });
 
-	const responseBytes = batchedTokenResponse.serialize();
+		const batchedTokenIssuer = new BatchedTokensIssuer(issuer);
+		const batchedTokenResponse = await batchedTokenIssuer.issue(batchedTokenRequest);
+		const responseBytes = batchedTokenResponse.serialize();
 
-	// Determine if any token response is empty (null) and choose the proper status code:
-	// If at least one token request failed, return HTTP 206 (Partial Content), otherwise 200.
-	const partial = batchedTokenResponse.tokenResponses.some((resp) => resp.tokenResponse === null);
-	const status = partial ? 206 : 200;
 
-	return new Response(responseBytes, {
-		status,
-		headers: {
-			"Content-Type": MediaType.ARBITRARY_BATCHED_TOKEN_RESPONSE,
-			"Content-Length": responseBytes.length.toString(),
-		},
-	});
+		// Determine if any token response is empty (null) and set the appropriate status code
+		const partial = batchedTokenResponse.tokenResponses.some((resp) => resp.tokenResponse === null);
+		const status = partial ? 206 : 200;
+		console.log(`[handleBatchedTokenRequest] Response status: ${status} (Partial: ${partial})`);
+
+		// Return response
+		return new Response(responseBytes, {
+			status,
+			headers: {
+				"Content-Type": MediaType.ARBITRARY_BATCHED_TOKEN_RESPONSE,
+				"Content-Length": responseBytes.length.toString(),
+			},
+		});
+	} catch (error) {
+		console.error("[handleBatchedTokenRequest] Error handling batched token request:", error);
+		return new Response("Internal Server Error", { status: 500 });
+	}
 };
 
+
 const getBlindRSAKeyPair = async (ctx: Context, keyID: number) => {
 	const key = await ctx.bucket.ISSUANCE_KEYS.get(keyID.toString());
 
@@ -162,7 +180,6 @@ const getBlindRSAKeyPair = async (ctx: Context, keyID: number) => {
 				'pkcs8',
 				privateKey,
 				{
-					// RSA-RAW is handled directly by blindrsa-ts
 					name: ctx.isTest() ? 'RSA-PSS' : 'RSA-RAW',
 					hash: 'SHA-384',
 					length: 2048,