initial commit to enable token validation and key download

public/TokenManager.php

@@ -8,7 +8,8 @@ class TokenManager {
     /*
      * VARIABLES
      */
-    private string $storagePath; // Subdirectory under Tresor's /private directory to use to store all the token information
+    private string $tokenStoragePath; // Subdirectory under Tresor's /public directory to use to store all the token information
+    private string $keyStoragePath;   // Subdirectory under Tresor's /private directory to store all keyfiles
     private int $expireDays;     // number of dates for a token to expire
     private int $maxDownloads;   // maximum number of downloads before a token becomes invalid
     private int $tokenLength;    // number of random bytes to use to create the token name
@@ -19,34 +20,44 @@ class TokenManager {
      */
 
     // initialize the token instance in PHP
-    public __contruct(
+    public function __construct(
         string $storagePath = '/tokens',
-        int $exireDays = 1,
+        string $keyStoragePath = '/keys',
+        int $expireDays = 1,
         int $maxDownloads = 1,
         int $tokenLength = 32
     ) {
-        $this->storagePath = $storagePath;
-        $this->$expireDays = $expireDays;
-        $this->$maxDownloads = $maxDownloads;
-        $this->$tokenLength = $tokenLength;
+        $this->tokenStoragePath = __DIR__ . $storagePath;
+        $this->keyStoragePath = substr(__DIR__, 0, strrpos(__DIR__, '/') + 1) . 'private' . $keyStoragePath;
+        $this->expireDays = $expireDays;
+        $this->maxDownloads = $maxDownloads;
+        $this->tokenLength = $tokenLength;
+
+        if(!is_dir($this->tokenStoragePath))
+            mkdir($this->tokenStoragePath, 0755, true);
     }
 
     // generate a new token and save it to the file system
-    public generateToken(
+    public function generateToken(
         string $filename,
         string $ownerName,
         string $allowedUser
     ) {
-        return (['error'=>'no token generated', 'status'=>'500']);
+        return (['error'=>'no token generated', 'status'=>500]);
     }
 
     // retrieve/download the key file connected with the token
-    public retrieveToken(string $tokenName) {
+    public function retrieveToken(string $tokenName) {
+	$result = $this->validateToken($tokenName);
+        if(!isset($result['success']))
+            return ['error'=>'token invalid', 'status'=>422];
 
+        // send the file name of the designated key for download
+        return ['success'=>$result['success'], 'status'=>200];
     }
 
     // check a token and remove it when it's expired
-    public cleanupToken(string $tokenName) {
+    public function cleanupToken(string $tokenName) {
 
     }
 
@@ -55,12 +66,49 @@ class TokenManager {
      */
     
     // check whether a token is still valid and accessible by the user requesting it
-    private validateToken($tokenName) {
-        return null;
+    private function validateToken($tokenName) {
+        // check if tokenName is a valid hexadecimal string
+        if(!ctype_xdigit($tokenName))
+             return false;
+
+        // check if token file exists and read data if so
+        $tokenPath = $this->getTokenFilePath($tokenName);
+        if(!file_exists($tokenPath))
+            return false;
+        $tokenData = json_decode(file_get_contents($tokenPath));
+
+        // check expiry of the token
+        if( new DateTime() > new DateTime($tokenData->expires))
+            return false;
+
+        // safety-check if requesting user name is matching the allowed characters (a-zA-Z0-9)
+        if(preg_match('/[^a-zA-Z0-9]/', $_SERVER['PHP_AUTH_USER']))
+            return false;
+        // check if the requesting user is allowed to query the token
+        if(levenshtein($_SERVER['PHP_AUTH_USER'], $tokenData->allowedUser))
+            return false;
+        // check if requesting user is allowed to retrieve the key
+        $allowedUsersFilePath = __DIR__ . '/../private/keys/allowedUsers.json';
+        if(!file_exists($allowedUsersFilePath))
+            return false;
+        $allowedUsers = json_decode(file_get_contents($allowedUsersFilePath))->{$tokenData->owner}->{$tokenData->file};
+        if(array_search($_SERVER['PHP_AUTH_USER'], $allowedUsers, true) === false)
+            return false;
+
+        //all checks completed successfully
+        $path = substr( __DIR__, 0, strrpos(__DIR__, '/') + 1 );
+        return ['success'=>$this->keyStoragePath . '/' . $tokenData->owner . '/' . $tokenData->file, 'status'=>200];
     }
 
-    private getDownloadFileInfo ($tokenName) {
+    private function getDownloadFileInfo ($tokenName) {
         $fileInfo = [];
         return null;
     }
-}
+
+    private function getTokenFilePath($tokenName) {
+        $filePath = $this->tokenStoragePath . '/' . $tokenName . '.json';
+        if(!file_exists($filePath))
+            return false;
+        return $filePath;
+    }
+}

public/index.php

@@ -12,13 +12,19 @@ $method = $_SERVER['REQUEST_METHOD'];
 $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
 $path = str_replace('/index.php', '', $path);
 $path = rtrim($path, '/');
+$path = ltrim($path, '/');
+
+$tokenManager = new TokenManager();
 
 switch ($path) {
-    case '/request': // request access to another user's emergency / legacy key file
-        request_access();
+    case 'request': // request access to another user's emergency / legacy key file
+        requestAccess();
         break;
-    case 'deny': //deny access
-        deny_access();
+    case 'deny': // deny requested access
+        denyAccess();
+        break;
+    case 'download':
+        downloadKey();
         break;
     default:
         user_interface();
@@ -29,21 +35,51 @@ function ReturnJsonResponse($data, $status = 200) {
     http_response_code($status);
     header('Content-Type: application/json');
     header('Cache-Control: no-cache, no-store, must-revalidate');
-    echo json_encode($data);
+    print json_encode($data);
     exit;
 }
 
-function request_access() {
+function requestAccess() {
     $data = ['request access' => 'request not allowed'];
     ReturnJsonResponse($data, 403);
 }
 
-function deny_access() {
+function denyAccess() {
     $data = ['deny access'=>'emergency user request revoked'];
     ReturnJsonResponse($data);
 }
 
+function downloadKey() {
+    global $tokenManager;
+    if(!isset($_REQUEST['token']) || !ctype_xdigit($_REQUEST['token']))
+        ReturnJsonResponse(['error'=>'missing or invalid token'], 400);
+    $result = $tokenManager->retrieveToken($_REQUEST['token']);
+    if(isset($result['error']))
+        ReturnJsonResponse(['error'=>$result['error']], $result['status']);
+
+    if(!isset($result['success']))
+        ReturnJsonResponse(['error'=>'token could not be validated'], 400);
+
+    //check if returned keyfile exists
+    if(!file_exists($result['success']))
+        ReturnJsonResponse(['error'=>'keyfile not found'], 404);
+
+    $filePath = $result['success'];
+    $fileName = basename($filePath);
+    $fileSize = filesize($filePath);
+    
+    header('Content-Type: application/octet-stream');
+    header("Content-Disposition: attachment; filename=\"{$fileName}\"");
+    header("Content-Length: {$fileSize}");
+    header('Cache-Control: no-cache, no-store, must-revalidate');
+    header('Pragma: no-cache');
+    header('Expires: 0');
+
+    readfile($filePath);
+    exit;
+}
+
 function user_interface() {
     print('<!DOCTYPE html><html><head><title>DigiErbe Tresor</title></head><body><h1>Willkommen beim DigiErbe Tresor</h1></body></html>');
 }
-?>
+?>

public/requests/ownerName.json

@@ -0,0 +1,4 @@
+{
+    "requested_key": "myKey.pem",
+    "created": "2026-04-04T12:00:00+00:00"
+}

public/tokens/12d96f25badfd0b13218db90677bded035134c71ba972a26cef1c67417fb663a.json

@@ -5,4 +5,4 @@
     "created": "2026-04-04T16:54:26+00:00",
     "expires": "2026-04-07T16:54:26+00:00",
     "allowedUser": "allowedName"
-}
+}