fix: resolve scurity vulnerabilites

README.md

@@ -1,26 +1,30 @@
 # External JWT Plugin for Directus
+
 ## This plugin serves as a way to make Directus trust externally signed JWT tokens from an OIDC or OAuth2 provider.
 
-The plugin expects to resolve the following new configuration option
+The plugin expects to resolve the following new configuration options.
 
-The provider must issues Access tokens as JWT since this is used for verification right now. Might add support for general tokens later.
+The provider must issue Access tokens as JWT since this is used for verification right now. (Support for general tokens may be added later.)
 
-If USEDB are enabled the extension will try to search for the user in the database by looking at the sub in the JWT token. The user must exists and all roles for that use will be used. 
+If USEDB is enabled the extension will try to search for the user in the database by looking at the sub in the JWT token. The user must exist and all roles for that user will be used.
 
-When using USEDB you should also enable the caching option to reduce the time spent against the api and reduce the number of db lookups. The cache stores the user object in the cache based on the sub in the token. 
+When using USEDB you should also enable the caching option to reduce the time spent against the API and reduce the number of DB lookups. The cache stores the user object based on the sub in the token.
 
-USEDB also validates that the issuer is the same as assigned to the user. 
+USEDB also validates that the issuer is the same as assigned to the user.
 
 ## Configuration
-all configuration options listed here are an extension to directus default config.
 
-| ENV Variable                 | Supported values  | Description  |
-|------------------------------|-------------------|--------------|
-| AUTH_PROVIDER_TRUSTED        | True/False        | Must be true for the provider to be considered as trusted. Note, do not trust public providers as these can generate tokens that you cannot control.  
-| AUTH_PROVIDER_JWT_ROLE_KEY   | String            | What key in the JWT payload contains the role  |
-| AUTH_PROVIDER_JWT_ADMIN_KEY  | String            | What key in the JWT payload contains a bool to grant admin rights  |
-| AUTH_PROVIDER_JWT_APP_KEY    | String            | What key in the JWT payload contains a bool to allow app access
-| AUTH_PROVIDER_JWT_USEDB      | Bool              | If enabled/true the plugin will resolve the user and roles from the directus database using the token. For OIDC the sub is used. Should not be used without a Redis Cache enabled.
-| CACHE_JWT_NAMESPACE          | String            | What namespace to use in cache store.
-| CACHE_JWT_TTL                | Number            | Time to live for the cached user entry, default 5000 (5 seconds)
-| REDIS_JWT_DB                 | Number            | What database to use in Redis cache, default 2
+All configuration options listed here are an extension to Directus' default config.
+
+| ENV Variable                 | Supported values        | Description  |
+|------------------------------|-------------------------|--------------|
+| AUTH_PROVIDER_TRUSTED        | `true`/`false`          | Must be true for the provider to be considered trusted. **Warning:** Do not trust public providers as they can generate tokens that you cannot control.  |
+| AUTH_PROVIDER_JWT_ROLE_KEY   | String                  | The key in the JWT payload that contains the role information.  |
+| AUTH_PROVIDER_JWT_ADMIN_KEY  | String                  | The key in the JWT payload that indicates if admin rights should be granted.  |
+| AUTH_PROVIDER_JWT_APP_KEY    | String                  | The key in the JWT payload that allows app access if set to true.  |
+| AUTH_PROVIDER_JWT_USEDB      | Boolean                 | If enabled, the plugin resolves the user and roles from the Directus database using the token (“sub” for OIDC). Should be used only with an enabled Redis Cache. |
+| AUTH_PROVIDER_JWKS_URL       | String                  | The URL from which to fetch the JSON Web Key Set (JWKS) for token verification.  |
+| AUTH_PROVIDER_JWKS_KEYS      | JSON                    | Inline JSON Web Keys for token verification if not using a JWKS URL.  |
+| CACHE_JWT_NAMESPACE          | String                  | The namespace used in the cache store for JWT-related entries.  |
+| CACHE_JWT_TTL                | Number                  | Time to live (in milliseconds) for the cached user entry. Default is 5000 (5 seconds).  |
+| REDIS_JWT_DB                 | Number                  | The Redis database number to use for JWT caching. Default is 2.  |

package.json

@@ -149,7 +149,21 @@
 			"vite@<4.3.9": "^4.3.9",
 			"vite@>4.3.9": "^4.5.3",
 			"zod@<=3.22.2": ">=3.22.3",
-			"axios@<=1.4.0": ">=1.4.1"
+			"axios@<=1.4.0": ">=1.4.1",
+			"axios@>=1.3.2 <=1.7.3": ">=1.7.4",
+			"micromatch@<4.0.8": ">=4.0.8",
+			"vite@>=4.0.0 <4.5.4": ">=4.5.4",
+			"vite@>=4.0.0 <=4.5.3": ">=4.5.4",
+			"rollup@>=3.0.0 <3.29.5": ">=3.29.5",
+			"cross-spawn@>=7.0.0 <7.0.5": ">=7.0.5",
+			"nanoid@<3.3.8": ">=3.3.8",
+			"@octokit/request-error@>=1.0.0 <5.1.1": ">=5.1.1",
+			"@octokit/endpoint@>=9.0.5 <9.0.6": ">=9.0.6",
+			"@octokit/request@>=1.0.0 <9.2.1": ">=9.2.1",
+			"@octokit/plugin-paginate-rest@>=1.0.0 <11.4.1": ">=11.4.1",
+			"serialize-javascript@<6.0.2": ">=6.0.2",
+			"esbuild@<=0.24.2": ">=0.25.0",
+			"vite@<=4.5.5": ">=4.5.6"
 		}
 	}
 }