fix: typ checking edge-cases when it contains a slash (/) character

Author: panva

src/lib/jwt_claims_set.ts

@@ -14,7 +14,13 @@ function validateInput(label: string, input: number) {
   return input
 }
 
-const normalizeTyp = (value: string) => value.toLowerCase().replace(/^application\//, '')
+const normalizeTyp = (value: string) => {
+  if (value.includes('/')) {
+    return value.toLowerCase()
+  }
+
+  return `application/${value.toLowerCase()}`
+}
 
 const checkAudiencePresence = (audPayload: unknown, audOption: unknown[]) => {
   if (typeof audPayload === 'string') {

test/jwt/verify.test.ts

@@ -176,6 +176,25 @@ test('typ verification', async (t) => {
       { code: 'ERR_JWT_CLAIM_VALIDATION_FAILED', message: 'unexpected "typ" JWT header value' },
     )
   }
+  {
+    const typ = 'text/plain'
+    const jwt = await new SignJWT(t.context.payload)
+      .setProtectedHeader({ alg: 'HS256', typ })
+      .sign(t.context.secret)
+
+    await t.notThrowsAsync(
+      jwtVerify(jwt, t.context.secret, {
+        typ: 'text/plain',
+      }),
+    )
+
+    await t.throwsAsync(
+      jwtVerify(jwt, t.context.secret, {
+        typ: 'application/text/plain',
+      }),
+      { code: 'ERR_JWT_CLAIM_VALIDATION_FAILED', message: 'unexpected "typ" JWT header value' },
+    )
+  }
 })
 
 test('Issuer[] verification', async (t) => {