fix: Require header to be a Map when decoding JWT (#69)

tp · jonasroussel · web-flow · commit b979c71f6e82 · 2025-10-01T10:19:18.000+02:00
Even though the header's contents are not checked.

Co-authored-by: Jonas Roussel &lt;dev@jonas.bzh&gt;
diff --git a/lib/src/jwt.dart b/lib/src/jwt.dart
@@ -210,7 +210,8 @@ class JWT {
   static JWT decode(String token) {
     try {
       final parts = token.split('.');
-      final header = jsonBase64.decode(base64Padded(parts[0]));
+      var header =
+          jsonBase64.decode(base64Padded(parts[0])) as Map<String, dynamic>;
 
       final payload =
           (jsonBase64.decode(base64Padded(parts[1])) as Map<String, dynamic>);
@@ -222,8 +223,8 @@ class JWT {
 
       return JWT(
         payload,
-        header: header is! Map<String, dynamic> ? null : header,
-        audience: audience,
+        header: header,
+        audience: audiance,
         issuer: issuer,
         subject: subject,
         jwtId: jwtId,
diff --git a/test/header_test.dart b/test/header_test.dart
@@ -147,5 +147,18 @@ void main() {
         });
       });
     });
+
+    group('invalid header', () {
+      test('invalid (non map) header should fail to decode', () {
+        final token =
+            'W10' + // base64 for `[]`, which can JSON decode but is not valid
+                '.eyJmb28iOiJiYXIifQ' +
+                '.'; // signature is not checked here
+
+        final jwt = JWT.tryDecode(token);
+
+        expect(jwt, isNull);
+      });
+    });
   });
 }
