Merge commit from fork

This is a bug introduced in version 2.10.0: checking the "iss" claim
changed from `isinstance(issuer, list)` to `isinstance(issuer,
Sequence)`.

```diff
-        if isinstance(issuer, list):
+        if isinstance(issuer, Sequence):
            if payload["iss"] not in issuer:
                raise InvalidIssuerError("Invalid issuer")
        else:
```

Since str is a Sequnce, but not a list, `in` is also used for string
comparison. This results in `if "abc" not in "__abcd__":` being
checked instead of `if "abc" != "__abc__":`.

Co-authored-by: Fabian Badoi <[email protected]>

Author: jpadilla

jwt/api_jwt.py

@@ -419,11 +419,11 @@ def _validate_iss(self, payload: dict[str, Any], issuer: Any) -> None:
         if "iss" not in payload:
             raise MissingRequiredClaimError("iss")
 
-        if isinstance(issuer, Sequence):
-            if payload["iss"] not in issuer:
+        if isinstance(issuer, str):
+            if payload["iss"] != issuer:
                 raise InvalidIssuerError("Invalid issuer")
         else:
-            if payload["iss"] != issuer:
+            if payload["iss"] not in issuer:
                 raise InvalidIssuerError("Invalid issuer")
 
 

tests/test_api_jwt.py

@@ -464,6 +464,16 @@ def test_raise_exception_token_without_issuer(self, jwt):
 
         assert exc.value.claim == "iss"
 
+    def test_rasise_exception_on_partial_issuer_match(self, jwt):
+        issuer = "urn:expected"
+
+        payload = {"iss": "urn:"}
+
+        token = jwt.encode(payload, "secret")
+
+        with pytest.raises(InvalidIssuerError):
+            jwt.decode(token, "secret", issuer=issuer, algorithms=["HS256"])
+        
     def test_raise_exception_token_without_audience(self, jwt):
         payload = {"some": "payload"}
         token = jwt.encode(payload, "secret")