The `jwt_split` function requires the `typ` parameter of the header to equal "JWT". Because the `jwt_split` function is used when decoding tokens, for example here, this means that token decoding fails when `typ` is present but not equal to "JWT". This can be unfortunate because the `typ` parameter is optional and may contain values other than "JWT". The validation thus causes the function to reject tokens that are technically valid. This example illustrates the issue:
```r
library(jsonlite)
library(jose)
#> Warning: package 'jose' was built under R version 4.5.1
#> Loading required package: openssl
#> Linking to: OpenSSL 3.4.1 11 Feb 2025

# Construct a JWT-like string whose 'typ' header is present but not "JWT"
header <- toJSON(list(alg = "HS256", typ = "at+jwt"), auto_unbox = TRUE)
payload <- toJSON(list(sub = "123"), auto_unbox = TRUE)
jwt <- paste(base64_enc(header),
             base64_enc(payload),
             base64_enc("dummy-signature"),
             sep = ".")
jwt |> jwt_split()
#> Error in jwt_split(jwt): toupper(header$typ) == "JWT" is not TRUE
```

Created on 2025-10-13 with reprex v2.1.1
Possible solutions include making the check less strict, optional or removing it altogether.
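The following is an added example, not code from the jose package or from the issue author, showing what a less strict `typ` check looks like next to the strict one reported above. It follows RFC 7519 section 5.1 (`typ` is optional, compared case-insensitively, "JWT" recommended) and RFC 9068 (which registers `at+jwt` for OAuth 2.0 access tokens), and strips an optional `application/` media-type prefix. The function and helper names, the allowed-value list, and the sample tokens are assumptions for illustration; the signature is a placeholder just as in the reprex, so this only demonstrates splitting and header validation, not signature verification, which is what actually secures a token.

```python
import base64
import json

# Assumed allowed 'typ' values for this example; a real deployment would
# list only the types it expects to receive (RFC 7519 sec. 5.1, RFC 9068).
ALLOWED_TYP = ("JWT", "at+jwt")


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as required by RFC 7515 (JWS)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Base64url decode, restoring the padding that JWS omits."""
    text += "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text)


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Constructed sample token with a placeholder signature (like the reprex)."""
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(b"dummy-signature"),
    ])


def strict_typ_ok(header: dict) -> bool:
    """Mirrors the behaviour reported in the issue: any 'typ' other than
    "JWT" (case-insensitive) is rejected; a missing 'typ' is accepted."""
    if "typ" not in header:
        return True
    return str(header["typ"]).upper() == "JWT"


def lenient_typ_ok(header: dict, allowed=ALLOWED_TYP) -> bool:
    """Standards-conformant check: 'typ' is optional; when present it must
    match one of the allowed media types, case-insensitively, with or
    without the 'application/' prefix."""
    typ = header.get("typ")
    if typ is None:
        return True
    typ = str(typ).lower()
    if typ.startswith("application/"):
        typ = typ[len("application/"):]
    return typ in {a.lower() for a in allowed}


def jwt_split(token: str, typ_check=lenient_typ_ok) -> dict:
    """Split a compact JWS into header, payload and raw signature bytes.
    Only the structure and the 'typ' header are checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header.get("alg"), str):
        raise ValueError("header is missing a string 'alg' parameter")
    if not typ_check(header):
        raise ValueError(f"unsupported typ header: {header.get('typ')!r}")
    return {
        "header": header,
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": b64url_decode(parts[2]),
    }


def accepted(token: str, typ_check) -> bool:
    """True if jwt_split accepts the token under the given typ policy."""
    try:
        jwt_split(token, typ_check=typ_check)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample tokens covering the cases that matter.
    for typ in (None, "JWT", "jwt", "at+jwt", "application/at+jwt", "foo"):
        hdr = {"alg": "HS256"} if typ is None else {"alg": "HS256", "typ": typ}
        tok = make_unsigned_token(hdr, {"sub": "123"})
        print(f"typ={typ!r:>22}  strict={accepted(tok, strict_typ_ok)!s:<5}"
              f"  lenient={accepted(tok, lenient_typ_ok)}")
```

Whichever policy is chosen, `typ` is a hint for dispatching token types, not a security control: rejecting or accepting it changes nothing about whether `alg` and the signature are verified, so relaxing the check does not weaken a decoder that verifies signatures properly.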