From bf0ad1c66909633c40c20da9d01f4466e40ef768 Mon Sep 17 00:00:00 2001
From: Daniele Paolini
Date: Wed, 2 Jul 2025 15:54:12 +0200
Subject: [PATCH] Handle JSON.parse failures in verify.js

To reproduce the issue that I'm trying to fix, please try to verify a "bad" token like "foo-bar-baz": it will trigger an "unhandled promise rejection" that can't be captured in client code.
---
 lib/jws/verify.js | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/lib/jws/verify.js b/lib/jws/verify.js
index 9e6fe7d..27f3561 100644
--- a/lib/jws/verify.js
+++ b/lib/jws/verify.js
@@ -87,12 +87,15 @@ var JWSVerifier = function(ks, globalOpts) {
 // combine fields and decode signature per signatory
 sigList = sigList.map(function(s) {
 var header = clone(s.header || {});
- var protect = s.protected ?
- JSON.parse(base64url.decode(s.protected, "utf8")) :
- {};
+ try {
+ var protect = s.protected ?
+ JSON.parse(base64url.decode(s.protected, "utf8")) :
+ {};
+ } catch (error) {
+ return Promise.reject(new Error("Parsing error: " + error));
+ }
 header = merge(header, protect);
 var signature = base64url.decode(s.signature);
-
 // process allowed algorithims
 if (!algSpec.match(header.alg)) {
 return Promise.reject(new Error("Algorithm not allowed: " + header.alg));
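Review bot: The new `try`/`catch` around `JSON.parse` only rejects a protected header that is not valid JSON; one that decodes to valid JSON which is not an object (`null`, a number, a string, an array) still reaches `merge(header, protect)` and the `header.alg` check. Since `s.protected` appears to come from the token being verified, I would validate the parsed value right after the `try` block, e.g. `if (protect === null || typeof protect !== "object" || Array.isArray(protect)) { return Promise.reject(new Error("Invalid protected header")); }`. As a style point, declare `var protect;` before the `try` rather than relying on `var` hoisting out of the block, and note that `"Parsing error: " + error` stringifies the original error and drops its stack. The `sigList.map` callback continues past the end of this hunk, so whether `base64url.decode(s.signature)` can also throw on malformed input should be checked against the full function.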