
fix(isJWT): reject tokens with non-JSON header or payload#2723

Closed
xxiaoxiong wants to merge 6 commits into
validatorjs:masterfrom
xxiaoxiong:fix/isJWT-non-json-rejection-2511

Conversation

@xxiaoxiong

Description

The isJWT function currently only validates that a string has three dot-separated segments and that each segment is valid URL-safe base64. However, a JWT's header and payload must be valid JSON when decoded.

For example:

isJWT("foo.bar.dGVzdA"); // Currently true, but should be false

The string "foo" is valid base64 but is not valid JSON, meaning this is not a real JWT.

Changes

  • Decode the header and payload base64 segments and parse as JSON
  • Return false if either is not valid JSON

Related Issue

Fixes #2511

The isJWT function currently only validates that the JWT has three
dot-separated segments and that each segment is valid URL-safe base64.
However, it does not verify that the decoded header and payload are valid
JSON. This allows strings like `foo.bar.dGVzdA` to pass validation
even though they are not valid JWTs.

This fix decodes the base64-encoded header and payload and checks that
they parse as valid JSON before returning true.

Fixes #2511
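An added, stand-alone illustration of the check this PR describes (it is not validator.js's code and not the PR's diff): a small `isJWT` that decodes the header and payload segments and rejects the token unless each parses as JSON. It goes one step further than the PR's stated check by also requiring the parsed values to be JSON objects, since a JOSE header and a JWT claims set are always objects. It assumes Node's `Buffer` base64url support; `decodeJsonSegment`, `makeToken` and `EXAMPLES` are names invented for this example.

```javascript
// Added example, not validator.js's own code: a stand-alone isJWT check in the
// spirit of this PR. It goes one step past the PR's stated check by requiring
// the decoded header and payload to be JSON objects, since a JOSE header and a
// JWT claims set are always objects (a bare 1 or "x" is valid JSON, not a JWT).
const URL_SAFE_B64 = /^[A-Za-z0-9_-]+$/;

// Decode one base64url segment; return the parsed object, or null if the
// segment is not base64url, is not valid JSON once decoded, or is not an object.
function decodeJsonSegment(segment) {
  if (!URL_SAFE_B64.test(segment)) return null;
  let parsed;
  try {
    parsed = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
  } catch (e) {
    return null; // e.g. "foo": valid base64, garbage once decoded
  }
  const isObject = parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed);
  return isObject ? parsed : null;
}

// Structural check only: three dot-separated segments, header and payload that
// decode to JSON objects, base64url signature segment. It does NOT verify the
// signature; a JWT library with the expected key and algorithm must still do that.
function isJWT(str) {
  if (typeof str !== 'string') return false;
  const parts = str.split('.');
  if (parts.length !== 3) return false;
  const [header, payload, signature] = parts;
  if (decodeJsonSegment(header) === null) return false;
  if (decodeJsonSegment(payload) === null) return false;
  return URL_SAFE_B64.test(signature); // signature bytes are opaque here
}

// Constructed helper: build a sample token so the examples below do not rely on
// hand-typed base64. The signature is a placeholder, not a real MAC.
function makeToken(header, payload, signature = 'sig') {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc(header)}.${enc(payload)}.${signature}`;
}

const EXAMPLES = {
  rejectedByFix: 'foo.bar.dGVzdA', // the PR's example: base64, but not JSON
  accepted: makeToken({ alg: 'HS256', typ: 'JWT' }, { sub: '1234567890' }),
};

console.log(isJWT(EXAMPLES.rejectedByFix)); // false
console.log(isJWT(EXAMPLES.accepted)); // true
```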
@codecov

codecov Bot commented May 28, 2026

Codecov Report

❌ Patch coverage is 73.68421% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 99.80%. Comparing base (7fdc788) to head (6ce349b).

Files with missing lines   Patch %   Lines
src/lib/isJWT.js           73.68%    4 Missing and 1 partial ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##            master    #2723      +/-   ##
===========================================
- Coverage   100.00%   99.80%   -0.20%     
===========================================
  Files          114      114              
  Lines         2587     2605      +18     
  Branches       656      660       +4     
===========================================
+ Hits          2587     2600      +13     
- Misses           0        4       +4     
- Partials         0        1       +1     


@xxiaoxiong
Author

Closing this PR as @abhu85's PR #2689 was submitted earlier and addresses the same issue (#2511). Their implementation is the original fix.

@xxiaoxiong xxiaoxiong closed this May 28, 2026

Development

Successfully merging this pull request may close these issues.

isJWT does not check whether the decoded sections are valid JSON
