Partial issuer matches instead of InvalidTokenError in 2.10.0 #1020

@awoimbee

Description

Impacts 2.10.0; the previous release (2.9.0) is not impacted.
It seems that if `issuer` is given as a string, then any partial match is allowed.

Expected Result

InvalidTokenError due to bad iss.

Actual Result

Token is accepted and decoded 😬

Reproduction Steps

This is incomplete:

```python
from typing import Any

import jwt

# _fetch_jwt_signing_key is the reporter's own helper and is not shown in the issue;
# it returns an object whose .key attribute holds the verification key for the token.


def decode_token(
    encoded_token: str,
) -> dict[str, Any]:
    signing_key = _fetch_jwt_signing_key(encoded_token)
    decode_options = {
        "verify_signature": True,
        "require": ["exp", "iss", "sub", "iat", "aud"],
    }
    return jwt.decode(
        encoded_token,
        key=signing_key.key,
        algorithms=["RS256", "ES256"],
        options=decode_options,
        issuer="https://test.example.com/auth",  # passed as a str, not a list
    )


# Shorthand from the report: a validly signed token whose payload contains the
# claims elided as "..." plus "iss": "http" is accepted instead of raising.
decode_token({
    ...,
    "iss": "http"
})
```

Note: this is fixed by replacing `issuer="https://test.example.com/auth"` by `issuer=["https://test.example.com/auth"]` (relates to #913).

System Information

```
$ python -m jwt.help
{
  "cryptography": {
    "version": "43.0.3"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.12.7"
  },
  "platform": {
    "release": "6.11.8-1-default",
    "system": "Linux"
  },
  "pyjwt": {
    "version": "2.10.0"
  }
}
```

