Fix/regex non deterministic validation

[antoatta85]

fix: reset RegExp lastIndex before claim validation to prevent non-deterministic verification

Vulnerability

RegExp.prototype.test() is stateful when the /g or /y flags are set — each call mutates lastIndex on the same object. ensureStringClaimMatcher() in src/verifier.js returned RegExp objects directly, and validateClaimValues() called .test() on them repeatedly without resetting lastIndex. This caused every second verification call to fail for perfectly valid tokens, producing an alternating PASS/FAIL pattern across all allowed* claim options (allowedAud, allowedIss, allowedSub, allowedJti, allowedNonce).

The result is a logical denial-of-service: ~50% of valid authentication requests are rejected when any allowed* option uses a RegExp with /g or /y.

Fix

In ensureStringClaimMatcher() (src/verifier.js), RegExp instances are now wrapped in a closure that resets lastIndex = 0 before each .test() call:

if (r instanceof RegExp) {
  return { test: v => { r.lastIndex = 0; return r.test(v) } }
}

Custom matcher objects (anything else with a .test method) and string-based matchers are unaffected.

Tests added (test/verifier.spec.js)

• stateful RegExp /g flag must not cause non-deterministic claim validation - allowedAud
• stateful RegExp /y flag must not cause non-deterministic claim validation - allowedAud
• stateful RegExp /g flag must not cause non-deterministic claim validation - allowedIss
• stateful RegExp /g flag must not cause non-deterministic claim validation - allowedSub
• stateful RegExp /g flag must not cause non-deterministic claim validation - allowedJti
• stateful RegExp /g flag must not cause non-deterministic claim validation - allowedNonce

Each test verifies that 8 consecutive calls with the same valid token all succeed when a stateful RegExp is used in the corresponding allowed* option.

FIXES #592

[martin-badin]

@antoatta85 Could you fix this build?