fix: prevent unprotected header overwriting protected header

lepture · lepture · commit 2831990279c7 · 2025-08-27T15:51:56.000+09:00
authlib/authlib#337
diff --git a/src/joserfc/_rfc7515/model.py b/src/joserfc/_rfc7515/model.py
@@ -27,10 +27,12 @@ def __init__(self, protected: Header | None = None, header: Header | None = None
 
     def headers(self) -> Header:
         rv: Header = {}
-        if self.protected:
-            rv.update(self.protected)
         if self.header:
             rv.update(self.header)
+
+        # protected header is preferred
+        if self.protected:
+            rv.update(self.protected)
         return rv
 
     def set_kid(self, kid: str) -> None:
diff --git a/src/joserfc/_rfc7516/models.py b/src/joserfc/_rfc7516/models.py
@@ -41,11 +41,12 @@ def __init__(
 
     def headers(self) -> Header:
         rv: Header = {}
-        rv.update(self.__parent.protected)
         if isinstance(self.__parent, BaseJSONEncryption) and self.__parent.unprotected:
             rv.update(self.__parent.unprotected)
         if self.header:
             rv.update(self.header)
+
+        rv.update(self.__parent.protected)
         return rv
 
     def add_header(self, k: str, v: t.Any) -> None:
