Skip to content

fix(sign): prevent double callback when payload already has a property #1002

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(sign): prevent double callback when payload already has a property #1002

wants to merge 1 commit into from

Conversation

@maishivamhoo123
Copy link

@maishivamhoo123 maishivamhoo123 commented Nov 7, 2025

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

This PR fixes a bug in jwt.sign() where the callback is called twice when the payload already contains a property that conflicts with options. For example, when payload.iss exists and options.issuer is also provided, the callback was triggered once with an error and then again with a token.

The root cause was that Object.keys(options_to_payload).forEach(...) with return failure(err) only returned from the callback, not the parent function, allowing the signing logic to continue and call the callback a second time.

Solution:

Replaced .forEach() with a for...of loop so return failure(err) exits the sign() function immediately.

Added a regression test to ensure the callback is called only once in conflict scenarios.

No breaking changes to the API.

References

Fixes GitHub issue: #1000

Screenshot 2025-11-07 192917

Include any links supporting this change such as a:

  • GitHub Issue/PR number addressed or fixed
  • Auth0 Community post
  • StackOverflow post
  • Support forum thread
  • Related pull requests/issues from other repos

If there are no references, simply delete this section.

Added a regression test in test/callback-issue.test.js:

const assert = require('assert');
const jwt = require('../index.js');

describe('jwt.sign callback fix', function () {
it('should call callback only once on payload/options conflict', function (done) {
let callbackCount = 0;

jwt.sign(
  { iss: 'bar', iat: 1757476476 },
  'secret',
  { algorithm: 'HS256', issuer: 'foo' },
  (err) => {
    callbackCount++;
    assert.ok(err);
    assert.strictEqual(
      err.message,
      'Bad "options.issuer" option. The payload already has an "iss" property.'
    );
    assert.strictEqual(callbackCount, 1);
    done();
  }
);

});
});

All existing tests pass.

Regression test verifies callback is called only once.

Developed and tested in Node.js v22.19.0 on Linux (WSL/Debian).

This change adds test coverage for the fixed functionality.

Checklist

I have added tests for the fixed functionality

All active GitHub checks for tests, formatting, and security are passing

The correct base branch is being used (master).

@maishivamhoo123
Copy link
Author

maishivamhoo123 commented Nov 11, 2025
edited
Loading

@jpadilla @siacomuzzi and @team can you please review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@maishivamhoo123