auth0 · ej-shafran · Nov 3, 2023 · dubzzz · Jan 31, 2024
diff --git a/sign.js b/sign.js
@@ -45,13 +45,13 @@ function validate(schema, allowUnknown, object, parameterName) {
   }
   Object.keys(object)
     .forEach(function(key) {
-      const validator = schema[key];
-      if (!validator) {
+      if (!Object.prototype.hasOwnProperty.call(schema, key)) {
         if (!allowUnknown) {
           throw new Error('"' + key + '" is not allowed in "' + parameterName + '"');
         }
         return;
       }
+      const validator = schema[key];
       if (!validator.isValid(object[key])) {
         throw new Error(validator.message);
       }

diff --git a/test/issue_945.tests.js b/test/issue_945.tests.js
@@ -0,0 +1,12 @@
+const jwt = require("..");
+
+const KEY = "any_key";
+
+describe("issue 945 - validator.isValid is not a function", () => {
+  it("should work", () => {
+    jwt.sign({ hasOwnProperty: null }, KEY);
+    jwt.sign({ valueOf: null }, KEY);
+    jwt.sign({ toString: null }, KEY);
+    jwt.sign({ __proto__: null }, KEY);
+  });
+});