fix(sign): fix sign parameters type and usage

The payload and signOptions parameters have incorrect type checking,
therefore possibly breaking the jsonwebtoken source code
passing invalid payload and sign options.
Scenario: if "expiresIn" has been set in the nestjs module and uses payload
as a string, it'll break the code, because jsonwebtoken does not allow the use
of "expiresIn" option with a string payload.
In order to solve the problem, it is necessary predict the developer's behavior using types.
Also throw an error in case of incorrect use of the sign method of the JwtService class.

Author: hender-fp

lib/jwt.service.ts

@@ -18,6 +18,11 @@ export class JwtService {
     private readonly options: JwtModuleOptions = {}
   ) {}
 
+  sign(
+    payload: string,
+    options?: Omit<JwtSignOptions, keyof jwt.SignOptions>
+  ): string;
+  sign(payload: Buffer | object, options?: JwtSignOptions): string;
   sign(payload: string | Buffer | object, options?: JwtSignOptions): string {
     const signOptions = this.mergeJwtOptions(
       { ...options },
@@ -30,9 +35,29 @@ export class JwtService {
       JwtSecretRequestType.SIGN
     );
 
+    const allowedSignOptKeys = ['secret', 'privateKey'];
+    const signOptKeys = Object.keys(signOptions);
+    if (
+      typeof payload === 'string' &&
+      signOptKeys.some((k) => !allowedSignOptKeys.includes(k))
+    ) {
+      throw new Error(
+        'Not allowed payload as string with these sign options: ' +
+          signOptKeys.join(', ')
+      );
+    }
+
     return jwt.sign(payload, secret, signOptions);
   }
 
+  signAsync(
+    payload: string,
+    options?: Omit<JwtSignOptions, keyof jwt.SignOptions>
+  ): Promise<string>;
+  signAsync(
+    payload: Buffer | object,
+    options?: JwtSignOptions
+  ): Promise<string>;
   signAsync(
     payload: string | Buffer | object,
     options?: JwtSignOptions
@@ -48,6 +73,18 @@ export class JwtService {
       JwtSecretRequestType.SIGN
     );
 
+    const allowedSignOptKeys = ['secret', 'privateKey'];
+    const signOptKeys = Object.keys(signOptions);
+    if (
+      typeof payload === 'string' &&
+      signOptKeys.some((k) => !allowedSignOptKeys.includes(k))
+    ) {
+      throw new Error(
+        'Not allowed payload as string with these sign options: ' +
+          signOptKeys.join(', ')
+      );
+    }
+
     return new Promise((resolve, reject) =>
       jwt.sign(payload, secret, signOptions, (err, encoded) =>
         err ? reject(err) : resolve(encoded)