From dd53082f54267924a4543cc0249dd64e3760ba5f Mon Sep 17 00:00:00 2001
From: Nadav0077 <18245584+Nadav0077@users.noreply.github.com>
Date: Fri, 17 Apr 2026 21:12:40 +0300
Subject: [PATCH] fix: propagate errors from async trusted callback
---
 jwt.js | 5 ++++-
 test/jwt.test.js | 34 +++++++++++++++++++++++++++++++++-
 2 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/jwt.js b/jwt.js
index 9dad95b..931b65a 100644
--- a/jwt.js
+++ b/jwt.js
@@ -520,7 +520,10 @@ function fastifyJwt (fastify, options, next) {

 if (maybePromise?.then) {
 maybePromise
- .then(trusted => trusted ? callback(null, result) : callback(new AuthorizationTokenUntrustedError()))
+ .then(
+ trusted => trusted ? callback(null, result) : callback(new AuthorizationTokenUntrustedError()),
+ err => callback(err)
+ )
 } else if (maybePromise) {
 callback(null, result)
 } else {
diff --git a/test/jwt.test.js b/test/jwt.test.js
index fd8b703..d536d00 100644
--- a/test/jwt.test.js
+++ b/test/jwt.test.js
@@ -1280,7 +1280,7 @@ test('sign and verify with RSA/ECDSA certificates and global options', async fun
 })

 test('sign and verify with trusted token', async function (t) {
- t.plan(2)
+ t.plan(3)

 await t.test('Trusted token verification', async function (t) {
 t.plan(2)
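Review bot: The new rejection handler `err => callback(err)` in the jwt.js hunk forwards the rejection reason unchanged, so a `trusted` promise that rejects with a falsy reason (`Promise.reject()` or `reject(null)`) would call `callback(undefined)`, which the error-first convention used two lines below (`callback(null, result)`) reads as "no error". The consumer of `callback` is outside this hunk, so what happens next needs confirming, but the handler should fail closed regardless of the reason's shape: `err => callback(err || new AuthorizationTokenUntrustedError())`. The subtest added in test/jwt.test.js only covers an `Error` reason; a second case with `trusted: () => Promise.reject()` would pin this. The enclosing function starts and ends outside the hunk.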
@@ -1340,6 +1340,38 @@ test('sign and verify with trusted token', async function (t) {

 t.assert.strictEqual(response.statusCode, 200)
 })
+
+ await t.test('Trusted token - async verification rejects', async function (t) {
+ t.plan(2)
+
+ const f = Fastify()
+ f.register(jwt, {
+ secret: 'test',
+ trusted: () => Promise.reject(new Error('boom'))
+ })
+ f.get('/', (request, reply) => {
+ request.jwtVerify()
+ .then(function (decodedToken) {
+ return reply.send(decodedToken)
+ })
+ .catch(function (error) {
+ return reply.code(500).send({ message: error.message })
+ })
+ })
+
+ const signer = createSigner({ key: 'test', jti: 'trusted' })
+ const token = signer({ foo: 'bar' })
+ const response = await f.inject({
+ method: 'get',
+ url: '/',
+ headers: {
+ authorization: `Bearer ${token}`
+ }
+ })
+
+ t.assert.strictEqual(response.statusCode, 500)
+ t.assert.strictEqual(response.json().message, 'boom')
+ })
 })

 test('decode', async function (t) {
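Review bot: The new subtest does not record why a rejecting `trusted` callback matters. Before this commit the single-argument `.then(...)` in jwt.js never invoked `callback` on rejection, which presumably left the request unanswered, so the property being pinned is that verification fails closed with an error. A one-line comment above the subtest would keep that intent visible, for example `// a rejecting trusted() must fail verification and surface the error, never leave the request pending`. The enclosing `test('sign and verify with trusted token', ...)` block starts outside the hunk.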