fix: prevent double callback invocation on payload conflict

[abhu85]

Summary

When jwt.sign() is called with a callback and the payload already contains a claim (iss, sub, aud, jti) that conflicts with a corresponding option (issuer, subject, audience, jwtid), the callback was being invoked twice: once with the error, and again with the signed token.

Root Cause

The forEach loop at sign.js:217-225 used return failure() to report the error, but return inside a forEach callback only exits that callback function, not the outer sign() function. The loop continued processing remaining keys, and execution proceeded to sign and return the token via callback.

Fix

Replace forEach with a for...of loop so that return failure() correctly exits the outer function immediately upon detecting a conflict.

Before

Object.keys(options_to_payload).forEach(function (key) {
  const claim = options_to_payload[key];
  if (typeof options[key] !== 'undefined') {
    if (typeof payload[claim] !== 'undefined') {
      return failure(new Error('Bad "options.' + key + '" option...'));
    }
    payload[claim] = options[key];
  }
});

After

for (const key of Object.keys(options_to_payload)) {
  const claim = options_to_payload[key];
  if (typeof options[key] !== 'undefined') {
    if (typeof payload[claim] !== 'undefined') {
      return failure(new Error('Bad "options.' + key + '" option...'));
    }
    payload[claim] = options[key];
  }
}

Test Plan

• Added test/issue_1000.tests.js with 9 test cases covering:
  • Callback is called exactly once for each conflicting claim type (iss, sub, aud, jti)
  • Callback is called exactly once with multiple simultaneous conflicts
  • Valid tokens still work correctly (no regressions)
  • Synchronous sign behavior unchanged
• All 520 tests pass

Fixes #1000