jwt.verify is not async based on callback

[jazelly]

Description

jwt.verify(token, secretOrPublicKey, [options, callback])
(Asynchronous) If a callback is supplied, function acts asynchronously. The callback is called with the decoded payload if the signature is valid and optional expiration, audience, or issuer are valid. If not, it will be called with the error.
(Synchronous) If a callback is not supplied, function acts synchronously. Returns the payload decoded if the signature is valid and optional expiration, audience, or issuer are valid. If not, it will throw the error.

Based on the doc, if a callback is supplied, function acts asynchronously. However, it is still a sync operation, considering the following example

jwt.verify(
  'token',
  'secret',
  () => {
    console.log(1);
  }
)
console.log(0);
// 1
// 0

I would expect it's 1 after 0 if it does async operation.

By looking at the implementation, looks like whether or not jwt.verify does async operation is purely based on the behaviour in secretOrPublicKey when it's provided as a function.

node-jsonwebtoken/verify.js

Line 101 in bc28861

return getSecret(header, function(err, secretOrPublicKey) {

[nikwen]

By looking at the implementation, looks like whether or not jwt.verify does async operation is purely based on the behaviour in secretOrPublicKey when it's provided as a function.

Related: #566 (comment)