fix: use constant-time comparison for auth token (CWE-208)

Replace direct === comparison with crypto.timingSafeEqual via SHA-256
digest to prevent timing-based token extraction attacks.

- No behavioral change for valid authentication flows
- Uses stdlib only (crypto) — no new dependencies

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: spidershield-contrib

src/mcp/auth/AuthMiddleware.ts

@@ -3,6 +3,17 @@
  */
 
 import { IncomingMessage, ServerResponse } from "http";
+import { timingSafeEqual, createHash } from "crypto";
+
+function safeEqual(a: string, b: string): boolean {
+	try {
+		const hashA = createHash("sha256").update(a).digest();
+		const hashB = createHash("sha256").update(b).digest();
+		return timingSafeEqual(hashA, hashB);
+	} catch {
+		return false;
+	}
+}
 
 export class AuthMiddleware {
 	constructor(private authToken: string) {}
@@ -19,7 +30,7 @@ export class AuthMiddleware {
 		if (!parsed) {
 			return false;
 		}
-		return parsed.token === this.authToken;
+		return safeEqual(parsed.token, this.authToken);
 	}
 
 	/**