Perform constant equal comparison for shared Shields secret

This should prevent timing attacks.

lib/github-auth.js

@@ -59,7 +59,6 @@ function setRoutes(server) {
       if (!token) {
         return end('The GitHub OAuth process did not return a user token.');
       }
-      console.log('GitHub OAuth: ' + token);
 
       ask.res.setHeader('Content-Type', 'text/html');
       end('<p>Shields.io has received your app-specific GitHub user token. ' +
@@ -80,8 +79,7 @@ function setRoutes(server) {
   });
 
   server.route(/^\/github-auth\/add-token$/, function(data, match, end, ask) {
-    console.log('GitHub add token called with', JSON.stringify(data));
-    if (data.shieldsSecret !== serverSecrets.shieldsSecret) {
+    if (constEq(data.shieldsSecret, serverSecrets.shieldsSecret)) {
       // An unknown entity tries to connect. Let the connection linger for a minute.
       return setTimeout(function() { end('Invalid secret.'); }, 60000);
     }
@@ -249,5 +247,14 @@ function githubRequest(request, url, query, cb) {
   });
 }
 
+function constEq(a, b) {
+  if (a.length !== b.length) { return false; }
+  var zero = 0;
+  for (var i = 0; i < a.length; i++) {
+    zero |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return (zero === 0);
+}
+
 exports.setRoutes = setRoutes;
 exports.request = githubRequest;