Use constant-time comparison for admin basic auth password checks #447

@prk-Jr

Description

enforce_basic_auth currently validates credentials using standard string equality (credentials.password == expected_password), which is a non-constant-time comparison path. This creates a timing side-channel that can leak password prefix information and aid brute-force attempts against admin credentials.

Steps to reproduce

  1. Configure trusted-server.toml with a non-empty admin password.
  2. Send multiple Authorization: Basic ... requests with incorrect passwords that progressively match longer prefixes of the real password.
  3. Compare response latency across attempts.
  4. Observe measurable timing differences correlated with partial matches.

Expected behavior

Admin authentication should use constant-time comparison so valid and invalid credentials have equivalent timing characteristics.

Affected area

  • Fastly runtime

Version

HEAD on main at time of report.

Relevant log output

Not applicable (timing behavior is behavioral, not an exception/error path).

Additional context

Parent issue: #396 (Production readiness)

Source: test_gap.md — "Timing attack in password comparison" finding.

Done when

  • Replace password equality check with constant-time comparison in auth enforcement.
  • Add unit test coverage that exercises both valid/invalid credentials and documents constant-time intent.
  • Confirm no behavior change for valid/invalid auth response codes.
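Added example, not code from the trusted-server repository: the timing-leaky `==` check the issue describes, next to a std-only constant-time comparison that the "Done when" list asks for. `Credentials`, `password_matches_leaky`, `password_matches` and `constant_time_eq` are hypothetical names chosen for this illustration; in a real code base the `subtle` crate's `ConstantTimeEq` is the usual choice, and the example avoids it only so that it compiles with no dependencies.

```rust
// Added example (not trusted-server's own code): constant-time password
// comparison for a basic-auth check, shown beside the leaky `==` form.
// All names below are hypothetical stand-ins for the project's real types.
use std::hint::black_box;

/// Decoded basic-auth credentials (hypothetical stand-in for whatever
/// `enforce_basic_auth` compares against the configured admin password).
pub struct Credentials {
    pub username: String,
    pub password: String,
}

/// The pattern the issue reports: slice equality returns at the first
/// mismatching byte, so response latency grows with the length of the
/// correctly guessed prefix.
pub fn password_matches_leaky(creds: &Credentials, expected_password: &str) -> bool {
    creds.password == expected_password
}

/// Compare two byte strings without a data-dependent early exit.
///
/// Every position up to the longer length is visited, the XOR of each byte
/// pair is OR-folded into `acc`, and the result is read only once at the end.
/// A length mismatch is folded in too, so unequal-length inputs still run the
/// full loop. What stays observable is the *length* of the expected password
/// (the loop bound), not any of its bytes; hashing both sides first (e.g.
/// SHA-256) and comparing the digests hides the length as well.
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    let n = a.len().max(b.len());
    // Start at 1 if the lengths differ; the loop can only OR more bits in.
    let mut acc: u8 = (a.len() != b.len()) as u8;
    for i in 0..n {
        // Out-of-range positions read as 0. The branch inside `get` depends
        // on `i` versus the lengths, never on the secret bytes themselves.
        let x = *a.get(i).unwrap_or(&0);
        let y = *b.get(i).unwrap_or(&0);
        // black_box discourages the optimizer from rewriting this into an
        // early-exit compare; it is a hint, not a hardware guarantee.
        acc = black_box(acc | (x ^ y));
    }
    acc == 0
}

/// Hardened form of the check. It returns exactly the same bool as the leaky
/// version for every input, so valid/invalid auth response codes do not change.
pub fn password_matches(creds: &Credentials, expected_password: &str) -> bool {
    constant_time_eq(creds.password.as_bytes(), expected_password.as_bytes())
}

fn main() {
    // Constructed sample: a configured admin password and guesses that match
    // progressively longer prefixes, as in the issue's reproduction steps.
    let expected = "correct horse battery staple";
    for guess in ["c", "correct h", "correct horse battery stapl", expected] {
        let creds = Credentials { username: "admin".to_string(), password: guess.to_string() };
        println!(
            "{:?}: leaky={} constant_time={}",
            guess,
            password_matches_leaky(&creds, expected),
            password_matches(&creds, expected)
        );
    }
}
```

A unit test can pin down the functional contract (same true/false result as the old check for every input, including empty and length-mismatched passwords) and document the constant-time intent in its name and comments; it cannot reliably assert on timing, so the structural argument in the comments is what reviewers should check.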
