replace timing attack prone sample auth code

[jkraemer]

It's just sample code but I guess everybody just copy'n'pastes this anyway, so it might as well be safe :)

[andyatkinson]

@jkraemer This looks straightforward to merge, however would you be able to amend the commit and put a link to some details on the timing attack and why this approach prevents it? Thanks.

[jkraemer]

Hi, basically the problem is that == takes different time to execute depending on what strings are compared. The relevant Rails-related CVE that led to the introduction of the variable_size_secure_compare method is https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576

[litenup]

Here's an example with Devise (warden) for reference. Perhaps consider adding to readme too?

match "/delayed_job" => DelayedJobWeb, :anchor => false, via: [:get, :post], :constraints => lambda 
  { |request|
    request.env['warden'].authenticate! unless request.env['warden'].authenticated?
  }

or with rolify support.

match "/delayed_job" => DelayedJobWeb, :anchor => false, via: [:get, :post], :constraints => lambda 
  { |request|
    if request.env['warden'].authenticated?
      request.env['warden'].user.has_role? :admin
    else
      request.env['warden'].authenticate! 
    end
  }