feat: add IAuthenticator interface and TokenAuthenticator with constant-time comparison

src/NATS.Server/Auth/AuthResult.cs

@@ -0,0 +1,9 @@
+namespace NATS.Server.Auth;
+
+public sealed class AuthResult
+{
+    public required string Identity { get; init; }
+    public string? AccountName { get; init; }
+    public Permissions? Permissions { get; init; }
+    public DateTimeOffset? Expiry { get; init; }
+}

src/NATS.Server/Auth/IAuthenticator.cs

@@ -0,0 +1,14 @@
+using NATS.Server.Protocol;
+
+namespace NATS.Server.Auth;
+
+public interface IAuthenticator
+{
+    AuthResult? Authenticate(ClientAuthContext context);
+}
+
+public sealed class ClientAuthContext
+{
+    public required ClientOptions Opts { get; init; }
+    public required byte[] Nonce { get; init; }
+}

src/NATS.Server/Auth/TokenAuthenticator.cs

@@ -0,0 +1,28 @@
+using System.Security.Cryptography;
+using System.Text;
+
+namespace NATS.Server.Auth;
+
+public sealed class TokenAuthenticator : IAuthenticator
+{
+    private readonly byte[] _expectedToken;
+
+    public TokenAuthenticator(string token)
+    {
+        _expectedToken = Encoding.UTF8.GetBytes(token);
+    }
+
+    public AuthResult? Authenticate(ClientAuthContext context)
+    {
+        var clientToken = context.Opts.Token;
+        if (string.IsNullOrEmpty(clientToken))
+            return null;
+
+        var clientBytes = Encoding.UTF8.GetBytes(clientToken);
+
+        if (!CryptographicOperations.FixedTimeEquals(clientBytes, _expectedToken))
+            return null;
+
+        return new AuthResult { Identity = "token" };
+    }
+}

tests/NATS.Server.Tests/TokenAuthenticatorTests.cs

@@ -0,0 +1,62 @@
+using NATS.Server.Auth;
+using NATS.Server.Protocol;
+
+namespace NATS.Server.Tests;
+
+public class TokenAuthenticatorTests
+{
+    [Fact]
+    public void Returns_result_for_correct_token()
+    {
+        var auth = new TokenAuthenticator("secret-token");
+        var ctx = new ClientAuthContext
+        {
+            Opts = new ClientOptions { Token = "secret-token" },
+            Nonce = [],
+        };
+
+        var result = auth.Authenticate(ctx);
+
+        result.ShouldNotBeNull();
+        result.Identity.ShouldBe("token");
+    }
+
+    [Fact]
+    public void Returns_null_for_wrong_token()
+    {
+        var auth = new TokenAuthenticator("secret-token");
+        var ctx = new ClientAuthContext
+        {
+            Opts = new ClientOptions { Token = "wrong-token" },
+            Nonce = [],
+        };
+
+        auth.Authenticate(ctx).ShouldBeNull();
+    }
+
+    [Fact]
+    public void Returns_null_when_no_token_provided()
+    {
+        var auth = new TokenAuthenticator("secret-token");
+        var ctx = new ClientAuthContext
+        {
+            Opts = new ClientOptions(),
+            Nonce = [],
+        };
+
+        auth.Authenticate(ctx).ShouldBeNull();
+    }
+
+    [Fact]
+    public void Returns_null_for_different_length_token()
+    {
+        var auth = new TokenAuthenticator("secret-token");
+        var ctx = new ClientAuthContext
+        {
+            Opts = new ClientOptions { Token = "short" },
+            Nonce = [],
+        };
+
+        auth.Authenticate(ctx).ShouldBeNull();
+    }
+}