feat: add IAuthenticator interface and TokenAuthenticator with constant-time comparison

src/NATS.Server/Auth/TokenAuthenticator.cs

@@ -0,0 +1,28 @@
+using System.Security.Cryptography;
+using System.Text;
+
+namespace NATS.Server.Auth;
+
+public sealed class TokenAuthenticator : IAuthenticator
+{
+    private readonly byte[] _expectedToken;
+
+    public TokenAuthenticator(string token)
+    {
+        _expectedToken = Encoding.UTF8.GetBytes(token);
+    }
+
+    public AuthResult? Authenticate(ClientAuthContext context)
+    {
+        var clientToken = context.Opts.Token;
+        if (string.IsNullOrEmpty(clientToken))
+            return null;
+
+        var clientBytes = Encoding.UTF8.GetBytes(clientToken);
+
+        if (!CryptographicOperations.FixedTimeEquals(clientBytes, _expectedToken))
+            return null;
+
+        return new AuthResult { Identity = "token" };
+    }
+}