feat: add IAuthenticator interface and TokenAuthenticator with constant-time comparison

tests/NATS.Server.Tests/TokenAuthenticatorTests.cs

@@ -0,0 +1,62 @@
+using NATS.Server.Auth;
+using NATS.Server.Protocol;
+
+namespace NATS.Server.Tests;
+
+public class TokenAuthenticatorTests
+{
+    [Fact]
+    public void Returns_result_for_correct_token()
+    {
+        var auth = new TokenAuthenticator("secret-token");
+        var ctx = new ClientAuthContext
+        {
+            Opts = new ClientOptions { Token = "secret-token" },
+            Nonce = [],
+        };
+
+        var result = auth.Authenticate(ctx);
+
+        result.ShouldNotBeNull();
+        result.Identity.ShouldBe("token");
+    }
+
+    [Fact]
+    public void Returns_null_for_wrong_token()
+    {
+        var auth = new TokenAuthenticator("secret-token");
+        var ctx = new ClientAuthContext
+        {
+            Opts = new ClientOptions { Token = "wrong-token" },
+            Nonce = [],
+        };
+
+        auth.Authenticate(ctx).ShouldBeNull();
+    }
+
+    [Fact]
+    public void Returns_null_when_no_token_provided()
+    {
+        var auth = new TokenAuthenticator("secret-token");
+        var ctx = new ClientAuthContext
+        {
+            Opts = new ClientOptions(),
+            Nonce = [],
+        };
+
+        auth.Authenticate(ctx).ShouldBeNull();
+    }
+
+    [Fact]
+    public void Returns_null_for_different_length_token()
+    {
+        var auth = new TokenAuthenticator("secret-token");
+        var ctx = new ClientAuthContext
+        {
+            Opts = new ClientOptions { Token = "short" },
+            Nonce = [],
+        };
+
+        auth.Authenticate(ctx).ShouldBeNull();
+    }
+}