Prevent timing attack on CSRF, completing wonderful pr by @eutopian

[jhartzler]

Attempting to complete the CSRF fix introduced in #123 by @eutopian
It looks like that PR has been untouched since 2021 so opening a new one that is up to date with latest master and implements the renamed test that was suggested

[jhartzler]

@BobbyMcWho @nov do either of you have write access? 🙏
New contributor just trying to fix a vuln, if you are around thank you so much in advance for your time!

[jhartzler]

Let me fix this build error

[BobbyMcWho]

Suggested change

	elsif !options.provider_ignores_state && (request.params["state"].to_s.empty? || !secure_compare(request.params["state"], session.delete("omniauth.state")))
	if !options.provider_ignores_state && (request.params["state"].to_s.empty? || !secure_compare(request.params["state"], session.delete("omniauth.state")))

[jhartzler]

Thanks for the review. Looks like I didn't copy from the initial PR properly

[jhartzler]

Running specs locally it looks like there might be some more work to reconcile this PR with master. I'm looking into it

[jhartzler]

Alright everything should be fixed now as far as I can tell. Specs pass locally.

[jhartzler]

@BobbyMcWho thank you for the earlier review and code suggestion
Not sure what your cadence/availability is but when you get a chance could I get a workflow kickoff and a re review?

[jhartzler]

I will buy someone a coffee if they review this PR lol

[BobbyMcWho]

No coffee needed, I don't mind merging, but the whole release process is the headache

[jhartzler]

Haha thank you for the review + merge
I'm guessing there's nothing I can do to help the release process along?

[BobbyMcWho]

I just haven't released on this laptop yet so I gotta do some pre requisite installs, that's all

[BobbyMcWho]

Release v1.9.0 available on Rubygems