Fix a timing attack issue with CSRF token validation.

[katanacrimson]

Replacing the lazy string comparison with a constant-time string comparison provided by nodejs's internal crypto module.