Passwords: check in constant time

The default password comparison logic does not use
constant time validation. Switching to constant time
offers a meager improvement by removing a timing
oracle.

A prepatory step in moving to Argon2id password storage, since we'll need this change anyway after
for validating existing passwords.

Co-authored-by: Graham Christensen <graham@grahamc.com>

src/lib/Hydra/Schema/Users.pm

@@ -195,6 +195,9 @@ __PACKAGE__->many_to_many("projects", "projectmembers", "project");
 # Created by DBIx::Class::Schema::Loader v0.07049 @ 2020-02-06 12:22:36
 # DO NOT MODIFY THIS OR ANYTHING ABOVE! md5sum:4/WZ95asbnGmK+nEHb4sLQ
 
+use Digest::SHA1 qw(sha1_hex);
+use String::Compare::ConstantTime;
+
 my %hint = (
     columns => [
         "fullname",
@@ -210,4 +213,10 @@ sub json_hint {
     return \%hint;
 }
 
+sub check_password {
+    my ($self, $password) = @_;
+
+    return String::Compare::ConstantTime::equals($self->password, sha1_hex($password));
+}
+
 1;