module ActiveSupport::SecurityUtils

def secure_compare(a, b)

The values are first processed by SHA256, so that we don't leak length info
via timing attacks.

Constant time string comparison, for variable length strings.
# Compares two strings that may differ in length without exposing their
# lengths through comparison timing.
#
# Each input is reduced to its SHA256 digest first, so the helper
# fixed_length_secure_compare always receives two operands of the same size
# (a SHA256 digest is 32 bytes regardless of input length).
#
# The plain `a == b` is evaluated only once the digests have already matched;
# it confirms equality on the original values rather than on digests alone.
#
# NOTE(review): fixed_length_secure_compare is defined outside this block, and
# the constant-time property rests on it. Confirm against its definition.
#
# @param a [String] first value to compare
# @param b [String] second value to compare
# @return the helper's falsy result when the digests differ, otherwise the
#   result of `a == b`
def secure_compare(a, b)
  digest_a = ::Digest::SHA256.digest(a)
  digest_b = ::Digest::SHA256.digest(b)

  digests_match = fixed_length_secure_compare(digest_a, digest_b)
  # Hand back the helper's own falsy value untouched, as `&&` would.
  return digests_match unless digests_match

  a == b
end