Apply subtle.WithDataIndependentTiming to token check

Once again, I am forced to trust myself with this power. It's not, like,
some horrible violation that there's an `==` in here, right?

Either way, since I am generally running this on arm64, I suppose some
weird things could start to happen without this.

Author: ahamlinman

go.mod

@@ -1,6 +1,6 @@
 module github.com/ahamlinman/randomizer
 
-go 1.23
+go 1.24.0
 
 require (
 	cloud.google.com/go/firestore v1.18.0

internal/slack/slack.go

@@ -73,14 +73,17 @@ func (a App) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	a.writeResult(w, result)
 }
 
-func (a App) isTokenValid(ctx context.Context, params url.Values) (bool, error) {
+func (a App) isTokenValid(ctx context.Context, params url.Values) (ok bool, _ error) {
 	gotToken := params.Get("token")
 	wantToken, err := a.TokenProvider(ctx)
 	if err != nil {
 		return false, err
 	}
 
-	return subtle.ConstantTimeCompare([]byte(gotToken), []byte(wantToken)) == 1, nil
+	subtle.WithDataIndependentTiming(func() {
+		ok = subtle.ConstantTimeCompare([]byte(gotToken), []byte(wantToken)) == 1
+	})
+	return
 }
 
 func (a App) runRandomizer(ctx context.Context, params url.Values) (randomizer.Result, error) {