fix(security): compare poorman's auth token in constant time#9736

Merged
matthewmcneely merged 1 commit into dgraph-io:main from alhudz:poorman-auth-constant-time on Jun 19, 2026
Conversation

@alhudz alhudz commented Jun 10, 2026

Contributor

Description

hasPoormansAuth gates Alter over gRPC (edgraph/server.go) and the /admin/* HTTP routes (dgraph/cmd/alpha/admin.go) by checking the --security token against the caller-supplied auth-token gRPC metadata / X-Dgraph-AuthToken header. Both checks use != on strings, which short-circuits on the first differing byte, so the reply time tracks the length of the matching prefix and leaks the token a byte at a time to an unauthenticated caller.

Switch both checks to crypto/subtle.ConstantTimeCompare, the same primitive already used for the JWT audience check in graphql/authorization/auth.go. Keeping the constant-time compare inside the two hasPoormansAuth helpers covers every route behind the token without each handler repeating the guard.

repro: a microbenchmark of the naive != against a 61-byte token reads 2.2 ns/op when the first byte differs versus 3.7 ns/op when only the last byte differs (rising with the matching prefix); subtle.ConstantTimeCompare stays flat at ~21 ns/op wherever the mismatch falls.

Checklist

  • The PR title follows the Conventional Commits syntax, leading with fix:, feat:, chore:, ci:, etc.
  • Code compiles correctly and linting (via trunk) passes locally
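The comparison the PR describes, as an added example that is not Dgraph's code and not the PR's diff: the naive `==` / `!=` form beside the `subtle.ConstantTimeCompare` form, a header-side gate shaped like the HTTP check, and a small timing loop so the prefix-dependent cost of the naive comparison can be reproduced locally. It goes one step beyond the fix with a hashed variant, since `subtle.ConstantTimeCompare` returns early when the two lengths differ and therefore still exposes the token's length. All function names, the "empty token disables the check" rule and the sample token are assumptions made for this example; only the header name `X-Dgraph-AuthToken` and the 61-byte length come from the PR text.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// naiveTokenMatch is the "before" form. Go compares strings byte by byte and
// stops at the first mismatch, so its running time grows with the length of
// the prefix shared by the configured token and the caller-supplied value.
// (Hypothetical name; not the project's helper.)
func naiveTokenMatch(configured, supplied string) bool {
	return configured == supplied
}

// constantTimeTokenMatch is the "after" form the fix switches to. The loop in
// subtle.ConstantTimeCompare visits every byte regardless of where the first
// difference sits. Caveat: it returns 0 immediately when the lengths differ,
// so the token's length is not hidden from a timing observer.
func constantTimeTokenMatch(configured, supplied string) bool {
	return subtle.ConstantTimeCompare([]byte(configured), []byte(supplied)) == 1
}

// hashedTokenMatch goes beyond the PR: hashing both sides first gives two
// fixed-length digests, so neither the matching prefix nor the length of the
// configured token is observable through timing.
func hashedTokenMatch(configured, supplied string) bool {
	a := sha256.Sum256([]byte(configured))
	b := sha256.Sum256([]byte(supplied))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

// hasPoormansAuthHTTP mirrors the shape of an HTTP-side gate: an empty
// configured token disables the check (assumption for this example);
// otherwise the X-Dgraph-AuthToken header must match in constant time.
func hasPoormansAuthHTTP(r *http.Request, configured string) bool {
	if configured == "" {
		return true
	}
	return constantTimeTokenMatch(configured, r.Header.Get("X-Dgraph-AuthToken"))
}

// timeCompare runs cmp n times on (a, b) and returns the wall-clock cost so
// the reader can reproduce the prefix-dependent timing of the naive form.
// Absolute numbers vary by machine; only the trend matters.
func timeCompare(cmp func(string, string) bool, a, b string, n int) time.Duration {
	start := time.Now()
	for i := 0; i < n; i++ {
		cmp(a, b)
	}
	return time.Since(start)
}

func main() {
	// Constructed 61-byte token, the length used in the PR's microbenchmark.
	token := strings.Repeat("k", 61)
	firstByteOff := "x" + token[1:]
	lastByteOff := token[:60] + "x"
	const n = 5_000_000

	for _, tc := range []struct {
		name string
		cmp  func(string, string) bool
	}{
		{"naive ==", naiveTokenMatch},
		{"subtle.ConstantTimeCompare", constantTimeTokenMatch},
		{"sha256 + ConstantTimeCompare", hashedTokenMatch},
	} {
		fmt.Printf("%-30s first byte differs: %v  last byte differs: %v\n",
			tc.name,
			timeCompare(tc.cmp, token, firstByteOff, n),
			timeCompare(tc.cmp, token, lastByteOff, n))
	}

	req, _ := http.NewRequest("GET", "/admin/state", nil)
	req.Header.Set("X-Dgraph-AuthToken", token)
	fmt.Println("header gate passes with correct token:", hasPoormansAuthHTTP(req, token))
}
```

Run it a few times and compare the two columns: the naive row should show the last-byte mismatch costing noticeably more than the first-byte mismatch, while the two constant-time rows stay flat. Keeping the compare inside the gate helper, as the PR does, means every route behind the token benefits without each handler repeating the guard.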

@alhudz alhudz requested a review from a team as a code owner June 10, 2026 05:08
@matthewmcneely matthewmcneely enabled auto-merge (squash) June 19, 2026 19:49
@matthewmcneely matthewmcneely merged commit af14b3f into dgraph-io:main Jun 19, 2026
26 of 28 checks passed