Reintroduce Timing-Safe Signature Verification in v2 Webhook Parser

[Yang-33]

Resolve #428

In v1, we had a constant-time signature comparison to mitigate timing attacks.

• line-bot-sdk-ruby/lib/line/bot/v1/client.rb

  Lines 1654 to 1691 in a6db291

  	# Validate signature of a webhook event.
  	#
  	# https://developers.line.biz/en/reference/messaging-api/#signature-validation
  	#
  	# @param content [String] Request's body
  	# @param channel_signature [String] Request'header 'X-LINE-Signature' # HTTP_X_LINE_SIGNATURE
  	#
  	# @return [Boolean]
  	def validate_signature(content, channel_signature)
  	return false if !channel_signature || !channel_secret
  	hash = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), channel_secret, content)
  	signature = Base64.strict_encode64(hash)
  	variable_secure_compare(channel_signature, signature)
  	end
  	private
  	# Constant time string comparison.
  	#
  	# via timing attacks.
  	# reference: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
  	# @return [Boolean]
  	def variable_secure_compare(a, b)
  	secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
  	end
  	# @return [Boolean]
  	def secure_compare(a, b)
  	return false unless a.bytesize == b.bytesize
  	l = a.unpack "C#{a.bytesize}"
  	res = 0
  	b.each_byte { |byte| res |= byte ^ l.shift }
  	res == 0
  	end

In v2(before release), this check was removed. This patch reintroduces timing-safe verification, ensuring that the request body and the x-line-signature header are validated without leaking timing information.