
ct_eq_bytes

Function ct_eq_bytes 

pub fn ct_eq_bytes(a: &[u8], b: &[u8]) -> bool

Constant-time equality for two byte slices.

Compares every byte of the shorter slice — the time taken depends only on min(a.len(), b.len()) and on whether the lengths match, never on the position of the first mismatching byte.

Leaking the length of the secret is unavoidable in HTTP Basic Auth (the credentials live in a fixed-length header), and any attempt to hide the length would either dilate runtime for legitimate requests or still be observable. What this protects against is the byte-wise prefix oracle.
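The prefix oracle and the documented timing property can be seen by counting how many bytes each comparison examines. This is an added illustration, not this crate's implementation: `naive_eq_counted` and `ct_eq_sketch_counted` are hypothetical names, and the credential strings are constructed samples.

```rust
use std::hint::black_box;

/// Early-exit comparison (the pattern to avoid): returns (equal, bytes examined).
/// The examined count, and so the running time, tracks the matching prefix.
fn naive_eq_counted(a: &[u8], b: &[u8]) -> (bool, usize) {
    if a.len() != b.len() {
        return (false, 0);
    }
    for (i, (x, y)) in a.iter().zip(b).enumerate() {
        if x != y {
            return (false, i + 1); // stops at the first mismatch
        }
    }
    (true, a.len())
}

/// Sketch of the documented behaviour (an assumption about how such a
/// function can be written): always walks min(a.len(), b.len()) bytes.
fn ct_eq_sketch_counted(a: &[u8], b: &[u8]) -> (bool, usize) {
    let mut diff: u8 = 0;
    let mut examined = 0usize;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y; // accumulate differences, never branch on them
        examined += 1;
    }
    // black_box is a best-effort hint that discourages the optimizer from
    // turning the accumulation back into an early exit.
    let same_bytes = black_box(diff) == 0;
    ((a.len() == b.len()) & same_bytes, examined)
}

fn main() {
    let secret = b"hunter2:s3cret"; // constructed sample credential
    let guesses: [&[u8]; 4] =
        [b"xunter2:s3cret", b"hunter2:s3creX", b"hunter2:s3cret", b"hunter2"];
    for guess in guesses {
        println!(
            "{:<16} naive={:?} ct={:?}",
            String::from_utf8_lossy(guess),
            naive_eq_counted(secret, guess),
            ct_eq_sketch_counted(secret, guess)
        );
    }
}
```

For same-length guesses the naive count ranges from 1 to 14 depending on where the mismatch sits, while the sketch always reports 14; only the length difference in the last guess changes its count.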