Ensure strings are compared with hash_equals

For time-constant string comparison, we need to use a better comparison
than PHP's built-in `===` operator. WordPress has the hash_equals
function to do this, available since 3.9.2.

Thanks to @sarciszewski for reporting this responsibly, and apologies to
him for our late response.

Author: rmccue

lib/class-wp-json-authentication-oauth1.php

@@ -287,7 +287,7 @@ public function check_token( $token, $consumer_key ) {
 			return $consumer;
 		}
 
-		if ( $token['consumer'] !== $consumer->ID ) {
+		if ( ! hash_equals( $token['consumer'], $consumer->ID ) ) {
 			return new WP_Error( 'json_oauth1_consumer_mismatch', __( 'Token is not registered for the given consumer' ), array( 'status' => 401 ) );
 		}
 
@@ -559,7 +559,7 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul
 
 		$signature = base64_encode( hash_hmac( $hash_algorithm, $string_to_sign, $key, true ) );
 
-		if ( $signature !== $consumer_signature ) {
+		if ( ! hash_equals( $signature, $consumer_signature ) ) {
 			return new WP_Error( 'json_oauth1_signature_mismatch', __( 'OAuth signature does not match' ), array( 'status' => 401 ) );
 		}