fix(callback): add length pre-check before constant-time state comparison

- Fail fast when state parameter length differs from expected,
  avoiding unnecessary memory allocation from maliciously large
  query values before the constant-time comparison

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: appleboy

callback.go

@@ -74,7 +74,8 @@ func startCallbackServer(
 
 		// Validate state (CSRF protection) using constant-time comparison.
 		state := q.Get("state")
-		if subtle.ConstantTimeCompare([]byte(state), []byte(expectedState)) != 1 {
+		if len(state) != len(expectedState) ||
+			subtle.ConstantTimeCompare([]byte(state), []byte(expectedState)) != 1 {
 			writeCallbackPage(w, false, "state_mismatch",
 				"State parameter does not match. Possible CSRF attack.")
 			sendResult(callbackResult{