fix: use timing-safe comparison for OPER credentials

Replace plain != string comparison with crypto/subtle.ConstantTimeCompare
for both operator name and password checks in handleOper to prevent
timing-based side-channel attacks.

Closes review feedback on PR #82.

internal/handlers/api.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"context"
+	"crypto/subtle"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -3186,7 +3187,8 @@ func (hdlr *Handlers) handleOper(
 	cfgPass := hdlr.params.Config.OperPassword
 
 	if cfgName == "" || cfgPass == "" ||
-		operName != cfgName || operPass != cfgPass {
+		subtle.ConstantTimeCompare([]byte(operName), []byte(cfgName)) != 1 ||
+		subtle.ConstantTimeCompare([]byte(operPass), []byte(cfgPass)) != 1 {
 		hdlr.enqueueNumeric(
 			ctx, clientID, irc.ErrNoOperHost, nick,
 			nil, "No O-lines for your host",