Why this matters
The bug. Python's string __eq__ (and most languages') compares left-to-right and bails on the first non-matching byte. A 32-char token rejected at byte 1 returns faster than one rejected at byte 16. Over many requests, an attacker measures the median time per first-byte guess and brute-forces the token in O(len * alphabet) rather than O(alphabet ** len).
The fix. hmac.compare_digest (also available as secrets.compare_digest) takes the same time regardless of where bytes differ. It compares every position before returning.
Reality check. Modern networks add jitter that masks single-request timing, but attackers compensate with sample size. Don't rely on the network being noisy — use the constant-time API.
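An added illustration, not part of the original notes: the step counts below model the early-exit behaviour described above in deterministic terms (positions examined rather than wall-clock time), and `verify_token` is the hardened form using `hmac.compare_digest` on equal-length digests. The token value and function names are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed sample secret for the demo; not a real credential.
EXPECTED_TOKEN = "k7Qm2pZ9vX4tR1wB"


def naive_steps(expected: str, presented: str) -> tuple[bool, int]:
    """Early-exit comparison, the shape of str.__eq__ the notes describe.
    Returns (equal, positions examined). The step count is the side channel:
    it grows with the length of the matching prefix."""
    if len(expected) != len(presented):
        return False, 0
    for i, (x, y) in enumerate(zip(expected, presented), start=1):
        if x != y:
            return False, i
    return True, len(expected)


def constant_steps(expected: str, presented: str) -> tuple[bool, int]:
    """Fixed-work comparison: every position is examined and the mismatches
    are OR-folded into an accumulator, so there is no data-dependent return."""
    if len(expected) != len(presented):
        return False, 0
    acc = 0
    for x, y in zip(expected, presented):
        acc |= ord(x) ^ ord(y)
    return acc == 0, len(expected)


def verify_token(presented: str | bytes | None) -> bool:
    """Hardened check. compare_digest requires both arguments to be the same
    type and only guarantees fixed timing for equal lengths; hashing both
    sides first gives two fixed-length byte strings, so neither the position
    of the first mismatch nor the presented length changes the comparison."""
    if presented is None:
        presented = b""
    if isinstance(presented, str):
        presented = presented.encode("utf-8")
    expected_digest = hashlib.sha256(EXPECTED_TOKEN.encode("utf-8")).digest()
    presented_digest = hashlib.sha256(presented).digest()
    return hmac.compare_digest(expected_digest, presented_digest)
```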
Review heuristic
Every endpoint that accepts an id parameter needs a sentence in the diff or the spec answering: who is allowed to access objects with this id? If the answer is "any authenticated user," that's an IDOR. If the answer is "the owner," verify the query enforces it at the database layer.
External reference: CWE-639: Authorization Bypass Through User-Controlled Key.
↳ CWE-208: Observable Timing Discrepancy; the Python docs explicitly recommend `compare_digest`.