\Drupal\Core\Access\CsrfTokenGenerator::validate() - ensure $token is a string before calling hash_equals()