Questions about the CSRF protection implementation

[bbaterdene-gh]

In this csrf.ts file the secret option is described as:

/**
* A secret to use for signing the CSRF token.
*/
secret?: string;

However, in the sign function:

private sign(token: string) {
	if (!this.secret) return token;
	return encodeBase64url(sha256(new TextEncoder().encode(token)));
}

If the secret is not defined, it returns the token directly — which seems fine.

But if the secret is defined, it hashes the token with SHA-256. It doesn't use the secret. Shouldn’t it use HMAC-SHA256 with the secret to ensure authenticity?
Hashing the token with SHA-256 guarentee integrity but not authenticity.

Also, in verifySignature:

private verifySignature(token: string) {
	if (!this.secret) return true;
	let [value, signature] = token.split(".");
	if (!value) return false;
	let expectedSignature = this.sign(value);
	return signature === expectedSignature;
}

If the secret is not defined, it just returns true. So doesn’t that mean the signature is effectively ignored?
Additionally, it compares signatures using ===. Isn’t this vulnerable to timing attacks?

And the CSRF token isn’t masked — doesn’t that make it vulnerable to BREACH attacks?

Could you clarify the reasoning here? Are these intentional design choices or potential oversights?

Reference:
https://github.com/rails/rails/blob/main/actionpack/lib/action_controller/metal/request_forgery_protection.rb