diff --git a/internal/lua/socket_test.go b/internal/lua/socket_test.go
index 471c591..66d50f0 100644
--- a/internal/lua/socket_test.go
+++ b/internal/lua/socket_test.go
@@ -623,8 +623,8 @@ func TestCosocketManager_Stress(t *testing.T) {
 cm := NewCosocketManager()
 defer cm.Close()
- const totalConnections = 10000
- const concurrency = 1000
+ const totalConnections = 1000
+ const concurrency = 100
 var wg sync.WaitGroup
 var successCount int32
@@ -655,8 +655,13 @@ func TestCosocketManager_Stress(t *testing.T) {
 return
 }
- // 等待连接完成
- time.Sleep(10 * time.Millisecond)
+ // 等待连接状态就绪(最多 50ms)
+ for retry := 0; retry < 10; retry++ {
+ if socket.State() == SocketStateConnected {
+ break
+ }
+ time.Sleep(5 * time.Millisecond)
+ }
 // 简单数据交换
 if _, err := socket.Send([]byte("hello")); err == nil {
diff --git a/internal/middleware/security/auth.go b/internal/middleware/security/auth.go
index 7731e29..ce3c9e7 100644
--- a/internal/middleware/security/auth.go
+++ b/internal/middleware/security/auth.go
@@ -29,6 +29,7 @@ package security
 import (
 "crypto/rand"
+ "crypto/subtle"
 "encoding/base64"
 "errors"
 "fmt"
@@ -261,17 +262,7 @@ func authenticateArgon2id(password, hash string) bool {
 params.time, params.memory, params.threads, params.keyLen)
 // 常量时间比较
- if len(actualHash) != len(expectedHash) {
- return false
- }
-
- for i := range actualHash {
- if actualHash[i] != expectedHash[i] {
- return false
- }
- }
-
- return true
+ return subtle.ConstantTimeCompare(actualHash, expectedHash) == 1
 }
 // parseArgon2idHash 解析 Argon2id 哈希字符串。
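Review bot: When the ten polls in the new retry loop run out without `socket.State()` reaching `SocketStateConnected`, execution falls through to `socket.Send` as if the socket were ready, so a connect that never completes looks the same as a send failure. Record the outcome, for example `connected := false` before the loop and `connected = true` ahead of the `break`, then return or count a separate timeout when it stays false. The goroutine body starts and ends outside this hunk, so how failures are tallied is not visible here.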
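Review bot: `subtle.ConstantTimeCompare` returns 1 for two zero-length slices, so at the new `return` in authenticateArgon2id a stored hash that decodes to zero bytes could accept any password if the derived key is empty as well. The removed loop behaved the same way, so this is not a regression, but it is cheap to close in the same change. Whether parseArgon2idHash already rejects an empty hash or a zero `keyLen` is not visible in this hunk; if it does not, add `if len(expectedHash) == 0 { return false }` before the compare. The function body starts outside the hunk.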