Success: check authentication, process data, commit, return 2xx status.
Failure: check authentication, return 4xx status.
The reason that you don't get any information from the difference in timing between the two branches is because you already get that information from the status code.
Now on the other hand, if you use naive string comparison, different failure branches will take different amounts of time. That is a security hole, and it's not what we're talking about here.
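The naive-comparison case mentioned above, as an added example that is not part of the original comment: an early-exit comparison does work proportional to the matching prefix, so two failures that both return 4xx still differ in cost, while a constant-time comparison does not. The token value and function names are constructed for illustration, and the count of bytes examined stands in for running time.

```python
import hashlib
import hmac

# Constructed sample secret, not taken from the original comment.
EXPECTED_TOKEN = b"s3cr3t-api-token-0001"


def naive_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit comparison; returns (result, bytes examined).

    The count grows with the length of the matching prefix, so two
    different failures cost different amounts of work.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def full_scan_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Examines every byte wherever the first mismatch is.

    Shows the idea only; in real code use hmac.compare_digest, since a
    pure-Python loop gives no timing guarantee.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y  # accumulate differences without branching on them
    return diff == 0, examined


def check_token(presented: bytes) -> int:
    """Return an HTTP-style status using the standard library's compare."""
    # Hashing both sides first gives fixed-length inputs, so the length
    # of the expected token is not exposed by the comparison either.
    ok = hmac.compare_digest(hashlib.sha256(presented).digest(),
                             hashlib.sha256(EXPECTED_TOKEN).digest())
    return 200 if ok else 401
```
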