Stop logging OAuth secrets #148
guruz left a comment:
I agree with your general idea, but if I see this correctly, there is then no way for the developer to use the log (on his/her own machine) to develop or debug what is happening if those things are redacted?
What about having the stuff conditional behind some flag, like a debug build?
(Note: check whether the OpenCloud QA build is with or without the debug flag; it should probably still not have the sensitive stuff there.)
Good point. I checked this quickly: the QA APK is built as qadebug right now, so gating this with BuildConfig.DEBUG would also print the secrets in QA builds, which we probably don't want. I'd rather keep the actual OAuth values redacted everywhere and make the logs a bit more useful around them instead, e.g. log whether code/state/token values are present, whether the state matched, status codes, token type/scope/expires_in, etc.
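The logging approach described in the reply above, as an added Kotlin example that is not code from the OpenCloud PR: secret fields are reported only as present/absent, state is reported as matched or not, and non-secret metadata (status, token_type, scope, expires_in) is logged as-is. The function names and the sample callback/token response are constructed for this demo.

```kotlin
// Added example, not OpenCloud code: describe an OAuth flow in logs without the secret values.
// Field names are standard OAuth 2.0 / OIDC parameters; sample values below are constructed.

// Values that must never reach a log line, regardless of build type.
val SECRET_KEYS = setOf("code", "state", "access_token", "refresh_token", "id_token", "client_secret")
// Non-secret metadata that is useful and safe to log verbatim.
val METADATA_KEYS = setOf("token_type", "scope", "expires_in", "error", "error_description")

// Secrets -> presence only; metadata -> value; anything else -> key name only.
fun describeFields(fields: Map<String, Any?>): String =
    fields.entries.sortedBy { it.key }.joinToString(" ") { (k, v) ->
        val present = v != null && v.toString().isNotEmpty()
        when {
            k in SECRET_KEYS -> "$k=${if (present) "present" else "absent"}"
            k in METADATA_KEYS -> "$k=$v"
            else -> "$k=<omitted>"
        }
    }

// Authorization callback: did code/state arrive, and did state match the one we issued?
fun describeAuthCallback(params: Map<String, String>, expectedState: String): String {
    val matched = params["state"] == expectedState
    return "auth callback: ${describeFields(params)} state_matched=$matched"
}

// Token endpoint response: HTTP status plus the redacted body.
fun describeTokenResponse(status: Int, body: Map<String, Any?>): String =
    "token response: status=$status ${describeFields(body)}"

// Self-check used by the demo: no non-empty secret value may appear in the log line.
fun leaksSecret(line: String, fields: Map<String, Any?>): Boolean =
    fields.filterKeys { it in SECRET_KEYS }.values
        .any { v -> v != null && v.toString().isNotEmpty() && line.contains(v.toString()) }

fun main() {
    // Constructed sample data (values taken from the RFC 6749 examples, not real credentials).
    val callback = mapOf("code" to "SplxlOBeZQQYbYS6WxSbIA", "state" to "xyz-123")
    val tokenBody = mapOf(
        "access_token" to "2YotnFZFEjr1zCsicMWpAA", "token_type" to "Bearer",
        "expires_in" to 3600, "scope" to "openid profile",
        "id_token" to "eyJhbGciOi.header.payload", "refresh_token" to ""
    )
    val callbackLine = describeAuthCallback(callback, "xyz-123")
    val tokenLine = describeTokenResponse(200, tokenBody)
    println(callbackLine)
    println(tokenLine)
    check(!leaksSecret(callbackLine, callback) && !leaksSecret(tokenLine, tokenBody))
}
```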
What changed
Why
Some debug/support logs could include OAuth credentials. This keeps the useful flow logs, but drops the secret values.
Checks
Tests were fine