Remove API token from logs

[josecelano]

We are using a token query param for API authentication and we are logging the whole request URL.

2024-03-11T16:53:33.249051604+00:00 [API][INFO] request; method=GET uri=/api/v1/torrents?token=MyAccessToken&info_hash=2b66980093bc11806fab50cb3cb41835b95a0362 request_id=d99df52a-dfb8-4608-9974-b4d9c445ee41
2024-03-11T16:53:33.249113794+00:00 [API][INFO] response; latency=0 status=200 OK request_id=d99df52a-dfb8-4608-9974-b4d9c445ee41

That means tokens are included in the logs.

We should hide those tokens with **** or change the way we pass the token. We could use an HTTP header like in the Index. I prefer the second option because other proxies could also log the URLs.

[josecelano]

Instead of removing the token from the logs we could add a new authentication method. We could use a bearer token authentication scheme. We are using it in the Index, so we only need to adapt that code:

https://github.com/torrust/torrust-index/blob/develop/src/web/api/server/v1/auth.rs

Maybe we can keep the GET param token for testing because it makes it easier to load API resources. However, I would remove it, we can use https://www.postman.com/ or curl.