Add HTTP middleware and logging cleanup to authserver

[jhrozek]

Context

The authserver (pkg/authserver/) chi router in handler.go currently registers routes with zero middleware. This is foundational work that enables audit logging and telemetry.

Scope

HTTP middleware stack

The authserver's Routes() method needs a proper middleware chain:

• Panic recovery using existing pkg/recovery.Middleware (every other HTTP server in the codebase has this)
• Request ID injection (chi/middleware.RequestID) for log correlation across audit and telemetry
• Request timeout (default 30s) to protect against slow upstream IDP calls holding connections
• Request body size limiting as a safety net (the DCR handler has its own 64KB limit, but authorize/token endpoints have none)

Middleware ordering: recovery (outermost) → request ID → timeout → size limit → routes

Logging cleanup

Fix existing logging to follow project conventions (docs/logging.md):

• Downgrade all Info-level success logs to Debug (silent-success principle):
  • upstream/oauth2.go: 6 Info logs for provider creation, code exchange, token refresh
  • handlers/callback.go: "authorization successful, redirecting to client"
  • handlers/user.go: "created new user with provider identity"
• Add structured fields (client_id, session_id, user_id, upstream_provider) for log correlation

Acceptance criteria

• Panic recovery, request ID, timeout, and size limiting middleware applied to chi router
• All Info-level success logs in pkg/authserver/ downgraded to Debug
• Structured fields added to log statements for correlation
• No sensitive data (tokens, codes) in any log or response