feat: sanitize external identity provider user data (#681)

* feat: sanitize external user data

* remove config option to disable Sanitization: sanitize_external_user_data

* cleanup

---------

Co-authored-by: Christoph Haas <christoph.h@sprinternet.at>

internal/sanitize/log.go

@@ -0,0 +1,32 @@
+package sanitize
+
+import (
+	"log/slog"
+
+	"github.com/h44z/wg-portal/internal/domain"
+)
+
+// LogChange applies sanitizeFn to raw, logs when the value changes, and writes
+// the sanitized value to dest. Raw and sanitized values are intentionally omitted.
+func LogChange(
+	providerType string,
+	providerName string,
+	field string,
+	raw string,
+	sanitizeFn func() string,
+	dest *string,
+) {
+	sanitized := sanitizeFn()
+	if sanitized != raw {
+		message := "sanitization modified field value from external provider"
+		if sanitized == "" {
+			message = "sanitization cleared field value from external provider"
+		}
+		slog.Warn(message,
+			"provider_type", domain.SanitizeString(providerType, 64),
+			"provider", domain.SanitizeString(providerName, 128),
+			"field", domain.SanitizeString(field, 64),
+		)
+	}
+	*dest = sanitized
+}