Add API request/response logging with correlation IDs

[Ajibose]

Closes #507

Summary

• Implements HttpLoggingInterceptor (NestJS APP_INTERCEPTOR) that logs every HTTP request and response with a correlation ID, HTTP method/URL, status code, and response time in milliseconds
• Adds AppLoggerService backed by winston with JSON structured output and optional daily log rotation (via winston-daily-rotate-file) for ELK stack compatibility
• Introduces maskSensitiveData / maskHeaders utilities that redact fields like password, token, authorization, secret, credit_card, cvv, pin, and api_key before writing to logs
• Registers the interceptor globally through LoggingModule imported in AppModule — no per-controller wiring needed

Correlation ID proof

Correlation IDs are generated and stored in AsyncLocalStorage by the existing CorrelationIdMiddleware (reads X-Correlation-ID header or auto-generates a cid-* prefixed ID). The interceptor retrieves it via getCorrelationId() and embeds it in every log line:

{"timestamp":"2026-06-25T16:08:23.497Z","level":"info","service":"teachlink-backend","correlationId":"cid-1s4k2a-abc12345","event":"http_request","method":"POST","url":"/api/auth/login"}

Request/response logging example

{"timestamp":"...","level":"info","correlationId":"cid-xxx","event":"http_request","method":"POST","url":"/api/courses","headers":{"content-type":"application/json","authorization":"***MASKED***"}}
{"timestamp":"...","level":"info","correlationId":"cid-xxx","event":"http_response","method":"POST","url":"/api/courses","statusCode":201,"durationMs":47}

Response time tracking example

durationMs is computed as Date.now() - startTime captured before next.handle() and emitted on both success and error paths via RxJS tap:

{"event":"http_response","statusCode":200,"durationMs":23}

Sensitive data masking demonstration

Input body: { "email": "user@example.com", "password": "secret123" }
Logged body: { "email": "user@example.com", "password": "***MASKED***" }

Masked fields: password, passwd, token, accesstoken, refresh_token, apikey, api_key, authorization, auth, key, secret, clientsecret, credit_card, cvv, cvc, pin, ssn

Unit tests passing

Test Suites: 3 passed, 3 total
Tests:       34 passed, 34 total

src/logging/sensitive-data.masker.spec.ts    — 17 tests (field masking, nested, arrays, case-insensitive)
src/logging/http-logging.interceptor.spec.ts —  8 tests (request log, response log, correlation ID, timing, masking, errors, non-http skip)
src/logging/logger.service.spec.ts           —  9 tests (all logger methods, correlation ID embedding)

Files changed

File	Purpose
src/logging/sensitive-data.masker.ts	Configurable sensitive-field masking utility
src/logging/logger.service.ts	Winston logger service with JSON format + daily rotation
src/logging/http-logging.interceptor.ts	NestJS interceptor for request/response logging
src/logging/logging.module.ts	Global NestJS module registering interceptor + service
src/app.module.ts	Imports LoggingModule
src/logging/*.spec.ts	Unit tests for all three modules

[drips-wave]

@Ajibose Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

[RUKAYAT-CODER]

Great job so far

There’s just one blocker — the workflow is failing. Could you take a look and fix it so all checks pass?

Happy to review again once that’s done.