wai-extra: redact Authorization header when logging a request

[austin-artificial]

The Authorization request header normally contains sensitive data which we probably don't want to log.

This redacts it in a similar way to what is done for cookies.

Happy to bump the version number if needed and add a changelog if the idea is approved.

Before submitting your PR, check that you've:

• Bumped the version number
• Documented new APIs with Haddock markup
• Added @since declarations to the Haddock

After submitting your PR:

• Update the Changelog.md file with a link to your PR
• Check that CI passes (or if it fails, for reasons unrelated to your change, like CI timeouts)

[Vlix]

I don't see any problem with this change 🤔

When using a default logger, you'd probably want to err on the safe side, so not leak credentials. If anyone wants to log delicate data, they can implement it themselves.

I'd appreciate a bump in version, update to the ChangeLog and maybe find where describing this redaction (and maybe also the cookie redaction) would make sense and add it there?

EDIT: I just saw Snoyberg's comment on this exact change in #792 and they feel it's a major version bump. And I can see the reasoning behind that. It might be better to just provide a version of this function that takes a function to redact certain header values?

-- | Like 'requestHeadersToJSON', but takes a list of 'HeaderName's to redact
requestHeadersToJSONRedact :: [HeaderName] -> RequestHeaders -> Value
...

requestHeadersToJSON :: RequestHeaders -> Value
requestHeadersToJSON = requestHeadersToJSONRedact [hCookie]

🤷 Something like that?