security(api): fix format string injection in logger calls

Replace template string interpolation in logger calls with object-based
logging to prevent format string injection vulnerabilities detected by CodeQL.

- Use object-based logging instead of template strings
- Prevents external control of format strings in logs
- Maintains same logging functionality with better security

Author: oriondesign2015

src/api/guards/auth.guard.ts

@@ -37,7 +37,7 @@ async function apikey(req: Request, _: Response, next: NextFunction) {
         if (key.length > 255 && instance.integration === Integration.WHATSAPP_BUSINESS) {
           const cacheKey = `instance:${param.instanceName}:fullToken`;
           await cache.set(cacheKey, key, 0);
-          logger.log(`Stored full token in cache for ${param.instanceName} from request`);
+          logger.log({ message: 'Stored full token in cache from request', instanceName: param.instanceName });
 
           // Atualiza a instância em memória se existir
           if (waMonitor.waInstances[param.instanceName]) {
@@ -52,9 +52,9 @@ async function apikey(req: Request, _: Response, next: NextFunction) {
                   number: instance.number,
                   businessId: instance.businessId,
                 });
-                logger.log(`Updated full token in memory for ${param.instanceName}`);
+                logger.log({ message: 'Updated full token in memory', instanceName: param.instanceName });
               } catch (error) {
-                logger.error(`Error updating token in memory: ${error}`);
+                logger.error({ message: 'Error updating token in memory', error, instanceName: param.instanceName });
               }
             }
           }
@@ -72,7 +72,7 @@ async function apikey(req: Request, _: Response, next: NextFunction) {
           if (key.length > 255 && instanceByKey.integration === Integration.WHATSAPP_BUSINESS) {
             const cacheKey = `instance:${instanceByKey.name}:fullToken`;
             await cache.set(cacheKey, key, 0);
-            logger.log(`Stored full token in cache for ${instanceByKey.name} from request`);
+            logger.log({ message: 'Stored full token in cache from request', instanceName: instanceByKey.name });
 
             // Atualiza a instância em memória se existir
             if (waMonitor.waInstances[instanceByKey.name]) {
@@ -87,9 +87,9 @@ async function apikey(req: Request, _: Response, next: NextFunction) {
                     number: instanceByKey.number,
                     businessId: instanceByKey.businessId,
                   });
-                  logger.log(`Updated full token in memory for ${instanceByKey.name}`);
+                  logger.log({ message: 'Updated full token in memory', instanceName: instanceByKey.name });
                 } catch (error) {
-                  logger.error(`Error updating token in memory: ${error}`);
+                  logger.error({ message: 'Error updating token in memory', error, instanceName: instanceByKey.name });
                 }
               }
             }

src/api/integrations/channel/meta/whatsapp.business.service.ts

@@ -66,16 +66,19 @@ export class BusinessStartupService extends ChannelStartupService {
       this.fullToken = instance.token;
       const cacheKey = `instance:${instance.instanceName}:fullToken`;
       await this.cache.set(cacheKey, instance.token, 0);
-      this.logger.log(`Stored full token in cache for ${instance.instanceName}`);
+      this.logger.log({ message: 'Stored full token in cache', instanceName: instance.instanceName });
     } else {
       // Tenta carregar token completo do cache
       const cacheKey = `instance:${instance.instanceName}:fullToken`;
       const fullToken = await this.cache.get(cacheKey);
       if (fullToken) {
         this.fullToken = fullToken;
-        this.logger.log(`Loaded full token from cache for ${instance.instanceName}`);
+        this.logger.log({ message: 'Loaded full token from cache', instanceName: instance.instanceName });
       } else {
-        this.logger.warn(`Full token not found in cache for ${instance.instanceName}, using truncated token`);
+        this.logger.warn({
+          message: 'Full token not found in cache, using truncated token',
+          instanceName: instance.instanceName,
+        });
       }
     }
   }