Only log authorization for public requests

This is the original behaviour [1]. Since all internal requests will
have corresponding logs from public-facing apps that are making them,
there's little value in logging them.

Logging internal requests doesn't lead to a significant increase in
our overall log ingestion: a rough estimate is it's an extra 5000 logs
per minute, out of about 900K per minute.

[1]: e08d726f05/app/authentication/auth.py (L153)
Ben Thorner
2021-08-04 16:16:31 +01:00
parent 09e3ba6836
commit 96c527038c


@@ -113,6 +113,13 @@ def requires_auth():
api_key = _decode_jwt_token(auth_token, service.api_keys, service.id)
current_app.logger.info('API authorised for service {} with api key {}, using issuer {} for URL: {}'.format(
service_id,
api_key.id,
request.headers.get('User-Agent'),
request.base_url
))
g.api_user = api_key
g.service_id = service_id
g.authenticated_service = service
@@ -142,13 +149,6 @@ def _decode_jwt_token(auth_token, api_keys, service_id=None):
if api_key.expiry_date:
raise AuthError("Invalid token: API key revoked", 403, service_id=service_id, api_key_id=api_key.id)
current_app.logger.info('API authorised for service {} with api key {}, using issuer {} for URL: {}'.format(
service_id,
api_key.id,
request.headers.get('User-Agent'),
request.base_url
))
return api_key
else:
# service has API keys, but none matching the one the user provided
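Review bot: The log call added to requires_auth labels `request.headers.get('User-Agent')` as the "issuer", but User-Agent is a client-chosen header rather than the verified `iss` claim of the token, so the authorisation audit line carries an unauthenticated value under a name that suggests otherwise. Anyone reading these logs during an investigation should not treat that field as identity evidence; I would rename it in the message and render it with `{!r}` so control characters are escaped, e.g. `'API authorised for service {} with api key {}, using user agent {!r} for URL: {}'`. If dashboards or alerts match on the existing message text, they would need updating in the same change. The body of requires_auth starts and ends outside the hunk, so whether the decoded issuer is available as a local at this point is not visible here.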