Description

When using API Token authentication, uWSGI logs show a dash (-) instead
of the username, making it impossible to trace which user made which API
request. This breaks audit trails and forensic analysis.

Web interface requests correctly log the username, but API token requests do not.

Fix: Added ApiTokenUsernameLoggingMiddleware that sets REMOTE_USER in the
request metadata after authentication is complete, so uWSGI can log the
correct username regardless of the authentication method used.

Fixes #13751

Test results

Manually traced the middleware execution. The middleware runs after
AuthenticationMiddleware so the user is always authenticated before
we attempt to set REMOTE_USER.

Documentation

No documentation changes needed.