Do not URL-decode refresh header

[eric-maynard]

Description

When the Iceberg client sends a request to refresh the auth token using a Basic header, the header is Base64-encoded but not URL-encoded.

This discrepancy between the client's formatting of the header and the way Polaris is parsing the header can lead to certain values failing the authorization check.

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• Documentation update
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

Checklist:

Please delete options that are not relevant.

• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings

[collado-mike]

Can you add a test for this in PolarisApplicationIntegrationTest? We should be able to do something simple like send the snowmanCredentials with something like this

AuthConfig authConfig = Mockito.mock(AuthConfig.class)
// configure auth
RESTClient client = HttpClient.builder(props).uri(...).build();
AuthSession parentSession = new OAuth2Util.AuthSession(Map.of(), AuthConfig.builder().credential(snowmanCredentialsString).scope("PRINCIPAL_ROLE:ALL").build());
AuthSession.fromAccessToken(client, null, userToken, 0L, parentSession).refresh(client)

It won't guarantee that the characters are always ones that would be url-decoded, but sometimes they will be.

[collado-mike]

Nice, thanks for the fix. I don't know why I thought the credentials would be URL encoded...