feat: add API key support for SPCS authentication

[costrouc]

Summary

Prior to recent changes on the Snowflake side, proxied authentication headers carried enough information for Connect running in Snowflake SPCS to identify users. With the move to OIDC, Connect servers no longer trust Snowflake headers for username identification. This requires users to provide both a Snowflake connection (for proxied authentication) and a Connect API key (for OIDC authentication).

Adds API key support for Snowflake SPCS (Snowpark Container Services) authentication due to changes in native application authentication using OIDC. Connect within the SPCS native application no longer relies on Snowflake headers to determine the user. You can think of the SPCS private key now only being used for proxied authentication to pass the request through and the api key is used by connect

Problem

SPCS deployments require a dual authentication model:

• Snowflake tokens provide proxied authentication to reach the Connect server
• API keys identify the user to the Connect server itself

Previously, connectSPCSUser() only handled Snowflake token authentication through the
snowflakeConnectionName parameter. The API key was not captured or transmitted,
preventing proper user identification by the Connect server.

Solution

• Added apiKey as a required parameter to connectSPCSUser()
• Updated authHeaders() to include the API key in the X-RSC-Authorization header when
  both snowflakeToken and apiKey are present
• Store apiKey in account registration alongside snowflakeConnectionName
• Updated documentation to explain the dual authentication model

This mirrors the authentication pattern implemented in
rsconnect-python#715.

Changes

• R/http.R: Modified authHeaders() to add X-RSC-Authorization header for SPCS
• R/accounts.R: Updated connectSPCSUser() and getSPCSAuthedUser() to accept and use
  API key
• man/connectSPCSUser.Rd: Updated function documentation
• tests/testthat/test-spcs.R: Added test coverage for API key handling
• NEWS.md: Documented the breaking change

Breaking Change

connectSPCSUser() now requires an apiKey parameter. Existing code will need to
be updated:

# Before
connectSPCSUser(
  server = "my-spcs-server",
  snowflakeConnectionName = "my_connection"
)

# After
connectSPCSUser(
  server = "my-spcs-server",
  apiKey = "my-api-key",
  snowflakeConnectionName = "my_connection"
)

Testing

• Added test for X-RSC-Authorization header inclusion
• Added test for storing both apiKey and snowflakeConnectionName in account registration
• All existing SPCS tests continue to pass

[costrouc]

I will be testing this out on Monday

[costrouc]

Related PR posit-dev/rsconnect-python#715

[aronatkins]

To test, install this branch like:

remotes::install_github("costrouc/rsconnect", "feat-support-snowflake-spcs-oidc")

[aronatkins]

Replaced by #1248