Add HTTP Digest authentication (RFC 7616) #17

Merged: OmarAlJarrah merged 5 commits into main from feat/digest-auth on Jun 16, 2026
@OmarAlJarrah

Summary

Adds a Digest Access Authentication credential policy, completing the SDK's auth coverage alongside Bearer, Basic, and API-key.

DigestAuthPolicy is challenge-driven, as the protocol requires: it sends the request, and on a 401 carrying a WWW-Authenticate: Digest challenge it computes the keyed response and retries once. It then caches the challenge and applies Digest preemptively on later requests with an incrementing nonce count, re-challenging only when the server rotates the nonce. At most two sends per call, so the path is bounded.

  • Algorithms: MD5 and SHA-256, plus their -sess variants, with qop=auth or no qop — covering effectively all real Digest servers. auth-int, SHA-512-256, userhash, and multi-scheme single-header challenges are intentionally out of scope.
  • HTTPS-only, consistent with every other credential policy (auth.ErrInsecureTransport on a non-https URL).
  • Concurrency-safe: the nonce count and cached challenge are guarded by a mutex held only around small critical sections, never across network I/O.
  • Umbrella option WithDigestAuth(username, password), placed at the auth stage. Precedence when several auth options are set: WithCredential, WithBasicAuth, WithAPIKey, WithDigestAuth.

Test plan

  • RFC 7616 §3.9.1 published vectors reproduced exactly for both SHA-256 and MD5 (deterministic via an injected cnonce)
  • Round-trip test: an httptest TLS server issues a challenge and independently recomputes the response from the known password — asserts single-challenge → 200 and that the nonce count increments on the next request
  • Insecure-transport guard returns ErrInsecureTransport before any hashing
  • Quote-aware challenge parser is panic-free on malformed input (unterminated quotes, trailing =, empty headers)
  • End-to-end WithDigestAuth through the client
  • gofmt -l . clean, go vet ./... clean, go test -race ./... green across all packages

🤖 Generated with Claude Code

@OmarAlJarrah OmarAlJarrah merged commit f4e13bb into main Jun 16, 2026
1 of 2 checks passed
@OmarAlJarrah OmarAlJarrah deleted the feat/digest-auth branch June 16, 2026 19:46
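
The response computation the description covers (MD5 and SHA-256, their -sess variants, qop=auth or no qop), as an added Go example that is not the SDK's own code. `DigestResponse` and its parameter list are assumed names; the nonce, cnonce and credentials are the RFC 7616 §3.9.1 example values.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
	"strings"
)
// Nonce and cnonce from the RFC 7616 section 3.9.1 example.
const rfcNonce = "7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v"
const rfcCnonce = "f2/wE4q74E6zIJEtWaHKaf5wv/H5QzzpXusqGemxURZJ"

// DigestResponse computes the RFC 7616 response for qop=auth or no qop.
// nc counts requests made with this nonce and is sent as 8 hex digits.
func DigestResponse(algorithm, user, realm, password, method, uri, nonce, cnonce, qop string, nc uint32) (string, error) {
	name := strings.ToUpper(algorithm)
	sess := strings.HasSuffix(name, "-SESS")
	var newHash func() hash.Hash
	switch strings.TrimSuffix(name, "-SESS") {
	case "", "MD5": // an absent algorithm parameter means MD5
		newHash = md5.New
	case "SHA-256":
		newHash = sha256.New
	default:
		return "", fmt.Errorf("unsupported digest algorithm %q", algorithm)
	}
	h := func(s string) string { // lowercase hex digest of s
		d := newHash()
		d.Write([]byte(s))
		return hex.EncodeToString(d.Sum(nil))
	}
	ha1 := h(user + ":" + realm + ":" + password)
	if sess { // -sess variants bind A1 to this nonce/cnonce pair
		ha1 = h(ha1 + ":" + nonce + ":" + cnonce)
	}
	ha2 := h(method + ":" + uri)
	switch qop {
	case "auth":
		return h(fmt.Sprintf("%s:%s:%08x:%s:auth:%s", ha1, nonce, nc, cnonce, ha2)), nil
	case "": // legacy form without qop, nc or cnonce
		return h(ha1 + ":" + nonce + ":" + ha2), nil
	}
	return "", fmt.Errorf("unsupported qop %q", qop)
}

func main() {
	fmt.Println(DigestResponse("SHA-256", "Mufasa", "http-auth@example.org", "Circle of Life", "GET", "/dir/index.html", rfcNonce, rfcCnonce, "auth", 1))
}
```

Because `nc` is an input to the hash, a repeated or out-of-order count changes the response, which is what lets a server reject replays of a captured Authorization header.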