API: fix: inject header prior to AuthManager (#2656)

<!--
Thanks for opening a pull request!
-->

<!-- In the case this PR will resolve an issue, please replace
${GITHUB_ISSUE_ID} below with the actual Github issue id. -->
Closes #2655 

# Rationale for this change

Headers should be injected before creating auth manager in order for
Polaris catalog to work.

## Are these changes tested?
Yes, with following code:

```python
from pyiceberg.catalog import load_catalog
param = {
    "type": "rest",
    "uri": "http://localhost:8181/api/catalog",
    "warehouse": "s3://...",
    "s3.access-key-id": "***",
    "s3.secret-access-key": "***",
    "s3.path-style-access": True,
    "header.X-Iceberg-Access-Delegation": "",
    "scope": "PRINCIPAL_ROLE:ALL",
    "credential": "***:***",
}

catalog = load_catalog("default", **param)

print(catalog.list_namespaces())
```
* With version 0.10.0 I have: `pyiceberg.exceptions.RESTError:
MissingOrInvalidRealm`
* With this development (using `poetry run ...`) I can connect to the
catalog

## Are there any user-facing changes?
No

<!-- In the case of user-facing changes, please add the changelog label.
-->

---------

Co-authored-by: Quentin FLEURENT NAMBOT <[email protected]>

Author: rinzool

pyiceberg/catalog/rest/__init__.py

@@ -238,6 +238,9 @@ def _create_session(self) -> Session:
         """Create a request session with provided catalog configuration."""
         session = Session()
 
+        # Set HTTP headers
+        self._config_headers(session)
+
         # Sets the client side and server side SSL cert verification, if provided as properties.
         if ssl_config := self.properties.get(SSL):
             if ssl_ca_bundle := ssl_config.get(CA_BUNDLE):
@@ -265,9 +268,6 @@ def _create_session(self) -> Session:
         else:
             session.auth = AuthManagerAdapter(self._create_legacy_oauth2_auth_manager(session))
 
-        # Set HTTP headers
-        self._config_headers(session)
-
         # Configure SigV4 Request Signing
         if property_as_bool(self.properties, SIGV4, False):
             self._init_sigv4(session)

tests/catalog/test_rest.py

@@ -1899,6 +1899,28 @@ def test_rest_catalog_with_google_credentials_path(
     assert actual_headers["Authorization"] == expected_auth_header
 
 
+@pytest.mark.filterwarnings(
+    "ignore:Deprecated in 0.8.0, will be removed in 1.0.0. Iceberg REST client is missing the OAuth2 server URI:DeprecationWarning"
+)
+def test_auth_header(rest_mock: Mocker) -> None:
+    mock_request = rest_mock.post(
+        f"{TEST_URI}v1/oauth/tokens",
+        json={
+            "access_token": TEST_TOKEN,
+            "token_type": "Bearer",
+            "expires_in": 86400,
+            "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
+            "scope": "openid offline",
+            "refresh_token": "refresh_token",
+        },
+        status_code=200,
+        request_headers={**OAUTH_TEST_HEADERS, "Custom": "Value"},
+    )
+
+    RestCatalog("rest", uri=TEST_URI, credential=TEST_CREDENTIALS, audience="", resource="", **{"header.Custom": "Value"})
+    assert mock_request.last_request.text == "grant_type=client_credentials&client_id=client&client_secret=secret&scope=catalog"
+
+
 class TestRestCatalogClose:
     """Tests RestCatalog close functionality"""