Add per-HTTP-attempt timeout for non-JWT authentication

Mirror the existing JWTClient / JWTClientTimeout pattern for general
(non-JWT) authentication so callers can bound per-HTTP-attempt time for
auth requests independently of the query timeout.

Before this change, gosnowflake routed JWT auth through a dedicated
JWTClient (default 10s) but every other authenticator (warehouse password,
native OAuth, MFA, SSO, PAT, external browser) shared the main Client
with the query path (default ClientTimeout = 900s). That meant downstream
callers like dbt-fusion could not tighten the per-attempt auth timeout
without also limiting how long queries can run.

Changes:
- New AuthClient *http.Client field on snowflakeRestful, instantiated
  from sc.cfg.AuthClientTimeout in connection.go.
- getClientFor() now returns AuthClient for any non-JWT authenticator,
  falling back to Client when AuthClient is nil (for tests/callers that
  build snowflakeRestful directly without going through the standard
  connection path).
- New Config.AuthClientTimeout field with defaultAuthClientTimeout = 60s
  (matches snowflake-connector-python's per-call requests timeout for
  auth requests; see auth/by_plugin.py).
- DSN serialization and parsing for the authClientTimeout key, plus
  default-fill logic in FillMissingConfigParameters.

JWT auth path is unchanged. Query path is unchanged. Existing fixtures
in dsn_test.go are extended with the new defaulted field.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: akbog

connection.go

@@ -916,6 +916,15 @@ func buildSnowflakeConn(ctx context.Context, config Config) (*snowflakeConn, err
 			Timeout:   sc.cfg.JWTClientTimeout,
 			Transport: st,
 		},
+		AuthClient: &http.Client{
+			// Per-HTTP-attempt timeout for non-JWT authentication (warehouse
+			// password, native OAuth, MFA, SSO, PAT, external browser, etc.).
+			// Allows callers to bound auth roundtrips without also bounding
+			// query roundtrips, mirroring `snowflake-connector-python`'s
+			// `requests` per-call timeout for auth requests.
+			Timeout:   sc.cfg.AuthClientTimeout,
+			Transport: st,
+		},
 		TokenAccessor:       tokenAccessor,
 		LoginTimeout:        sc.cfg.LoginTimeout,
 		RequestTimeout:      sc.cfg.RequestTimeout,

dsn.go

@@ -20,6 +20,7 @@ import (
 const (
 	defaultClientTimeout          = 900 * time.Second // Timeout for network round trip + read out http response
 	defaultJWTClientTimeout       = 10 * time.Second  // Timeout for network round trip + read out http response but used for JWT auth
+	defaultAuthClientTimeout      = 60 * time.Second  // Timeout for network round trip + read out http response used for non-JWT authentication requests
 	defaultLoginTimeout           = 300 * time.Second // Timeout for retry for login EXCLUDING clientTimeout
 	defaultRequestTimeout         = 0 * time.Second   // Timeout for retry for request EXCLUDING clientTimeout
 	defaultJWTTimeout             = 60 * time.Second
@@ -103,6 +104,8 @@ type Config struct {
 	// Deprecated: timeouts may be reorganized in a future release.
 	JWTClientTimeout time.Duration // Timeout for network round trip + read out http response used when JWT token auth is taking place
 	// Deprecated: timeouts may be reorganized in a future release.
+	AuthClientTimeout time.Duration // Timeout for network round trip + read out http response used for non-JWT authentication requests
+	// Deprecated: timeouts may be reorganized in a future release.
 	ExternalBrowserTimeout time.Duration // Timeout for external browser login
 	// Deprecated: timeouts may be reorganized in a future release.
 	CloudStorageTimeout time.Duration // Timeout for a single call to a cloud storage provider
@@ -303,6 +306,9 @@ func DSN(cfg *Config) (dsn string, err error) {
 	if cfg.JWTClientTimeout != defaultJWTClientTimeout {
 		params.Add("jwtClientTimeout", strconv.FormatInt(int64(cfg.JWTClientTimeout/time.Second), 10))
 	}
+	if cfg.AuthClientTimeout != defaultAuthClientTimeout {
+		params.Add("authClientTimeout", strconv.FormatInt(int64(cfg.AuthClientTimeout/time.Second), 10))
+	}
 	if cfg.LoginTimeout != defaultLoginTimeout {
 		params.Add("loginTimeout", strconv.FormatInt(int64(cfg.LoginTimeout/time.Second), 10))
 	}
@@ -651,6 +657,9 @@ func fillMissingConfigParameters(cfg *Config) error {
 	if cfg.JWTClientTimeout == 0 {
 		cfg.JWTClientTimeout = defaultJWTClientTimeout
 	}
+	if cfg.AuthClientTimeout == 0 {
+		cfg.AuthClientTimeout = defaultAuthClientTimeout
+	}
 	if cfg.ExternalBrowserTimeout == 0 {
 		cfg.ExternalBrowserTimeout = defaultExternalBrowserTimeout
 	}
@@ -918,6 +927,11 @@ func parseDSNParams(cfg *Config, params string) (err error) {
 			if err != nil {
 				return
 			}
+		case "authClientTimeout":
+			cfg.AuthClientTimeout, err = parseTimeout(value)
+			if err != nil {
+				return
+			}
 		case "loginTimeout":
 			cfg.LoginTimeout, err = parseTimeout(value)
 			if err != nil {