fix(storage): apply metadata, headers, and cacheControl dedupe to uploadToSignedUrl

[oniani1]

Closes #2274.

Summary

uploadToSignedUrl silently drops three FileOptions that upload/update honor via uploadOrUpdate:

1. options.metadata is ignored. No form field on Blob/FormData bodies, no x-metadata header on raw bodies.
2. fileOptions.headers is ignored. The setHeader merge loop was missing.
3. cacheControl on caller-supplied FormData got appended unconditionally, producing two entries when the caller already added one.

This patch mirrors the handling from uploadOrUpdate across all three body branches (Blob, FormData, raw) and adds the post-branch headers merge. No behavioral change for the content-type / cache-control defaults on raw bodies, nor for the fallbacks when the options are absent.

Test plan

• uploadToSignedUrl with metadata (Blob body). FormData includes a metadata field.
• uploadToSignedUrl with metadata (FormData body). Caller's FormData keeps its own entries and gains metadata.
• uploadToSignedUrl with metadata (raw body sends x-metadata header). Base64-encoded JSON in the x-metadata request header.
• uploadToSignedUrl passes headers. fileOptions.headers keys reach the outgoing request.
• uploadToSignedUrl does not duplicate cacheControl when caller FormData has one. Caller's 7200 wins, SDK's 3600 default is skipped.

All 10 uploadToSignedUrl tests pass, including the 5 new ones. The fix was also reproduced end-to-end against a local supabase/storage Docker server.

[pkg-pr-new]

Open in StackBlitz

@supabase/auth-js

npm i https://pkg.pr.new/@supabase/auth-js@2275

@supabase/functions-js

npm i https://pkg.pr.new/@supabase/functions-js@2275

@supabase/postgrest-js

npm i https://pkg.pr.new/@supabase/postgrest-js@2275

@supabase/realtime-js

npm i https://pkg.pr.new/@supabase/realtime-js@2275

@supabase/storage-js

npm i https://pkg.pr.new/@supabase/storage-js@2275

@supabase/supabase-js

npm i https://pkg.pr.new/@supabase/supabase-js@2275

commit: 7085a5b