Fix credential/UseDefaultCredentials property order on HttpClientHandler (#2353)

In .NET Core, HttpClientHandler.Credentials and UseDefaultCredentials share
a backing field, so setting one overwrites the other. Previously, Credentials
was set first (often null), then UseDefaultCredentials — which worked. But
setting Credentials = CredentialCache.DefaultCredentials explicitly would get
overwritten by UseDefaultCredentials = false.

Now UseDefaultCredentials is set first, and Credentials is only set when
non-null, so neither property can silently clobber the other.

Fixes #2236

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: alexeyzimarev

src/RestSharp/RestClient.cs

@@ -234,8 +234,8 @@ internal static void ConfigureHttpMessageHandler(HttpClientHandler handler, Rest
         if (!OperatingSystem.IsBrowser()) {
 #endif
         handler.UseCookies             = false;
-        handler.Credentials            = options.Credentials;
-        handler.UseDefaultCredentials  = options.UseDefaultCredentials;
+        handler.UseDefaultCredentials = options.UseDefaultCredentials;
+        if (options.Credentials != null) handler.Credentials = options.Credentials;
         handler.AutomaticDecompression = options.AutomaticDecompression;
         handler.PreAuthenticate        = options.PreAuthenticate;
         if (options.MaxRedirects.HasValue) handler.MaxAutomaticRedirections = options.MaxRedirects.Value;

test/RestSharp.Tests/CredentialConfigurationTests.cs

@@ -0,0 +1,44 @@
+using System.Net;
+
+namespace RestSharp.Tests;
+
+public class CredentialConfigurationTests {
+    [Fact]
+    public void Explicit_credentials_are_not_overwritten_by_UseDefaultCredentials() {
+        var credentials = new NetworkCredential("user", "password");
+        var options = new RestClientOptions("https://dummy.org") {
+            Credentials           = credentials,
+            UseDefaultCredentials = false
+        };
+
+        var handler = new HttpClientHandler();
+        RestClient.ConfigureHttpMessageHandler(handler, options);
+
+        handler.Credentials.Should().BeSameAs(credentials);
+    }
+
+    [Fact]
+    public void DefaultCredentials_set_explicitly_are_not_overwritten() {
+        var options = new RestClientOptions("https://dummy.org") {
+            Credentials           = CredentialCache.DefaultCredentials,
+            UseDefaultCredentials = false
+        };
+
+        var handler = new HttpClientHandler();
+        RestClient.ConfigureHttpMessageHandler(handler, options);
+
+        handler.Credentials.Should().BeSameAs(CredentialCache.DefaultCredentials);
+    }
+
+    [Fact]
+    public void UseDefaultCredentials_sets_credentials_when_no_explicit_credentials() {
+        var options = new RestClientOptions("https://dummy.org") {
+            UseDefaultCredentials = true
+        };
+
+        var handler = new HttpClientHandler();
+        RestClient.ConfigureHttpMessageHandler(handler, options);
+
+        handler.UseDefaultCredentials.Should().BeTrue();
+    }
+}