Validate OIDC allowed hosts before authenticator reuse#2801

Open
NguyenCong2k wants to merge 1 commit into mongodb:master from NguyenCong2k:fix-oidc-allowed-hosts-cache
Conversation

@NguyenCong2k
Summary

  • validate MONGODB-OIDC allowed hosts before reusing a cached authenticator
  • apply the same ordering fix to sync and async OIDC auth helpers
  • add regression coverage for cached authenticator reuse with a disallowed host

Test

python -m pytest test\test_auth_oidc.py::TestOIDCAllowedHostsCache -m auth_oidc -q
python -m pytest test\asynchronous\test_auth_oidc.py::TestOIDCAllowedHostsCache -m auth_oidc -q

Copilot AI review requested due to automatic review settings May 13, 2026 03:31
@NguyenCong2k NguyenCong2k requested a review from a team as a code owner May 13, 2026 03:31
@NguyenCong2k NguyenCong2k requested a review from sleepyStick May 13, 2026 03:31
Copilot AI left a comment

Pull request overview

This PR tightens MONGODB-OIDC host allowlisting by ensuring authOIDCAllowedHosts is validated before reusing a cached OIDC authenticator, preventing a cached authenticator from bypassing host restrictions when connecting to a different (disallowed) host. It applies the same ordering change to both the synchronous and asynchronous OIDC auth helpers and adds regression tests for the cached-authenticator scenario.

Changes:

  • Reordered _get_authenticator logic so allowed-host validation happens before returning credentials.cache.data (sync + async).
  • Added regression tests verifying that a cached authenticator cannot be reused when the requested host is not in ALLOWED_HOSTS (sync + async tests).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File Description
test/test_auth_oidc.py Adds a regression test covering cached authenticator reuse with a disallowed host.
test/asynchronous/test_auth_oidc.py Adds the async-side equivalent regression test for cached authenticator reuse.
pymongo/synchronous/auth_oidc.py Moves cached-authenticator reuse to occur after allowed-host validation.
pymongo/asynchronous/auth_oidc.py Mirrors the sync fix by moving cached-authenticator reuse to occur after allowed-host validation.
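To make the ordering change concrete, here is an added, simplified model of the two orderings the PR description and the review discuss; it is not pymongo's own `_get_authenticator`, and the allowlist, host names and the wildcard matching rule are assumptions. `get_authenticator_before` reproduces the old order (cache lookup first), `get_authenticator_after` the fixed order (allowed-host validation first), and `cache_bypasses_allowlist` is the regression scenario: a cached authenticator obtained for an allowed host is then requested for a disallowed one.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional

class ConfigurationError(Exception):
    """Raised when the target host is not covered by the allowed-hosts list."""

@dataclass
class Authenticator:  # stand-in for the per-credential cached OIDC authenticator
    host: str

@dataclass
class Cache:
    data: Optional[Authenticator] = None

@dataclass
class Credentials:
    allowed_hosts: List[str]
    cache: Cache = field(default_factory=Cache)

def host_allowed(host: str, allowed_hosts: List[str]) -> bool:
    # Assumed matching rule: case-insensitive, and '*.example.net' covers any subdomain.
    return any(fnmatchcase(host.lower(), p.lower()) for p in allowed_hosts)

def get_authenticator_before(credentials: Credentials, host: str) -> Authenticator:
    # Buggy ordering: a cached authenticator is returned before the host is checked.
    if credentials.cache.data is not None:
        return credentials.cache.data
    if not host_allowed(host, credentials.allowed_hosts):
        raise ConfigurationError(f"{host} is not an allowed host")
    credentials.cache.data = Authenticator(host)
    return credentials.cache.data

def get_authenticator_after(credentials: Credentials, host: str) -> Authenticator:
    # Fixed ordering: validate the host first, then reuse or create the cached authenticator.
    if not host_allowed(host, credentials.allowed_hosts):
        raise ConfigurationError(f"{host} is not an allowed host")
    if credentials.cache.data is None:
        credentials.cache.data = Authenticator(host)
    return credentials.cache.data

def cache_bypasses_allowlist(get_authenticator) -> bool:
    # Regression check: warm the cache with an allowed host, then request a disallowed one.
    creds = Credentials(allowed_hosts=["*.example.net"])  # constructed allowlist
    get_authenticator(creds, "cluster0.example.net")      # allowed; populates the cache
    try:
        get_authenticator(creds, "cluster0.example.org")  # disallowed; must be rejected
    except ConfigurationError:
        return False
    return True
```

With the old ordering the disallowed host silently receives the cached authenticator; with the fixed ordering the same request raises, which is what the added regression tests assert.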
