@TheodorNEngoy
Auth routes currently wrap several OAuth endpoints with Starlette CORSMiddleware using wildcard origins (metadata, token, client registration, revocation; and cors_middleware() is also used by the simple-auth example for introspection).

This PR makes the default safer for network-exposed auth servers while keeping browser-based local tooling working:

  • cors_middleware() now uses allow_origin_regex with a loopback-only default (localhost/127.0.0.1/[::1], any port), instead of wildcard origins.
  • Adds cors_origin_regex plumbing:
    • create_auth_routes(..., cors_origin_regex=...)
    • AuthSettings.cors_origin_regex (optional)
    • passes through from both MCPServer and lowlevel Server.
  • Adds integration tests asserting loopback origins are allowed and arbitrary origins are not.

Rationale: avoids the common wildcard-CORS footgun for auth endpoints; non-browser clients are unaffected (no Origin header). If you do want a remote browser client, set cors_origin_regex explicitly (e.g. ^https://your-ui\.example\.com$).
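To make the rationale above concrete, here is an added example (not code from the PR or from the MCP SDK) that reproduces the origin check Starlette's CORSMiddleware performs, using only the standard library so it runs without Starlette installed. The loopback pattern `LOOPBACK_ORIGIN_REGEX` is an assumption about what the PR's default looks like, not the PR's exact regex; it shows why the wildcard default is a footgun, why clients that send no `Origin` header are unaffected, and the caveat that setting `cors_origin_regex` explicitly replaces the loopback default rather than extending it.

```python
import re
from typing import Mapping, Optional, Sequence

# Assumed loopback-only default: localhost, 127.0.0.1 or [::1] on any port,
# http or https, anchored at both ends so "localhost.evil.example" cannot match.
LOOPBACK_ORIGIN_REGEX = r"^https?://(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$"


def origin_allowed(
    origin: str,
    allow_origin_regex: Optional[str] = LOOPBACK_ORIGIN_REGEX,
    allow_origins: Sequence[str] = (),
) -> bool:
    """Mirror CORSMiddleware's decision: allowed if listed explicitly, if "*" is
    listed, or if the whole Origin value matches allow_origin_regex."""
    if "*" in allow_origins or origin in allow_origins:
        return True
    if allow_origin_regex is not None and re.compile(allow_origin_regex).fullmatch(origin):
        return True
    return False


def cors_response_headers(
    request_headers: Mapping[str, str],
    allow_origin_regex: Optional[str] = LOOPBACK_ORIGIN_REGEX,
    allow_origins: Sequence[str] = (),
) -> dict:
    """Compute the CORS headers an auth endpoint would add to its response.

    Header names are expected lower-cased, as ASGI delivers them. Returns {}
    when the request carries no Origin header (curl, SDK clients) or when the
    origin is rejected; in both cases the response body is still served, the
    browser simply refuses to hand it to the page.
    """
    origin = request_headers.get("origin")
    if origin is None:
        return {}
    if "*" in allow_origins:
        # Wildcard: any site on the internet may read the token/metadata response.
        return {"access-control-allow-origin": "*"}
    if not origin_allowed(origin, allow_origin_regex, allow_origins):
        return {}
    # Echo the matched origin and mark the response as varying on it.
    return {"access-control-allow-origin": origin, "vary": "Origin"}


if __name__ == "__main__":
    # Constructed sample Origin values, not captured traffic.
    for origin in (
        "http://localhost:5173",
        "http://127.0.0.1:8000",
        "http://[::1]:3000",
        "https://evil.example",
        "http://localhost.evil.example",
    ):
        print(f"{origin:35} loopback default -> {origin_allowed(origin)}")

    # The wildcard footgun: every origin is accepted.
    print("wildcard:", cors_response_headers({"origin": "https://evil.example"}, allow_origins=("*",)))

    # Explicit remote UI: the override replaces the loopback default.
    ui_only = r"^https://your-ui\.example\.com$"
    print("remote UI allowed:", origin_allowed("https://your-ui.example.com", ui_only))
    print("loopback after override:", origin_allowed("http://localhost:5173", ui_only))
```

Note that once `cors_origin_regex` is set, the loopback hosts no longer match unless the pattern includes them (for example `^(https://your-ui\.example\.com|http://localhost(:\d+)?)$`), which is worth checking with a preflight request before deploying.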

@maxisbey (Contributor)

Closing — no linked issue. Per our contributing guidelines, please open an issue first and wait for maintainer feedback before submitting PRs.

@maxisbey maxisbey closed this Feb 10, 2026