NocoDB OAuth PKCE race condition fix
Fixed a race condition in OAuth token exchange where two concurrent requests using the same authorization code could each mint a distinct valid (access_token, refresh_token) pair, breaking the single-use guarantee that PKCE relies on.
What changed
Two concurrent token-exchange requests presenting the same authorization code could each mint a distinct valid (access_token, refresh_token) pair, because checking the code and marking it used were not a single atomic step; this broke the single-use guarantee that PKCE relies on. The fix introduces an atomic compare-and-swap in OAuthAuthorizationCode.claimByCode that marks the code as used immediately before token insertion, so only the first concurrent caller succeeds and every other caller presenting the same code is rejected.
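To show why the check-then-act sequence loses the race and why a compare-and-swap closes it, here is an added TypeScript example that is not NocoDB's code; the in-memory CodeStore, its claimByCode method, mintTokens and the two exchange functions are hypothetical stand-ins for the real database-backed implementation.

```typescript
// Hypothetical in-memory stand-in for the authorization-code table (constructed for this example).
type CodeRow = { code: string; usedAt: number | null };

class CodeStore {
  private rows = new Map<string, CodeRow>();
  constructor(codes: string[]) {
    for (const c of codes) this.rows.set(c, { code: c, usedAt: null });
  }
  // Simulated async SELECT: yields to the event loop like a real DB round trip.
  async get(code: string): Promise<CodeRow | undefined> {
    await Promise.resolve();
    return this.rows.get(code);
  }
  // Simulated unconditional UPDATE ... SET used_at = now WHERE code = ?
  async markUsed(code: string): Promise<void> {
    await Promise.resolve();
    const r = this.rows.get(code);
    if (r) r.usedAt = Date.now();
  }
  // Compare-and-swap: UPDATE ... SET used_at = now WHERE code = ? AND used_at IS NULL,
  // returning whether a row was affected. One statement, so nothing interleaves with it.
  async claimByCode(code: string): Promise<boolean> {
    await Promise.resolve();
    const r = this.rows.get(code);
    if (!r || r.usedAt !== null) return false;
    r.usedAt = Date.now();
    return true;
  }
}

let tokenSeq = 0;
const mintTokens = () => ({ access_token: `at-${++tokenSeq}`, refresh_token: `rt-${tokenSeq}` });

// Racy: the await between the "is it unused?" check and the update lets a second caller slip in.
async function exchangeRacy(store: CodeStore, code: string) {
  const row = await store.get(code);
  if (!row || row.usedAt !== null) return null;
  await store.markUsed(code);
  return mintTokens();
}

// Fixed: the claim *is* the check; only the caller whose CAS succeeds mints tokens.
async function exchangeFixed(store: CodeStore, code: string) {
  if (!(await store.claimByCode(code))) return null;
  return mintTokens();
}

// Runs two concurrent exchanges of the same code and returns how many token pairs were minted.
async function countMinted(exchange: (s: CodeStore, c: string) => Promise<unknown>): Promise<number> {
  const store = new CodeStore(['CODE-1']);
  const results = await Promise.all([exchange(store, 'CODE-1'), exchange(store, 'CODE-1')]);
  return results.filter(Boolean).length;
}
```

With the racy exchange both callers read the code as unused before either marks it, so countMinted reports 2; with the compare-and-swap it reports 1.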
Who it affects
Applications using NocoDB's OAuth flow with PKCE, particularly those where an attacker could observe an authorization code and PKCE verifier (e.g., via a malicious OAuth-aware client or by racing a real exchange).
What to do today
Update NocoDB to the latest version that includes this fix to prevent potential token theft.