api: Add support for Private Network Access header preflight requests

[nullun]

Summary

During development of Algorand smart contracts and platforms users will often run local environments consisting of algod, kmd, and indexer via sandbox or more recently algokit. By default all of these services are running on local/private network addresses (e.g. 127.0.0.1), however popular tools such as DappFlow and Lora are hosted on public network addresses and require the user to specify their local endpoints. Additionally some dapps allow their users to provide their own endpoints for a more decentralised experience.

Schedule for Google Chrome 130 (although many users are already experiencing it), PNA protections will be enabled by default, disallowing public websites from making requests to local/private resources without a specific header response during a preflight request. This PR introduces a new configuration option that will add middleware to the API handler to support responding to the Private Network Access request header.

Test Plan

I've currently just compiled this branch locally and tested it by changing the indexer.yml config and passing the command line flag.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 69.44%. Comparing base (249016c) to head (1aa69a6).
Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1620      +/-   ##
==========================================
+ Coverage   69.39%   69.44%   +0.04%     
==========================================
  Files          37       38       +1     
  Lines        7375     7386      +11     
==========================================
+ Hits         5118     5129      +11     
  Misses       1839     1839              
  Partials      418      418              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[cce]

I know this is a small change — but in general, it would be nice to have tests and test coverage for new features, which the codecov linter is calling out as 0% test coverage for this PR. The codecov linter doesn't block merge, but if you wanted to improve that statistic, there are some examples of HTTP server tests in indexer/api/handlers_e2e_test.go you could follow, or directly in the middleware package (like in indexer/api/middlewares/migration_middleware_test.go).

Basically, following TDD and writing Go unit tests for both this and the matching PNA algod PR would help improve coverage and quickly prove to the reviewer that new features are generally hooked up & plumbed through correctly.

[nullun]

I rebased on the latest main, as the removal of rewind (changing DeveloperMode) had caused some conflicts.

[gmalouf]

Thanks for the work on this @nullun