Search API Decoupled endpoints are publicly accessible without domain restrictions

Problem/Motivation

Search API Decoupled endpoints are publicly accessible without domain restrictions, making it difficult to control which websites can consume the API. This can lead to unauthorized usage, increased server load, and potential security concerns for decoupled/headless architectures.

Steps to reproduce

1. Create a Search API Decoupled endpoint
2. Note that any domain can make requests to the endpoint
3. No way to restrict access by domain/origin

Proposed resolution

Add a configurable "Allowed Domains" field to Search API endpoints that:

• Restricts access based on Origin, Referer, or Host headers
• Supports wildcard patterns (e.g., *.example.com, *-dev.pantheonsite.io)
• Automatically strips protocols from entered URLs for convenience
• Falls back to allowing all domains when left empty (backward compatible)

Patches

For 1.0.0-alpha39: allowed-domains-per-endpoint-alpha39.patch

Adds domain restriction functionality to Search API Decoupled endpoints with wildcard support (e.g., *.example.com, *-dev.pantheonsite.io) for flexible domain matching.

User interface changes

Adds a new "Allowed domains" textarea field to the endpoint configuration form with:

• Multi-line input (one domain per line)
• Wildcard support using *
• Examples in field description
• Automatic URL parsing (strips protocols)

API changes

Adds two methods to SearchApiEndpointInterface:

• getAllowedDomains(): Returns array of allowed domains
• setAllowedDomains(array $domains): Sets allowed domains

Data model changes

Adds allowed_domains property to search_api_endpoint config entity (array of strings).