Refactor auth filter to use temporary search pipeline

[mbklein]

Hybrid queries cannot be nested inside other queries (such as bool queries). Instead, we should use a search pipeline to add a request_processors[].filter_query processor to the query. Our dc-v2-work-pipeline already does this, limiting the search to published results with a visibility of public or institution. This PR updates the search preprocessor to respect the search pipeline (if provided), or to add one on the fly if not. This is safe to do in this context because:

• users can't create named search pipelines
• OpenSearch will error if a nonexistent search pipeline is specified

This PR also strips out any search_pipeline stanza included in the query DSL to prevent users from circumventing the built-in restrictions.

In the future, we may want to create multiple saved search pipelines to handle each of our four use cases (anonymous/institution search, superuser search, reading room search, and hybrid search) and simply update the search_pipeline query param on the way to OpenSearch. But this is our best option for now.

To test, run the API using sam local start-api and then use Postman to post some search requests.

• Use a superuser token to make sure you get private & unpublished results back
• Update your READING_ROOM_IPS server environment variable to match your own IP to make sure you get private, published works back

Remember that you may have to narrow your search or increase the size in the search DSL to make sure you're not just excluding private/unpublished due to a result size cutoff.

[kdid]

👍