Reject OPTIONS requests with a body

[albertzaharovits]

Instead of not authN and letting them through, this PR rejects OPTIONS requests with a body (400).

Relates #95112

[albertzaharovits]

To reviewers:
I struggled a bit more than expected with this one PR.
The reasons are:

• OPTIONS requests without a body that go through unauthenticated, must still have the thread-context populated with the request headers, like regular requests have (not really important, but nice to have for tracing purposes....)
• I wanted to have the logic that denies OPTIONS request with a body and the logic that lets OPTIONS request without a body through unauthenticated, close to each other.
• Testing OPTIONS requests with a body is not possible in an IT because the apache http lib (that our rest client uses internally) doesn't allow it (but HTTP allows it and curl can issue those).

So it's funkier than I expected.

[elasticsearchmachine]

Pinging @elastic/es-security (Team:Security)

[elasticsearchmachine]

Pinging @elastic/es-distributed (Team:Distributed)

[jakelandis]

LGTM.

I originally thought this might be a breaking change but now I am pretty sure it is not breaking in a way anyone would ever notice. I spent some time understanding CORS preflight requests (the primary workflow for unauthenticated OPTIONS call) and since the Browser typically makes that call and there is no reason for it send a body we can be pretty confident they don't. Similarly, JS library don't really have a reason to make the preflight call but if they do I could not find any evidence to why they might include a body.

[Tim-Brooks]

LGTM

[Tim-Brooks]

Browser typically makes that call and there is no reason for it send a body we can be pretty confident they don't

Also the RFC does not allow for bodies in OPTION requests. Most server implementations would already be rejecting this.