web/admin: allow users to create app password tokens

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/core/api/tokens.py

@@ -2,6 +2,7 @@
 from django.http.response import Http404
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -22,6 +23,12 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
 
     user = UserSerializer(required=False)
 
+    def validate_intent(self, value: str) -> str:
+        """Ensure only API or App password tokens are created."""
+        if value not in [TokenIntents.INTENT_API, TokenIntents.INTENT_APP_PASSWORD]:
+            raise ValidationError(f"Invalid intent {value}")
+        return value
+
     class Meta:
 
         model = Token
@@ -69,7 +76,6 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
     def perform_create(self, serializer: TokenSerializer):
         serializer.save(
             user=self.request.user,
-            intent=TokenIntents.INTENT_API,
             expiring=self.request.user.attributes.get(USER_ATTRIBUTE_TOKEN_EXPIRING, True),
         )