New AppPassword can be generated without password confirmation
High
Nextcloud
Team Summary
Official summary from Nextcloud
Security advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j4qm-5q5x-54m5
Reported by
mikaelgundersen
Vulnerability Details
Technical details and impact analysis
There is protection at https://github.com/nextcloud/server/blob/master/apps/settings/lib/Controller/AuthSettingsController.php#L122 that requires you to have recently entered your password to be able to generate a new AppPassword. However, if an attacker were to obtain access to your system (say you forgot to lock it when taking a quick bathroom break), they can abuse a route to just obtain this:

```
https://SERVER/ocs/v2.php/core/getapppassword
```

Probably without you ever noticing.
## Impact
The password confirmation to generate an app password is effectively useless as it is trivial to bypass.
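The report's point is that the same sensitive action (minting an app password) is guarded by a recent-password check on one route and not on another. A defender-side way to notice that kind of inconsistency is to correlate audit events: every app-password creation should be preceded by a password confirmation for the same user within a short window, whichever route produced it. The script below is an added example and is not Nextcloud's code; the audit-line format, the event names `password_confirmed` / `app_password_created`, the route strings and the 30-minute window are all constructed for the example.

```python
"""Audit check for app-password creations that lack a recent password confirmation.

Added example, not Nextcloud's code. It models the control described in the
report: generating an app password should only be allowed shortly after the
user re-entered their password. The log format below is constructed for the
example; a real deployment would map its own audit events onto these fields.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# How long a password confirmation counts as "recent" (assumed value).
CONFIRMATION_WINDOW = timedelta(minutes=30)

# Constructed sample audit lines: "<ISO timestamp> <user> <event> <route>"
SAMPLE_LOG = """\
2024-01-10T09:00:00 alice password_confirmed /settings/user/security
2024-01-10T09:05:00 alice app_password_created /settings/personal/authtokens
2024-01-10T12:30:00 alice app_password_created /ocs/v2.php/core/getapppassword
2024-01-10T13:00:00 bob app_password_created /ocs/v2.php/core/getapppassword
2024-01-10T13:10:00 bob password_confirmed /settings/user/security
2024-01-10T13:12:00 bob app_password_created /settings/personal/authtokens
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    event: str
    route: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed whitespace-separated audit format, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, route = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, event, route))
    # Correlation below relies on time order, so sort defensively.
    return sorted(events, key=lambda e: e.ts)


def find_unconfirmed_creations(events: list[Event], window: timedelta = CONFIRMATION_WINDOW) -> list[Event]:
    """Return app_password_created events with no password_confirmed for the
    same user within `window` before them. Events must be time-sorted."""
    last_confirm: dict[str, datetime] = {}
    findings = []
    for e in events:
        if e.event == "password_confirmed":
            last_confirm[e.user] = e.ts
        elif e.event == "app_password_created":
            confirmed_at = last_confirm.get(e.user)
            if confirmed_at is None or e.ts - confirmed_at > window:
                findings.append(e)
    return findings


def unguarded_routes(events: list[Event], window: timedelta = CONFIRMATION_WINDOW) -> list[str]:
    """Routes that produced at least one unconfirmed creation. A route that shows
    up here is a candidate for missing the same guard the settings page enforces."""
    return sorted({e.route for e in find_unconfirmed_creations(events, window)})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_unconfirmed_creations(evs):
        print(f"{f.ts.isoformat()} {f.user}: app password created via {f.route} "
              "without a recent password confirmation")
    print("routes to review:", unguarded_routes(evs))
```

On the constructed input, alice's 09:05 creation and bob's 13:12 creation pass (confirmed 5 and 2 minutes earlier), while alice's 12:30 and bob's 13:00 creations are flagged, and the only route they share is the OCS one, which is exactly the kind of signal that would have pointed at the inconsistent guard before anyone read the controller source.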
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$250.00
Weakness
Improper Access Control - Generic