I'm going to drop the thing about tokens not being able to create other tokens too - I'm not actually convinced that's a good requirement, so I'm going to leave that up to users of this plugin to decide on or not.
("Token authentication cannot be used to create additional tokens")
I think it was out of fear that someone could steal a token and then use that token to create more tokens, making it harder to lock the attacker out of the system.
But... those extra tokens created by the attacker would still be visible in the admin UI, so the admin can still revoke those as well.
There's also a strong argument for allowing tokens to create other tokens - the pattern where you create a single root token, but then have that token create restricted-access tokens on demand for other purposes.
I'm going to remove this rule from the core datasette-auth-tokens code, but since the auth-tokens-create permission is managed by Datasette permissions end users still have the option to re-introduce that rule if they want to via another plugin.
Originally posted by @simonw in #24 (comment)
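One way to re-introduce the dropped rule from outside the core plugin, as the comment suggests, is a small Datasette plugin that vetoes the `auth-tokens-create` action whenever the requesting actor was itself authenticated by a token. The code below is an added example, not code from datasette-auth-tokens or its author. It assumes that token-authenticated requests carry a `token` key in the actor dictionary (check how the installed version of the plugin builds its actors) and that the action name is the `auth-tokens-create` permission named in the comment; the `hookimpl` fallback exists only so the policy can be unit-tested without Datasette installed.

```python
# Added example (not part of datasette-auth-tokens): a policy plugin that
# denies token-authenticated actors the auth-tokens-create permission.
#
# Assumptions, to be checked against your installed versions:
#   * actors produced by token authentication contain a truthy "token" key
#   * the permission for minting tokens is the action "auth-tokens-create"
try:
    from datasette import hookimpl
except ImportError:  # allow the pure policy below to be tested without Datasette
    def hookimpl(func):
        return func

TOKEN_CREATE_ACTION = "auth-tokens-create"


def actor_is_token_authenticated(actor):
    """True when the actor dict looks like it came from token auth (assumed marker key)."""
    return isinstance(actor, dict) and bool(actor.get("token"))


def decide(actor, action):
    """Core policy, free of Datasette types so it is easy to test.

    Returns False to deny the action and None to express no opinion, which
    leaves the decision to other plugins and to Datasette's defaults.  The
    plugin never returns True: it only removes a capability, never grants one.
    """
    if action != TOKEN_CREATE_ACTION:
        return None
    if actor_is_token_authenticated(actor):
        return False
    return None


@hookimpl
def permission_allowed(datasette, actor, action, resource):
    # Datasette's permission_allowed plugin hook; the framework passes the
    # actor and the action name, and a False return denies the action.
    return decide(actor, action)
```

A token created by an administrator who signed in through a normal login still passes through untouched (the hook returns None), so the "single root token mints restricted tokens" pattern would be blocked by this policy, which is exactly the trade-off the comment leaves to each deployment. If several plugins answer the same permission check, confirm the precedence rules documented for the Datasette version in use.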