[Bug]: App passwords fail on PasswordConfirmationRequired OCS / admin endpoints #61646

Description

@saw-jan

Bug description

Requests with an app password to admin endpoints that are annotated `#[PasswordConfirmationRequired]` fail with a `Password confirmation is required` error.

👉 The change was introduced in PR #61322

Examples:

  1. ❌ Failing request:

```
curl -XDELETE 'https://nextcloud.local/ocs/v2.php/cloud/users/alice/groups?groupid=grp1' \
-H 'OCS-APIRequest: true' \
-u demo:'mngot-jQsq9-3rqFX-i4PEL-32jiy' -vk
403
...
<status>failure</status>
<statuscode>403</statuscode>
<message>Password confirmation is required</message>
```

Source code:

```php
#[PasswordConfirmationRequired]
#[NoAdminRequired]
public function removeFromGroup(string $userId, string $groupid): DataResponse {
...
```

  2. ✔️ WebDAV endpoints work:

```
curl -XPUT 'https://nextcloud.local/remote.php/dav/files/demo/lorem.txt' \
-d 'lorem epsum' \
-u demo:'mngot-jQsq9-3rqFX-i4PEL-32jiy' -vk
201 Created
```

Open Questions:

  1. Is it the intended behavior?
  2. If yes, why do it on patch releases, as it breaks the working behavior?
  3. What are the limitations of app-password?

Steps to reproduce

  1. Create an app password
  2. Make groups sub-admin and add some users
  3. Try to remove a user from the group using the app password

Expected behavior

Expected to work as it used to in previous versions: 34.0.0, 33.0.5 and 32.0.11

Nextcloud Server version

34.0.1
33.0.6
32.0.12
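
For API clients and test suites that authenticate with app passwords, the following added example (not part of the issue and not Nextcloud code) separates the password-confirmation rejection reported above from other OCS failures, so the affected calls can be listed precisely. The `<ocs><meta>…</meta><data/></ocs>` envelope, the sample bodies and the function names are assumptions; only the message text, the 403 status and the `status`/`statuscode`/`message` elements come from the issue.

```python
import xml.etree.ElementTree as ET

# Message text copied from the failing response quoted in the issue.
CONFIRMATION_MESSAGE = "Password confirmation is required"

# Constructed sample bodies. The <ocs><meta>...</meta><data/></ocs> envelope is
# an assumption: the issue elides everything before the <status> element.
SAMPLE_CONFIRMATION = (
    "<ocs><meta><status>failure</status><statuscode>403</statuscode>"
    "<message>Password confirmation is required</message></meta><data/></ocs>"
)
SAMPLE_OTHER_403 = (
    "<ocs><meta><status>failure</status><statuscode>403</statuscode>"
    "<message>Constructed unrelated denial</message></meta><data/></ocs>"
)
SAMPLE_OK = (
    "<ocs><meta><status>ok</status><statuscode>200</statuscode>"
    "<message>OK</message></meta><data/></ocs>"
)


def classify_ocs_response(http_status, body):
    """Return 'ok', 'password-confirmation', 'other-failure' or 'unparseable'."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unparseable"  # e.g. an HTML error page from a proxy
    meta = root.find("meta")
    if meta is None:
        return "unparseable"
    status = (meta.findtext("status") or "").strip().lower()
    code = (meta.findtext("statuscode") or "").strip()
    message = (meta.findtext("message") or "").strip()
    if 200 <= http_status < 300 and status == "ok":
        return "ok"
    if http_status == 403 and code == "403" and message == CONFIRMATION_MESSAGE:
        return "password-confirmation"
    return "other-failure"


def affected_calls(captures):
    """From (label, http_status, body) tuples, list labels hit by the rejection."""
    return [label for label, http_status, body in captures
            if classify_ocs_response(http_status, body) == "password-confirmation"]
```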
