
fix(auth): clarify token_auth_enforced semantics and add auth token revoke occ command#59569

Draft
joshtrichards wants to merge 17 commits into master from jtr/fix-token-auth-enforced

Conversation

@joshtrichards
Member

Summary

Clarify the documented behavior of token_auth_enforced and add a new occ command to revoke existing auth tokens/sessions when admins want to enforce the policy on already-authenticated users.

Changes:

  • update config/config.sample.php to clarify that token_auth_enforced:
    • blocks new client logins using the account password
    • does not automatically revoke existing sessions/tokens
    • can be paired with occ user:auth-tokens:revoke --sessions
  • add occ user:auth-tokens:revoke with mode flags:
    • --sessions: all temporary session tokens (including remembered)
    • --remembered-sessions: remembered session tokens only
    • --all-except-app-passwords: everything except permanent app passwords
    • --all: everything including app passwords
    • supports single-user and --all-users
    • supports --dry-run and --force
  • add bulk mapper helpers for efficient all-users revocation
  • add PHPUnit tests for command validation, per-user revoke behavior, and bulk path routing

Motivation:

The previous documentation suggested immediate full enforcement for all client access. In practice, token_auth_enforced is only checked in logClientIn(), so already-issued sessions/tokens are not re-checked against it. Existing TEMPORARY_TOKEN entries can therefore remain valid as long as clients keep using them, since each request refreshes last_activity and prevents age-based cleanup.

This change makes that behavior explicit and provides admins with a supported way to revoke existing auth state if they want full enforcement after enabling the setting.

Notes:

  • No change to runtime semantics of token_auth_enforced; this adds an explicit admin action instead of introducing implicit mass logout on config toggle.
  • Existing user:auth-tokens:delete is token-id/uid/date oriented. The new revoke command is policy-oriented and targets token classes directly, which fits the "enabled token_auth_enforced and need to clean up" admin workflow.
  • For --all-users in non-dry-run mode, revocation uses bulk SQL deletes instead of per-token invalidateTokenById(). This intentionally skips per-token TokenInvalidatedEvent dispatch for performance. The token cache is short-lived (TOKEN_CACHE_TTL / 10s), and similar bulk invalidation patterns already exist elsewhere in the code base (e.g. invalidateOld() and deleteTempToken() in PublicKeyTokenMapper).
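To make the two points above concrete (which token classes each revoke mode selects, and why an actively used TEMPORARY_TOKEN never falls to age-based cleanup on its own), here is an added, self-contained Python model. It is example code written for this note, not Nextcloud code and not the PR's PHP implementation; the token-type constants are assumed to mirror the TEMPORARY / PERMANENT / WIPE classes the server uses, the `remember` flag stands in for "remembered" sessions, and the sample tokens are constructed:

```python
"""Model of the revoke modes and the last_activity refresh problem.

Constructed example; not Nextcloud's code. Token type values are assumed to
mirror the server's IToken constants (temporary session, permanent app
password, wipe), the field and helper names are this example's own.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TEMPORARY_TOKEN = 0  # session token (assumed constant value)
PERMANENT_TOKEN = 1  # app password (assumed constant value)
WIPE_TOKEN = 2       # remote-wipe marker (assumed constant value)


@dataclass
class Token:
    id: int
    uid: str
    type: int
    remember: bool        # True for "remembered" sessions
    last_activity: int    # unix seconds, refreshed on every request


# One predicate per mode flag, as described in the PR summary.
MODES: Dict[str, Callable[[Token], bool]] = {
    "--sessions": lambda t: t.type == TEMPORARY_TOKEN,
    "--remembered-sessions": lambda t: t.type == TEMPORARY_TOKEN and t.remember,
    "--all-except-app-passwords": lambda t: t.type != PERMANENT_TOKEN,
    "--all": lambda t: True,
}


def select_tokens(tokens: List[Token], mode: str, uid: Optional[str] = None) -> List[Token]:
    """Return the tokens a given mode would revoke, optionally for a single user."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}; expected one of {sorted(MODES)}")
    pred = MODES[mode]
    return [t for t in tokens if pred(t) and (uid is None or t.uid == uid)]


def revoke(tokens: List[Token], mode: str, uid: Optional[str] = None,
           dry_run: bool = True) -> Tuple[List[Token], List[Token]]:
    """Return (tokens that would be / were revoked, remaining tokens).

    dry_run=True only reports; dry_run=False drops the selected tokens,
    which is the bulk-delete path the PR uses for --all-users.
    """
    selected = select_tokens(tokens, mode, uid)
    if dry_run:
        return selected, list(tokens)
    gone = {t.id for t in selected}
    return selected, [t for t in tokens if t.id not in gone]


def age_based_cleanup(tokens: List[Token], now: int, max_age: int) -> List[Token]:
    """Keep every token except TEMPORARY ones idle longer than max_age.

    Mirrors the idea behind invalidateOld(): only session tokens expire by
    age, and only if last_activity is stale.
    """
    return [t for t in tokens
            if not (t.type == TEMPORARY_TOKEN and now - t.last_activity > max_age)]


def simulate_active_client(token: Token, now: int, max_age: int, keeps_polling: bool) -> bool:
    """Does the token survive cleanup at `now`? A client that keeps polling
    refreshes last_activity on each request, so the token never ages out."""
    if keeps_polling:
        token.last_activity = now
    return token in age_based_cleanup([token], now, max_age)


def sample_tokens() -> List[Token]:
    # Constructed sample data covering every token class the modes distinguish.
    return [
        Token(1, "alice", TEMPORARY_TOKEN, remember=True, last_activity=0),
        Token(2, "alice", TEMPORARY_TOKEN, remember=False, last_activity=0),
        Token(3, "alice", PERMANENT_TOKEN, remember=False, last_activity=0),
        Token(4, "bob", TEMPORARY_TOKEN, remember=False, last_activity=0),
        Token(5, "bob", WIPE_TOKEN, remember=False, last_activity=0),
    ]


if __name__ == "__main__":
    toks = sample_tokens()
    for mode in MODES:
        print(mode, "->", [t.id for t in select_tokens(toks, mode)])
    stale = Token(9, "carol", TEMPORARY_TOKEN, remember=False, last_activity=0)
    print("idle token survives cleanup:", simulate_active_client(stale, 1000, 100, False))
    active = Token(10, "carol", TEMPORARY_TOKEN, remember=False, last_activity=0)
    print("polling client survives cleanup:", simulate_active_client(active, 1000, 100, True))
```

The model shows the gap the PR's motivation describes: `age_based_cleanup` never touches a session whose client keeps refreshing `last_activity`, so the only way to end such a session after enabling `token_auth_enforced` is an explicit revoke, which is what the `--sessions` predicate selects. It also makes the difference between `--sessions` and `--all-except-app-passwords` visible: the latter additionally removes non-session, non-app-password tokens (the wipe token in the sample).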

TODO

  • Test test test

Checklist

AI (if applicable)

  • The content of this PR was partly or fully generated using AI

… sessions/tokens

Signed-off-by: Josh <josh.t.richards@gmail.com>
Signed-off-by: Josh <josh.t.richards@gmail.com>
Particularly useful after enabling `token_auth_enforced` for existing sessions/tokens.

Signed-off-by: Josh <josh.t.richards@gmail.com>
…n `token_auth_enforced`

Signed-off-by: Josh <josh.t.richards@gmail.com>
Signed-off-by: Josh <josh.t.richards@gmail.com>
Signed-off-by: Josh <josh.t.richards@gmail.com>
Signed-off-by: Josh <josh.t.richards@gmail.com>
Signed-off-by: Josh <josh.t.richards@gmail.com>
…ific

Signed-off-by: Josh <josh.t.richards@gmail.com>
Signed-off-by: Josh <josh.t.richards@gmail.com>
Signed-off-by: Josh <josh.t.richards@gmail.com>
Signed-off-by: Josh <josh.t.richards@gmail.com>
Signed-off-by: Josh <josh.t.richards@gmail.com>
Signed-off-by: Josh <josh.t.richards@gmail.com>
@joshtrichards added the labels "2. developing" (Work in progress), "feature: authentication", "pending documentation" (This pull request needs an associated documentation update) and "enhancement" on Apr 10, 2026
Signed-off-by: Josh <josh.t.richards@gmail.com>
Signed-off-by: Josh <josh.t.richards@gmail.com>
Signed-off-by: Josh <josh.t.richards@gmail.com>

Development

Successfully merging this pull request may close these issues.

[Bug]: Some users can access webdav with their password with token_auth_enforced set
