Description
When checking the timeout for certain admin actions like creating a user or adding an app, it seems that NextCloud compares the last authentication time on the server against the client's current time. If the server and client clocks are not synchronized and are off by more than the timeout, it is impossible to authenticate because the server always sees the new authentication as happening too long ago already. Of course, it is good practice to keep clocks synchronized anyway, but NextCloud should compare two times on the server, not one on the server and one on the client. Otherwise, the timeout could be bypassed by someone setting the client's clock back.
If you need more information, see #2734 which I created for this problem. It was opened with a generic title about password authentication and then closed with a fix for an LDAP problem that was identified, but this is a separate password authentication problem from that.
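An added illustration of the comparison the report describes, written for this page and not taken from Nextcloud's code: the flawed form takes the "now" value from the client, the hardened form reads both timestamps from the server clock. The function names, the timeout value and the timestamps are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Window within which a recent password confirmation is accepted for sensitive
# admin actions. Constructed placeholder, not Nextcloud's actual setting.
REAUTH_TIMEOUT = 30 * 60


@dataclass
class Session:
    # Unix timestamp recorded by the server when the user last confirmed the password.
    last_password_confirm: int


def weak_check(session: Session, client_now: int, timeout: int = REAUTH_TIMEOUT) -> bool:
    """Flawed form from the report: a server-recorded timestamp is compared against
    a 'now' that the client reports. Clock skew is misread as elapsed time, or as
    time that never elapsed, depending on its direction."""
    return client_now - session.last_password_confirm <= timeout


def server_side_check(session: Session, timeout: int = REAUTH_TIMEOUT,
                      server_now: Optional[int] = None) -> bool:
    """Hardened form: both timestamps come from the server clock, so the client
    has no influence on the elapsed-time computation."""
    now = int(time.time()) if server_now is None else server_now
    elapsed = now - session.last_password_confirm
    return 0 <= elapsed <= timeout  # a negative elapsed time is rejected too


def scenarios() -> dict:
    """Constructed scenarios showing both failure modes named in the report."""
    server_now = 1_700_000_000
    skew = 2 * 60 * 60  # client clock off by two hours, well past the timeout

    # Fresh confirmation, client clock ahead: weak check sees a 2 h old
    # confirmation and locks the admin out (the lockout in the report).
    fresh = Session(last_password_confirm=server_now)
    # Stale confirmation (1 h old), client clock behind: weak check computes a
    # negative elapsed time and accepts what should have expired.
    stale = Session(last_password_confirm=server_now - 60 * 60)

    return {
        "weak_fresh_client_ahead": weak_check(fresh, server_now + skew),
        "weak_stale_client_behind": weak_check(stale, server_now - skew),
        "server_fresh": server_side_check(fresh, server_now=server_now),
        "server_stale": server_side_check(stale, server_now=server_now),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```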