Allow (scoped) token creation through the API

[LawnGnome]

Related to #5443, although not covered in there. This is from a thread on /r/rust last week, which I'll quote the pertinent bits of from /u/protestor:

My use case is to have a .toml config with the exact scope & affected crates for each token, so that the tokens can be re-generated when any of this change

something like

[serde] # token name
scope = "publish-update"
crates = ["serde", "serde-*"]

Both for self documentation (rather than checking the web UI to see if a token grants access to some crate or not), and to make it easier to update tokens

Since this config file doesn't actually contain any secrets, it can live in public github repos and be updated as part of PRs that create new crates, etc (rather than manually updating the token in the web UI after merging a PR that creates a new crate)

I don't think there's any real reason to require tokens to be created through the UI only, provided the API token used for token management has the right scope itself (probably a new one: user or user-token spring to mind as possible names?).

@Turbo87 Did you have a specific reason in mind for not allowing this? If not, I'm happy to convert this to an issue and take it on.

[Turbo87]

I don't remember exactly, but the RFC explicitly argued against that or did not mention it. I think in our code we currently have checks too that explicitly disable token auth for token creation.

We might want to check with some security-minded folks on what they think about the proposal or potentially even make such a change an RFC.

Before we add anything more to the current scopes I'd prefer to finish the beta testing period though and make the current scopes available to all users.