PAT creation API for admins with max allowable token lifetime fails to create PATs

The PAT creation API for admins on SM (https://docs.gitlab.com/ee/api/users.html#create-a-personal-access-token) suggests optionally passing in an expires_at field to create a PAT. This works correctly both with an expires_at parameter passed in to set a shorter due date and without it, to use the default 365 day expiration. We identified that setting the Max allowable lifetime for access token option (on GitLab Ultimate SM) breaks this, and once a limit is set, a PAT cannot be created with or without passing in an expires_at.

To reproduce:

  • Enable an Ultimate licence on GitLab SM
  • Head over to Admin settings > Accounts and Limits > Max allowable lifetime for access token
  • Add in 40 days as the max limit and save
  • Try to create a PAT with or without an expires_at, e.g.:
curl --request POST --header "PRIVATE-TOKEN: REDACTED" --data "name=mytoken45"\
   --data "scopes[]=api" "http://127.0.0.1:3000/api/v4/users/1/personal_access_tokens"

Response

{"message":"Expiration date must be before 2023-12-14"}

And with an expires_at passed that is less than the max expiration setting:

curl --request POST --header "PRIVATE-TOKEN: REDACTED" --data "name=mytoken45" --data "expires_at=2023-12-11" \
   --data "scopes[]=api" "http://127.0.0.1:3000/api/v4/users/1/personal_access_tokens"

Response

{"message":"Expiration date must be before 2023-12-14"}
  • Now remove the Max allowable lifetime for access token limit; the above curls will work correctly.
Edited by Adil Farrukh