From c61e4024610542acf51a96e84d9f300ff54d4018 Mon Sep 17 00:00:00 2001
From: Ben Irvin <ben@innerdvations.com>
Date: Thu, 18 Aug 2022 12:03:25 +0200
Subject: [PATCH] disallow updating lastUsed from api

---
 packages/core/admin/server/controllers/api-token.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/packages/core/admin/server/controllers/api-token.js b/packages/core/admin/server/controllers/api-token.js
index 3c5c5be5dc..9f82f17e75 100644
--- a/packages/core/admin/server/controllers/api-token.js
+++ b/packages/core/admin/server/controllers/api-token.js
@@ -86,6 +86,11 @@ module.exports = {
       attributes.description = trim(body.description);
     }
 
+    // Don't allow updating lastUsed time
+    if (has(attributes, 'lastUsed')) {
+      throw new ApplicationError('lastUsed cannot be updated');
+    }
+
     await validateApiTokenUpdateInput(attributes);
 
     const apiTokenExists = await apiTokenService.getById(id);