twenty
twenty copied to clipboard
twentyhq
Lost Access When Creating New User via API
Bug Description
I honestly can't say what happened exactly or how. I was playing around trying to create new users via API in order to see, if I can log in with them (by using forgot password). Not sure how it happened, but suddenly I lost (almost) all access to 20. Whenever I try to log in with my user, I get the error message "User workspace not found". But when I get all users via API, my user is still there. Using "forgot password" gets me a reset link and everything, but I still can't log in once I set a new password, getting the same error over and over again.
BTW: Creating other / new users works via the API works and I can use the PW forgotten procedure with them. But it's the same story as with my user: They get an email and can actually set a password. But they cannot log in afterwords and get the same error message.
I then figured out that my users had the same "position" (still not sure what this variable is for). And as soon as I was the only user in the workspace, things worked again.
Get workspace members API request: [ { "data": { "workspaceMembers": [ { "position": 0, "name": { "firstName": "first name", "lastName": "last name" }, "colorScheme": "System", "locale": "en", "avatarUrl": "profile-picture/original/b43ffcd8-8897-4049-a79b-8b17bec9527f.png", "userEmail": "[email protected]", "userId": "a13727a7-ae91-44dd-a7eb-1b2e19fc7f60", "timeZone": "system", "dateFormat": "SYSTEM", "timeFormat": "SYSTEM", "searchVector": "'[email protected]':3 'first name':1 'last name':2", "id": "04cea7bb-ecf2-4347-bcff-0050ddd9025f", "createdAt": "2025-06-24T08:53:19.923Z", "updatedAt": "2025-06-25T08:25:21.832Z", "deletedAt": null }, { "position": 0, "name": { "firstName": "Test", "lastName": "User" }, "colorScheme": "System", "locale": "en", "avatarUrl": "", "userEmail": "[email protected]", "userId": "cf5325e7-a0cf-4294-be8a-928ee09c0a08", "timeZone": "system", "dateFormat": "SYSTEM", "timeFormat": "SYSTEM", "searchVector": "'[email protected]':3 'test':1 'user':2", "id": "f1274b9a-230b-43c5-8cb8-61e1af6eed1d", "createdAt": "2025-06-29T15:23:20.778Z", "updatedAt": "2025-06-29T15:23:20.778Z", "deletedAt": null } ] }, "pageInfo": { "hasNextPage": false, "startCursor": "eyJpZCI6IjA0Y2VhN2JiLWVjZjItNDM0Ny1iY2ZmLTAwNTBkZGQ5MDI1ZiJ9", "endCursor": "eyJpZCI6ImYxMjc0YjlhLTIzMGItNDNjNS04Y2I4LTYxZTFhZjZlZWQxZCJ9" }, "totalCount": 2 } ]
Expected behavior
I feel that we should be able to create users via API with (accidentally) causing this kind of disruption for existing users.
Technical inputs
Here's my server log when I tried logging in with my primary user:
2025-06-29T15:37:40.739474049Z Exception Captured
2025-06-29T15:37:40.740061980Z {
2025-06-29T15:37:40.740072741Z operation: { name: 'GetCurrentUser', type: 'query' },
2025-06-29T15:37:40.740077440Z document: 'query GetCurrentUser {\n' +
2025-06-29T15:37:40.740081208Z ' currentUser {\n' +
2025-06-29T15:37:40.740095075Z ' ...UserQueryFragment\n' +
2025-06-29T15:37:40.740097500Z ' __typename\n' +
2025-06-29T15:37:40.740099704Z ' }\n' +
2025-06-29T15:37:40.740101837Z '}\n' +
2025-06-29T15:37:40.740104032Z '\n' +
2025-06-29T15:37:40.740106156Z 'fragment UserQueryFragment on User {\n' +
2025-06-29T15:37:40.740108481Z ' id\n' +
2025-06-29T15:37:40.740111136Z ' firstName\n' +
2025-06-29T15:37:40.740113370Z ' lastName\n' +
2025-06-29T15:37:40.740115504Z ' email\n' +
2025-06-29T15:37:40.740117608Z ' canAccessFullAdminPanel\n' +
2025-06-29T15:37:40.740119763Z ' canImpersonate\n' +
2025-06-29T15:37:40.740121906Z ' supportUserHash\n' +
2025-06-29T15:37:40.740123981Z ' onboardingStatus\n' +
2025-06-29T15:37:40.740126105Z ' workspaceMember {\n' +
2025-06-29T15:37:40.740128229Z ' ...WorkspaceMemberQueryFragment\n' +
2025-06-29T15:37:40.740130343Z ' __typename\n' +
2025-06-29T15:37:40.740132427Z ' }\n' +
2025-06-29T15:37:40.740134651Z ' workspaceMembers {\n' +
2025-06-29T15:37:40.740136976Z ' ...WorkspaceMemberQueryFragment\n' +
2025-06-29T15:37:40.740139081Z ' __typename\n' +
2025-06-29T15:37:40.740141175Z ' }\n' +
2025-06-29T15:37:40.740143278Z ' deletedWorkspaceMembers {\n' +
2025-06-29T15:37:40.740145402Z ' ...DeletedWorkspaceMemberQueryFragment\n' +
2025-06-29T15:37:40.740147537Z ' __typename\n' +
2025-06-29T15:37:40.740149610Z ' }\n' +
2025-06-29T15:37:40.740151714Z ' currentUserWorkspace {\n' +
2025-06-29T15:37:40.740153819Z ' settingsPermissions\n' +
2025-06-29T15:37:40.740155903Z ' objectRecordsPermissions\n' +
2025-06-29T15:37:40.740157997Z ' objectPermissions {\n' +
2025-06-29T15:37:40.740160582Z ' ...ObjectPermissionFragment\n' +
2025-06-29T15:37:40.740162686Z ' __typename\n' +
2025-06-29T15:37:40.740164850Z ' }\n' +
2025-06-29T15:37:40.740166923Z ' __typename\n' +
2025-06-29T15:37:40.740169039Z ' }\n' +
2025-06-29T15:37:40.740171123Z ' currentWorkspace {\n' +
2025-06-29T15:37:40.740173206Z ' id\n' +
2025-06-29T15:37:40.740175281Z ' displayName\n' +
2025-06-29T15:37:40.740177384Z ' logo\n' +
2025-06-29T15:37:40.740179468Z ' inviteHash\n' +
2025-06-29T15:37:40.740185110Z ' allowImpersonation\n' +
2025-06-29T15:37:40.740187284Z ' activationStatus\n' +
2025-06-29T15:37:40.740189408Z ' isPublicInviteLinkEnabled\n' +
2025-06-29T15:37:40.740191532Z ' isGoogleAuthEnabled\n' +
2025-06-29T15:37:40.740193676Z ' isMicrosoftAuthEnabled\n' +
2025-06-29T15:37:40.740195790Z ' isPasswordAuthEnabled\n' +
2025-06-29T15:37:40.740199117Z ' subdomain\n' +
2025-06-29T15:37:40.740202404Z ' hasValidEnterpriseKey\n' +
2025-06-29T15:37:40.740205579Z ' customDomain\n' +
2025-06-29T15:37:40.740209016Z ' isCustomDomainEnabled\n' +
2025-06-29T15:37:40.740213886Z ' workspaceUrls {\n' +
2025-06-29T15:37:40.740221390Z ' ...WorkspaceUrlsFragment\n' +
2025-06-29T15:37:40.740225939Z ' __typename\n' +
2025-06-29T15:37:40.740229726Z ' }\n' +
2025-06-29T15:37:40.740233514Z ' featureFlags {\n' +
2025-06-29T15:37:40.740236890Z ' key\n' +
2025-06-29T15:37:40.740240647Z ' value\n' +
2025-06-29T15:37:40.740243864Z ' __typename\n' +
2025-06-29T15:37:40.740245908Z ' }\n' +
2025-06-29T15:37:40.740247942Z ' metadataVersion\n' +
2025-06-29T15:37:40.740250005Z ' currentBillingSubscription {\n' +
2025-06-29T15:37:40.740252100Z ' id\n' +
2025-06-29T15:37:40.740254504Z ' status\n' +
2025-06-29T15:37:40.740257641Z ' interval\n' +
2025-06-29T15:37:40.740260076Z ' metadata\n' +
2025-06-29T15:37:40.740262169Z ' billingSubscriptionItems {\n' +
2025-06-29T15:37:40.740264293Z ' id\n' +
2025-06-29T15:37:40.740266347Z ' hasReachedCurrentPeriodCap\n' +
2025-06-29T15:37:40.740268481Z ' quantity\n' +
2025-06-29T15:37:40.740270566Z ' billingProduct {\n' +
2025-06-29T15:37:40.740272800Z ' name\n' +
2025-06-29T15:37:40.740275044Z ' description\n' +
2025-06-29T15:37:40.740277138Z ' metadata {\n' +
2025-06-29T15:37:40.740279313Z ' planKey\n' +
2025-06-29T15:37:40.740281397Z ' priceUsageBased\n' +
2025-06-29T15:37:40.740283490Z ' productKey\n' +
2025-06-29T15:37:40.740285595Z ' __typename\n' +
2025-06-29T15:37:40.740287690Z ' }\n' +
2025-06-29T15:37:40.740289803Z ' __typename\n' +
2025-06-29T15:37:40.740291897Z ' }\n' +
2025-06-29T15:37:40.740298439Z [
2025-06-29T15:37:40.740300725Z ' __typename\n' +
2025-06-29T15:37:40.740302919Z ' }\n' +
2025-06-29T15:37:40.740309320Z Error: User workspace not found
2025-06-29T15:37:40.740312647Z at /app/packages/twenty-server/dist/src/engine/core-modules/user/user.resolver.js:183:23
2025-06-29T15:37:40.740315193Z at Array.map (
Tried creating a new user and gave a position "2" and suddenly it happened all over again. So while this value wasn't the cause, creating new users via API somehow disrupts my existing admin user.
I asked other employees to create users and that luckily worked out fine. I also retried creating a user via Tor and that also worked. I get the impression the error is somehow related to me being logged in to Twenty when creating a user with the API.
Closing it as it's hard to replicate. Keeping an eye on Sentry in case it comes back! 👀 Thanks for the issues @inside-mo
Replicated the issue with 1.6.7 (self hosted)
Step 1 : In REST API playground, created a workspaceMember with custom First Name and Last Name.
Step 2 : Logout or open incognito browser
Step 3 : Try to login. It fails.
Step 4 : Delete the workspaceMember with restAPI
Step 5 : Log in.
Technical inputs
Same behavior / logs as @inside-mo
In database, the New User line is added in table "workspace-abcde..."."workspaceMember", with an ID and a userID. However, it doesn't appear in the "core"."user" table.
