get() returned more than one User

[DesertCookie]

Describe the bug
Creating a new user causes two users with this same ID to be created in the database, then causing errors whenever trying to access them. See reproduction.

Upon clicking into a user this error is logged in the browser:

UserForm.ts:42 GET https://auth.turningheadsfilme.de/api/v3/core/users/62/ 500 (Internal Server Error)
runtime.js:159  Uncaught (in promise) ResponseError: Response returned an error code
    at so.<anonymous> (runtime.js:159:19)
    at Generator.next (<anonymous>)
    at s (runtime.js:17:58)

The server logs show this:

{"action": "system_exception", "auth_via": "session", "client_ip": "79.254.12.100", "context": {"asn": {"as_org": "Deutsche Telekom AG", "asn": 3320, "network": "79.224.0.0/11"}, "geo": {"city": "Dresden", "continent": "EU", "country": "DE", "lat": 51.0289, "long": 13.8222}, "http_request": {"args": {}, "method": "GET", "path": "/api/v3/core/users/62/", "request_id": "d7261df5ca364e30b58896a7d6aba34f", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"}, "message": "Traceback (most recent call last):\n  File \"/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py\", line 518, in thread_handler\n    raise exc_info[1]\n  File \"/ak-root/venv/lib/python3.12/site-packages/django/core/handlers/base.py\", line 253, in _get_response_async\n    response = await wrapped_callback(\n               ^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py\", line 468, in __call__\n    ret = await asyncio.shield(exec_coro)\n          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/ak-root/venv/lib/python3.12/site-packages/asgiref/current_thread_executor.py\", line 40, in run\n    result = self.fn(*self.args, **self.kwargs)\n             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py\", line 522, in thread_handler\n    return func(*args, **kwargs)\n           ^^^^^^^^^^^^^^^^^^^^^\n  File \"/ak-root/venv/lib/python3.12/site-packages/sentry_sdk/integrations/django/views.py\", line 94, in sentry_wrapped_callback\n    return callback(request, *args, **kwargs)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/ak-root/venv/lib/python3.12/site-packages/django/views/decorators/csrf.py\", line 65, in _view_wrapper\n    return view_func(request, *args, **kwargs)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/ak-root/venv/lib/python3.12/site-packages/rest_framework/viewsets.py\", line 125, in view\n    return self.dispatch(request, *args, **kwargs)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/ak-root/venv/lib/python3.12/site-packages/rest_framework/views.py\", line 509, in dispatch\n    response = self.handle_exception(exc)\n               ^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/ak-root/venv/lib/python3.12/site-packages/rest_framework/views.py\", line 469, in handle_exception\n    self.raise_uncaught_exception(exc)\n  File \"/ak-root/venv/lib/python3.12/site-packages/rest_framework/views.py\", line 480, in raise_uncaught_exception\n    raise exc\n  File \"/ak-root/venv/lib/python3.12/site-packages/rest_framework/views.py\", line 506, in dispatch\n    response = handler(request, *args, **kwargs)\n               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/ak-root/venv/lib/python3.12/site-packages/rest_framework/mixins.py\", line 54, in retrieve\n    instance = self.get_object()\n               ^^^^^^^^^^^^^^^^^\n  File \"/ak-root/venv/lib/python3.12/site-packages/rest_framework/generics.py\", line 96, in get_object\n    obj = get_object_or_404(queryset, **filter_kwargs)\n          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/ak-root/venv/lib/python3.12/site-packages/rest_framework/generics.py\", line 19, in get_object_or_404\n    return _get_object_or_404(queryset, *filter_args, **filter_kwargs)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/ak-root/venv/lib/python3.12/site-packages/django/shortcuts.py\", line 86, in get_object_or_404\n    return queryset.get(*args, **kwargs)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/ak-root/venv/lib/python3.12/site-packages/django/db/models/query.py\", line 652, in get\n    raise self.model.MultipleObjectsReturned(\nauthentik.core.models.MultipleObjectsReturned: get() returned more than one User -- it returned 2!"}, "domain_url": "auth.turningheadsfilme.de", "event": "Created Event", "host": "auth.turningheadsfilme.de", "level": "info", "logger": "authentik.events.models", "pid": 56, "request_id": "d7261df5ca364e30b58896a7d6aba34f", "schema_name": "public", "timestamp": "2025-01-05T08:51:14.034772", "user": {"email": "", "pk": 6, "username": "akadmin"}}
// authentik.core.models.MultipleObjectsReturned: get() returned more than one User -- it returned 2!

I restored to a backup from two days ago (when I last created two users that worked) to see if this would still happen and it did. Furthermore, I had to do so to get rid of the broken user as deleting it does not work:

UserListPage.ts:188 DELETE https://auth.turningheadsfilme.de/api/v3/core/users/62/ 405 (Method Not Allowed)

I became aware of this issue due to this last user telling me he got an error upon visiting the page from the email he got sent by Authentik when I created his account.

I then tested by creating test user which worked correctly. It seems it's always this user with ID 62 that fails. I'd simply recreate this specific user, but since it's username and email are now is taken, I can't.

To Reproduce

1. Create a new user. I gave it username, name, email, and a custom path of users/myorg.
2. Click Create. A unauthorized error will be shown in the browser console. Upon reloading the page the user will exist in the list, though.
3. Attempt to edit, impersonate, or click into the user and the page will endlessly load and display above's errors.

Expected behavior
A user should be created without errors and be able to set his password. Furthermore, the admin should be able to edit this account.

Screenshots

My user's perspective. The connection issue (top right) was an Nginx Proxy Manager misconfiguration. I removed that since, but the application had worked without issues for months with it and I don't think it contributed to the issue, as the reproduction on my end after I restored from backup showed the same behavior.

Version and Deployment (please complete the following information):

• authentik version: 2024.12.1
• Deployment: Docker in unRAID

Additional context

• Nginx Proxy Manager on local machine
• Cloudflare as DNS (without tunnel or proxy)

[DesertCookie]

I just noticed I get

fetch.ts:51  POST https://authentik.error-reporting.a7k.io/api/4504163677503489/envelope/?sentry_key=151ba72610234c4c97c5bcff4e1cffd8&sentry_version=7&sentry_client=sentry.javascript.browser%2F8.33.1 net::ERR_BLOCKED_BY_CLIENT

in Edge when attempting to load the users list page. This doesn't happen in Firefox.

My first attempt to create the user was in a Firefox private window, while the second one was in Edge. Both created the broken user with double-ID 62.