[7153 + 7166] Follow Ups: 500 error when setting npm configuration file or Node Catalogues entry on remote instance + Cannot set environment variables from settings page in immersive mode

[n-lark]

Description

Fixes #7153 & #7166

✅ All tests passed!

• 7153 hosted env-var save (regression case): hosted instance whose stored settings have no env key (fresh instance, or one whose env was never persisted) → Settings → Environment → add a hidden: true env var with empty value → Save. Returns 200 (used to 500 with Cannot read properties of undefined (reading 'find')).
• 7153 happy path (no-regression): instance with existing env vars → add/edit/save normal env vars. Behavior unchanged (existing values preserved, hidden-empty entries still merge in previous values).
• 7166 npmrc / Node Catalogues save (regression case): remote instance with an existing security.httpNodeAuth or localAuth block → Settings → Palette → save npmrc or Node Catalogues changes (do not set a new password). Returns 200 (used to 500 with the bcrypt data must be a string or Buffer… error).
• 7166 set new password (no-regression): remote instance Security settings → enter a new httpNodeAuth or localAuth password → Save. Password is hashed and stored as before.
• 7166 unchanged-password save (no-regression): remote instance Security settings → save without touching the password field. Existing hashed pass preserved (not re-hashed, not cleared).

Related Issue(s)

Resolves #7153
Resolves #7166

Checklist

• I have read the contribution guidelines
• Suitable unit/system level tests have been added and they pass
• Documentation has been updated
  • Upgrade instructions
  • Configuration details
  • Concepts
• Changes flowforge.yml?
  • Issue/PR raised on FlowFuse/helm to update ConfigMap Template
  • Issue/PR raised on FlowFuse/CloudProject to update values for Staging/Production
• Link to Changelog Entry PR, or note why one is not needed.

Labels

• Includes a DB migration? -> add the area:migration label

[codecov]

Codecov Report

❌ Patch coverage is 66.66667% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 76.58%. Comparing base (8fabb21) to head (0679c24).

Files with missing lines	Patch %	Lines
forge/routes/api/project.js	0.00%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7173   +/-   ##
=======================================
  Coverage   76.58%   76.58%           
=======================================
  Files         405      405           
  Lines       20580    20580           
  Branches     4974     4974           
=======================================
  Hits        15762    15762           
  Misses       4818     4818           

Flag	Coverage Δ
backend	76.58% <66.66%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[hardillb]

Hi I fixed #7166 in #7175 on the client side, sorry should have tagged you and not just thrown it at @cstns

[n-lark]

Hey @hardillb lmk if we think I should remove my change - I think its fine to leave as is:

// forge/routes/api/device.js

if (typeof request.body.security.httpNodeAuth.pass !== 'string' || !request.body.security.httpNodeAuth.pass) {
// No new password provided (or non-string round-tripped from existing settings) — preserve current value