Test Connection in UI sends masked password placeholder instead of stored password value #61670
Description
Apache Airflow version
Other Airflow 3 version (please specify below)
If "Other Airflow 3 version" selected, which one?
3.1.4
What happened?
When testing a saved connection via the UI "Test" button, the API endpoint /api/v2/connections/test receives *** as the literal password value instead of the actual stored password. This causes every saved connection test to fail with "Authentication failed" even though the connection works correctly when used in DAGs.
Evidence from debugging inside the API server pod:
Connection.get_connection_from_secrets('testsftp').passwordreturns the correct password (16 chars)- Direct Paramiko connection using the stored password succeeds:
"Authentication (password) successful!" - The UI Test button sends a POST to
/api/v2/connections/testwithpassword: "***"in the request payload (visible in browser DevTools) - The API returns
{status: false, message: "Authentication failed."}because it tests with the literal***string
This appears related to #52301 (literal asterisks for sensitive Extra fields), but that fix only addressed Extra fields — the password form field still sends the masked placeholder when testing.
What you think should happen instead?
The Test Connection button should either:
- Retrieve the stored password from the database for the test (when the password field still contains the masked placeholder), or
- Allow the user to clearly re-enter the password in the form before testing
Currently, the password field appears masked and the masked value is sent as the literal password, making it impossible to test saved connections without workarounds.
How to reproduce
- Create any connection with a password (e.g., SFTP with
conn_type: sftp) via the Airflow UI - Save the connection successfully
- Open the saved connection for editing
- Click "Test" without re-entering the password
- Observe in browser DevTools (Network tab -> Payload) that the POST body to
/api/v2/connections/testcontainspassword: "***" - Connection test fails with
{status: false, message: "Authentication failed."} - Meanwhile, using the same stored password directly with Paramiko from inside the pod succeeds
Operating System
Debian 12 (container: apache/airflow:3.1.4)
Versions of Apache Airflow Providers
apache-airflow-providers-sftp==5.5.0
apache-airflow-providers-ssh==4.3.1
apache-airflow-providers-microsoft-azure==12.7.1
apache-airflow-providers-cncf-kubernetes==10.6.1
apache-airflow-providers-trino==6.3.3
Deployment
Official Apache Airflow Helm Chart
Deployment details
Official Apache Airflow Helm Chart
Deployed via helm upgrade --install airflow apache-airflow/airflow with custom values. Airflow 3.1.4 using KubernetesExecutor. The connection test endpoint /api/v2/connections/test is called from the React-based Airflow UI.
Anything else?
Workaround: Test connections from inside the pod using the CLI or direct Python/Paramiko, which correctly retrieves the stored password from the database:
from airflow.models import Connection
import paramiko
conn = Connection.get_connection_from_secrets('my_conn_id')
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(conn.host, port=conn.port or 22, username=conn.login, password=conn.password, look_for_keys=False, allow_agent=False)
sftp = ssh.open_sftp()
print('Connected:', sftp.listdir('.'))Are you willing to submit PR?
- Yes I am willing to submit a PR!
Code of Conduct
- I agree to follow this project's Code of Conduct