3.1 environment credentials always return __PWRD__ placeholder

[sarrala]

Current Behavior

Upgraded from 3.0.2 to 3.1.0.

• Projects feature is enabled.
• editorTheme.header.title added with some info text
• apiMaxLength: '32mb'
• other than that default configuration with some extra nodes installed.
• Running nodered/node-red:latest Docker image.

Tried to add environment credentials like this:

And then use it like this:

[{"id":"5fc48ad328d81f1b","type":"inject","z":"d005e303e68c6631","name":"","props":[{"p":"payload"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"","payload":"SOMETHING","payloadType":"env","x":790,"y":600,"wires":[["d38f2ec5e2d6f967"]]},{"id":"d38f2ec5e2d6f967","type":"debug","z":"d005e303e68c6631","name":"debug","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"payload","targetType":"msg","statusVal":"","statusType":"auto","x":950,"y":600,"wires":[]}]

This always results in string __PWRD__ which AFAIK is placeholder for credentials, doesn't seem to be actually reading credentials at all but just returns placeholder.

Expected Behavior

Env variable should return qwerty instead of __PWRD__.

Steps To Reproduce

Route I took to hit this issue:

1. Have projects enabled on 3.0.2 (I'd assume using projects might affect outcome).
2. Upgrade to 3.1
3. Add some credentials to global environment.
4. Try to use those credentials.

Example flow

No response

Environment

• Node-RED version: v3.1.0
• Node.js version: v16.20.2 (comes with official Docker image)
• npm version: 8.19.4 (comes with official Docker image)
• Platform/OS: Docker nodered/node-red:latest on debian host.
• Browser: Chrome 118

[dceejay]

This is working as designed. Credentials are never returned to the browser client. They are read correctly on the server side.

[sarrala]

This is working as designed. Credentials are never returned to the browser client. They are read correctly on the server side.

AFAIK described use case is not client side but server side unless inject and debug nodes nowdays get executed on browser.

If you like I can add another example that does not use inject or debug nodes for testing?

[sarrala]

So here's another case that should be simple enough to understand and is 100% guaranteed to be server side:

Environment:

Flow as a screenshot:

Change node configuration:

Flow as a JSON (click to show):

[
    {
        "id": "f297cdd440c6cb1b",
        "type": "http in",
        "z": "d005e303e68c6631",
        "name": "",
        "url": "get-creds",
        "method": "get",
        "upload": false,
        "swaggerDoc": "",
        "x": 160,
        "y": 720,
        "wires": [
            [
                "a861534fa8a9ef4d"
            ]
        ]
    },
    {
        "id": "b5969a967ccb3e26",
        "type": "http response",
        "z": "d005e303e68c6631",
        "name": "",
        "statusCode": "",
        "headers": {},
        "x": 530,
        "y": 720,
        "wires": []
    },
    {
        "id": "a861534fa8a9ef4d",
        "type": "change",
        "z": "d005e303e68c6631",
        "name": "",
        "rules": [
            {
                "t": "set",
                "p": "payload",
                "pt": "msg",
                "to": "SOMETHING",
                "tot": "env"
            }
        ],
        "action": "",
        "property": "",
        "from": "",
        "to": "",
        "reg": false,
        "x": 360,
        "y": 740,
        "wires": [
            [
                "b5969a967ccb3e26"
            ]
        ]
    }
]

Results:

[hardillb]

This is broken.

The value should not be displayed when editing the env var, it should be passing the right value as part of a message.

[sarrala]

@hardillb thanks for confirming I'm not losing my mind here 👍

The value should not be displayed when editing the env var

Value is hidden in form when editing, screenshots here are taken when replacing or creating credentials.
It just isn't passing correct value / is passing placeholder when attempting to inject creds into message.

[hardillb]

I've followed the code, back to cause, but I can't work out a fix just yet. Will need to chat to @knolleary next week

We end up

node-red/packages/node_modules/@node-red/util/lib/util.js

Line 555 in ee48a2f

return flow.getSetting(name);

which in turn takes us to

node-red/packages/node_modules/@node-red/runtime/lib/flows/Flow.js

Line 487 in ee48a2f

return this._env[key]

[knolleary]

Fixed via #4405 - will be in 3.1.1