fix: preserve api key configuration on flow export

[HimavarshaVS]

Summary

-Ensure api_key values are preserved across exports and imports, whether they are raw secrets or environment variable names.
-When exporting without API keys, strip only sensitive values while preserving environment variable names (e.g. OPENAI_API_KEY, ANTHROPIC_API_KEY) so flows continue to reference external configuration.

Exporting flows:

• If “Save with API keys” is enabled, the flow is exported as‑is: api_key fields keep whatever the user entered (raw secret or env var name).
  -If “Save with API keys” is disabled, password fields are cleared, but api_key fields that look like environment variable names are preserved; other API‑like password fields are cleared.

Testing

Screen.Recording.2026-03-11.at.4.26.44.AM.mov

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ca41b264-3d75-4e71-a192-06b913564db8

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix-api-key-components

📝 Coding Plan for PR comments

• Generate coding plan

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 37.50000% with 25 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (release-1.8.1@e1e1313). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
...d/src/CustomNodes/hooks/use-fetch-data-on-mount.ts	0.00%	11 Missing ⚠️
src/backend/base/langflow/api/utils/core.py	12.50%	7 Missing ⚠️
...omponent/components/inputGlobalComponent/index.tsx	14.28%	6 Missing ⚠️
src/frontend/src/utils/reactflowUtils.ts	92.30%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@               Coverage Diff                @@
##             release-1.8.1   #12129   +/-   ##
================================================
  Coverage                 ?   37.35%           
================================================
  Files                    ?     1592           
  Lines                    ?    78338           
  Branches                 ?    11884           
================================================
  Hits                     ?    29265           
  Misses                   ?    47400           
  Partials                 ?     1673           

Flag	Coverage Δ
backend	57.47% <12.50%> (?)
frontend	21.05% <43.75%> (?)
lfx	41.65% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
src/frontend/src/constants/constants.ts	95.04% <ø> (ø)
src/frontend/src/modals/exportModal/index.tsx	65.95% <100.00%> (ø)
src/lfx/src/lfx/base/models/unified_models.py	29.74% <ø> (ø)
src/frontend/src/utils/reactflowUtils.ts	12.73% <92.30%> (ø)
...omponent/components/inputGlobalComponent/index.tsx	22.64% <14.28%> (ø)
src/backend/base/langflow/api/utils/core.py	62.65% <12.50%> (ø)
...d/src/CustomNodes/hooks/use-fetch-data-on-mount.ts	0.00% <0.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Adam-Aghili]

Ruff errors

[erichare]

@coderabbitai Can you assess the merge-worthiness of this PR? note that it's a critical bugfix, so dont be overly picky as this was a rushed prioritized patch, just if there's any major major concerns.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

Let me gather the PR details to give you a proper assessment.

---

🏁 Script executed:

#!/bin/bash
# Get PR details
gh pr view 12129 --repo langflow-ai/langflow --json title,state,additions,deletions,changedFiles,files,reviews,checksums 2>/dev/null || true

# Get PR files changed
gh pr view 12129 --repo langflow-ai/langflow --json files 2>/dev/null | jq '.files[] | {path: .path, additions: .additions, deletions: .deletions}' 2>/dev/null || true

# Get PR checks status
gh pr checks 12129 --repo langflow-ai/langflow 2>/dev/null || true

Length of output: 5526

---

Let me look at the actual code changes in the key files.

---

🏁 Script executed:

#!/bin/bash
# Get the diff for the core fix files
gh api repos/langflow-ai/langflow/pulls/12129/files --jq '.[] | select(.filename == "src/backend/base/langflow/api/utils/core.py") | .patch' 2>/dev/null

echo "---REACTFLOW---"
gh api repos/langflow-ai/langflow/pulls/12129/files --jq '.[] | select(.filename == "src/frontend/src/utils/reactflowUtils.ts") | .patch' 2>/dev/null

echo "---EXPORT MODAL---"
gh api repos/langflow-ai/langflow/pulls/12129/files --jq '.[] | select(.filename == "src/frontend/src/modals/exportModal/index.tsx") | .patch' 2>/dev/null

echo "---USE FETCH DATA---"
gh api repos/langflow-ai/langflow/pulls/12129/files --jq '.[] | select(.filename == "src/frontend/src/CustomNodes/hooks/use-fetch-data-on-mount.ts") | .patch' 2>/dev/null

echo "---INPUT GLOBAL COMPONENT---"
gh api repos/langflow-ai/langflow/pulls/12129/files --jq '.[] | select(.filename == "src/frontend/src/components/core/parameterRenderComponent/components/inputGlobalComponent/index.tsx") | .patch' 2>/dev/null

echo "---UNIFIED MODELS---"
gh api repos/langflow-ai/langflow/pulls/12129/files --jq '.[] | select(.filename == "src/lfx/src/lfx/base/models/unified_models.py") | .patch' 2>/dev/null

echo "---FAILING CI DETAILS---"
# Check why Update Component Index failed
gh run view 66705394039 --repo langflow-ai/langflow --log-failed 2>/dev/null | head -60 || true

Length of output: 12492

---

Let me investigate the failing CI jobs and the unused function.

---

🏁 Script executed:

#!/bin/bash
# Check what the failing CI jobs do
gh run view 66705394038 --repo langflow-ai/langflow --log-failed 2>/dev/null | head -80 || true

echo "=== JOB 2 ==="
gh run view 66705394039 --repo langflow-ai/langflow --log-failed 2>/dev/null | head -80 || true

echo "=== Check usage of _get_provider_from_template in core.py ==="
# Look at the full patch for core.py to see how the new function is used
gh api repos/langflow-ai/langflow/pulls/12129/files --jq '.[] | select(.filename == "src/backend/base/langflow/api/utils/core.py") | .patch' 2>/dev/null

echo "=== Check if remove_api_keys uses the new function ==="
# Also look at the remove_api_keys function in core.py in the repo
gh api repos/langflow-ai/langflow/contents/src/backend/base/langflow/api/utils/core.py?ref=refs/pull/12129/head --jq '.content' 2>/dev/null | base64 -d 2>/dev/null | grep -A 40 "def remove_api_keys"

Length of output: 2596

---

@erichare: Here's my merge-worthiness assessment, focusing only on the major concerns:

---

✅ Overall Verdict: Mergeable (with 2 minor flags to be aware of)

The core logic is sound and correctly addresses the bug across both frontend and backend. CI is mostly green — the two failing jobs ("Update Component Index" / "Update Starter Projects") are automated artifact-update workflows, not correctness tests. Their logs are empty, suggesting an infra/permissions issue unrelated to the code changes.

---

What the fix does (and it's correct):

Layer	Change	Assessment
Frontend reactflowUtils.ts	removeApiKeys now skips clearing api_key fields; adds looksLikeVariableName() helper	✅ Core fix, clean
Frontend inputGlobalComponent	Shows env var names in the dropdown even if not in DB global vars	✅ Correct UX handling
Backend unified_models.py	Stores env var key name (not raw value) with load_from_db=True; resolves at runtime in get_api_key_for_provider	✅ Sound approach
Backend use-fetch-data-on-mount.ts	Pre-fills api_key on mount when model is selected but key is empty	✅ Handles import scenario

---

🚩 Minor concerns (not blocking for a hotfix):

1. Dead code — _get_provider_from_template() was added to src/backend/base/langflow/api/utils/core.py but is never called anywhere. The remove_api_keys function in that file is also unchanged (it still uses the old has_api_terms path). This helper appears to be scaffolding that wasn't wired up. Low risk, but worth a follow-up cleanup.

2. No regression tests — Per standard practice for bug fixes, there are no automated tests covering the "export with env var name → re-import → resolves correctly" path. Given this is a prioritized hotfix, this is acceptable, but a follow-up test PR would be worth tracking.

---

No correctness bugs, no data loss risks, Ruff/mypy all pass. Safe to merge.

---

🧠 Learnings used

Learnt from: CR
Repo: langflow-ai/langflow PR: 0
File: coderabbit-custom-pre-merge-checks-unique-id-file-non-traceable-F7F2B60C-1728-4C9A-8889-4F2235E186CA.txt:0-0
Timestamp: 2025-12-03T18:17:26.561Z
Learning: For bug fixes, verify that regression tests are included in the PR

[erichare]

LGTM!