op login --refresh option to sign in only if not currently signed in?

ringerc
Community Member

I use the new 1password CLI (which is great!) heavily in shell scripts and aliases, to help me keep sensitive information out of my command-line history file, off the screen, away from possible clipboard attacks, etc.

It would be a lot easier and more convenient to do so if the CLI offered an option to "log in only if a valid session is not already established, otherwise no-op". I want to have

op signin --account myaccount --refresh

that checks for the existing OP_SESSION_foo env-var, checks the session isn't expired, and simply returns 0 without doing anything if the existing session is valid.

I presently work around this with a shell alias like

alias opsignin='if [ -z "$(op account list --format json | jq -r "(.[]|select(.shorthand==\"MY_TEAM_NAME\")|.user_uuid|(\"OP_SESSION_\"+.)|env[.]) // \"\"")" ]; then eval $(op signin --account MY_TEAM_NAME); else echo "already signed in to account MY_TEAM_NAME"; fi'

which is really something I'd like the CLI to provide. It should be a pretty trivial feature, and doesn't have significant security implications. Thoughts?


1Password Version: 2.0.1
Extension Version: Not Provided
OS Version: Fedora 36

Comments

  • Hey @ringerc thank you for suggesting this!

    We have an internal issue investigating adding such a feature.
    We'll make sure to update the thread with any developments around this.

    Thank you, once again, for reaching out to us!

    Best,
    Horia

  • ringerc
    Community Member

    Thanks @Horia.Culea_1P

    It looks like the "biometric" CLI integration partly meets this need, and the "op whoami" command helps too.

    The alias can now be

    if op whoami --account $MYACC &>/dev/null; then echo "already signed in to account $MYACC"; else eval $(op signin --account $MYACC); fi

    Enabling https://developer.1password.com/docs/cli/about-biometric-unlock/ seems to let "op signin" re-use a recently validated set of credentials within the same session, too. It still does a new login, but doesn't prompt for a password a second time.

    For other readers, note that despite the name the "biometric" signin option is really "operating system keyring unlock for my 1password CLI" - it will happily use a password if that's what your OS is configured to use to unlock your OS keyring.
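
An added example, not part of the thread and not 1Password's own code: the same "sign in only if needed" check as a shell function that does not hide a failed sign-in, since `eval $(op signin ...)` evaluates an empty string and returns 0 when `op signin` fails. The name `op_ensure_session` is hypothetical, only the `op whoami --account` and `op signin --account` calls shown above are used, and it assumes `op signin` exits non-zero on failure.

```shell
# Hypothetical helper (added example). Call it in the current shell, not in a
# subshell, so the exported session variable survives: op_ensure_session ACCOUNT
op_ensure_session() {
    if [ -z "${1:-}" ]; then
        echo "usage: op_ensure_session ACCOUNT" >&2
        return 2
    fi
    _op_acct=$1

    # A valid session already exists: no-op, as requested in the thread.
    if op whoami --account "$_op_acct" >/dev/null 2>&1; then
        return 0
    fi

    # Capture the output first so the exit status of `op signin` is checked
    # instead of being discarded by eval. Assumption: failure => non-zero exit.
    if ! _op_out=$(op signin --account "$_op_acct"); then
        echo "op signin failed for account $_op_acct" >&2
        unset _op_out
        return 1
    fi

    # The output is shell code that exports the session token. Evaluate it
    # quoted, never print it, and drop the copy held in the temporary variable.
    eval "$_op_out"
    unset _op_out

    # Fail closed: only report success if the new session is actually usable.
    op whoami --account "$_op_acct" >/dev/null 2>&1
}
```

In a script, `op_ensure_session "$MYACC" || exit 1` stops before any later `op` call runs without a session.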

  • Thanks for the feedback and details @ringerc! It is really valuable!

  • mickael
    Community Member

    For other readers, note that despite the name the "biometric" signin option is really "operating system keyring unlock for my 1password CLI" - it will happily use a password if that's what your OS is configured to use to unlock your OS keyring.

    @ringerc Could you elaborate?

    Do you mean that the old OP_SESSION env variables are in fact stored in the keychain?

    I indeed found old "1Password:dsecret-UUID" in my keychain, but was unable to see newer versions.

    I have created tools that need the old OP_SESSION values to locally decrypt things and would like to find a way to do it with "biometric" auth.

  • Thanks for your valuable feedback!

This discussion has been closed.