op login --refresh option to sign in only if not currently signed in?
I use the new 1Password CLI (which is great!) heavily in shell scripts and aliases, to help me keep sensitive information out of my command-line history file, off the screen, away from possible clipboard attacks, etc.
It would be a lot easier and more convenient to do so if the CLI offered an option to "log in only if a valid session is not already established, otherwise no-op". I want to have
op signin --account myaccount --refresh
that checks for the existing OP_SESSION_foo env-var, checks the session isn't expired, and simply returns 0 without doing anything if the existing session is valid.
I presently work around this with a shell alias like
alias opsignin='if [ -z "$(op account list --format json | jq -r "(.[]|select(.shorthand==\"MY_TEAM_NAME\")|.user_uuid|(\"OP_SESSION_\"+.)|env[.]) // \"\"")" ]; then eval $(op signin --account MY_TEAM_NAME); else echo "already signed in to account MY_TEAM_NAME"; fi'
which is really something I'd like the CLI to provide. It should be a pretty trivial feature, and doesn't have significant security implications. Thoughts?
1Password Version: 2.0.1
Extension Version: Not Provided
OS Version: Fedora 36
Comments
-
Hey @ringerc thank you for suggesting this!
We have an internal issue investigating adding such a feature.
We'll make sure to update the thread with any developments around this. Thank you, once again, for reaching out to us!
Best,
Horia
0 -
Thanks @Horia.Culea_1P
It looks like the "biometric" CLI integration partly meets this need, and the "op whoami" command helps too.
The alias can now be
if op whoami --account "$MYACC" &>/dev/null; then echo "already signed in to account $MYACC"; else eval $(op signin --account "$MYACC"); fi
Enabling https://developer.1password.com/docs/cli/about-biometric-unlock/ seems to let "op signin" re-use a recently validated set of credentials within the same session, too. It still does a new login, but doesn't prompt for a password a second time.
For other readers, note that despite the name the "biometric" signin option is really "operating system keyring unlock for my 1password CLI" - it will happily use a password if that's what your OS is configured to use to unlock your OS keyring.
0 -
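A script-friendly form of the check-then-sign-in workaround discussed above, as an added example that is not part of the thread or 1Password's own code. It uses only `op whoami` and `op signin --account` as they appear in the thread; the function name `op_ensure_signin` is hypothetical. It returns 0 as a no-op when a session is already valid, and it reports a failed sign-in to the caller, which a bare `eval $(...)` does not, because `eval` with empty input exits 0.

```shell
# Added example: idempotent sign-in for use in scripts.
# The function name is hypothetical; the op subcommands are those in the thread.
op_ensure_signin() {
    acct=${1:-}
    if [ -z "$acct" ]; then
        echo "usage: op_ensure_signin ACCOUNT" >&2
        return 2
    fi

    # A valid session already exists: do nothing and return 0.
    if op whoami --account "$acct" >/dev/null 2>&1; then
        return 0
    fi

    # Capture the output first so a failed or cancelled sign-in reaches the
    # caller instead of being masked by eval's own exit status.
    signin_out=$(op signin --account "$acct") || {
        echo "sign-in to account $acct failed" >&2
        return 1
    }

    # Export OP_SESSION_* into the current shell without echoing the token.
    eval "$signin_out"
    unset signin_out

    # Confirm the new session is usable before the script continues.
    op whoami --account "$acct" >/dev/null 2>&1
}
```

Source the function into the shell that needs the session; running it as a separate script would export the variable into a child process only.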
> For other readers, note that despite the name the "biometric" signin option is really "operating system keyring unlock for my 1password CLI" - it will happily use a password if that's what your OS is configured to use to unlock your OS keyring.
@ringerc Could you elaborate?
Do you mean that the old OP_SESSION env variables are in fact stored in the keychain?
I indeed found old "1Password:dsecret-UUID" in my keychain, but was unable to see newer versions.
I have created tools that need the old OP_SESSION values to locally decrypt things and would like to find a way to do it with "biometric" auth.
0 -
Thanks for your valuable feedback!
0