'--reveal' what am I missing here
I've got a few helper scripts that fetch details out of my 1Password via the op
cli tool and put them into variables and command lines and the like. I have never, until today apparently, been required to use the '--reveal' flag for the contents returned from a get operation on a password field to actually be the password, but today the resulting stdout value from any call I make to op item get <item name> --fields password
returns this string [use 'op item get <long hash> --reveal' to reveal]
which is categorically not my password, much to my surprise I assure you. What is the purpose of being able to "get" the field at all if you're not returning the contents of the field?
    $ op item get <redacted> --fields password
    [use 'op item get <redacted hash> --reveal' to reveal]
    $ echo $?
    0
    $ op item get <redacted> --fields password --reveal
    <redacted actual password>
    $ echo $?
    0
If you're going to lean into this particular piece of security theater, then anything requiring the '--reveal' flag that would intuitively AND PREVIOUSLY have produced the actual contents of the field on stdout needs to exit on an error code when you non-intuitively decline to return the actual contents of the field so it's clear there's a problem that needs to be investigated. There was no indication I was being fed a throwaway informational string until I debug echo'd the string value and saw with my eyes like a savage, sadly after I had locked myself out of my VPN for an hour, much appreciated for that.
Really though, what are we even doing here? I had to authenticate to get access to the field. It's not like you're double verifying my identity when I append --reveal
to the command line. I'm authorized to have the contents of the field or I'm not, that's the security model, right? So what, as the title says, am I missing here?
1Password Version: 8.10.40
Extension Version: 2.30.0
OS Version: macOS 14.6.1
Browser: n/a
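The failure mode described in the post above (a placeholder string on stdout with exit code 0) can be caught inside a helper script before the value reaches a VPN login or any other consumer. The following is an added example, not part of the original post and not 1Password's own code; the function names are hypothetical, and the placeholder pattern is taken from the output quoted in the post.

```shell
#!/usr/bin/env bash
# Added example: make helper scripts fail closed when the op CLI hands back
# the concealed-field placeholder instead of the secret.
# Function names are hypothetical; the op command line is the one in the post.

# is_concealed_placeholder VALUE
# Returns 0 if VALUE has the shape of the placeholder quoted in the post:
#   [use 'op item get <id> --reveal' to reveal]
is_concealed_placeholder() {
  case "$1" in
    "[use 'op item get "*" --reveal' to reveal]") return 0 ;;
    *) return 1 ;;
  esac
}

# fetch_password ITEM
# Prints the password field of ITEM on stdout.
# Returns 1 if op itself fails, 2 if the output is empty or the placeholder,
# so a caller never silently uses the informational string as a credential.
fetch_password() {
  fp_item=$1
  fp_value=$(op item get "$fp_item" --fields password --reveal) || {
    echo "fetch_password: op failed for item '$fp_item'" >&2
    return 1
  }
  if [ -z "$fp_value" ] || is_concealed_placeholder "$fp_value"; then
    echo "fetch_password: no usable secret returned for '$fp_item'" >&2
    return 2
  fi
  printf '%s\n' "$fp_value"
}

# Typical call site in a helper script (item name is a placeholder):
#   VPN_PASS=$(fetch_password "<item name>") || exit 1
```

The placeholder check stays in even though '--reveal' is passed, so the script also fails loudly if it is ever run against a call path that omits the flag.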