-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unsafe 1password integration #60
Comments
Related to #46? |
I agree, if these options are now available (and reliably working) we should definitely utilize the newest version of the 1Password CLI (also assuming that there are no other downsides/showstoppers) @SixFive7 would you be able to create a PR and/or test for that? |
I modified the existing code, removing historic stuff (v1 vs v2 CLI, login/logout, etc). Code reduced to about 25% of the original. Seems to work for me on my Mac. Have not done extensive testing yet, and untested on Windows. Biometric 1Password popup works as expected. The only limitation (for now) is that it doesn't support multiple 1Password-accounts in the same dynamic folder. Also, the I have not created a PR yet, as I'm not sure if it should be added as a separate script, or modify the existing one (as this script will only work on 1Password v8 or above).
The script should probably also be updated to be able to filter on tag(s). |
@joachimtingvold I've just tested this on Windows and it's working |
@joachimtingvold I've updated your scripts to allow for multiple vaults |
Hello, in my case it doesn't work Details: we still need to disable biometric usage for this to work ? I'm in Windows 11 |
Absolute lifesaver, can confirm this works PERFECTLY after months of trying just about anything to get multi-vault working with 1password 8 + Touch ID, cheers man, just made my evening! Should definitely be PR'd into the main branch! |
Excellent. I updated my gist with your changes, so people get the same result regardless of which gist they find (= |
Hi guys, this is amazing! Thank you. Would it be possible for the script to get all vaults automatically in a way that we don't have to maintain the vault list? |
…upport, solves royalapplications#60, improves upon PR royalapplications#69
@elbcloudhh, the version in PR #71 solves this (blank/undefined Vaults variable == use all vaults). |
@joachimtingvold thanks for your work. Using your PR I have RoyalTS working with 1Password using a dynamic folder and its really really neat. I also use 1Password SSH agent, so that linux connections get the ssh key automatically. From a user perspective the SSH agent will approve the app (requiring re-auth) for the request and then subsequent requests for the same key are allowed automatically. So I only need to auth once. With the dynamic folder, I have to re-auth 1Password every time I connect to a server, is there any way for it to cache the credentials for a period or an option in 1Password to allow a similar experience to the SSH agent? |
I think the problem is that Royal spawns a new iTerm2-process for each window/tab, which from 1Passwords perspective is not the same instance already authenticated. I notice that the 1Password authorization popup explicitly mentions Royal as the app (and not iTerm), so I guess there could be room for improvements in Royal. |
Actually, come to think of it, I do not need to re-auth to 1Password for each connection. I have to do it at launch, and when opening new connections after a while (i.e. it's been idle, or screensaver has been triggered, etc). Other than that I don't need to authorize in 1Password much. |
…upport, solves royalapplications#60, improves upon PR royalapplications#69
Closing this now that the new implementation has been merged. If the issue is still present in the new version, please create a new GH issue. |
The current version of the 1password dynamic folder script requires the 1password windows hello and biometric unlock functions to be disabled. This is considered unsafe.
Even more important, the script requires one to save the secret key and master password in the Royal TS script configuration fields. This is considered very insecure and (correctly so) actively advised against by 1Password itself.
With the new version of the 1Password CLI tool these credentials are also not required. If the 1Password desktop app and CLI are installed one can just run
op item list --vault Private
and let 1Password handle all the (secure desktop) prompts for logging in and authorizing the request. Hence the need to store master password credentials inside Royal TS is no longer there.We should not ask for or store credentials and use the CLI securely and as intended.
The text was updated successfully, but these errors were encountered: