yardnsm / tmux-1password

:key: Access your 1Password login items within tmux!
MIT License

New sign-in required on every single use #32

Closed ursetto closed 1 year ago

ursetto commented 1 year ago

Information

- Tmux version: 3.2
- 1Password CLI version: 2.12.0
- Operating system: macOS Catalina 10.15.7 running with iTerm2 or Terminal

Description

Current behavior: On every use of the plugin (prefix + u), the modal dialog pops up 1password is trying to authorize CLI access. You must click to proceed.

Expected behavior: Requesting a password within 10 minutes of the last activity shouldn't force you to reauthorize the CLI.

For me, after opening another window or pane in tmux, reauthorization is immediately required the first time op is used in that tab, including with the plugin. In the same shell/window/pane or a subshell, it is not required for at least 10 minutes.

The developer's guide documents that opening a new terminal will always require reauthorization, but opening a subshell will not. It is not clear how this applies to tmux, or if there is some tmux configuration issue on my side. It's not really usable like this though, since the dialog box requires a click and does not refocus on the terminal afterward, so you have to command-tab to get back.

I suspect this is because it's using a different TTY, and therefore, this might not be working correctly for anybody?

Steps to reproduce

  1. Authorize the CLI once by requesting a password with the plugin, or just typing op item list
  2. Use the plugin again, or manually open a new window/pane in tmux and type op item list
  3. Receive another authorization prompt

ursetto commented 1 year ago

Looking at the doc in more detail, it says the session is based on the tty and the start time, implying new tmux panes will always force you to reauthorize. If that's so, I guess this issue cannot be fixed.


Session credentials

Session credentials are used to identify the terminal window or application where 1Password CLI is invoked. The goal is to restrict the granted authorization to a single terminal. If a user authorizes account X in one terminal window, using account Y in another terminal window requires another approval from the user. These credentials don't consist of any sensitive or secret information.

The session credential for macOS is an ID that's based on the current tty, plus the start time. This way every session credential is unique, even after an ID gets reused.
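
The following is an added illustration, not part of the thread and not 1Password's code: a simplified model of an approval cache keyed on (tty, start time), which shows why a subshell reuses an approval while a new tmux pane, or a later pane that reuses the same tty name, prompts again. The class names, tty paths and timestamps are constructed assumptions; the 10-minute inactivity window is the figure mentioned in the issue.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 10 * 60  # seconds; the 10-minute inactivity window from the issue


@dataclass(frozen=True)
class SessionCredential:
    """Assumed shape: the docs only say 'based on the current tty, plus the start time'."""
    tty: str
    start_time: int


@dataclass
class AuthCache:
    """Hypothetical stand-in for the desktop app's record of approved terminals."""
    last_used: dict = field(default_factory=dict)

    def run_op(self, cred: SessionCredential, now: int) -> str:
        """Return 'prompt' if the user must approve, 'ok' if an approval is reused."""
        seen = self.last_used.get(cred)
        result = "ok" if seen is not None and now - seen <= IDLE_TIMEOUT else "prompt"
        self.last_used[cred] = now  # every use restarts the inactivity timer
        return result


def simulate() -> list:
    """Replay a constructed sequence of op invocations from different terminals."""
    cache = AuthCache()
    pane1 = SessionCredential("/dev/ttys003", 1000)   # constructed values
    subshell = pane1                                   # a subshell inherits the pane's tty
    pane2 = SessionCredential("/dev/ttys004", 1200)   # new tmux pane: its own pty
    reused = SessionCredential("/dev/ttys003", 9000)  # same tty name, later start time
    return [
        ("pane1 first use", cache.run_op(pane1, 1000)),
        ("pane1 subshell", cache.run_op(subshell, 1100)),
        ("pane2 first use", cache.run_op(pane2, 1200)),
        ("pane1 after idle", cache.run_op(pane1, 1100 + IDLE_TIMEOUT + 1)),
        ("reused tty name", cache.run_op(reused, 9000)),
    ]


if __name__ == "__main__":
    for label, outcome in simulate():
        print(f"{label:18} -> {outcome}")
```

Only the subshell call reuses an approval; every other call in the sequence presents a credential the cache has not seen or one that has gone idle.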

yardnsm commented 1 year ago

> Looking at the doc in more detail, it says the session is based on the tty and the start time, implying new tmux panes will always force you to reauthorize. If that's so, I guess this issue cannot be fixed.

The only "easy" solution I can come up with is to have a persistent TTY in the background as a hidden tmux pane, probably in a different session. This sounds pretty hacky though.

I've found that if you disable the "Connect with 1Password CLI" option in the Settings -> Developer menu, the issue resolves and you get back to the "legacy" way of authenticating by typing the master password in the pane. The session persists for some time (30 minutes as documented in the op's v1 docs).

Personally, I'm using the Touch ID method and I'm fine authenticating with it every single time (it feels more secure to me).

ursetto commented 1 year ago

Thanks for your response! I had a similar discussion with the author of k1pwit, and we determined the "legacy" method does exactly what you suggest. I agree though that it's probably more secure to leave the new-style biometric auth enabled.

bvalente commented 1 year ago

I know this is an old and closed thread, but I had the same problem as above, so I forked this repository and made some changes. It's very hacky, as I can only use one session at a time, but it works for me. What I did was create a special session with a window whose only purpose is to run the script of this repository. That way op is always being run in the same console and doesn't constantly ask for a password.

You can see my changes here: https://github.com/yardnsm/tmux-1password/compare/bb1bbd2acfe1b4d5dcf917f6ddf3b0f634a13362...bvalente:tmux-1password:abf7abc631af617b141f370ca796290542299fd1