CLI feedback
Hi,
I've spent the last couple days working on a 1Password integration into iTerm2. It will be an alternative data source to the mac Keychain that is currently used, but the same GUI for password management will be used by both. There's a lot to like about it - I was able to get up to speed quickly and the documentation is generally good. I thought you might like to know the problems I ran into:
- Performance is really poor. Getting a list of accounts (I have four) takes over 3 seconds. The command I'm running is
op item list --tags iTerm2 --format json | op item get --format=json. - It's surprisingly difficult to get a list of (title, user name, item ID) for all items containing a tag. I settled on the pipeline above because it was the simplest way I could find. If I didn't need the ID it'd be easy, but the ID is essential for managing the list of passwords (e.g., to edit a username) or to fetch the current password for an item.
- The aforementioned pipeline produces concatenated JSON as output, which my tooling (Swift) requires gross hacks to parse - I need to turn it into an array of dictionaries by wrapping it in square brackets and adding commas between each item, which is very hard to do correctly.
- Errors are not machine-readable. I have to run regular expressions over them to guess what the error means. If you have localizations of your error messages, this is going to break. For example, to tell if you need to reauthenticate I have to look for an error containing "You are not currently signed in". It would be better to have different return codes for different errors or have a way to spit out errors in JSON that are machine-readable.
- I want to wrap the authentication step in a native GUI. Unfortunately,
op signin --rawwrites directly to/dev/tty. That means I would have to use forkpty() to launchopif I want to know the text of the password prompt. Anything involving pseudoterminals is a PITA, and I say that as the author of a terminal emulator :) - There is no secure way to change a password or add an item with a non-autogenerated password.
op item edit -hacknowledges this ("When setting sensitive values, carefully evaluate where you're using assignment statements. Command arguments can be visible to other processes on your machine"). There should be a way to provide a password via stdin rather than as a command-line attribute. This has forced me to only allow autogenerated passwords, which adds an extra step for users who have to go edit them through the native app. Obviously autogenerated passwords are better, but my users will undoubtedly need to share passwords with other non-1password users so this is a real limitation. - The link on this page takes you to v1 of the CLI for macOS. Is that an oversight? https://developer.1password.com/docs/cli/v1/get-started/
- Errors aren't well documented. For example, I'd like to handle the case where enabling biometric authentication requires the 1password app to be locked and unlocked, but I only discovered it by accident. There are surely many more edge cases I would want to expose.
- I wish I could test whether biometric authentication is enabled. Currently I do it with a hack (try to get an item with a bogus ID and parsing the error message). This is important because it determines whether I need to prompt the user to enter their master password to fetch an auth token.
1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: macOS 12.2.1
