Neeto JWT user login integration

[VarunSriram99]

This PR serves as an example project to integrate JWT-based user login in Neeto. Once a user authenticates against your backend, this flow lets you bounce them into a Neeto product (NeetoCal, NeetoRecord, etc.) without making them sign in again.

Frontend

• Add a button which will take you to your Neeto product (say NeetoCal). The button should have an internal link to one of your routes in your server. In this example, the button "Go to NeetoCal" points to the route /api/neeto/:id/neetocal.

Backend

• Install the package: yarn add neeto-jwt.

• Set the following environment variables (see neeto-jwt README):

  1. NEETO_JWT_WORKSPACE: subdomain of your Neeto workspace (e.g. spinkart).
  2. NEETO_JWT_PRIVATE_KEY: private key shared by the Neeto team for that workspace.

• Authenticate the currently logged-in user in your own app.

• Use the neeto-jwt NPM package to mint a short-lived ES256-signed JWT and build the login URL. User scope is the default — no scope option needed:

  import NeetoJWT from "neeto-jwt";
  
  const neetoJWT = new NeetoJWT({
    email: user.email,
    // workspace and privateKey come from env vars; pass them explicitly to override
  });
  
  const loginUrl = neetoJWT.generateLoginUrl(
    `https://${process.env.NEETO_JWT_WORKSPACE}.neetodesk.com/admin`
  );
  // => https://spinkart.neetoauth.com/users/auth/jwt?...

• Redirect the user to the login URL. NeetoAuth verifies the JWT against the workspace's registered public key, signs the user in, and redirects to the Neeto sub-app.

Important

The private key is the only thing that proves a JWT came from your backend. Never share it, ship it to the browser, or commit it.

Constructor options

Option	Required?	Default	Notes
email	Yes	—	Must already be invited to the workspace — user scope does not auto-create.
workspace	Yes (unless env var set)	NEETO_JWT_WORKSPACE	The tenant claim embedded in the JWT, and also the subdomain of the generated login URL.
privateKey	Yes (unless env var set)	NEETO_JWT_PRIVATE_KEY	RSA private key for signing.
scope	No	"user"	Leave unset (or pass "user") for this flow. Pass "consumer" for the consumer flow instead.

Methods

• generateJWT() - returns just the signed JWT string
• generateLoginUrl(redirectUri) - returns the full NeetoAuth login URL with the JWT attached.

How NeetoAuth resolves the signing key

The JWT lands at https://<workspace>.neetoauth.com/users/auth/jwt?... and the auth engine looks up the workspace by the subdomain in the request URL - so the JWT host and your registered workspace must match. If the workspace is not registered, NeetoAuth replies with '<workspace>' workspace is not registered for JWT authentication.

Redirect URI rules

For user scope, the redirectUri you pass must be a Neeto sub-app - its leading subdomain is stripped by NeetoAuth before redirect. Arbitrary external URLs will not work here.

Email pre-existence is required

The email passed in the JWT must already be invited to the workspace. User scope does not auto-create accounts - that's a consumer-scope feature. If the email is unknown, sign-in fails.

Pinned dependency

neeto-jwt@2.0.0 (latest as of writing). Earlier versions on the branch (0.0.4, 1.0.0, 1.1.0) reflect the iteration history and are kept in commit history for reference.

---

Documentation: https://neetoauthhelp.neetokb.com/p/a-f439e89b