Addressed BugWatch review comments on consumer JWT support

VarunSriram99 · VarunSriram99 · commit 8988850f3a1d · 2026-05-05T19:48:01.000+05:30
diff --git a/js/README.md b/js/README.md
@@ -62,7 +62,6 @@ import NeetoJWT from "neeto-jwt";
 
 const neetoJWT = new NeetoJWT({
   email: "consumer@example.com",
-  workspace: "app",
   privateKey: "<your-private-key>",
   scope: "consumer",
 });
@@ -73,6 +72,12 @@ const loginUrl = neetoJWT.generateLoginUrl(
 // => https://app.neetoauth.com/consumers/auth/jwt?...
 ```
 
+When `scope: "consumer"` is set and `workspace` is omitted, the client defaults
+to `"app"` (the only workspace consumers belong to in NeetoAuth) instead of
+reading `NEETO_JWT_WORKSPACE`. This avoids accidentally pointing the consumer
+flow at a tenant-specific workspace if you've already configured the env var
+for the user-scope flow.
+
 #### Identity is asserted, not pre-required
 
 Unlike user-scope JWT (where the email must already be invited to the
@@ -92,9 +97,10 @@ be a Neeto subdomain — any URL the partner controls works.
 ### Options
 
 - `email` (string, required): The user's email address.
-- `workspace` (string, optional): The Neeto workspace. Defaults to the
-  NEETO_JWT_WORKSPACE environment variable. For consumer scope, set this to
-  `"app"`.
+- `workspace` (string, optional): The Neeto workspace. For user scope, defaults
+  to the `NEETO_JWT_WORKSPACE` environment variable. For consumer scope, defaults
+  to `"app"` (env var ignored) since all consumers live under that workspace.
+  Pass an explicit value only if you need to override (e.g. staging tests).
 - `privateKey` (string, optional): The private key used to sign the JWT.
   Defaults to the NEETO_JWT_PRIVATE_KEY environment variable.
 - `scope` (string, optional): `"user"` (default) or `"consumer"`. Determines
diff --git a/js/src/index.ts b/js/src/index.ts
@@ -1,5 +1,5 @@
 import jwt from "jsonwebtoken";
-import { Scope } from "./types.js";
+import type { Scope } from "./types.js";
 import {
   getClientAppName,
   getLoginUri,
@@ -14,19 +14,23 @@ interface Options {
   scope?: Scope;
 }
 
+const CONSUMER_WORKSPACE = "app";
+
 class NeetoJWT {
   private email: string;
   private workspace: string;
   private privateKey: string;
   private scope: Scope;
 
   constructor(options: Options) {
-    const {
-      email,
-      workspace = process.env.NEETO_JWT_WORKSPACE,
-      privateKey = process.env.NEETO_JWT_PRIVATE_KEY,
-      scope = "user",
-    } = options || {};
+    const { email, privateKey = process.env.NEETO_JWT_PRIVATE_KEY } =
+      options || {};
+    const scope: Scope = options?.scope ?? "user";
+    const workspace =
+      options?.workspace ??
+      (scope === "consumer"
+        ? CONSUMER_WORKSPACE
+        : process.env.NEETO_JWT_WORKSPACE);
 
     if (!email) throw new Error("Email is required.");
     if (!workspace) throw new Error("Workspace is required.");
@@ -69,11 +73,11 @@ class NeetoJWT {
 
     // User scope assumes the redirectUri points at a Neeto sub-app, so the
     // shared NeetoAuth flow strips the leading subdomain. Consumer scope is
-    // for arbitrary partner domains — we pass the URI through verbatim so
-    // NeetoAuth can redirect back to the partner correctly.
+    // for arbitrary partner domains — pass the URI through verbatim and let
+    // URLSearchParams handle encoding.
     const redirect_uri =
       this.scope === "consumer"
-        ? encodeURI(redirectUri)
+        ? redirectUri
         : getRedirectUri(redirectUri);
 
     const searchParams: SearchParams = {
diff --git a/js/src/utils.ts b/js/src/utils.ts
@@ -6,7 +6,7 @@ import {
   TLD,
   USER_LOGIN_PATH,
 } from "./constants.js";
-import { Scope } from "./types.js";
+import type { Scope } from "./types.js";
 
 export type SearchParams = {
   jwt: string;
diff --git a/js/test/index.test.ts b/js/test/index.test.ts
@@ -123,4 +123,50 @@ describe("NeetoJWT", () => {
         })
     ).toThrow("Scope must be either 'user' or 'consumer'.");
   });
+
+  it("should default consumer-scope workspace to 'app' when omitted, ignoring NEETO_JWT_WORKSPACE", () => {
+    const previous = process.env.NEETO_JWT_WORKSPACE;
+    process.env.NEETO_JWT_WORKSPACE = "tenant1";
+    try {
+      const neetoJWT = new NeetoJWT({ email, privateKey, scope: "consumer" });
+      const loginUrl = neetoJWT.generateLoginUrl(
+        "http://partner.example.com/post-login"
+      );
+      expect(loginUrl).toContain("https://app.neetoauth.com/consumers/auth/jwt");
+      expect(loginUrl).not.toContain("tenant1");
+    } finally {
+      process.env.NEETO_JWT_WORKSPACE = previous;
+    }
+  });
+
+  it("should honour an explicit consumer-scope workspace override", () => {
+    const neetoJWT = new NeetoJWT({
+      email,
+      privateKey,
+      workspace: "staging-app",
+      scope: "consumer",
+    });
+    const loginUrl = neetoJWT.generateLoginUrl("http://partner.example.com/cb");
+    expect(loginUrl).toContain(
+      "https://staging-app.neetoauth.com/consumers/auth/jwt"
+    );
+  });
+
+  it("should not double-encode the consumer redirect URI", () => {
+    const neetoJWT = new NeetoJWT({
+      email,
+      workspace: "app",
+      privateKey,
+      scope: "consumer",
+    });
+    const loginUrl = neetoJWT.generateLoginUrl(
+      "http://partner.example.com/path with space?q=1"
+    );
+    // URLSearchParams encodes a space as `+`, never as `%2520`.
+    expect(loginUrl).not.toContain("%2520");
+    const params = new URL(loginUrl).searchParams;
+    expect(params.get("redirect_uri")).toBe(
+      "http://partner.example.com/path with space?q=1"
+    );
+  });
 });
