The latest articles on Forem by Yax (@yxl). https://forem.com/yxl https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F937659%2Faba87ca7-96fc-447b-8d42-7b4d9d68a95e.jpg https://forem.com/yxl en Yax Thu, 29 Jan 2026 03:27:20 +0000 https://forem.com/yxl/ysvelgok-the-ultimate-full-stack-starter-kit-527e https://forem.com/yxl/ysvelgok-the-ultimate-full-stack-starter-kit-527e <p>A deep dive into YSvelGoK: Combining SvelteKit, Go (Gin), and MongoDB into a dockerized powerhouse.</p> <h2> Why I Paired Svelte with Go </h2> <p>We often find ourselves choosing between <strong>Developer Experience (DX)</strong> and <strong>Raw Performance</strong>.</p> <ul> <li> <strong>Node.js/Next.js</strong>: Amazing DX, huge ecosystem, but can get heavy.</li> <li> <strong>Go</strong>: Incredible performance, tiny implementation, but authenticating and structuring a full-stack app from scratch takes time.</li> </ul> <p>I wanted the best of both worlds. So I built <strong>YSvelGoK</strong> (Yaxel's Svelte + Go Kit). Here's how it works under the hood.</p> <h2> The Stack </h2> <ul> <li> <strong>Frontend</strong>: <a href="https://kit.svelte.dev/" rel="noopener noreferrer">SvelteKit</a> (Svelte 5)</li> <li> <strong>Backend</strong>: <a href="https://go.dev/" rel="noopener noreferrer">Go</a> with <a href="https://gin-gonic.com/" rel="noopener noreferrer">Gin</a> </li> <li> <strong>Database</strong>: <a href="https://www.mongodb.com/" rel="noopener noreferrer">MongoDB</a> </li> <li> <strong>Runtime</strong>: <a href="https://bun.sh/" rel="noopener noreferrer">Bun</a> (for frontend builds) &amp; Docker</li> </ul> <h2> 🔐 The "Soft Session" Authentication Pattern </h2> <p>Authentication is usually the biggest pain point in Go. I didn't want to rely on a third-party service like Auth0 for a boilerplate, but I also wanted more security than a standard stateless JWT.</p> <p>I implemented a hybrid approach I call <strong>Soft Sessions</strong>.</p> <h3> How it works: </h3> <ol> <li> <strong>Login</strong>: User logs in, backend verifies Argon2 hash.</li> <li> <strong>Session Record</strong>: A simple document is created in MongoDB (<code>_id</code>, <code>user_id</code>, <code>created_at</code>).</li> <li> <strong>Token Issue</strong>: A JWT is signed containing the <strong>Session ID</strong> (not just the User ID).</li> </ol> <h3> The Secret Sauce: Middlewares </h3> <p>In my Go middleware, I don't just check the signature. I also verify the session is alive in MongoDB.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// api/Routes/middleware.go</span> <span class="k">func</span> <span class="n">RequireSessionValidate</span><span class="p">()</span> <span class="n">gin</span><span class="o">.</span><span class="n">HandlerFunc</span> <span class="p">{</span> <span class="k">return</span> <span class="k">func</span><span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">gin</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="p">{</span> <span class="n">claims</span> <span class="o">:=</span> <span class="n">GetCheckedClaims</span><span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="c">// 1. Signature Check</span> <span class="k">if</span> <span class="n">claims</span> <span class="o">==</span> <span class="no">nil</span> <span class="o">||</span> <span class="n">claims</span><span class="o">.</span><span class="n">Expired</span><span class="p">()</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">AbortWithStatusJSON</span><span class="p">(</span><span class="m">401</span><span class="p">,</span> <span class="n">gin</span><span class="o">.</span><span class="n">H</span><span class="p">{</span><span class="s">"message"</span><span class="o">:</span> <span class="s">"Unauthorized"</span><span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// 2. Database "Liveness" Check</span> <span class="c">// If the session was deleted from DB (logout), this fails</span> <span class="c">// even if the JWT is still mathematically valid.</span> <span class="n">user</span><span class="p">,</span> <span class="n">session</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">Db</span><span class="o">.</span><span class="n">ValidateJWTSessionFromClaims</span><span class="p">(</span><span class="n">claims</span><span class="p">,</span> <span class="no">false</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">AbortWithStatusJSON</span><span class="p">(</span><span class="m">401</span><span class="p">,</span> <span class="n">gin</span><span class="o">.</span><span class="n">H</span><span class="p">{</span><span class="s">"message"</span><span class="o">:</span> <span class="s">"Session Revoked"</span><span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="n">c</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"user"</span><span class="p">,</span> <span class="n">user</span><span class="p">)</span> <span class="n">c</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"session"</span><span class="p">,</span> <span class="n">session</span><span class="p">)</span> <span class="n">c</span><span class="o">.</span><span class="n">Next</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This gives us <strong>instant revocation</strong> (like sessions) with the <strong>structured claims</strong> of JWTs. MongoDB handles the cleanup automatically via a <strong>TTL Index</strong> on the <code>sessions</code> collection.</p> <h2> 🐳 Dockerizing the Chaos </h2> <p>Orchestrating a frontend, backend, and database manually is annoying. I used Docker Compose to bundle it all.</p> <p>The coolest part? Using <code>depends_on</code> with <code>healthcheck</code> to ensure the API never crashes because the Database wasn't ready yet.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">database</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">mongo:latest</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">mongosh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--eval"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">db.adminCommand('ping')"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">api</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">./api</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">database</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> </code></pre> </div> <h2> 🏎️ SvelteKit on the Frontend </h2> <p>The frontend uses SvelteKit, but configured to work seamlessly with an external Go backend.</p> <p>I use a <strong>Server Hook</strong> (<a href="https://github.com/yxl-prz/YSvelGoK/blob/master/frontend/src/hooks.server.js" rel="noopener noreferrer">hooks.server.js</a>) to parse the JWT from cookies before the page even renders. This allows the SSR (Server Side Rendering) to know if a user is logged in immediately.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// frontend/src/hooks.server.js</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handle</span> <span class="o">=</span> <span class="k">async </span><span class="p">({</span> <span class="nx">event</span><span class="p">,</span> <span class="nx">resolve</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">token</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Optimistically verify signature for UI state</span> <span class="c1">// Actual data fetching will still be verified by Go</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">payload</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">jwtVerify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET</span><span class="p">);</span> <span class="nx">event</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">payload</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">resolve</span><span class="p">(</span><span class="nx">event</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <h2> Wrapping Up </h2> <p>This architecture has become my go-to for starting new projects. It's type-safe, compiles fast, and the frontend feels incredible.</p> <p>The code is open source. Feel free to clone it, break it, and fix it!</p> <p><a href="https://github.com/yxl-prz/YSvelGoK" rel="noopener noreferrer">yxl-prz/YSvelGoK</a></p> go svelte webdev docker