A production-oriented e-commerce starter kit with SvelteKit frontend and Go Echo backend.
| Frontend | Backend |
|---|---|
| SvelteKit 5 | Go Echo v4 |
| Tailwind CSS 4 | GORM |
| TypeScript | PostgreSQL/SQLite |
| Lucide Icons | JWT Auth |
```bash
cd backend

# Copy environment file
cp .env.example .env

# Edit .env with your settings
# DATABASE_URL=./data/starterkit.db (SQLite for dev)
# DATABASE_URL=postgres://user:pass@host:5432/db (PostgreSQL for prod)
# JWT_SECRET=change-this-to-a-secure-random-string

# Install dependencies
go mod tidy

# Run database migrations (creates tables)
go run cmd/main.go -migrate

# Seed default data (admin user)
go run cmd/main.go -seed

# Start development server
make dev
# or
go run cmd/main.go
```
Backend runs on: http://localhost:3078
```bash
cd frontend

# Install dependencies
npm install

# Start development server
npm run dev
```
Frontend runs on: http://localhost:5173
After seeding:
| Role | Username | Password |
|---|---|---|
| Admin | admin | admin123 |
| Manager | manager | manager123 |
| Staff | staff | staff123 |
| Customer | customer | customer123 |
Important: Change these immediately in production!
```
svelte-go-starterkit/
├── backend/
│   ├── cmd/main.go            # Entry point
│   ├── internal/
│   │   ├── config/            # Configuration
│   │   ├── service/           # Services and HTTP handlers
│   │   ├── middleware/        # Auth, Role middleware
│   │   ├── model/             # Database models
│   │   ├── repository/        # Data access layer
│   │   └── payment/           # Payment gateway interface
│   └── pkg/utils/             # Shared utilities
│
└── frontend/
    └── src/
        ├── lib/
        │   ├── api/           # API client
        │   ├── auth.svelte.ts
        │   ├── theme.svelte.ts
        │   └── components/    # UI components
        └── routes/
            ├── +page.svelte   # Landing page
            ├── (auth)/        # Login, Register
            ├── (app)/         # Customer dashboard
            └── admin/         # Admin panel
```

| Method | Path | Description |
|---|---|---|
| GET | /api/public/settings | App branding & config |
| POST | /api/auth/register | Customer registration |
| POST | /api/auth/login | Login |
| POST | /api/auth/refresh | Refresh access token |
| GET | /api/auth/me | Get current authenticated user |
| POST | /api/auth/logout | Logout |

| Method | Path | Description |
|---|---|---|
| GET | /api/customer/me | Get current user |
| PUT | /api/customer/profile | Update profile |
| GET | /api/customer/orders | List own orders |
| GET | /api/customer/orders/:id | Get order details |
| POST | /api/customer/orders | Create order |

| Method | Path | Description |
|---|---|---|
| GET | /api/admin/users | List users |
| POST | /api/admin/users | Create user |
| GET | /api/admin/users/:id | Get user |
| PUT | /api/admin/users/:id | Update user |
| DELETE | /api/admin/users/:id | Delete user |
| GET | /api/admin/products | List products |
| POST | /api/admin/products | Create product |
| GET | /api/admin/products/:id | Get product |
| PUT | /api/admin/products/:id | Update product |
| DELETE | /api/admin/products/:id | Delete product |
| GET | /api/admin/orders | List all orders |
| GET | /api/admin/orders/:id | Get order |
| PUT | /api/admin/orders/:id | Update order |
| GET | /api/admin/activity-logs | Activity logs |
| GET/PUT | /api/admin/settings | Settings |
| GET | /api/products | Public product list |
| GET | /api/products/:id | Public product detail |

| Role | Permissions |
|---|---|
| admin | All permissions via role |
| manager | manage_orders, manage_products, view_reports |
| staff | view_orders, update_order_status |
| customer | own_orders, own_profile |
OTP settings exist in config/settings, but the OTP login and verification flow is not implemented yet:

```
otp_enabled = true
otp_provider = whatsapp # or email, sms
```
Users can customize the theme via settings:

```
{
  "ui_theme_mode": "dark" | "light",
  "ui_theme_primary": "#0ea5e9"
}
```
Available color presets: Sky, Blue, Pink, Violet, Rose, Emerald, Amber, Orange
```bash
make test
```

`make test` uses a writable Go build cache via `TEST_GOCACHE`, so it works in sandboxed environments that do not allow writes to the default `~/.cache/go-build`. Override it if needed:

```bash
make test TEST_GOCACHE=/custom/path
```
```bash
# Backend
cd backend
make build
# Binary: backend/tmp/main

# Frontend
cd frontend
npm run build
# Output: frontend/build/
```
MIT
Current status of the verified security work in this repo:
- fixed: frontend auth now uses cookie-based session handling instead of keeping active access/refresh tokens in browser storage.
- fixed: backend auth writes HttpOnly cookies, accepts refresh-from-cookie, and no longer requires a JSON body for refresh to succeed.
- fixed: backend sets stronger security headers, disables caching for sensitive responses, and validates trusted origins/config more strictly.
- fixed: github.com/golang-jwt/jwt/v5 has been raised to v5.3.0.
- mitigated: JWT parsing now rejects oversized or malformed tokens before handing them to the JWT library.
- unknown: refresh-token rotation is still in-memory only; production deployments should move this to durable shared storage such as Redis.
- unknown: payment gateway posture is not fully assessed because the repo currently exposes a manual/stub payment flow.
- unknown: full live dependency scanning is environment-dependent. In restricted shells, `go list -m -u -json all` and `npm audit --json` may fail due to blocked access to proxy.golang.org and registry.npmjs.org.
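As an added illustration (not code from this repo), the following stdlib-only Go sketch shows three of the items above in one place: the structural pre-check that keeps oversized or malformed tokens away from the JWT library, refresh-from-cookie with an HttpOnly cookie, and a no-store header on the token-bearing response. It uses net/http instead of Echo so it runs without dependencies; the 4096-byte limit and the `refresh_token` cookie name are assumptions, not values taken from the project.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"regexp"
	"time"
)

// Constructed values: the repo's real limit and cookie name are not stated on the page.
const (
	maxJWTLen         = 4096            // cap applied before any cryptographic parsing runs
	refreshCookieName = "refresh_token" // hypothetical cookie name
)

// Compact JWS shape: three non-empty base64url segments (an empty signature segment fails too).
var jwtShape = regexp.MustCompile(`^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$`)
var errBadToken = errors.New("token rejected before JWT parsing")

// preValidateJWT is the cheap structural gate; the JWT library still owns signature and claim checks.
func preValidateJWT(tok string) error {
	if tok == "" || len(tok) > maxJWTLen || !jwtShape.MatchString(tok) {
		return errBadToken
	}
	return nil
}

// setRefreshCookie stores the refresh token HttpOnly + Secure + SameSite=Strict,
// scoped to the refresh path, and marks the token-bearing response uncacheable.
func setRefreshCookie(w http.ResponseWriter, token string, ttl time.Duration) {
	http.SetCookie(w, &http.Cookie{
		Name: refreshCookieName, Value: token, Path: "/api/auth/refresh",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode,
		Expires: time.Now().Add(ttl),
	})
	w.Header().Set("Cache-Control", "no-store")
}

// refreshTokenFromRequest reads the token from the cookie, so no JSON body is
// required, and gates it structurally before anything else sees it.
func refreshTokenFromRequest(r *http.Request) (string, error) {
	c, err := r.Cookie(refreshCookieName)
	if err != nil || preValidateJWT(c.Value) != nil { // missing cookie or bad shape
		return "", errBadToken
	}
	return c.Value, nil
}

func main() { fmt.Println(preValidateJWT("aGVhZA.Ym9keQ.c2ln"), preValidateJWT("aGVhZA.Ym9keQ.")) }
```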