Authentication
ShipQ includes a full authentication system that you can generate with a single command. It produces database migrations, handlers, middleware, tests, and optional OAuth integrations — all wired into the compiler chain.
Generating Auth
Section titled “Generating Auth”shipq authThis command generates:
- Migrations for
organizations,accounts, andsessionstables - Handlers in
api/auth/for login, logout, and session management (/auth/login,/auth/logout,/auth/me) - Cookie-based session management with signed cookies (
COOKIE_SECRET) and server-side sessions stored in the database - Auth middleware that protects routes by default
- Generated tests in
api/auth/spec/that verify the full auth flow
After generating auth, run:
go mod tidyshipq migrate upVerify it works
Section titled “Verify it works”Run the generated auth tests:
go test ./api/auth/spec/... -v -count=1Adding Signup
Section titled “Adding Signup”Auth alone gives you login/logout/session management, but no user registration. To add a signup endpoint:
shipq signupThis generates a POST /auth/signup handler that creates an organization and account in a single transaction.
Route Protection
Section titled “Route Protection”After running shipq auth, your shipq.ini includes:
[auth]protect_by_default = trueWhen protect_by_default = true, all handlers generated by shipq resource require authentication unless you explicitly pass --public:
# Auth-protected (default)shipq resource pets all
# Public (no auth required)shipq resource pets all --publicProtected routes automatically:
- Read and verify the signed
sessioncookie from the request - Look up the session in the database and reject expired or missing sessions with
401 Unauthorized - Make the authenticated user’s account and organization available in the handler context
Generated tests for protected resources include both authenticated CRUD tests and 401 rejection tests.
OAuth Integration
Section titled “OAuth Integration”ShipQ supports adding OAuth login providers on top of the base auth system.
Google OAuth
Section titled “Google OAuth”shipq auth googleThis generates:
- A
GET /auth/googleendpoint that initiates the OAuth flow - A
GET /auth/google/callbackendpoint that handles the OAuth callback - Account linking logic (if a user with the same email already exists, the accounts are linked)
Required environment variables:
| Variable | Description |
|---|---|
GOOGLE_CLIENT_ID | Your Google OAuth client ID |
GOOGLE_CLIENT_SECRET | Your Google OAuth client secret |
GOOGLE_REDIRECT_URL | The callback URL (e.g., http://localhost:8080/auth/google/callback) |
GitHub OAuth
Section titled “GitHub OAuth”shipq auth githubSame pattern as Google OAuth, with GitHub-specific endpoints at /auth/github and /auth/github/callback.
Required environment variables:
| Variable | Description |
|---|---|
GITHUB_CLIENT_ID | Your GitHub OAuth app client ID |
GITHUB_CLIENT_SECRET | Your GitHub OAuth app client secret |
GITHUB_REDIRECT_URL | The callback URL (e.g., http://localhost:8080/auth/github/callback) |
Multiple Providers
Section titled “Multiple Providers”You can add multiple OAuth providers. Each provider links to the same account system — if a user signs up with email/password and later logs in with Google using the same email, the accounts are linked automatically.
shipq authshipq signupshipq auth googleshipq auth githubEmail Verification & Password Reset
Section titled “Email Verification & Password Reset”If you have the workers system set up, you can add email verification and password reset flows:
shipq emailThis command:
- Requires
shipq authto have been run first - Requires
shipq workersto have been run first (emails are sent as background jobs) - Generates email verification and password reset handlers
- Generates email templates and sending logic via the worker queue
How Auth Fits the Compiler Chain
Section titled “How Auth Fits the Compiler Chain”Auth is deeply integrated with ShipQ’s compiler chain:
-
Schema compiler:
shipq authcreates migrations thatshipq migrate upcompiles into typed schema bindings. Theorganizations,accounts, andsessionstables become available inshipq/db/schema/schema.go. -
Query compiler: Auth generates query definitions in
querydefs/thatshipq db compileturns into typed query runners for login, session lookup, account creation, etc. -
Handler compiler: Auth handlers register themselves in the handler registry. When you run
shipq handler compile, they’re included in the generated server wiring, OpenAPI spec, test client, and TypeScript clients. -
Resource generation: When
protect_by_default = true,shipq resourcegenerates handlers that use the auth middleware, and the handler compiler generates 401 tests alongside the CRUD tests.
Generated File Ownership
Section titled “Generated File Ownership”Files with the zz_generated_ prefix or the // Code generated by shipq. DO NOT EDIT. header are overwritten on every compile. You can safely edit handler files that don’t have these markers — they’re yours to customize.
The main files you’d typically customize:
- Handler logic in
api/auth/*.go(non-generated files) - Customizing the signup flow (e.g., adding profile fields)
- Adjusting session expiry or cookie settings
Testing Auth
Section titled “Testing Auth”ShipQ generates comprehensive auth tests. After running shipq auth and shipq handler compile, your test suite includes:
- Login flow tests: valid credentials, invalid credentials, missing fields
- Session management tests: token validation, logout,
/auth/me - 401 rejection tests: unauthenticated access to protected routes
- RBAC tests: role-based access control (when roles are configured)
- OAuth tests: provider login flow, account linking
Run all auth-related tests:
go test ./api/auth/spec/... -v -count=1Or run your entire test suite:
go test ./... -v