@benqoder/beam 0.1.2 → 0.2.0

package/dist/collect.js

@@ -24,67 +24,3 @@ export function collectActions(glob) {
     }
     return handlers;
 }
-/**
- * Collects modal handlers from glob imports.
- *
- * @example
- * ```typescript
- * const modals = collectModals<Env>(
- *   import.meta.glob('./modals/*.tsx', { eager: true })
- * )
- * ```
- */
-export function collectModals(glob) {
-    const handlers = {};
-    for (const [, module] of Object.entries(glob)) {
-        for (const [exportName, exportValue] of Object.entries(module)) {
-            if (typeof exportValue === 'function' && exportName !== 'default') {
-                handlers[exportName] = exportValue;
-            }
-        }
-    }
-    return handlers;
-}
-/**
- * Collects drawer handlers from glob imports.
- *
- * @example
- * ```typescript
- * const drawers = collectDrawers<Env>(
- *   import.meta.glob('./drawers/*.tsx', { eager: true })
- * )
- * ```
- */
-export function collectDrawers(glob) {
-    const handlers = {};
-    for (const [, module] of Object.entries(glob)) {
-        for (const [exportName, exportValue] of Object.entries(module)) {
-            if (typeof exportValue === 'function' && exportName !== 'default') {
-                handlers[exportName] = exportValue;
-            }
-        }
-    }
-    return handlers;
-}
-/**
- * Collects all handlers (actions, modals, drawers) from glob imports.
- * This is a convenience function that collects all three at once.
- *
- * @example
- * ```typescript
- * const { actions, modals, drawers } = collectHandlers<Env>({
- *   actions: import.meta.glob('./actions/*.tsx', { eager: true }),
- *   modals: import.meta.glob('./modals/*.tsx', { eager: true }),
- *   drawers: import.meta.glob('./drawers/*.tsx', { eager: true }),
- * })
- *
- * export const beam = createBeam<Env>({ actions, modals, drawers })
- * ```
- */
-export function collectHandlers(globs) {
-    return {
-        actions: globs.actions ? collectActions(globs.actions) : {},
-        modals: globs.modals ? collectModals(globs.modals) : {},
-        drawers: globs.drawers ? collectDrawers(globs.drawers) : {},
-    };
-}

package/dist/createBeam.d.ts

@@ -1,5 +1,5 @@
 import { RpcTarget } from 'capnweb';
-import type { ActionHandler, ActionResponse, ModalHandler, DrawerHandler, BeamConfig, BeamInstance, BeamContext, BeamSession } from './types';
+import type { ActionHandler, ActionResponse, BeamConfig, BeamInstance, BeamContext, BeamSession, SessionConfig } from './types';
 /**
  * Session implementation using KV storage.
  * Exported for users who need custom storage adapter.
@@ -50,21 +50,11 @@ export declare class CookieSession implements BeamSession {
 declare class BeamServer<TEnv extends object> extends RpcTarget {
     private ctx;
     private actions;
-    private modals;
-    private drawers;
-    constructor(ctx: BeamContext<TEnv>, actions: Record<string, ActionHandler<TEnv>>, modals: Record<string, ModalHandler<TEnv>>, drawers: Record<string, DrawerHandler<TEnv>>);
+    constructor(ctx: BeamContext<TEnv>, actions: Record<string, ActionHandler<TEnv>>);
     /**
      * Call an action handler
      */
     call(action: string, data?: Record<string, unknown>): Promise<ActionResponse>;
-    /**
-     * Open a modal
-     */
-    modal(modalId: string, data?: Record<string, unknown>): Promise<string>;
-    /**
-     * Open a drawer
-     */
-    drawer(drawerId: string, data?: Record<string, unknown>): Promise<string>;
     /**
      * Register a client callback for server-initiated updates
      * This enables bidirectional communication - server can push to client
@@ -76,7 +66,7 @@ declare class BeamServer<TEnv extends object> extends RpcTarget {
     notify(event: string, data: unknown): Promise<void>;
 }
 /**
- * Creates a Beam instance configured with actions, modals, and drawers.
+ * Creates a Beam instance configured with actions.
  * Uses capnweb for RPC, enabling promise pipelining and bidirectional calls.
  *
  * @example
@@ -86,9 +76,7 @@ declare class BeamServer<TEnv extends object> extends RpcTarget {
  * import type { Env } from './types'
  *
  * export const beam = createBeam<Env>({
- *   actions: { createProduct, deleteProduct },
- *   modals: { confirmDelete },
- *   drawers: { productDetails }
+ *   actions: { createProduct, deleteProduct, confirmDelete }
  * })
  *
  * // app/server.ts
@@ -100,5 +88,50 @@ declare class BeamServer<TEnv extends object> extends RpcTarget {
  * ```
  */
 export declare function createBeam<TEnv extends object = object>(config: BeamConfig<TEnv>): BeamInstance<TEnv>;
-export { BeamServer };
+/**
+ * Public Beam RPC Server - initial unauthenticated API
+ *
+ * This follows the capnweb in-band authentication pattern:
+ * - WebSocket connections start with this unauthenticated API
+ * - Client calls authenticate(token) to get the authenticated BeamServer
+ * - This prevents Cross-Site WebSocket Hijacking (CSWSH) attacks
+ */
+declare class PublicBeamServer<TEnv extends object> extends RpcTarget {
+    private secret;
+    private sessionConfig;
+    private env;
+    private request;
+    private actions;
+    private auth;
+    constructor(secret: string, sessionConfig: SessionConfig<TEnv> | undefined, env: TEnv, request: Request, actions: Record<string, ActionHandler<TEnv>>, auth: ((request: Request, env: TEnv) => Promise<import('./types').BeamUser | null>) | undefined);
+    /**
+     * Authenticate with a token and return the authenticated API
+     * This is the only method available on the public API
+     */
+    authenticate(token: string): Promise<BeamServer<TEnv>>;
+}
+/**
+ * Generate the auth token meta tag HTML for in-band WebSocket authentication.
+ * Call this in your layout/page to inject the token.
+ *
+ * @example
+ * ```tsx
+ * // app/routes/_renderer.tsx
+ * import { beamTokenMeta } from '@benqoder/beam'
+ *
+ * export default defineRenderer((c, { Layout, children }) => {
+ *   const token = c.get('beamAuthToken')
+ *   return (
+ *     <html>
+ *       <head>
+ *         <RawHTML>{beamTokenMeta(token)}</RawHTML>
+ *       </head>
+ *       <body>{children}</body>
+ *     </html>
+ *   )
+ * })
+ * ```
+ */
+export declare function beamTokenMeta(token: string): string;
+export { BeamServer, PublicBeamServer };
 //# sourceMappingURL=createBeam.d.ts.map

package/dist/createBeam.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"createBeam.d.ts","sourceRoot":"","sources":["../src/createBeam.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,SAAS,EAAyB,MAAM,SAAS,CAAA;AAC1D,OAAO,KAAK,EACV,aAAa,EACb,cAAc,EACd,YAAY,EACZ,aAAa,EACb,UAAU,EACV,YAAY,EACZ,WAAW,EAEX,WAAW,EAIZ,MAAM,SAAS,CAAA;AAEhB;;;;;;;;;;GAUG;AACH,qBAAa,SAAU,YAAW,WAAW;IAC3C,OAAO,CAAC,SAAS,CAAQ;IACzB,OAAO,CAAC,EAAE,CAAa;gBAEX,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW;IAK9C,OAAO,CAAC,GAAG;IAIL,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IAMhD,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAItD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGzC;AAED;;;;;GAKG;AACH,qBAAa,aAAc,YAAW,WAAW;IAC/C,OAAO,CAAC,IAAI,CAAyB;IACrC,OAAO,CAAC,MAAM,CAAiB;gBAEnB,WAAW,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM;IAI/C,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IAIhD,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAKtD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKxC,8CAA8C;IAC9C,OAAO,IAAI,OAAO;IAIlB,uDAAuD;IACvD,OAAO,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAGnC;AA4ED;;;;;;;;GAQG;AACH,cAAM,UAAU,CAAC,IAAI,SAAS,MAAM,CAAE,SAAQ,SAAS;IACrD,OAAO,CAAC,GAAG,CAAmB;IAC9B,OAAO,CAAC,OAAO,CAAqC;IACpD,OAAO,CAAC,MAAM,CAAoC;IAClD,OAAO,CAAC,OAAO,CAAqC;gBAGlD,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC,EACtB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,EAC5C,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,IAAI,CAAC,CAAC,EAC1C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC;IAS9C;;OAEG;IACG,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAavF;;OAEG;IACG,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAQjF;;OAEG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAQnF;;;OAGG;IACH,gBAAgB,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,KAAK,IAAI,GAAG,IAAI;IAKxE;;OAEG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;CAM1D;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,UAAU,CAAC,IAAI,SAAS,MAAM,GAAG,MAAM,EACrD,MAAM,EAAE,UAAU,CAAC,IAAI,CAAC,GACvB,YAAY,CAAC,IAAI,CAAC,CA8MpB;AAGD,OAAO,EAAE,UAAU,EAAE,CAAA"}
+{"version":3,"file":"createBeam.d.ts","sourceRoot":"","sources":["../src/createBeam.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,SAAS,EAAyB,MAAM,SAAS,CAAA;AAC1D,OAAO,KAAK,EACV,aAAa,EACb,cAAc,EACd,UAAU,EACV,YAAY,EACZ,WAAW,EAEX,WAAW,EACX,aAAa,EAGd,MAAM,SAAS,CAAA;AAwDhB;;;;;;;;;;GAUG;AACH,qBAAa,SAAU,YAAW,WAAW;IAC3C,OAAO,CAAC,SAAS,CAAQ;IACzB,OAAO,CAAC,EAAE,CAAa;gBAEX,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW;IAK9C,OAAO,CAAC,GAAG;IAIL,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IAMhD,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAItD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGzC;AAED;;;;;GAKG;AACH,qBAAa,aAAc,YAAW,WAAW;IAC/C,OAAO,CAAC,IAAI,CAAyB;IACrC,OAAO,CAAC,MAAM,CAAiB;gBAEnB,WAAW,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM;IAI/C,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IAIhD,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAKtD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKxC,8CAA8C;IAC9C,OAAO,IAAI,OAAO;IAIlB,uDAAuD;IACvD,OAAO,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAGnC;AA0ID;;;;;;;;GAQG;AACH,cAAM,UAAU,CAAC,IAAI,SAAS,MAAM,CAAE,SAAQ,SAAS;IACrD,OAAO,CAAC,GAAG,CAAmB;IAC9B,OAAO,CAAC,OAAO,CAAqC;gBAGlD,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC,EACtB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC;IAO9C;;OAEG;IACG,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAavF;;;OAGG;IACH,gBAAgB,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,KAAK,IAAI,GAAG,IAAI;IAKxE;;OAEG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;CAM1D;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,UAAU,CAAC,IAAI,SAAS,MAAM,GAAG,MAAM,EACrD,MAAM,EAAE,UAAU,CAAC,IAAI,CAAC,GACvB,YAAY,CAAC,IAAI,CAAC,CAkOpB;AAED;;;;;;;GAOG;AACH,cAAM,gBAAgB,CAAC,IAAI,SAAS,MAAM,CAAE,SAAQ,SAAS;IAC3D,OAAO,CAAC,MAAM,CAAQ;IACtB,OAAO,CAAC,aAAa,CAAiC;IACtD,OAAO,CAAC,GAAG,CAAM;IACjB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,OAAO,CAAqC;IACpD,OAAO,CAAC,IAAI,CAA2F;gBAGrG,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,aAAa,CAAC,IAAI,CAAC,GAAG,SAAS,EAC9C,GAAG,EAAE,IAAI,EACT,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,EAC5C,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,KAAK,OAAO,CAAC,OAAO,SAAS,EAAE,QAAQ,GAAG,IAAI,CAAC,CAAC,GAAG,SAAS;IAWjG;;;OAGG;IACG,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;CA4C7D;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAInD;AAGD,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,CAAA"}

package/dist/createBeam.js

@@ -1,5 +1,43 @@
 import { getSignedCookie, setSignedCookie } from 'hono/cookie';
 import { RpcTarget, newWorkersRpcResponse } from 'capnweb';
+/** Default token lifetime: 5 minutes */
+const DEFAULT_TOKEN_LIFETIME = 5 * 60 * 1000;
+/**
+ * Sign an auth token payload using HMAC-SHA256
+ */
+async function signToken(payload, secret) {
+    const encoder = new TextEncoder();
+    const data = JSON.stringify(payload);
+    const key = await crypto.subtle.importKey('raw', encoder.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+    const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
+    const sigBase64 = btoa(String.fromCharCode(...new Uint8Array(signature)));
+    return `${btoa(data)}.${sigBase64}`;
+}
+/**
+ * Verify and decode an auth token
+ */
+async function verifyToken(token, secret) {
+    try {
+        const [dataBase64, sigBase64] = token.split('.');
+        if (!dataBase64 || !sigBase64)
+            return null;
+        const data = atob(dataBase64);
+        const encoder = new TextEncoder();
+        const key = await crypto.subtle.importKey('raw', encoder.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
+        const signature = Uint8Array.from(atob(sigBase64), c => c.charCodeAt(0));
+        const valid = await crypto.subtle.verify('HMAC', key, signature, encoder.encode(data));
+        if (!valid)
+            return null;
+        const payload = JSON.parse(data);
+        // Check expiration
+        if (payload.exp < Date.now())
+            return null;
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
 /**
  * Session implementation using KV storage.
  * Exported for users who need custom storage adapter.
@@ -114,19 +152,81 @@ function parseSessionDataFromRequest(request) {
     }
 }
 /**
- * Create a BeamContext with script() and render() helpers
+ * Helper to convert JSX/Promise/string to HTML string.
+ * Handles HonoX HtmlEscapedString, Promises, and plain strings.
+ *
+ * HonoX async components have `.toString()` that returns a Promise<string>.
+ * We need to await that result as well.
+ */
+async function toHtml(content) {
+    // First, await if content itself is a Promise
+    const resolved = await content;
+    // Plain string - return as-is
+    if (typeof resolved === 'string')
+        return resolved;
+    // Null/undefined - return empty string
+    if (resolved == null)
+        return '';
+    // HtmlEscapedString or JSX element - call toString()
+    // For async components, toString() returns a Promise<string>
+    const maybeStringable = resolved;
+    if (typeof maybeStringable.toString === 'function') {
+        const str = await maybeStringable.toString();
+        // Ensure it's a plain string
+        return '' + str;
+    }
+    // Fallback
+    return '' + resolved;
+}
+/**
+ * Create a BeamContext with script(), render(), modal(), drawer() helpers
  */
 function createBeamContext(base) {
     return {
         ...base,
         script: (code) => ({ script: code }),
-        render: (html, options) => {
-            if (html instanceof Promise) {
-                return html.then((resolved) => ({ html: resolved, script: options?.script }));
+        render: (content, options) => {
+            // Helper to build response without undefined values
+            const buildResponse = (html) => {
+                const response = { html };
+                if (options?.script)
+                    response.script = options.script;
+                if (options?.target)
+                    response.target = options.target;
+                if (options?.swap)
+                    response.swap = options.swap;
+                return response;
+            };
+            // Handle array of JSX/strings for multi-target rendering
+            if (Array.isArray(content)) {
+                return Promise.all(content.map(toHtml)).then(buildResponse);
             }
-            return { html, script: options?.script };
+            // Single content - always convert via toHtml to handle HtmlEscapedString
+            return toHtml(content).then(buildResponse);
         },
         redirect: (url) => ({ redirect: url }),
+        modal: (html, options) => {
+            return toHtml(html).then((resolved) => {
+                const modalObj = { html: resolved };
+                if (options?.size)
+                    modalObj.size = options.size;
+                if (options?.spacing !== undefined)
+                    modalObj.spacing = options.spacing;
+                return { modal: modalObj };
+            });
+        },
+        drawer: (html, options) => {
+            return toHtml(html).then((resolved) => {
+                const drawerObj = { html: resolved };
+                if (options?.position)
+                    drawerObj.position = options.position;
+                if (options?.size)
+                    drawerObj.size = options.size;
+                if (options?.spacing !== undefined)
+                    drawerObj.spacing = options.spacing;
+                return { drawer: drawerObj };
+            });
+        },
     };
 }
 /**
@@ -141,14 +241,10 @@ function createBeamContext(base) {
 class BeamServer extends RpcTarget {
     ctx;
     actions;
-    modals;
-    drawers;
-    constructor(ctx, actions, modals, drawers) {
+    constructor(ctx, actions) {
         super();
         this.ctx = ctx;
         this.actions = actions;
-        this.modals = modals;
-        this.drawers = drawers;
     }
     /**
      * Call an action handler
@@ -165,26 +261,6 @@ class BeamServer extends RpcTarget {
         }
         return result;
     }
-    /**
-     * Open a modal
-     */
-    async modal(modalId, data = {}) {
-        const handler = this.modals[modalId];
-        if (!handler) {
-            throw new Error(`Unknown modal: ${modalId}`);
-        }
-        return await handler(this.ctx, data);
-    }
-    /**
-     * Open a drawer
-     */
-    async drawer(drawerId, data = {}) {
-        const handler = this.drawers[drawerId];
-        if (!handler) {
-            throw new Error(`Unknown drawer: ${drawerId}`);
-        }
-        return await handler(this.ctx, data);
-    }
     /**
      * Register a client callback for server-initiated updates
      * This enables bidirectional communication - server can push to client
@@ -205,7 +281,7 @@ class BeamServer extends RpcTarget {
     }
 }
 /**
- * Creates a Beam instance configured with actions, modals, and drawers.
+ * Creates a Beam instance configured with actions.
  * Uses capnweb for RPC, enabling promise pipelining and bidirectional calls.
  *
  * @example
@@ -215,9 +291,7 @@ class BeamServer extends RpcTarget {
  * import type { Env } from './types'
  *
  * export const beam = createBeam<Env>({
- *   actions: { createProduct, deleteProduct },
- *   modals: { confirmDelete },
- *   drawers: { productDetails }
+ *   actions: { createProduct, deleteProduct, confirmDelete }
  * })
  *
  * // app/server.ts
@@ -229,14 +303,12 @@ class BeamServer extends RpcTarget {
  * ```
  */
 export function createBeam(config) {
-    const { actions, modals, drawers = {}, auth, session: sessionConfig } = config;
+    const { actions, auth, session: sessionConfig } = config;
     // Session defaults
     const cookieName = sessionConfig?.cookieName ?? 'beam_sid';
     const maxAge = sessionConfig?.maxAge ?? 365 * 24 * 60 * 60; // 1 year
     return {
         actions,
-        modals,
-        drawers,
         auth,
         /**
          * Middleware that resolves auth, session, and sets beam context in Hono.
@@ -323,8 +395,22 @@ export function createBeam(config) {
                     request: c.req.raw,
                     session,
                 });
+                // Generate auth token for in-band WebSocket authentication
+                const secret = sessionConfig?.secretEnvKey
+                    ? c.env[sessionConfig.secretEnvKey]
+                    : sessionConfig?.secret;
+                let authToken = '';
+                if (secret && sessionId) {
+                    const tokenPayload = {
+                        sid: sessionId,
+                        uid: user?.id ?? null,
+                        exp: Date.now() + DEFAULT_TOKEN_LIFETIME,
+                    };
+                    authToken = await signToken(tokenPayload, secret);
+                }
                 // Set in Hono context for use by routes
                 c.set('beam', ctx);
+                c.set('beamAuthToken', authToken);
                 await next();
                 // If using cookie session and data was modified, save it back to cookie
                 if (cookieSession && cookieSession.isDirty() && sessionConfig) {
@@ -341,10 +427,46 @@ export function createBeam(config) {
                 }
             };
         },
+        /**
+         * Generate a short-lived auth token for in-band WebSocket authentication.
+         * Use this when you need to generate a token outside of the authMiddleware.
+         *
+         * @example
+         * ```typescript
+         * const token = await beam.generateAuthToken(ctx)
+         * // Embed in page: <meta name="beam-token" content="${token}">
+         * ```
+         */
+        async generateAuthToken(ctx) {
+            if (!sessionConfig) {
+                throw new Error('Session config is required for auth token generation');
+            }
+            const secret = sessionConfig.secretEnvKey
+                ? ctx.env[sessionConfig.secretEnvKey]
+                : sessionConfig.secret;
+            if (!secret) {
+                throw new Error('Session secret is required for auth token generation');
+            }
+            // Get session ID from request cookies
+            const sessionId = parseSessionFromRequest(ctx.request, cookieName);
+            if (!sessionId) {
+                throw new Error('No session found - ensure authMiddleware is used');
+            }
+            const tokenPayload = {
+                sid: sessionId,
+                uid: ctx.user?.id ?? null,
+                exp: Date.now() + DEFAULT_TOKEN_LIFETIME,
+            };
+            return signToken(tokenPayload, secret);
+        },
         /**
          * Init function for HonoX createApp().
          * Registers the WebSocket RPC endpoint using capnweb.
          *
+         * SECURITY: Uses in-band authentication pattern to prevent CSWSH attacks.
+         * WebSocket connections start unauthenticated, client must call authenticate(token)
+         * with a valid token obtained from a same-origin page request.
+         *
          * @example
          * ```typescript
          * const app = createApp({
@@ -362,60 +484,117 @@ export function createBeam(config) {
                 if (upgradeHeader !== 'websocket') {
                     return c.text('Expected WebSocket', 426);
                 }
-                // Try to get context from middleware, otherwise resolve fresh
-                let ctx;
-                const existingCtx = c.var.beam;
-                if (existingCtx) {
-                    ctx = existingCtx;
+                // Get the session secret for token verification
+                const secret = sessionConfig?.secretEnvKey
+                    ? c.env[sessionConfig.secretEnvKey]
+                    : sessionConfig?.secret;
+                if (!secret) {
+                    return c.text('Session secret is required for secure WebSocket connections', 500);
                 }
-                else {
-                    // Resolve auth
-                    const user = auth ? await auth(c.req.raw, c.env) : null;
-                    // Resolve session for WebSocket (cookie storage is read-only in WebSocket context)
-                    let session;
-                    if (sessionConfig) {
-                        const sessionId = parseSessionFromRequest(c.req.raw, cookieName);
-                        if (sessionId) {
-                            // Use custom storage factory if provided
-                            if (sessionConfig.storageFactory) {
-                                session = sessionConfig.storageFactory(sessionId, c.env);
-                            }
-                            else {
-                                // Default: cookie-based session (read-only - can't set cookies in WebSocket)
-                                const existingData = parseSessionDataFromRequest(c.req.raw);
-                                session = new CookieSession(existingData);
-                            }
-                        }
-                        else {
-                            // No session cookie - provide noop (rare edge case)
-                            session = {
-                                get: async () => null,
-                                set: async () => { },
-                                delete: async () => { },
-                            };
-                        }
-                    }
-                    else {
-                        session = {
-                            get: async () => null,
-                            set: async () => { },
-                            delete: async () => { },
-                        };
-                    }
-                    ctx = createBeamContext({
-                        env: c.env,
-                        user,
-                        request: c.req.raw,
-                        session,
-                    });
-                }
-                // Create BeamServer instance with capnweb RpcTarget
-                const server = new BeamServer(ctx, actions, modals, drawers);
+                // Create PublicBeamServer - client must authenticate to get full API
+                const server = new PublicBeamServer(secret, sessionConfig, c.env, c.req.raw, actions, auth);
                 // Use capnweb to handle the RPC connection
                 return newWorkersRpcResponse(c.req.raw, server);
             });
         },
     };
 }
+/**
+ * Public Beam RPC Server - initial unauthenticated API
+ *
+ * This follows the capnweb in-band authentication pattern:
+ * - WebSocket connections start with this unauthenticated API
+ * - Client calls authenticate(token) to get the authenticated BeamServer
+ * - This prevents Cross-Site WebSocket Hijacking (CSWSH) attacks
+ */
+class PublicBeamServer extends RpcTarget {
+    secret;
+    sessionConfig;
+    env;
+    request;
+    actions;
+    auth;
+    constructor(secret, sessionConfig, env, request, actions, auth) {
+        super();
+        this.secret = secret;
+        this.sessionConfig = sessionConfig;
+        this.env = env;
+        this.request = request;
+        this.actions = actions;
+        this.auth = auth;
+    }
+    /**
+     * Authenticate with a token and return the authenticated API
+     * This is the only method available on the public API
+     */
+    async authenticate(token) {
+        // Verify the token
+        const payload = await verifyToken(token, this.secret);
+        if (!payload) {
+            throw new Error('Invalid or expired auth token');
+        }
+        // Resolve auth (user info is embedded in token, but we re-resolve for fresh data)
+        const user = this.auth ? await this.auth(this.request, this.env) : null;
+        // Resolve session
+        let session;
+        if (this.sessionConfig) {
+            const cookieName = this.sessionConfig.cookieName ?? 'beam_sid';
+            const sessionId = parseSessionFromRequest(this.request, cookieName);
+            // Verify session ID matches token
+            if (sessionId !== payload.sid) {
+                throw new Error('Session mismatch');
+            }
+            if (sessionId && this.sessionConfig.storageFactory) {
+                session = this.sessionConfig.storageFactory(sessionId, this.env);
+            }
+            else if (sessionId) {
+                const existingData = parseSessionDataFromRequest(this.request);
+                session = new CookieSession(existingData);
+            }
+            else {
+                session = { get: async () => null, set: async () => { }, delete: async () => { } };
+            }
+        }
+        else {
+            session = { get: async () => null, set: async () => { }, delete: async () => { } };
+        }
+        // Create authenticated context
+        const ctx = createBeamContext({
+            env: this.env,
+            user,
+            request: this.request,
+            session,
+        });
+        // Return the authenticated BeamServer
+        return new BeamServer(ctx, this.actions);
+    }
+}
+/**
+ * Generate the auth token meta tag HTML for in-band WebSocket authentication.
+ * Call this in your layout/page to inject the token.
+ *
+ * @example
+ * ```tsx
+ * // app/routes/_renderer.tsx
+ * import { beamTokenMeta } from '@benqoder/beam'
+ *
+ * export default defineRenderer((c, { Layout, children }) => {
+ *   const token = c.get('beamAuthToken')
+ *   return (
+ *     <html>
+ *       <head>
+ *         <RawHTML>{beamTokenMeta(token)}</RawHTML>
+ *       </head>
+ *       <body>{children}</body>
+ *     </html>
+ *   )
+ * })
+ * ```
+ */
+export function beamTokenMeta(token) {
+    // Escape any quotes in the token for safe HTML embedding
+    const escapedToken = token.replace(/"/g, '&quot;');
+    return `<meta name="beam-token" content="${escapedToken}">`;
+}
 // Export BeamServer for advanced usage (e.g., extending with custom methods)
-export { BeamServer };
+export { BeamServer, PublicBeamServer };

package/dist/index.d.ts

@@ -1,7 +1,5 @@
-export { createBeam, KVSession, CookieSession } from './createBeam';
+export { createBeam, KVSession, CookieSession, beamTokenMeta } from './createBeam';
 export { render } from './render';
-export { ModalFrame } from './ModalFrame';
-export { DrawerFrame } from './DrawerFrame';
-export { collectActions, collectModals, collectDrawers, collectHandlers, } from './collect';
-export type { ActionHandler, ModalHandler, DrawerHandler, BeamConfig, BeamInstance, BeamInitOptions, BeamUser, BeamContext, BeamVariables, AuthResolver, BeamSession, SessionConfig, SessionStorageFactory, } from './types';
+export { collectActions, } from './collect';
+export type { ActionHandler, ActionResponse, ModalOptions, DrawerOptions, BeamConfig, BeamInstance, BeamInitOptions, BeamUser, BeamContext, BeamVariables, AuthResolver, BeamSession, SessionConfig, SessionStorageFactory, AuthTokenPayload, } from './types';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AACnE,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAA;AAG3C,OAAO,EACL,cAAc,EACd,aAAa,EACb,cAAc,EACd,eAAe,GAChB,MAAM,WAAW,CAAA;AAGlB,YAAY,EACV,aAAa,EACb,YAAY,EACZ,aAAa,EACb,UAAU,EACV,YAAY,EACZ,eAAe,EACf,QAAQ,EACR,WAAW,EACX,aAAa,EACb,YAAY,EACZ,WAAW,EACX,aAAa,EACb,qBAAqB,GACtB,MAAM,SAAS,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAClF,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AAGjC,OAAO,EACL,cAAc,GACf,MAAM,WAAW,CAAA;AAGlB,YAAY,EACV,aAAa,EACb,cAAc,EACd,YAAY,EACZ,aAAa,EACb,UAAU,EACV,YAAY,EACZ,eAAe,EACf,QAAQ,EACR,WAAW,EACX,aAAa,EACb,YAAY,EACZ,WAAW,EACX,aAAa,EACb,qBAAqB,EACrB,gBAAgB,GACjB,MAAM,SAAS,CAAA"}

package/dist/index.js

@@ -1,7 +1,5 @@
 // Main server-side exports for @benqoder/beam
-export { createBeam, KVSession, CookieSession } from './createBeam';
+export { createBeam, KVSession, CookieSession, beamTokenMeta } from './createBeam';
 export { render } from './render';
-export { ModalFrame } from './ModalFrame';
-export { DrawerFrame } from './DrawerFrame';
 // Auto-discovery utilities
-export { collectActions, collectModals, collectDrawers, collectHandlers, } from './collect';
+export { collectActions, } from './collect';