fix: server-side export filtering and JSON parse safety

- Export endpoint supports ?ids= query param for selective export,
preventing full token payload over the network
- Import hook wraps JSON.parse in try-catch for invalid files
- Add test for selective export filtering

shared/hooks/use-accounts.ts

@@ -156,13 +156,11 @@ export function useAccounts() {
   }, []);
 
   const exportAccounts = useCallback(async (selectedIds?: string[]) => {
-    const resp = await fetch("/auth/accounts/export");
+    const params = selectedIds && selectedIds.length > 0
+      ? `?ids=${selectedIds.join(",")}`
+      : "";
+    const resp = await fetch(`/auth/accounts/export${params}`);
     const data = await resp.json() as { accounts: Array<{ id: string }> };
-    // Filter to selected accounts if specified
-    if (selectedIds && selectedIds.length > 0) {
-      const idSet = new Set(selectedIds);
-      data.accounts = data.accounts.filter((a) => idSet.has(a.id));
-    }
     const blob = new Blob([JSON.stringify(data, null, 2)], { type: "application/json" });
     const url = URL.createObjectURL(blob);
     const a = document.createElement("a");
@@ -184,7 +182,12 @@ export function useAccounts() {
     errors: string[];
   }> => {
     const text = await file.text();
-    const parsed = JSON.parse(text) as Record<string, unknown>;
+    let parsed: unknown;
+    try {
+      parsed = JSON.parse(text);
+    } catch {
+      return { success: false, added: 0, updated: 0, failed: 0, errors: ["Invalid JSON file"] };
+    }
     // Support both { accounts: [...] } (export format) and raw array
     const accounts = Array.isArray(parsed)
       ? parsed

src/routes/__tests__/accounts-import-export.test.ts

@@ -108,6 +108,17 @@ describe("account import/export", () => {
     }
   });
 
+  it("GET /auth/accounts/export?ids= filters server-side", async () => {
+    const id1 = pool.addAccount("tokenAAAA1234567890");
+    pool.addAccount("tokenBBBB1234567890");
+
+    const res = await app.request(`/auth/accounts/export?ids=${id1}`);
+    expect(res.status).toBe(200);
+    const data = await res.json() as { accounts: Array<{ id: string }> };
+    expect(data.accounts).toHaveLength(1);
+    expect(data.accounts[0].id).toBe(id1);
+  });
+
   // ── Import ─────────────────────────────────────────────
 
   it("POST /auth/accounts/import adds new accounts", async () => {

src/routes/accounts.ts

@@ -87,9 +87,15 @@ export function createAccountRoutes(
     return c.redirect(authUrl);
   });
 
-  // Export all accounts (with tokens) for backup/migration
+  // Export accounts (with tokens) for backup/migration
+  // ?ids=id1,id2 for selective export; omit for all
   app.get("/auth/accounts/export", (c) => {
-    const entries = pool.getAllEntries();
+    let entries = pool.getAllEntries();
+    const idsParam = c.req.query("ids");
+    if (idsParam) {
+      const idSet = new Set(idsParam.split(",").filter(Boolean));
+      entries = entries.filter((e) => idSet.has(e.id));
+    }
     return c.json({ accounts: entries });
   });