From 06913a0aeda9acb71292cec530cac85dc852f6fb Mon Sep 17 00:00:00 2001
From: adlee-was-taken <aaron.daniel.lee@gmail.com>
Date: Tue, 28 Apr 2026 22:03:02 -0400
Subject: [PATCH] test(ext/sw): router accepts/rejects backup messages per
 sender

---
 .../router/__tests__/router.test.ts           | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/extension/src/service-worker/router/__tests__/router.test.ts b/extension/src/service-worker/router/__tests__/router.test.ts
index 8b0b01d..bc07b33 100644
--- a/extension/src/service-worker/router/__tests__/router.test.ts
+++ b/extension/src/service-worker/router/__tests__/router.test.ts
@@ -786,3 +786,54 @@ describe('upload_attachment / download_attachment', () => {
     expect(result).toEqual({ ok: false, error: 'unauthorized_sender' });
   });
 });
+
+// --- export_backup / restore_backup sender check ---
+
+describe('export_backup / restore_backup sender check', () => {
+  it('accepts vault tab for export_backup', async () => {
+    const state = makeState();
+    const result = await route(
+      { type: 'export_backup', passphrase: 'p', includeImage: false },
+      state,
+      makeVaultSender(),
+    );
+    // The handler may return ok: false (vault_locked / missing state) but the
+    // router must NOT reject it as unauthorized_sender.
+    expect(result).not.toEqual({ ok: false, error: 'unauthorized_sender' });
+  });
+
+  it('accepts popup for export_backup', async () => {
+    const state = makeState();
+    const result = await route(
+      { type: 'export_backup', passphrase: 'p', includeImage: false },
+      state,
+      makePopupSender(),
+    );
+    expect(result).not.toEqual({ ok: false, error: 'unauthorized_sender' });
+  });
+
+  it('rejects setup tab for export_backup', async () => {
+    const state = makeState();
+    const result = await route(
+      { type: 'export_backup', passphrase: 'p', includeImage: false },
+      state,
+      makeSetupSender(),
+    );
+    expect(result).toEqual({ ok: false, error: 'unauthorized_sender' });
+  });
+
+  it('rejects content top frame for restore_backup', async () => {
+    const state = makeState();
+    const result = await route(
+      {
+        type: 'restore_backup',
+        bytes: new ArrayBuffer(8),
+        passphrase: 'p',
+        newRemote: { hostType: 'gitea', hostUrl: 'https://x', repoPath: 'a/b', apiToken: 't' },
+      },
+      state,
+      makeContentSender('https://example.com'),
+    );
+    expect(result).toEqual({ ok: false, error: 'unauthorized_sender' });
+  });
+});