fix: don't show success on validation error in forgot-password forms

The catch-all error handler (for anti-email-enumeration) was also swallowing 422 validation errors, making it appear that a reset email was sent even for empty or invalid input. Now 422 responses are excluded from the catch — the user stays on the form so the field-level validation messages remain visible. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 20:53:03 +02:00
parent e5fdb3efb1
commit 824b28897e
2 changed files with 24 additions and 6 deletions
--- a/apps/app/src/pages/forgot-password.vue
+++ b/apps/app/src/pages/forgot-password.vue
@@ -38,13 +38,22 @@ async function onSubmit(): Promise<void> {
      email: email.value.trim(),
      app: 'app',
    })
+    done.value = true
  }
-  catch {
-    // Always show generic success (no email enumeration)
+  catch (error: unknown) {
+    const ax = error as { response?: { status?: number } }
+
+    if (ax.response?.status === 422) {
+      // Validation error — don't show success, let the user fix input
+      return
+    }
+
+    // For all other errors (404 user-not-found, network, etc.):
+    // show generic success to prevent email enumeration
+    done.value = true
  }
  finally {
    isSubmitting.value = false
-    done.value = true
  }
 }
 </script>