fix: don't show success on validation error in forgot-password forms

The catch-all error handler (for anti-email-enumeration) was also
swallowing 422 validation errors, making it appear that a reset
email was sent even for empty or invalid input. Now 422 responses
are excluded from the catch — the user stays on the form so the
field-level validation messages remain visible.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/app/src/pages/forgot-password.vue

@@ -38,13 +38,22 @@ async function onSubmit(): Promise<void> {
       email: email.value.trim(),
       app: 'app',
     })
+    done.value = true
   }
-  catch {
+  catch (error: unknown) {
-    // Always show generic success (no email enumeration)
+    const ax = error as { response?: { status?: number } }
+
+    if (ax.response?.status === 422) {
+      // Validation error — don't show success, let the user fix input
+      return
+    }
+
+    // For all other errors (404 user-not-found, network, etc.):
+    // show generic success to prevent email enumeration
+    done.value = true
   }
   finally {
     isSubmitting.value = false
-    done.value = true
   }
 }
 </script>

apps/portal/src/pages/wachtwoord-vergeten.vue

@@ -27,13 +27,22 @@ async function onSubmit(): Promise<void> {
   isSubmitting.value = true
   try {
     await apiClient.post('/auth/forgot-password', { email: email.value.trim(), app: 'portal' })
+    done.value = true
   }
-  catch {
+  catch (error: unknown) {
-    // Always show generic success (no email enumeration)
+    const ax = error as { response?: { status?: number } }
+
+    if (ax.response?.status === 422) {
+      // Validation error — don't show success, let the user fix input
+      return
+    }
+
+    // For all other errors (404 user-not-found, network, etc.):
+    // show generic success to prevent email enumeration
+    done.value = true
   }
   finally {
     isSubmitting.value = false
-    done.value = true
   }
 }
 </script>