diff --git a/lib/wsapi/email_for_token.js b/lib/wsapi/email_for_token.js
index 4b3c837fbd05a80b97771bce131057724803c4e3..05bf4e2e4c1dfe32a4c861442bd33674d52950fd 100644
--- a/lib/wsapi/email_for_token.js
+++ b/lib/wsapi/email_for_token.js
@@ -46,7 +46,7 @@ exports.process = function(req, res) {
       // browser as the initiator
       var must_auth = true;
 
-      if (uid && req.session.userid === uid &&
+      if (((uid && req.session.userid === uid) || !req.session.userid) &&
                typeof req.session.pendingReset === 'string' &&
                req.params.token === req.session.pendingReset) {
         must_auth = false;
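Review bot: The added `!req.session.userid` alternative on the first line of the condition lets a session with no logged-in user skip re-authentication on the strength of `req.session.pendingReset === req.params.token` alone, and the comment above the check does not record that this is intended. I would add a line such as `// a session with no user that itself started this reset (pendingReset matches the token) is also treated as the initiating browser`. Nothing in the hunk shows where `pendingReset` is cleared, so please confirm it is removed when the reset completes or the token is invalidated; otherwise a stale session value would keep satisfying this branch. The body of `exports.process` starts and ends outside the hunk, so the handling of `must_auth` after this block could not be checked.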
diff --git a/tests/forgotten-pass-test.js b/tests/forgotten-pass-test.js
index e4e2407e88101701820938453e058f1e87174e1c..b13b5ddc14a69ff6f839bbd1e658fe86cc1abf1c 100755
--- a/tests/forgotten-pass-test.js
+++ b/tests/forgotten-pass-test.js
@@ -232,6 +232,7 @@ suite.addBatch({
       assert.equal(r.code, 200);
       var body = JSON.parse(r.body);
       assert.strictEqual(body.success, true);
+      assert.strictEqual(body.must_auth, false);
     }
   }
 });
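Review bot: The added `assert.strictEqual(body.must_auth, false);` pins only the relaxed path, so nothing visible here guards the cases that must still require authentication. Since the change loosens an authentication decision, I would add companion cases asserting `body.must_auth === true`, one for a session logged in as a different user and one for a token that does not match the session's `pendingReset`. The rest of the suite is outside the hunk, so such cases may already exist elsewhere in the file.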