diff --git a/lib/wsapi/email_for_token.js b/lib/wsapi/email_for_token.js
index da6bb87d9d602f42fe0631222c1e5a07777af300..206b7e23660a772c326c95617c4dce1e75d78612 100644
--- a/lib/wsapi/email_for_token.js
+++ b/lib/wsapi/email_for_token.js
@@ -20,6 +20,7 @@ exports.args = ['token'];
 exports.i18n = false;
 exports.process = function(req, res) {
+
 db.emailForVerificationSecret(req.query.token, function(err, email, uid, hash) {
 if (err) {
 if (err === 'database unavailable') {
@@ -41,10 +42,15 @@ exports.process = function(req, res) {
 if (uid && req.session.userid === uid) {
 must_auth = false;
 }
- else if (typeof req.session.pendingCreation === 'string' &&
+ else if (!uid && typeof req.session.pendingCreation === 'string' &&
 req.query.token === req.session.pendingCreation) {
 must_auth = false;
 }
+ else if (typeof req.session.pendingReset === 'string' &&
+ req.query.token === req.session.pendingReset)
+ {
+ must_auth = false;
+ }
 res.json({
 success: true,
diff --git a/lib/wsapi/password_reset_status.js b/lib/wsapi/password_reset_status.js
index dd1ff5767ce39583035c334dedc77dcf72fc2a8a..6059eac063238f9507b52c893ea01fc663c19428 100644
--- a/lib/wsapi/password_reset_status.js
+++ b/lib/wsapi/password_reset_status.js
@@ -36,11 +36,8 @@ exports.process = function(req, res) {
 if (staged) {
 return res.json({ status: 'pending' });
 } else {
- console.log("A", req.session);
 if (wsapi.isAuthed(req, 'assertion')) {
- console.log("B");
 db.userOwnsEmail(req.session.userid, email, function(err, owned) {
- console.log("C", err, owned);
 if (err) wsapi.databaseDown(res, err);
 else if (owned) res.json({ status: 'complete', userid: req.session.userid });
 else res.json({ status: 'mustAuth' });
diff --git a/lib/wsapi/stage_reset.js b/lib/wsapi/stage_reset.js
index ccc0a4eca3439005569c7f34048e430fdbada87d..a8aefbbcbdba61397c637ad9f41761ac0bb340ec 100644
--- a/lib/wsapi/stage_reset.js
+++ b/lib/wsapi/stage_reset.js
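Review bot: In the second hunk of lib/wsapi/email_for_token.js, the new `pendingReset` branch clears `must_auth` with no condition on `uid`, while the same commit tightens the neighbouring `pendingCreation` branch with `!uid`. A reset secret should presumably always resolve to an existing account, so the branch could start `else if (uid && typeof req.session.pendingReset === 'string' &&`. That keeps a session-stashed secret from waiving authentication for a token of the other kind, but it assumes `emailForVerificationSecret` returns a `uid` for reset secrets, which the hunk does not show. The opening brace on its own line also departs from the `) {` form of the branch just above. The body of `exports.process` begins and ends outside the hunk, so whether `req.session.pendingReset` is cleared once the reset completes cannot be checked from here.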
@@ -91,6 +91,7 @@ exports.process = function(req, res) { req.session.pendingReset = secret; res.json({ success: true }); + // let's now kick out a verification email! email.sendForgotPasswordEmail(req.body.email, req.body.site, secret, langContext); });