fix: #7477

src/controllers/authentication.js

@@ -273,13 +273,20 @@ function continueLogin(req, res, next) {
 		if (passwordExpiry && passwordExpiry < Date.now()) {
 			winston.verbose('[auth] Triggering password reset for uid ' + userData.uid + ' due to password policy');
 			req.session.passwordExpired = true;
-			user.reset.generate(userData.uid, function (err, code) {
+
+			async.series({
+				code: async.apply(user.reset.generate, userData.uid),
+				buildHeader: async.apply(middleware.buildHeader, req, res),
+				header: async.apply(middleware.generateHeader, req, res, {}),
+			}, function (err, payload) {
 				if (err) {
 					return helpers.noScriptErrors(req, res, err.message, 403);
 				}
 
 				res.status(200).send({
-					next: nconf.get('relative_path') + '/reset/' + code,
+					next: nconf.get('relative_path') + '/reset/' + payload.code,
+					header: payload.header,
+					config: res.locals.config,
 				});
 			});
 		} else {

src/controllers/index.js

@@ -62,10 +62,11 @@ Controllers.reset = function (req, res, next) {
 	};
 
 	if (req.params.code) {
-		// Save to session and redirect
+		// Save to session
 		req.session.reset_code = req.params.code;
-		res.redirect(nconf.get('relative_path') + '/reset');
-	} else if (req.session.reset_code) {
+	}
+
+	if (req.session.reset_code) {
 		// Validate and save to local variable before removing from session
 		user.reset.validate(req.session.reset_code, function (err, valid) {
 			if (err) {