diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index c81c28dc849..c18ad1f84cc 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -504,8 +504,8 @@ class UsersController < ApplicationController
 success: false,
 message: @error,
 errors: @user&.errors&.to_hash,
- is_developer: UsernameCheckerService.is_developer?(@user.email),
- admin: @user.admin?
+ is_developer: UsernameCheckerService.is_developer?(@user&.email),
+ admin: @user&.admin?
 }
 else
 render json: {
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index e5715baf88d..704ff66e998 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -303,11 +303,9 @@ describe UsersController do
 context 'invalid token' do
 render_views
 
- before do
- get :password_reset, params: { token: "evil_trout!" }
- end
-
 it 'disallows login' do
+ get :password_reset, params: { token: "evil_trout!" }
+
 
 expect(response).to be_success
 expect(CGI.unescapeHTML(response.body))
@@ -319,6 +317,16 @@ describe UsersController do
 expect(session[:current_user_id]).to be_blank
 end
 
+
+ it "responds with proper error message" do
+ put :password_reset, params: {
+ token: "evil_trout!", password: "awesomeSecretPassword"
+ }, format: :json
+
+ expect(response).to be_success
+ expect(JSON.parse(response.body)["message"]).to eq(I18n.t('password_reset.no_token'))
+ expect(session[:current_user_id]).to be_blank
+ end
 end
 
 context 'valid token' do
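Review bot: When `@user` is nil (the invalid-token path the new spec drives), `is_developer?(@user&.email)` now hands `nil` to the service and `admin: @user&.admin?` serialises as `null` rather than a boolean, so the error payload changes shape for clients that expect `admin` to be true or false; whether `UsernameCheckerService.is_developer?` tolerates `nil` is not visible in this diff. Making the no-user case explicit keeps both keys boolean and avoids relying on the service's nil handling: `is_developer: @user ? UsernameCheckerService.is_developer?(@user.email) : false,` and `admin: @user ? @user.admin? : false`. The enclosing action starts and ends outside the hunk, so I cannot confirm there is no earlier early-return for a missing user.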
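Review bot: The added empty `+` line after the moved `get` sits directly before an existing blank context line, which, if I read the hunk counts right, leaves two consecutive blank lines inside `it 'disallows login'`; the same pattern appears before the new example in the following hunk. Dropping the extra added blank line in both places keeps the spec consistent with the single blank lines used elsewhere in this `context` block. The example body continues past the end of the hunk.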
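Review bot: The new example asserts only `message`, so the keys the controller change actually touched for a nil user — `success`, `is_developer` and `admin` — remain unasserted even though this is the example that exercises that branch. Parsing the body once and pinning them covers the fix directly: `json = JSON.parse(response.body)`, `expect(json["success"]).to eq(false)`, `expect(json["admin"]).to be_falsey`. The expected `is_developer` value for a nil user depends on how `UsernameCheckerService.is_developer?` treats `nil`, which is not visible here, so that assertion should be written against the documented behaviour of the service.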