diff --git a/server/AyaNova/Controllers/AuthController.cs b/server/AyaNova/Controllers/AuthController.cs
index 1e532d3d..93cc38d2 100644
--- a/server/AyaNova/Controllers/AuthController.cs
+++ b/server/AyaNova/Controllers/AuthController.cs
@@ -368,6 +368,13 @@ namespace AyaNova.Api.Controllers
return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
}
+ if (string.IsNullOrWhiteSpace(user.PasswordResetCode) || user.PasswordResetCodeExpire == null)
+ {
+ //Make a fail wait
+ await Task.Delay(nFailDelay);
+ return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
+ }
+
//vet the expiry
var utcNow = new DateTimeOffset(DateTime.Now.ToUniversalTime(), TimeSpan.Zero);
if (user.PasswordResetCodeExpire < utcNow.DateTime)
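Review bot: The new guard on the missing reset code or expiry repeats the delay-then-401 sequence that already appears immediately above it, and the expiry check that follows presumably fails the same way; a local function such as `async Task<IActionResult> FailAsync() { await Task.Delay(nFailDelay); return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED)); }` would keep every failure path of this action delayed identically, which is what makes the delay useful against probing. The guard itself is the right fix, since a comparison against a null `PasswordResetCodeExpire` on the next line would evaluate to false and silently skip the expiry vetting. The companion hunk in UserBiz.cs clears `DlKeyExpire` rather than `PasswordResetCodeExpire` after a successful reset, so unless those are the same column the expiry this guard inspects is never cleared alongside the code — worth confirming. The enclosing action method begins and ends outside the hunk.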
@@ -384,7 +391,7 @@ namespace AyaNova.Api.Controllers
///
/// Generate time limited password reset code for User
- /// and email to them
+ /// and email link to them so they can set their password
///
///
/// User id
diff --git a/server/AyaNova/biz/UserBiz.cs b/server/AyaNova/biz/UserBiz.cs
index 263b479c..37fc5468 100644
--- a/server/AyaNova/biz/UserBiz.cs
+++ b/server/AyaNova/biz/UserBiz.cs
@@ -301,6 +301,11 @@ namespace AyaNova.Biz
{
User dbObject = await ct.User.FirstOrDefaultAsync(z => z.Id == userId);
dbObject.Password = Hasher.hash(dbObject.Salt, newPassword);
+
+ //remove reseet code and date so it can't be used again
+ dbObject.PasswordResetCode=null;
+ dbObject.DlKeyExpire=null;
+
await ct.SaveChangesAsync();
//Log modification and save context