diff --git a/auth/handlers/handle_password-reset.go b/auth/handlers/handle_password-reset.go
index 71d9dbaa2..c524ec3dd 100644
--- a/auth/handlers/handle_password-reset.go
+++ b/auth/handlers/handle_password-reset.go
@@ -4,6 +4,7 @@ import (
 	"github.com/cortezaproject/corteza-server/auth/request"
 	"github.com/cortezaproject/corteza-server/pkg/errors"
 	"github.com/cortezaproject/corteza-server/system/service"
+	"github.com/cortezaproject/corteza-server/system/types"
 	"go.uber.org/zap"
 )
 
@@ -46,11 +47,16 @@ func (h *AuthHandlers) resetPasswordForm(req *request.AuthReq) (err error) {
 
 	req.Template = TmplResetPassword
 
-	if req.AuthUser.User == nil {
+	if req.AuthUser == nil {
 		// user not set, expecting valid token in URL
 		if token := req.Request.URL.Query().Get("token"); len(token) > 0 {
-			req.AuthUser.User, err = h.AuthService.ValidatePasswordResetToken(req.Context(), token)
+			var user *types.User
+
+			user, err = h.AuthService.ValidatePasswordResetToken(req.Context(), token)
 			if err == nil {
+				// login user
+				req.AuthUser = request.NewAuthUser(h.Settings, user, false, h.Opt.SessionLifetime)
+
 				// redirect back to self (but without token and with user in session
 				h.Log.Debug("valid password reset token found, refreshing page with stored user")
 				req.RedirectTo = GetLinks().ResetPassword
diff --git a/auth/handlers/handle_password-reset_test.go b/auth/handlers/handle_password-reset_test.go
index b206aaa66..01038f821 100644
--- a/auth/handlers/handle_password-reset_test.go
+++ b/auth/handlers/handle_password-reset_test.go
@@ -47,9 +47,7 @@ func Test_requestPasswordResetForm(t *testing.T) {
 
 func Test_resetPasswordForm(t *testing.T) {
 	var (
-		ctx = context.Background()
-		user = makeMockUser(ctx)
-
+		ctx = context.Background()
 		req = &http.Request{
 			URL: &url.URL{},
 		}
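Review bot: When `ValidatePasswordResetToken` fails, or no `token` query parameter is present, `req.AuthUser` now stays nil where it used to be a non-nil AuthUser with a nil User, so any later read of `req.AuthUser` in resetPasswordForm (its body continues past the hunk) that previously relied on the struct being present would now panic instead of rendering the form; check the rest of the function tolerates a nil `req.AuthUser` before the template is served. The token alone now produces a stored session via `request.NewAuthUser(h.Settings, user, false, h.Opt.SessionLifetime)` before the password has actually been changed; confirm that `ValidatePasswordResetToken` invalidates the token on use and that the resulting session is not usable outside the reset flow, because the session outlives the one-time token and a leaked reset link would otherwise act as a login. The `// login user` comment should say why this happens: `// token is valid: keep the user in the session so the form can be re-rendered without the token in the URL`.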
@@ -109,11 +107,11 @@ func Test_resetPasswordForm(t *testing.T) {
 
			tc.fn()
 
-			authReq = prepareClientAuthReq(ctx, req, user)
+			authReq = prepareClientAuthReq(ctx, req, nil)
			authHandlers = prepareClientAuthHandlers(ctx, authService, authSettings)
 
			// unset so we get to the main functionality
-			authReq.AuthUser.User = nil
+			authReq.AuthUser = nil
 
			err := authHandlers.resetPasswordForm(authReq)
 
diff --git a/auth/handlers/mock_test.go b/auth/handlers/mock_test.go
index ce4bae726..fb3d96d66 100644
--- a/auth/handlers/mock_test.go
+++ b/auth/handlers/mock_test.go
@@ -317,8 +317,6 @@ func prepareClientAuthReq(ctx context.Context, req *http.Request, user *types.Us
 	s.MultiFactor.EmailOTP.Enforced = true
 	s.MultiFactor.TOTP.Enabled = true
 
-	authUser := request.NewAuthUser(s, user, true, time.Duration(time.Hour))
-
 	session := sessions.NewSession(&mockSession{
 		save: func(r *http.Request, w http.ResponseWriter, s *sessions.Session) error {
 			s.Values = make(map[interface{}]interface{})
@@ -326,13 +324,18 @@ func prepareClientAuthReq(ctx context.Context, req *http.Request, user *types.Us
 		},
 	}, "session")
 
-	return &request.AuthReq{
+	authReq := &request.AuthReq{
 		Request: req,
-		AuthUser: authUser,
 		Session: session,
 		Response: httptest.NewRecorder(),
 		Data: make(map[string]interface{}),
 	}
+
+	if user != nil {
+		authReq.AuthUser = request.NewAuthUser(s, user, true, time.Duration(time.Hour))
+	}
+
+	return authReq
 }
 
 func prepareClientAuthService(ctx context.Context, user *types.User) *mockAuthService {
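Review bot: `time.Duration(time.Hour)` on the new `authReq.AuthUser = request.NewAuthUser(...)` line in prepareClientAuthReq is a no-op conversion, since `time.Hour` already is a `time.Duration`; write `authReq.AuthUser = request.NewAuthUser(s, user, true, time.Hour)`. With this change the helper already leaves `AuthUser` nil when `user` is nil, so the `authReq.AuthUser = nil` added in Test_resetPasswordForm (the first hunk on this line) right after passing `nil` to the helper is redundant and can be dropped together with its "unset" comment, leaving the helper as the single place that decides whether a request carries a user. The helper's new contract deserves a doc comment, e.g. `// prepareClientAuthReq builds an AuthReq with a mock session; AuthUser is only populated when user is non-nil.`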