diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb
index 5e322d91e..78a899678 100644
--- a/app/controllers/devise_token_auth/passwords_controller.rb
+++ b/app/controllers/devise_token_auth/passwords_controller.rb
@@ -107,7 +107,7 @@ def edit
 # ensure that user is confirmed
 @resource.skip_confirmation! if @resource.devise_modules.include?(:confirmable) && !@resource.confirmed_at
- # allow user to change password without current_password
+ # allow user to change password once without current_password
 @resource.allow_password_change = true;
 @resource.save!
diff --git a/test/controllers/devise_token_auth/passwords_controller_test.rb b/test/controllers/devise_token_auth/passwords_controller_test.rb
index a2962143c..4dbe9ffce 100644
--- a/test/controllers/devise_token_auth/passwords_controller_test.rb
+++ b/test/controllers/devise_token_auth/passwords_controller_test.rb
@@ -33,6 +33,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
 assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.missing_email")]
 end
 end
+
 describe 'not redirect_url should return 401' do
 before do
 @auth_headers = @resource.create_new_auth_token
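Review bot: The reworded comment promises the flag is good for one change, but the hunk only sets `@resource.allow_password_change = true` and saves it in `edit`; where it is cleared again is outside this hunk, so a reader of `edit` cannot see what bounds "once". Because a GET of the reset link persists a flag that later lets the password be changed without `current_password`, the comment should say where the flag is revoked, e.g. `# allow user to change password once without current_password (the flag stays set until it is cleared again, presumably by #update)` — hedged, since the clearing is not in this hunk (the test added in this commit asserts the flag is false after a successful update). The trailing semicolon on `@resource.allow_password_change = true;` is a stray and can be dropped. The `edit` action starts and ends outside the hunk.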
@@ -300,6 +301,45 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
 end
 end
+ describe 'success with after password reset' do
+ before do
+ xhr :post, :create, {
+ email: @resource.email,
+ redirect_url: @redirect_url
+ }
+
+ @mail = ActionMailer::Base.deliveries.last
+ @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
+ @mail_reset_token = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+
+ xhr :get, :edit, {
+ reset_password_token: @mail_reset_token,
+ redirect_url: @mail_redirect_url
+ }
+
+ @auth_headers = @resource.create_new_auth_token
+ request.headers.merge!(@auth_headers)
+ @new_password = Faker::Internet.password
+
+ xhr :put, :update, {
+ password: @new_password,
+ password_confirmation: @new_password
+ }
+
+ @data = JSON.parse(response.body)
+ @allow_password_change = @resource.allow_password_change
+ @resource.reload
+ end
+
+ test "request should be successful" do
+ assert_equal 200, response.status
+ end
+
+ test "sets allow_password_change false" do
+ assert_equal false, @allow_password_change
+ end
+ end
+
 describe 'current password mismatch error' do
 before do
 @auth_headers = @resource.create_new_auth_token
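Review bot: `@allow_password_change = @resource.allow_password_change` in the new `before` block reads the test's own in-memory `@resource` before the `@resource.reload` on the next line, so it reports the value that object held before any request ran, not what `update` wrote to the database; the "sets allow_password_change false" assertion would therefore pass even if the controller never cleared the flag (unless `create_new_auth_token` refreshes that attribute, which the hunk does not show). Reload first: `@data = JSON.parse(response.body)`, `@resource.reload`, `@allow_password_change = @resource.allow_password_change`. The test also never checks that the flag was true after the `:edit` request, so it does not pin the "once" behaviour the controller comment in this commit describes; a `@resource.reload` followed by an assertion on `allow_password_change` right after `xhr :get, :edit` would make that explicit, and `assert @resource.valid_password?(@new_password)` after the final reload would confirm the password was actually changed rather than only that a 200 came back.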