diff --git a/spec/controllers/internal_users_controller_spec.rb b/spec/controllers/internal_users_controller_spec.rb
index d922eb94..a2f5a6c0 100644
--- a/spec/controllers/internal_users_controller_spec.rb
+++ b/spec/controllers/internal_users_controller_spec.rb
@@ -163,6 +163,49 @@ describe InternalUsersController do
     expect_template(:edit)
   end
 
+  describe 'GET #forgot_password' do
+    context 'when no user is logged in' do
+      before(:each) do
+        expect(controller).to receive(:current_user).and_return(nil)
+        get :forgot_password
+      end
+
+      expect_status(200)
+      expect_template(:forgot_password)
+    end
+
+    context 'when a user is already logged in' do
+      before(:each) do
+        expect(controller).to receive(:current_user).and_return(user)
+        get :forgot_password
+      end
+
+      expect_redirect(:root)
+    end
+  end
+
+  describe 'POST #forgot_password' do
+    context 'with an email address' do
+      let(:request) { proc { post :forgot_password, email: user.email } }
+      before(:each) { request.call }
+
+      it 'delivers instructions to reset the password' do
+        expect(InternalUser).to receive(:find_by).and_return(user)
+        expect(user).to receive(:deliver_reset_password_instructions!)
+        request.call
+      end
+
+      expect_redirect(:root)
+    end
+
+    context 'without an email address' do
+      before(:each) { post :forgot_password }
+
+      expect_status(200)
+      expect_template(:forgot_password)
+    end
+  end
+
   describe 'GET #index' do
     before(:each) do
       allow(controller).to receive(:current_user).and_return(user)
@@ -185,6 +228,65 @@ describe InternalUsersController do
     expect_template(:new)
   end
 
+  describe 'GET #reset_password' do
+    let(:user) { users.first }
+
+    context 'without a valid password reset token' do
+      before(:each) { get :reset_password, id: user.id }
+
+      expect_redirect
+    end
+
+    context 'with a valid password reset token' do
+      before(:each) do
+        user.deliver_reset_password_instructions!
+        get :reset_password, id: user.id, token: user.reset_password_token
+      end
+
+      expect_assigns(user: :user)
+      expect_status(200)
+      expect_template(:reset_password)
+    end
+  end
+
+  describe 'PUT #reset_password' do
+    let(:user) { users.first }
+    before(:each) { user.deliver_reset_password_instructions! }
+
+    context 'without a valid password reset token' do
+      before(:each) { put :reset_password, id: user.id }
+
+      expect_redirect(:root)
+    end
+
+    context 'with a valid password reset token' do
+      let(:password) { 'foo' }
+
+      context 'with a matching password confirmation' do
+        let(:request) { proc { put :reset_password, internal_user: {password: password, password_confirmation: password}, id: user.id, token: user.reset_password_token } }
+        before(:each) { request.call }
+
+        expect_assigns(user: :user)
+
+        it 'changes the password' do
+          expect(InternalUser.authenticate(user.email, password)).to eq(user)
+        end
+
+        expect_redirect { Rails.application.routes.url_helpers.send(:sign_in_path) }
+      end
+
+      context 'without a matching password confirmation' do
+        before(:each) do
+          put :reset_password, internal_user: {password: password, password_confirmation: ''}, id: users.first.id, token: user.reset_password_token
+        end
+
+        expect_assigns(user: :user)
+        expect_status(200)
+        expect_template(:reset_password)
+      end
+    end
+  end
+
   describe 'GET #show' do
     before(:each) do
       allow(controller).to receive(:current_user).and_return(user)