diff --git a/auth/session.go b/auth/session.go
index c7c81e4a0cf1f0bbef631822438a8c5cc1d55fb3..009cef2cc86aaad9f8053e70470c09a2838a463c 100644
--- a/auth/session.go
+++ b/auth/session.go
@@ -51,17 +51,19 @@ func GetSignedSessionTokenString(request events.APIGatewayProxyRequest, secretKe
 
 // ValidateJWTWithSessionTokens attempts to validate the JWT string by signing each session token using the secret, and
 // using the resulting signed session token to validate the JWT. If the JWT can be validated using a session token, the
-// JsonWebToken is returned, otherwise nil is returned.
-func ValidateJWTWithSessionTokens(jsonWebTokenString string, secretKey string, sessionTokens []string) *JsonWebToken {
+// JsonWebToken is returned, otherwise nil is returned. If the JWT is expired, nil is returned along with the session token.
+func ValidateJWTWithSessionTokens(jsonWebTokenString string, secretKey string, sessionTokens []string) (validJsonWebToken *JsonWebToken, expiredSessionToken *string) {
 	// Test each session token to find one that is valid
 	for _, sessionToken := range sessionTokens {
 		jsonWebToken, err := ValidateJWTWithSessionToken(jsonWebTokenString, secretKey, sessionToken)
 		if err == nil {
-			return &jsonWebToken
+			return &jsonWebToken, nil
+		} else if err.Error() == "token has expired" {
+			return nil, &sessionToken
 		}
 	}
 
-	return nil
+	return nil, nil
 }
 
 // FindAndRemoveCurrentSessionToken attempts to validate the JWT string by signing each session token using the secret,
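Review bot: The new branch `err.Error() == "token has expired"` makes a security decision by comparing error text, so a reworded or wrapped error from ValidateJWTWithSessionToken would silently turn an expired token into the generic `nil, nil` result. A sentinel error exported beside that function and matched with an `errors.Is`-style check, e.g. `} else if errors.Is(err, ErrTokenExpired) {` (placeholder name, not in this diff), keeps the two in step. ValidateJWTWithSessionToken is outside the hunk, so please confirm it reports expiry only after the signature has verified against this session token. If expiry is checked first, the loop returns the first session token in the list for any expired JWT, whoever signed it. The doc comment could also state which token comes back: `// If the JWT verifies against a session token but has expired, nil and a pointer to that session token are returned.`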
diff --git a/cognito/cognito.go b/cognito/cognito.go
index d8300aee61cb523bc6fd133bda6fc39e9d31dfc2..079b2000bc551fd313e3d261b1b042e66c89e3d0 100644
--- a/cognito/cognito.go
+++ b/cognito/cognito.go
@@ -90,6 +90,18 @@ func SetUserPassword(pool string, username string, password string) (*cognitoide
 	return output, err
 }
 
+func ConfirmPasswordReset(appClientID string, username string, password string, confirmationCode string) (*cognitoidentityprovider.ConfirmForgotPasswordOutput, error) {
+	input := cognitoidentityprovider.ConfirmForgotPasswordInput{
+		ClientId:         &appClientID,
+		ConfirmationCode: &confirmationCode,
+		Password:         &password,
+		Username:         &username,
+	}
+	output, err := CognitoService.ConfirmForgotPassword(&input)
+	logs.Info("output", output)
+	return output, err
+}
+
 // FOR API LOGS
 
 func DetermineAuthType(identity events.APIGatewayRequestIdentity) *string {
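Review bot: In ConfirmPasswordReset, `logs.Info("output", output)` runs before `err` is examined, so a failed confirmation logs an empty output value and records nothing about the failure. Checking the error first with `if err != nil { return nil, err }` and logging only a success event with the username would make the log line useful for auditing password resets. If logging is extended later, `input` should stay out of it, because it carries the new password and the confirmation code. The exported function also has no doc comment; something like `// ConfirmPasswordReset completes a forgot-password flow by submitting the confirmation code and new password for username to the given app client.` would match the neighbouring functions' style.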
diff --git a/errors/errors.go b/errors/errors.go
index 678c54b9e219cd031dfb42d2b5ca692ff0bb82e8..d302aa6a793579e52f0ce85d693b9cf63beed74b 100644
--- a/errors/errors.go
+++ b/errors/errors.go
@@ -2,6 +2,7 @@ package errors
 
 import (
 	"fmt"
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	pkg_errors "github.com/pkg/errors"
 )
 
@@ -111,6 +112,17 @@ func HTTPWithError(code int, err error) error {
 	return wrappedErr
 }
 
+func AWSErrorWithoutExceptionCode(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	if awsError, ok := err.(awserr.Error); ok {
+		return Error(awsError.Message())
+	}
+	return err
+}
+
 type Description struct {
 	Message string       `json:"error"`
 	Source  *CallerInfo  `json:"source,omitempty"`
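Review bot: The direct assertion `err.(awserr.Error)` in AWSErrorWithoutExceptionCode only matches an unwrapped AWS error. This package already imports `pkg_errors`, so an error that has passed through a wrap would fall through to `return err` with its exception code intact. Unwrapping first, `if awsError, ok := pkg_errors.Cause(err).(awserr.Error); ok {`, would close that gap. The function also forwards the AWS message verbatim, and presumably that text reaches the API caller. For Cognito calls, confirm that the messages do not reveal whether a username exists, or map the codes to fixed messages. A doc comment would help too, e.g. `// AWSErrorWithoutExceptionCode returns an error carrying only the AWS message, dropping the exception code; non-AWS errors are returned unchanged.`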