Comment 9 for bug 1162914

It looks like there is a race condition between the rpc calls to /auth_signup/retrieve (verify the auth token) and /auth_signup/get_config (determine whether password reset buttons and signup buttons are permitted). Whichever one finishes second gets to set up the form, so if the auth token verification is faster than the signup checks, the browser will briefly display the reset form before switching to the normal login form.

I've attached a patch against the 7.0-20130903-231112-1 nightly deb that doesn't bother calling get_config if it's already called to verify the auth token.