openstax / accounts

OpenStax centralized authentication and accounts service

Home Page: https://accounts.openstax.org

undefined method `password_expired?` in IdentitiesController

jpslav opened this issue

Got a couple of exceptions with:

A NoMethodError occurred in identities#reset_password:

  undefined method `password_expired?' for nil:NilClass
  app/controllers/identities_controller.rb:40:in `reset_password'

That offending line:

    if !current_user.is_anonymous? && current_user.identity.password_expired?

The current_user isn't anonymous but current_user.identity is nil (an "identity" is a password authentication in Accounts).

I would recommend adding a spec here. The create_user call at the top of that file creates a dummy user with an identity, so you'll need to find a way to either create a non-anonymous user without an identity (maybe as an option to that create_user method) or have an option to add a non-identity authentication (probably some examples somewhere else of creating a user with a fake Facebook authentication).

Users are sent to this reset password page when their password expires. And those people of course have identities. So these must be some random arrivals. A reasonable behavior for when a password-less person goes to reset_password would be to redirect them to the login page with a flash error that says "Your password cannot be reset. Please contact support for assistance." -- just in case they are not some random arrival and have a real need, we won't lose them.

In addition to reaching this from the expired password approach, these could also be users with social logins who say "Forgot password" (probably way more likely :-)

Most definitely. Make sure the message tells them to try FB/Google/Twitter. Or even figure out which one they have.
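
Added example, not part of the issue thread or the Accounts code base: a plain-Ruby sketch of the decision the thread converges on, where a signed-in user with no identity is sent to login with a flash message instead of raising NoMethodError. The `User` and `Identity` structs, the `providers` list, the outcome symbols and the "Try logging in with" hint wording are assumptions made for illustration.

```ruby
# Added illustration in plain Ruby; User and Identity are stand-in structs,
# not the Accounts models, and the returned symbols are hypothetical labels.
User = Struct.new(:anonymous, :identity, :providers, keyword_init: true) do
  def is_anonymous?
    anonymous
  end
end

Identity = Struct.new(:expired, keyword_init: true) do
  def password_expired?
    expired
  end
end

NO_PASSWORD_FLASH = 'Your password cannot be reset. ' \
                    'Please contact support for assistance.'

# Mirrors the condition on the offending line, with the nil identity handled
# before password_expired? is called. Returns [outcome, flash_or_nil].
def reset_password_outcome(user)
  return [:default_branch, nil] if user.is_anonymous?

  identity = user.identity
  if identity.nil?
    # Signed-in user with no password authentication, e.g. social login only.
    flash = NO_PASSWORD_FLASH
    unless user.providers.empty?
      names = user.providers.map(&:capitalize).join(' or ')
      flash += " Try logging in with #{names}."
    end
    return [:redirect_to_login, flash]
  end

  identity.password_expired? ? [:expired_branch, nil] : [:default_branch, nil]
end

# Constructed sample users covering the cases discussed in the thread.
SAMPLE_USERS = {
  social_only: User.new(anonymous: false, identity: nil, providers: %w[facebook google]),
  expired: User.new(anonymous: false, identity: Identity.new(expired: true), providers: []),
  current: User.new(anonymous: false, identity: Identity.new(expired: false), providers: []),
  anonymous: User.new(anonymous: true, identity: nil, providers: [])
}.freeze

SAMPLE_USERS.each { |name, user| puts "#{name}: #{reset_password_outcome(user).inspect}" }
```

The same four cases (social login only, expired password, current password, anonymous) are the ones a controller spec for `reset_password` would need to cover.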