diff --git a/app/controllers/auth/setup_controller.rb b/app/controllers/auth/setup_controller.rb
index 376a30c16f..5e7b14646a 100644
--- a/app/controllers/auth/setup_controller.rb
+++ b/app/controllers/auth/setup_controller.rb
@@ -35,6 +35,6 @@ class Auth::SetupController < ApplicationController
   end
 
   def user_params
-    params.require(:user).permit(:email)
+    params.expect(user: [:email])
   end
 end
diff --git a/spec/requests/auth/setup_spec.rb b/spec/requests/auth/setup_spec.rb
index fa3c196805..72413e1740 100644
--- a/spec/requests/auth/setup_spec.rb
+++ b/spec/requests/auth/setup_spec.rb
@@ -24,4 +24,15 @@ RSpec.describe 'Auth Setup' do
       end
     end
   end
+
+  describe 'PUT /auth/setup' do
+    before { sign_in Fabricate(:user, confirmed_at: nil) }
+
+    it 'gracefully handles invalid nested params' do
+      put '/auth/setup?user=invalid'
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
 end
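Review bot: The switch to `params.expect` in `user_params` changes the failure mode for a malformed `user` parameter, but nothing in the controller says so, and a reader who only knows `require/permit` will not see why this hunk and the new request spec belong together. `expect(user: [:email])` raises ActionController::ParameterMissing (rendered as HTTP 400 by Rails' default rescue) when `user` is absent or is not a hash, whereas `params.require(:user).permit(:email)` would, as far as I can tell, reach `permit` on a String and surface as a NoMethodError. I'd add one line above `def user_params`: `# expect (Rails 8+) rejects a missing, scalar or array :user with ParameterMissing (400) instead of a NoMethodError on permit`. The enclosing class starts before this hunk.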
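Review bot: The new example in the `PUT /auth/setup` block pins only the scalar-in-query-string case, and `have_http_status(400)` reads less clearly than the named status. The same `params.expect` path also rejects an absent `user` key, so a second example that does `put '/auth/setup'` with no params and asserts the same status would document the 400 contract for both missing and malformed input rather than just one shape. I'd also collapse the assertion to `expect(response).to have_http_status(:bad_request)`; the two-line `.to` split is only worth it for long matcher chains. The enclosing `RSpec.describe 'Auth Setup'` block starts outside the hunk.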