diff --git a/app.js b/app.js
index e15629c411..329529b823 100644
--- a/app.js
+++ b/app.js
@@ -142,6 +142,15 @@ app.get('/nonprofits', contactController.getContact);
 app.post('/nonprofits', contactController.postContact);
 
 // # Protected routes, user must be logged in.
+app.post(
+    '/update-progress',
+    passportConf.isAuthenticated,
+    userController.updateProgress);
+
+app.get(
+    '/challenges/:challengeNumber',
+    passportConf.isAuthenticated,
+    challengesController.returnChallenge);
 app.all('/account', passportConf.isAuthenticated);
 app.get('/account', userController.getAccount);
 app.post('/account/profile', userController.postUpdateProfile);
@@ -149,16 +158,6 @@ app.post('/account/password', userController.postUpdatePassword);
 app.post('/account/delete', userController.postDeleteAccount);
 app.get('/account/unlink/:provider', userController.getOauthUnlink);
 
-app.post(
-  '/update-progress',
-  passportConf.isAuthenticated,
-  userController.updateProgress);
-
-app.get(
-  '/challenges/:challengeNumber',
-  passportConf.isAuthenticated,
-  challengesController.returnChallenge);
-
 /**
  * API examples routes.
  */
diff --git a/controllers/challenges.js b/controllers/challenges.js
index 094bf739f2..e997a2bb95 100644
--- a/controllers/challenges.js
+++ b/controllers/challenges.js
@@ -7,7 +7,8 @@ var _ = require('lodash');
 
 exports.returnChallenge = function(req, res, next) {
     var challengeNumber = parseInt(req.params.challengeNumber) || 0;
-    Challenge.findOne({challengeNumber: challengeNumber}, function(err, c){
+    if (challengeNumber > 41) { challengeNumber = 0; }
+    Challenge.findOne({challengeNumber: challengeNumber}, function (err, c) {
         if (err) {
             console.error('Challenge err: ', err);
             next(err);