diff --git a/website/src/controllers/api-v3/challenges.js b/website/src/controllers/api-v3/challenges.js
index 321f3c66c5..f98cac0302 100644
--- a/website/src/controllers/api-v3/challenges.js
+++ b/website/src/controllers/api-v3/challenges.js
@@ -77,9 +77,15 @@ api.createChallenge = {
     req.body.official = user.contributor.admin && req.body.official;
     let challenge = new Challenge(Challenge.sanitize(req.body));
 
-    let results = await Q.all(challenge.save(), group.save());
-    let savedChal = results[0];
+    // First validate challenge so we don't save group if it's invalid (only runs sync validators)
+    let challengeValidationErrors = challenge.validateSync();
+    if (challengeValidationErrors) throw challengeValidationErrors;
 
+    let results = await Q.all([challenge.save({
+      validateBeforeSave: false, // already validate
+    }), group.save()]);
+
+    let savedChal = results[0];
     await savedChal.syncToUser(user); // (it also saves the user)
     res.respond(201, savedChal);
   },
@@ -140,7 +146,7 @@ api.getChallenge = {
     let validationErrors = req.validationErrors();
     if (validationErrors) throw validationErrors;
 
-    let user = res.local.user;
+    let user = res.locals.user;
     let challengeId = req.params.challengeId;
 
     let challenge = await Challenge.findById(challengeId).exec();
diff --git a/website/src/controllers/api-v3/tasks.js b/website/src/controllers/api-v3/tasks.js
index cee1ba4527..c2498b2a94 100644
--- a/website/src/controllers/api-v3/tasks.js
+++ b/website/src/controllers/api-v3/tasks.js
@@ -92,7 +92,7 @@ api.createChallengeTasks = {
     let reqValidationErrors = req.validationErrors();
     if (reqValidationErrors) throw reqValidationErrors;
 
-    let user = res.local.user;
+    let user = res.locals.user;
     let challengeId = req.params.challengeId;
 
     let challenge = await Challenge.findOne({_id: challengeId}).exec();
@@ -194,7 +194,7 @@ api.getChallengeTasks = {
     let validationErrors = req.validationErrors();
     if (validationErrors) throw validationErrors;
 
-    let user = res.local.user;
+    let user = res.locals.user;
     let challengeId = req.params.challengeId;
 
     let challenge = await Challenge.findOne({_id: challengeId}).select('leader').exec();