Password Recovery in Clojure

This Blog post will help you to add the password recovery functionalities in your clojure web application.

Firstly, create html file containing textbox for getting email address, on which a new passowrd will be sent.

Next, add this in your project.clj File

:repositories [["central-proxy" "">]]

:dependencies [[org.apache.commons/commons-email "1.2"]]

Now follow the given steps to add password recovery functionality:

Let’s define a forgot-password.clj namespace and import the following :

(ns testapp.routes.forgot-password
(: import org.apache.commons.mail.SimpleEmail)
(:require [noir.validation :as vali]
[testapp.models.db :as db]
[noir.util.crypt :as crypt]))

To get the random string we can use the following code:-

(def alphanumeric "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz")
(def length 10)
(defn get-random-id []
(apply str (repeatedly length #(rand-nth alphanumeric))))

We also have to define the routes :-

The GET forgot-password route simply call the forgot-password function to render the page

(GET "/forgot-password" [] (forgot-password))

Function to render the page using default luminus template:

(defn forgot-password[&[email]]
(layout/render "forgot-password.html"

The POST forgot-password route simply call the forgot-password-post function and pass the email as an argument

(POST "/forgot-password" [email]
(forgot-password-post email))

Define the forgot-password-post function in (testapp.routes.forgot-password.clj) . This function sends the password (a random string) to the given e-mail:

(defn forgot-password-post [email]
(def newpassword (get-random-id))
(if (and (vali/valid-email? email) (= email (:email (db/get-email email))))
(db/update-user-password email (crypt/encrypt newpassword))
(doto (SimpleEmail.)
(.setHostName "")
(.setSslSmtpPort "465")
(.setSSL true)
(.addTo email)
(.setFrom "" "TestApp")
(.setSubject "Your New Password on testapp account is")
(.setMsg newpassword)
(.setAuthentication "" "your password")
(resp/redirect "/login"))
(catch Exception e
(vali/rule false [:email (.getMessage e)])
(forgot-password email))))

Note :- * This code may contain some validation which is applicable on email.                        Like:email-error (vali/on-error :email first)

Define “get-email”, “update-user-password” in namesapce “db” to get the email addressand to update the user password respectively.

encrypt” from “noir.util.crypt” is used to encrypt the password.

This entry was posted in Clojure. Bookmark the permalink.

One Response to Password Recovery in Clojure

  1. alexisgallagher says:

    Maybe I’m missing something obvious here but …. how does this step me from resetting your password against your will, as long as I have your email address?

    If /forgot-password is not authenticated, anyone can call it.

    Is this not why the workflow everywhere is not for the server to send the user a new password, but to send them a confirmation link, in order to confirm that the person controlling the email inbox actually wants the password reset?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s