Password Recovery in Clojure

Table of contents

Reading Time: 2 minutes

This Blog post will help you to add the password recovery functionalities in your clojure web application.

Firstly, create html file containing textbox for getting email address, on which a new passowrd will be sent.

Next, add this in your project.clj File


:repositories [["central-proxy" "http://repository.sonatype.org/content/repositories/central/">http://repository.sonatype.org/content/repositories/central/]]

:dependencies [[org.apache.commons/commons-email "1.2"]]

Now follow the given steps to add password recovery functionality:

Let’s define a forgot-password.clj namespace and import the following :


(ns testapp.routes.forgot-password
(: import org.apache.commons.mail.SimpleEmail)
(:require [noir.validation :as vali]
[testapp.models.db :as db]
[noir.util.crypt :as crypt]))

To get the random string we can use the following code:-

(def alphanumeric "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz")
(def length 10)
(defn get-random-id []
(apply str (repeatedly length #(rand-nth alphanumeric))))

We also have to define the routes :-

The GET forgot-password route simply call the forgot-password function to render the page


(GET "/forgot-password" [] (forgot-password))

Function to render the page using default luminus template:


(defn forgot-password[&[email]]
(layout/render "forgot-password.html"
{
* CODE
}))

The POST forgot-password route simply call the forgot-password-post function and pass the email as an argument


(POST "/forgot-password" [email]
(forgot-password-post email))

Define the forgot-password-post function in (testapp.routes.forgot-password.clj) . This function sends the password (a random string) to the given e-mail:

(defn forgot-password-post [email]
(def newpassword (get-random-id))
(if (and (vali/valid-email? email) (= email (:email (db/get-email email))))
(try
(do
(db/update-user-password email (crypt/encrypt newpassword))
(doto (SimpleEmail.)
(.setHostName "smtp.gmail.com")
(.setSslSmtpPort "465")
(.setSSL true)
(.addTo email)
(.setFrom "youremailid@gmail.com" "TestApp")
(.setSubject "Your New Password on testapp account is")
(.setMsg newpassword)
(.setAuthentication "youremailid@gmail.com" "your password")
(.send))
(resp/redirect "/login"))
(catch Exception e
(vali/rule false [:email (.getMessage e)])
(forgot-password)))
(forgot-password email))))

Note :- * This code may contain some validation which is applicable on email. Like:email-error (vali/on-error :email first)

Define “get-email”, “update-user-password” in namesapce “db” to get the email addressand to update the user password respectively.

“encrypt” from “noir.util.crypt” is used to encrypt the password.

2 thoughts on “Password Recovery in Clojure2 min read”

Maybe I’m missing something obvious here but …. how does this step me from resetting your password against your will, as long as I have your email address?

If /forgot-password is not authenticated, anyone can call it.

Is this not why the workflow everywhere is not for the server to send the user a new password, but to send them a confirmation link, in order to confirm that the person controlling the email inbox actually wants the password reset?