Posted on: 2013-03-06 17:18:44.000
I'd been putting off doing a Forgot Password module for newLISP on Rockets because it is such a pain doing it properly. You can't just have one click to reset a password, because what if someone else knows your user name or email? Then they could change your password to whatever they want!
So what most sites do is let you trigger a reset, then send a confirmation message to that email address, and then make you retrieve the email and click on a special link to reset your password.
Funnily enough, on another site I'm developing I was testing logging out and logging in, and you know what? I forgot my password. So I figured this was as good an excuse as any to build a Forgot Password module! (And no, I couldn't just grab the password from the database, because it's encrypted for security!)
I wanted the whole thing to be only a single page for simplicity. rockets-forgotpassword.lsp is the page that handles triggering the email, confirming and sending the email, and resetting the password, so the code flow may not seem obvious at first glance. The emails contain links carrying unique identifiers (sometimes called GUIDs) that expire after an hour and are matched with the email addresses of the people who requested them, so people won't be able to guess them either. The tokens are stored in a file called reset-tokens.lisp. This file is automatically generated if it doesn't previously exist.
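To make the token lifecycle described above concrete, here is an added example in Python (it is not the Rockets module's own code, which is newLISP and keeps its tokens in reset-tokens.lisp). It assumes an in-memory store in place of that file and goes one step beyond the post by storing only a hash of each token, so a leaked token file does not yield usable reset links; tokens are bound to the requesting email, expire after an hour, and are consumed on first use.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # the one-hour lifetime the post describes

# Constructed in-memory stand-in for reset-tokens.lisp:
# token hash -> (email, expiry timestamp). Only the hash is kept, so the
# store itself never contains a usable token.
_tokens = {}


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def create_reset_token(email, now=None):
    """Issue an unguessable token bound to email, valid for one hour."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _tokens[_hash_token(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token  # the only plaintext copy; it goes into the emailed link


def reset_link(site_url, token):
    """Build the link that would be emailed (hypothetical query parameter name)."""
    return "http://%s/rockets-forgotpassword.lsp?token=%s" % (site_url, token)


def redeem_reset_token(email, token, now=None):
    """Return True once if token matches email and has not expired.

    The entry is deleted on success so the link cannot be reused, and an
    expired entry is dropped rather than honoured.
    """
    now = time.time() if now is None else now
    digest = _hash_token(token)
    entry = _tokens.get(digest)
    if entry is None:
        return False
    stored_email, expires = entry
    if now > expires:
        del _tokens[digest]
        return False
    if not hmac.compare_digest(stored_email.encode(), email.encode()):
        return False
    del _tokens[digest]
    return True
```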
One more thing: to get the email links to work, the module needs two additional configuration options in Rockets-config.lisp:
(set 'AdminEmail "firstname.lastname@example.org")
(set 'SiteURL "newlisponrockets.com")
You should change these to your own email and URL from whatever domain you are running Rockets on.
The code, along with the rest of Rockets, is available on GitHub here: https://github.com/newlisponrockets/newLISP-on-Rockets