DEV Community: Jude Eigbiremonlen

How not to build a login & signup system

Jude Eigbiremonlen — Mon, 08 Jun 2026 01:45:10 +0000

You shouldn't build a login & signup system that only securely and effectively authenticates users; instead, create a system that makes sure your application does more than just securely authenticate users by adding an extra layer of security, which includes the following:

Create a login attempt tracker
Always add a CAPTCHA to your signup/registration form.

Yeah, this is information that you may get from a senior dev or probably too late after your system or user has been exploited. Note these concepts can be implemented with any programming language.

So let's explain the reasons and how to properly implement these extra layers.

Reason

The reason why you should always add CAPTCHA to your signup/registration form is to prevent automated systems or bots from flooding your servers and creating fake accounts.

The login page doesn't necessarily always require a captcha because it is not a good user experience to always require an already existing user to answer the captcha every time they login.

Instead, you create a system that tracks user login attempts and shows the CAPTCHA when they reach a certain number of failed login attempts.

This will prevent unauthorized individuals from guessing your user's login credentials and also protect your server from potential brute-force attacks.

How to properly implement the login attempt tracker security layer

You need to create a database table to store login attempt details, increase the counts every time and create an httpOnly cookie "attemptCounts" for server-side access only. The main reason to save the details to a database and not cookies only is to prevent attackers from altering the data and also to be able to identify and track clients even if they switch devices, locations or IP addresses.

So you can either identify & track each attempt by a user email/IP/username/phone-number using any of these single options or combine them based on the data you collect.

Example of a simple login attempt table:

id: serial
email: string //email or username or phonenumber
ip: string
counts: integer
createdAt: timeStamp
updatedAt: timeStamp

The maximum failed login attack should be 5. Some enterprise and financial systems may set it to only 3 attempts; between 3 and 5 works fine.

The next thing to do if they exceed the allowed login attempts:

1. Implement the CAPTCHA mechanism: Show the captcha on the login form and make it compulsory every time until the user login successfully and then update the login attempt to 0 in the db.

2. Implement time-lockout mechanism: Prevent the client from being able to submit the login form for a specific timeframe.

3. Block the account and force a password reset: Send a password reset to the user's email if it exists, or the user has to visit your office physically. This option is mostly used by banking apps & fintech.

You can implement any of them or combine them as you like. Some applications use all three, while most apps implement only captcha or time-lockout mechanism.

Make sure you track IP address and username/email/phone-number so that even if they try from another device or IP, your system is still able to detect and identify them.

Ok, that will be all for now.

One of Those Days: Building from Zero EP001

Jude Eigbiremonlen — Sun, 07 Jun 2026 19:32:54 +0000

This post is the first in this series, which I'm starting with the goal of documenting my journey as an indie developer building a product from zero.

Brief Introduction:
I'm a full-stack software developer, and my name is Jude Eigbiremonlen.

I'm currently building Moriod, an AI powered exam preparation platform that helps students study smarter, understand their courses better and achieve excellent grades. Starting with students at the university, where I'm furthering my education. The platform is tailored specifically for students at the university.

When I started:

I started building this project last year and deployed it to production in December 2025. Without building every feature before deploying, I just focused on the core features.

And for the past 5 months, my focus has been mainly on distribution and adding user-requested features with a goal of having a stable web version and then building a mobile version by the end of 2026.

Journey:

I focused on distribution and adding features requested by users because I've worked at a product-led startup at its early stage and this has helped me discard the popular assumption that having just a good product or a product that solves a particular problem alone is enough, which is not entirely true.

I'm bootstrapping from zero with no investor or any kind of funding yet and documenting the whole journey here.
So I'm sticking till the end.

In my next post I will share how we got our first 20 signups (all active recurring users), the challenges I encountered, my expectations & dose of reality and what I decided to do.

Product Stats:
Revenure: $0
Published: December 2025.

Build Production-Safe API: Crucial Things Most Junior Devs and Beginners Neglect

Jude Eigbiremonlen — Sat, 07 Mar 2026 06:01:19 +0000

I will share 3 things you need to understand and implement in every API system you will build or have already built.

It's important you know that all these principles can be implemented in any language.

Learn how to build production-safe API systems:

1. Implement CORS:

CORS stands for Cross-Origin Resource Sharing, CORS is a security mechanism that the server uses to allow or reject requests from certain origins from accessing resources.
What this means is you can specifically tell your server to only allow requests from one or multiple domain origins only, and every other request that's not from these origins will be rejected.
There are cases you will want to use the wildcard "*" which tells your server any origin can access its resources.

When should I implement this?

This is recommended for all public endpoints. The only case this may not be needed is when you don't want to restrict any origin from accessing server resources.

Even if that public endpoint is only used by your application or other external systems built by your team, this is even one more reason you must implement CORS, because you don't want anybody out there who discovers this endpoint to access server resources.

2. Rate Limiting:

This is a mechanism used to control the number of requests a client (an IP of an actual person or bot) can make to your API within a specified time frame.

So this allows you to set the number of requests an IP can send to your server per second, minute, hour, day etc. This ensures one client doesn't flood your API with requests.

Rate limiting protects your API from bots, scraping, brute force attacks and DoS attacks, which can

Either max out your server's allocated resources.
Increase hosting cost
Or give third parties unrestricted access to scrape data.

When should I implement this?

All API systems should implement a rate limiting algorithm.

Types of rate limiting algorithms:

Fixed Window Algorithm:

This sets a fixed number as the limit within a timeframe (e.g 1000 per hour), and every request received is counted.
Once the set fixed number is reached in the set period of time, every other subsequent request will be blocked temporarily.

Token Bucket Algorithm:

This is used for API that want to allow an occasional high number of requests from clients but not every time.

Sliding Window Algorithm:

This is similar to the fixed window algorithm but shifts the time window depending on a certain circumstance. A common use case is allowing certain users to have higher priority requests or consistent access within a set time window when there's high usage, while reducing or temporarily blocking requests from other users.

Note there are several other rate limiting methods that are not mentioned here.

3. API Logs:

Yeah, an API log is a structured and detailed record of all requests and responses that your API handles.
API logs are very important because they help in tracking issues, monitoring performance, and spotting security threats & patterns.

What you should log:

Access logs: Record every request made to the API; this should include request method, timestamp, client IP address, requested URL endpoint, and response status code.
Error logs: Record every exception and error your API encounters. This should contain the error message, the endpoint where it occurred, the timestamp, the request method, and other related information.

A detailed and structured API log provides you a bird's-eye view of what's happening in your API system. You don't just build an API and deploy, but you can also see basically how it's being used, user behaviors, performance gaps & trends, and security threats.

Most times, I wish most beginner tutorials and learning resources out there taught these things; that's why I decided to stop and publish this out here.

How to Fix Function _load_textdomain_just_in_time Error in WordPress

Jude Eigbiremonlen — Sun, 22 Feb 2026 22:21:48 +0000

Here is how you can resolve this error on your WordPress website. This is the same approach I now use after several attempts to fix this type of error, and it works every time.

Let's see some of the reasons behind this type of error, and we can then take a step-by-step approach to addressing it.

Ok, below are 3 possible reasons why you can get this error:

WordPress Version Upgrade Compatibility:
WordPress's latest version may not be compatible with one or some of your plugins or the theme currently being used on the website. This usually occurs when your plugins or theme is using a deprecated API, function, or even approach that's no longer supported in the latest WordPress upgrade.
Plugin version upgrade compatibility: this is usually when one or several of your plugins are updated but are no longer compatible with either your theme or other plugins or even your current WordPress version.
Theme version upgrade compatibility: you can get this error when your current theme version is upgraded, but now one of your plugins is no longer compatible with the latest theme version.

So the next step is to troubleshoot the website to know which of these 3 is actually the cause of the error, and that ultimately determines how we would solve it.

Step 1:

Turn on debug mode: Turn on debug mode from your cPanel from the Softaculous WordPress manager.

Or in the wp-config.php file, paste this code there. And remember to reset to false once the issue is fixed.

define( 'WP_DEBUG', true);
define( 'WP_DEBUG_DISPLAY', true );

The error can be identified by either visiting the website or reviewing the error log file. If you receive a helpful error message, it may provide instructions on how to resolve the issue; otherwise, please proceed to the next step.

Scenario 1:

Rename your plugin folder to old_plugins and visit the site admin dashboard.
Go to the /wp-content/plugins/ folder in your WordPress installation's root directory.

Note that if you can access the admin dashboard, it means that one of your plugins is causing the problem. We are now one step closer to resolving the issue.

Next step:

Rename the folder back to "Plugins" and disable all the plugins for the next.

Detecting the culprit plugin:

Enable each plugin one at a time to determine which one causes the initial error.

Fix (Solution to fixing the problem):

When you identify the specific plugin causing the problem, I recommend rolling back to an older version that is compatible with your site. This is a quick fix for live websites that need to be up and running as soon as possible, while you take your time fixing the plugin code based on the error message displayed on a test or local server.

Scenario 2:

If you renamed the plugin folder to old_plugin and you are still unable to access the admin panel. Then, from the cPanel WordPress manager, switch from your current theme to any other one to test.

However, if the admin panel or site loads after changing the theme, the issue is with the theme.

Follow the same fix approach used for scenario 1 for a quick fix or long-term fix.

Scenario 3:

If after changing the theme, you still can't access the site or admin panel, then roll back the WordPress version from cPanel back to an older version.

Another thing you can also do is to contact the authors of these plugins or themes to update their tools by providing the current version of the WordPress plugin or theme you use that's not compatible, which is helpful to easily simulate the error and figure out the fix.

Get Started with CSVParse for Node.js (csv-parse npm package)

Jude Eigbiremonlen — Fri, 13 Feb 2026 09:07:52 +0000

The csv-parse is a parsing package that interprets CSV input into array or object. It uses Nodejs stream API under the hood but has been optimised for easy of use and parsing large datasets.

Usage

To get started run the following command to install the package in your existing or new project.
Install the package

npm i csv-parse

Example CSV (data.csv)

name,age,email
Alex,33,alex@example.com 
Bekky,20,bekky@example.com 
Carl,27,carl@example.com

Read and Parse data.csv

import fs from 'node:fs';
import {parse} from 'csv-parse';

const records =[];

fs.createReadStream('path/data.csv')
.pipe(
   parse{
     columns: true, //use first row as header
     skip_empty_lines: true,
   }
)
.on('data',(row)=>{
   records.push(row);
})
.on('error',(err)=>{
   console.error(err.message);
})
.on('end', ()=>{
    console.log(records);
});

Output

[
  { name: 'Alex', age: '33', email: 'alex@example.com' },
  { name: 'Bekky', age: '20', email: 'bekky@example.com' },
  { name: 'Carl', age: '27', email: 'carl@example.com' }
]

Here's what you should always remember,

The parse API parse('input',options,callback) accepts an input which, it then interprets into structured data using the specified parsing rules passed as the options argument.

input : string or buffer
options: parsing rule (optional). e.g {columns:true/false,delimiter:","}
callback(err, records)

It is recommended you use fs.createReadStream() to stream your file piece by piece, instead of loading everything once into memory when using fs.readFile().
Stream tells node to read chunks of the file and each chunk is parsed imediately which keeps memory usage low. You can use fs.readFile() for file that is ≤ 5MB.