BCrypt salt should be random for each request

[Nawias]

There's a problem with your usage of JBCrypt. The salt should be generated at random for each request, that's the whole point of it.

sparkjava-jwt/src/main/java/com/r6lab/sparkjava/jwt/controller/AuthController.java

Line 34 in 89e3d10

private static final String BCRYPT_SALT = BCrypt.gensalt();

Also, you should be checking passwords using the checkpw() method.

sparkjava-jwt/src/main/java/com/r6lab/sparkjava/jwt/controller/AuthController.java

Line 150 in 89e3d10

String encryptedPassword = BCrypt.hashpw(jsonRequest.get(PASSWORD_PROPERTY).getAsString(), BCRYPT_SALT);

You won't notice it with this in-memory "database" implementation but in a real-world scenario, all passwords will become invalid once you restart your server.