add password verification step to JWT simulation

dsshimel · claude · dsshimel · commit 841c21f7719b · 2026-02-12T17:01:06.000-05:00
The JWT flow previously jumped straight from POST /login to signing the
token, omitting the credential check. Added a "Verify password" step that
clarifies the server still needs a database/store lookup to authenticate
the user — the "stateless" property only applies to subsequent requests.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/attendabot/frontend/src/simulations/flowData.ts b/attendabot/frontend/src/simulations/flowData.ts
@@ -627,6 +627,15 @@ export const flows: AuthFlow[] = [
         payload: `POST /login\n\n{ "username": "alice",\n  "password": "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022" }`,
         color: "#6c8cff",
       },
+      {
+        from: "server",
+        to: "server",
+        label: "Verify password",
+        description:
+          'Server checks the credentials against a database or other store (e.g. hashed passwords, LDAP, env vars). This step is NOT stateless \u2014 the server needs some source of truth to authenticate the user. The "stateless" property of JWT only applies to subsequent requests, after this initial verification.',
+        payload: `hash = bcrypt.hash(password, user.salt)\n\nhash === user.password_hash  \u2192  \u2705 MATCH\n\n// This is the ONLY database read\n// in the entire JWT flow`,
+        color: "#a78bfa",
+      },
       {
         from: "server",
         to: "server",
