@alexc101 It looks like it should work how it is. But maybe you should try to use
bcrypt.compare() asynchronously for efficiency (the rest of your code is doing async just fine).
You also seem a bit indecisive about whether the result will be (true/false) or (user/null) or (resolve/reject-with-Error). Just choose one of those schemes, and test it until you trust it. :)
(My password validator either resolves-with-nothing or rejects-with-Error because I need to handle the reject-with-Error path anyway, and I would rather have only code two paths, not three!)