password sending should be a string, there is a probability you send passwords as just numbers

password = await bcrypt.hash(password.toString(), salt);