return User
  .findOne({ _id: req.body._id, deleted: { $eq: null}})
  .exec()
  .then(user => {
    if (user && PasswordManager.compare(password, user.password)) {