parse-community · dalyaidan1 · May 24, 2026 · May 24, 2026 · May 24, 2026
diff --git a/spec/PasswordPolicy.spec.js b/spec/PasswordPolicy.spec.js
@@ -512,6 +512,72 @@ describe('Password Policy: ', () => {
     });
   });
 
+  it('signup should fail if password does not conform to the policy enforced using async validatorCallback', done => {
+    const user = new Parse.User();
+    reconfigureServer({
+      appName: 'passwordPolicy',
+      passwordPolicy: {
+        validatorCallback: async password => password === 'valid',
+      },
+      publicServerURL: 'http://localhost:8378/1',
+    }).then(() => {
+      user.setUsername('user1');
+      user.setPassword('invalid');
+      user.set('email', 'user1@parse.com');
+      user
+        .signUp()
+        .then(() => {
+          fail('Should have failed as password does not conform to the policy.');
+          done();
+        })
+        .catch(error => {
+          expect(error.code).toEqual(142);
+          done();
+        });
+    });
+  });
+
+  it('signup should succeed if password conforms to the policy enforced using async validatorCallback', done => {
+    const user = new Parse.User();
+    reconfigureServer({
+      appName: 'passwordPolicy',
+      passwordPolicy: {
+        validatorCallback: async password => password === 'oneUpper',
+      },
+      publicServerURL: 'http://localhost:8378/1',
+    }).then(() => {
+      user.setUsername('user1');
+      user.setPassword('oneUpper');
+      user.set('email', 'user1@parse.com');
+      user
+        .signUp()
+        .then(() => {
+          Parse.User.logOut()
+            .then(() => {
+              Parse.User.logIn('user1', 'oneUpper')
+                .then(function () {
+                  done();
+                })
+                .catch(err => {
+                  jfail(err);
+                  fail('Should be able to login');
+                  done();
+                });
+            })
+            .catch(error => {
+              jfail(error);
+              fail('Logout should have succeeded');
+              done();
+            });
+        })
+        .catch(error => {
+          jfail(error);
+          fail('Should have succeeded as password conforms to the policy.');
+          done();
+        });
+    });
+  });
+
   it('signup should fail if password does not match validatorPattern but succeeds validatorCallback', done => {
     const user = new Parse.User();
     reconfigureServer({
@@ -564,6 +630,32 @@ describe('Password Policy: ', () => {
     });
   });
 
+  it('signup should fail if password matches validatorPattern but fails async validatorCallback', done => {
+    const user = new Parse.User();
+    reconfigureServer({
+      appName: 'passwordPolicy',
+      passwordPolicy: {
+        validatorPattern: /[A-Z]+/, // password should contain at least one UPPER case letter
+        validatorCallback: async () => false,
+      },
+      publicServerURL: 'http://localhost:8378/1',
+    }).then(() => {
+      user.setUsername('user1');
+      user.setPassword('oneUpper');
+      user.set('email', 'user1@parse.com');
+      user
+        .signUp()
+        .then(() => {
+          fail('Should have failed as password does not conform to the policy.');
+          done();
+        })
+        .catch(error => {
+          expect(error.code).toEqual(142);
+          done();
+        });
+    });
+  });
+
   it('signup should succeed if password conforms to both validatorPattern and validatorCallback', done => {
     const user = new Parse.User();
     reconfigureServer({

diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
@@ -1112,7 +1112,7 @@ module.exports.PasswordPolicyOptions = {
   },
   validatorCallback: {
     env: 'PARSE_SERVER_PASSWORD_POLICY_VALIDATOR_CALLBACK',
-    help: 'Set a callback function to validate a password to be accepted.<br><br>If used in combination with `validatorPattern`, the password must pass both to be accepted.',
+    help: 'Set a callback function to validate a password to be accepted. Can return a boolean or `Promise<boolean>`.<br><br>If used in combination with `validatorPattern`, the password must pass both to be accepted.',
   },
   validatorPattern: {
     env: 'PARSE_SERVER_PASSWORD_POLICY_VALIDATOR_PATTERN',

diff --git a/src/Options/docs.js b/src/Options/docs.js
diff --git a/src/Options/index.js b/src/Options/index.js
@@ -664,11 +664,11 @@ export interface PasswordPolicyOptions {
   <br><br>
   If used in combination with `validatorCallback`, the password must pass both to be accepted. */
   validatorPattern: ?string;
-  /*   */
   /* Set a callback function to validate a password to be accepted.
+  Can return a `boolean` or `Promise<boolean>`.
   <br><br>
   If used in combination with `validatorPattern`, the password must pass both to be accepted. */
-  validatorCallback: ?() => void;
+  validatorCallback: ?(password: string) => boolean | Promise<boolean>;
   /* Set the error message to be sent.
   <br><br>
   Default is `Password does not meet the Password Policy requirements.` */

diff --git a/src/RestWrite.js b/src/RestWrite.js
@@ -940,14 +940,13 @@ RestWrite.prototype._validateEmail = function () {
     });
 };
 
-RestWrite.prototype._validatePasswordPolicy = function () {
+RestWrite.prototype._validatePasswordPolicy = async function () {
   if (!this.config.passwordPolicy) { return Promise.resolve(); }
-  return this._validatePasswordRequirements().then(() => {
-    return this._validatePasswordHistory();
-  });
+  await this._validatePasswordRequirements();
+  return this._validatePasswordHistory();
 };
 
-RestWrite.prototype._validatePasswordRequirements = function () {
+RestWrite.prototype._validatePasswordRequirements = async function () {
   // check if the password conforms to the defined password policy if configured
   // If we specified a custom error in our configuration use it.
   // Example: "Passwords must include a Capital Letter, Lowercase Letter, and a number."
@@ -961,16 +960,19 @@ RestWrite.prototype._validatePasswordRequirements = function () {
     : 'Password does not meet the Password Policy requirements.';
   const containsUsernameError = 'Password cannot contain your username.';
 
-  // check whether the password meets the password strength requirements
-  if (
-    (this.config.passwordPolicy.patternValidator &&
-      !this.config.passwordPolicy.patternValidator(this.data.password)) ||
-    (this.config.passwordPolicy.validatorCallback &&
-      !this.config.passwordPolicy.validatorCallback(this.data.password))
-  ) {
+  const patternValidator = this.config.passwordPolicy.patternValidator;
+  if (patternValidator && !patternValidator(this.data.password)) {
     return Promise.reject(new Parse.Error(Parse.Error.VALIDATION_ERROR, policyError));
   }
 
+  const validatorCallback = this.config.passwordPolicy.validatorCallback;
+  if (validatorCallback) {
+    const isValid = await Promise.resolve(validatorCallback(this.data.password));
+    if (!isValid) {
+      return Promise.reject(new Parse.Error(Parse.Error.VALIDATION_ERROR, policyError));
+    }
+  }
+
   // check whether password contain username
   if (this.config.passwordPolicy.doNotAllowUsername === true) {
     if (this.data.username) {

diff --git a/types/Options/index.d.ts b/types/Options/index.d.ts
@@ -226,7 +226,7 @@ export interface AccountLockoutOptions {
 }
 export interface PasswordPolicyOptions {
     validatorPattern?: string;
-    validatorCallback?: () => void;
+    validatorCallback?: (password: string) => boolean | Promise<boolean>;
     validationError?: string;
     doNotAllowUsername?: boolean;
     maxPasswordAge?: number;