public void Verify___when_valid___should_store_hashed_password_and_generate_salt() { var existingUser = TestData.User(); var emailVerify = existingUser.EmailVerificationPath; var twofactor = existingUser.TwoFactorCode; var password = "******"; existingUser.Salt = ""; _authStore.Setup(a => a.GetUserByEmailVerificationPath(emailVerify)) .Returns(existingUser); _authStore.Setup(a => a.SaveUser(It.Is <User>(u => u.Salt.Length > 0))) .Verifiable(); // ned to get this lazily, as salt is changed by service... Func <byte[]> expectedHash = () => PasswordHasher.GenerateSaltedHash(password, existingUser.Salt); _authStore.Setup(a => a.SavePasswordHash(existingUser.Id, It.Is <byte[]>(h => PasswordHasher.CompareByteArrays(expectedHash(), h))) ).Verifiable(); var result = _authenticationService.Verify(emailVerify, password, twofactor); Assert.IsTrue(result); _authStore.Verify(); }