diff --git a/server/tests/security/vulnerabilities.test.js b/server/tests/security/vulnerabilities.test.js
index 3064a76..ea50094 100644
--- a/server/tests/security/vulnerabilities.test.js
+++ b/server/tests/security/vulnerabilities.test.js
@@ -65,9 +65,13 @@ describe('Security Tests', () => {
 // This might be valid depending on configuration
 continue;
 }
- expect.fail(`Token manipulation test "${test.name}" should have failed`);
+ // Token should have been rejected but wasn't - this is unexpected
+ throw new Error(`Token manipulation test "${test.name}" should have failed but was accepted`);
 } catch (error) {
 // Expected behavior - token should be rejected
+ if (error.message && error.message.includes('should have failed but was accepted')) {
+ throw error; // Re-throw unexpected success
+ }
 expect(error.name).to.be.oneOf(['JsonWebTokenError', 'TokenExpiredError', 'NotBeforeError']);
 }
 }
@@ -230,11 +234,15 @@ describe('Security Tests', () => {
 ];
 allowedIPs.forEach(ip => {
- expect(checkIPRestriction(ip, tenant.ip_restrictions)).to.be.true;
+ const result = checkIPRestriction(ip, tenant.ip_restrictions);
+ console.log(`Testing allowed IP ${ip} against ${tenant.ip_restrictions}: ${result}`);
+ expect(result).to.be.true;
 });
 blockedIPs.forEach(ip => {
- expect(checkIPRestriction(ip, tenant.ip_restrictions)).to.be.false;
+ const result = checkIPRestriction(ip, tenant.ip_restrictions);
+ console.log(`Testing blocked IP ${ip} against ${tenant.ip_restrictions}: ${result}`);
+ expect(result).to.be.false;
 });
 });
diff --git a/server/tests/setup.js b/server/tests/setup.js
index 9bbfdf6..d782b5d 100644
--- a/server/tests/setup.js
+++ b/server/tests/setup.js
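Review bot: In the first hunk of vulnerabilities.test.js the "token was accepted" failure is recognised by matching a substring of its own message (`error.message.includes('should have failed but was accepted')`), so rewording the `throw` silently disables the re-throw and the case then surfaces only as an `expect(error.name)` mismatch on `'Error'`. Keeping the assertion outside the try/catch removes that coupling: declare `let accepted = false;` before the `try`, set `accepted = true;` where the `throw` is now, and assert `expect(accepted, test.name).to.be.false;` after the catch. The context line `continue;` under "This might be valid depending on configuration" skips the assertion entirely; its condition is above the hunk, so it is worth confirming that branch cannot hide an accepted manipulated token. The `try` itself also opens outside the hunk.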
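Review bot: The `console.log` calls added to both `forEach` callbacks in the second hunk of vulnerabilities.test.js print a line for every address on every run, including passing ones, which adds noise to CI output without helping a failure stand out. Chai's `expect` takes a message as its second argument, so the same context can be attached to the assertion and shown only when it fails: `expect(checkIPRestriction(ip, tenant.ip_restrictions), 'allowed IP ' + ip).to.be.true;` and the matching `'blocked IP ' + ip` form with `.to.be.false`. With that the `result` temporaries and the log lines are no longer needed.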
@@ -147,8 +147,8 @@ async function createTestUser(userData = {}) {
 }
 const defaultUserData = {
- username: 'testuser',
- email: 'test@example.com',
+ username: userData.username || `testuser${Date.now()}${Math.floor(Math.random() * 1000)}`,
+ email: userData.email || `test${Date.now()}@example.com`,
 password_hash: '$2b$10$dummyHashForTestingOnly',
 role: 'admin',
 tenant_id: tenant.id,
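Review bot: The generated `email` is built from `Date.now()` alone while `username` also gets a random suffix, so two `createTestUser` calls within the same millisecond produce the same address; if the users table enforces unique emails (not visible here) the collisions this change presumably targets can still occur. Computing one suffix and using it for both fields keeps them consistent: `const suffix = Date.now() + '-' + Math.floor(Math.random() * 1e6);` followed by `username: userData.username || 'testuser' + suffix,` and `email: userData.email || 'test' + suffix + '@example.com',`. The context line `role: 'admin'` means every fixture user is an admin unless the caller overrides it, so authorization tests should pass `role` explicitly rather than rely on the default. The rest of `createTestUser`, including how `userData` is merged with these defaults, is outside the hunk.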