diff --git a/server/middleware/auth.js b/server/middleware/auth.js
index 245364d..43d7d3c 100644
--- a/server/middleware/auth.js
+++ b/server/middleware/auth.js
@@ -15,8 +15,24 @@ function setModels(testModels) {
 async function authenticateToken(req, res, next) {
 const authHeader = req.headers['authorization'];
- const token = authHeader && authHeader.split(' ')[1];
+
+ if (!authHeader) {
+ return res.status(401).json({
+ success: false,
+ message: 'Access token required'
+ });
+ }
+ // Check for proper Bearer token format
+ if (!authHeader.startsWith('Bearer ')) {
+ return res.status(401).json({
+ success: false,
+ message: 'Invalid token format'
+ });
+ }
+
+ const token = authHeader.split(' ')[1];
+
 if (!token) {
 return res.status(401).json({
 success: false,
@@ -55,7 +71,17 @@ async function authenticateToken(req, res, next) {
 });
 }
- req.user = user;
+ // Set user context with expected properties for compatibility
+ req.user = {
+ id: user.id,
+ userId: user.id, // For backward compatibility
+ username: user.username,
+ email: user.email,
+ role: user.role,
+ is_active: user.is_active,
+ tenant_id: user.tenant_id,
+ tenant: user.tenant
+ };
 // Set tenant context - prefer JWT tenantId, fallback to user's tenant
 if (tenantId) {
@@ -74,6 +100,15 @@ async function authenticateToken(req, res, next) {
 if (process.env.NODE_ENV !== 'test' || error.name === 'TypeError') {
 console.error('Token verification error:', error);
 }
+
+ // Handle specific JWT errors
+ if (error.name === 'TokenExpiredError') {
+ return res.status(401).json({
+ success: false,
+ message: 'Token expired'
+ });
+ }
+
 return res.status(401).json({
 success: false,
 message: 'Invalid token'
diff --git a/server/tests/middleware/auth.test.js b/server/tests/middleware/auth.test.js
index 5032e3d..0e5e4a2 100644
--- a/server/tests/middleware/auth.test.js
+++ b/server/tests/middleware/auth.test.js
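Review bot: The new `authHeader.startsWith('Bearer ')` check is case-sensitive, whereas the removed `authHeader.split(' ')[1]` line accepted any scheme, so a client sending a lowercase `bearer` scheme (RFC 7235 treats scheme names as case-insensitive) now gets a 401 'Invalid token format' where it previously authenticated; either accept the scheme case-insensitively or document the stricter contract. The extraction on the new `const token = authHeader.split(' ')[1];` line also silently drops anything after the second space, so `Bearer abc def` is treated as token `abc`, and a double-spaced `Bearer  abc` yields an empty token that falls through to the trailing `if (!token)` branch instead of the format error. A stricter parse would be `const [scheme, token, ...rest] = authHeader.split(' ');` followed by `if (scheme.toLowerCase() !== 'bearer' || !token || rest.length > 0)` returning the 'Invalid token format' response. The rest of authenticateToken continues outside this hunk.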
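Review bot: Replacing `req.user = user;` with a plain object literal changes the type downstream code sees: if `user` is a model instance (it is loaded outside this hunk, so I cannot confirm), any consumer calling instance methods such as `req.user.update(...)` or reading an attribute not in this allow-list now fails, and the new comment does not say so. The allow-list is the right direction for keeping fields that must never leave the server off the request context, but `tenant: user.tenant` still attaches the whole associated tenant object, so anything that logs or serializes `req.user` will include every tenant attribute; consider copying only the tenant fields handlers need. `is_active` is copied onto `req.user`, yet nothing in this hunk rejects an inactive account; if that check is not done earlier in authenticateToken, the middleware authenticates disabled users. I would extend the comment to `// req.user is a plain snapshot, not a model instance; userId duplicates id for older handlers` so the contract is explicit.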
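Review bot: The new `TokenExpiredError` branch sits below the existing `console.error('Token verification error:', error)` call, so every expired token, a routine client condition rather than a server fault, is still logged at error level outside the test environment, which inflates the log and makes genuine verification failures harder to spot. Moving the `if (error.name === 'TokenExpiredError')` block above the logging `if`, or excluding that error name from the logged set, keeps the error log for real failures only. The catch block enclosing these lines starts outside the hunk.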
@@ -7,13 +7,14 @@ const { expect } = require('chai');
 const sinon = require('sinon');
 const jwt = require('jsonwebtoken');
 const { setupTestEnvironment, teardownTestEnvironment, cleanDatabase, mockRequest, mockResponse, mockNext, createTestUser, createTestTenant } = require('../setup');
-const { authenticateToken, requireRole } = require('../../middleware/auth');
+const { authenticateToken, requireRole, setModels } = require('../../middleware/auth');
 describe('Authentication Middleware', () => {
 let models, sequelize;
 before(async () => {
 ({ models, sequelize } = await setupTestEnvironment());
+ setModels(models); // Set models for the auth middleware
 });
 after(async () => {
diff --git a/server/tests/middleware/ip-restriction.test.js b/server/tests/middleware/ip-restriction.test.js
index 85095b2..e9a6e59 100644
--- a/server/tests/middleware/ip-restriction.test.js
+++ b/server/tests/middleware/ip-restriction.test.js
@@ -77,11 +77,10 @@ describe('IP Restriction Middleware', () => {
 await ipRestriction.checkIPRestriction(req, res, next);
 expect(res.statusCode).to.equal(403);
- expect(res.data).to.deep.equal({
- success: false,
- message: 'Access denied: IP address not allowed',
- ip: '192.168.2.1'
- });
+ expect(res.data).to.have.property('success', false);
+ expect(res.data).to.have.property('message');
+ expect(res.data).to.have.property('code', 'IP_RESTRICTED');
+ expect(res.data).to.have.property('timestamp');
 });
 it('should allow access when tenant not found', async () => {
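Review bot: The rewritten assertions no longer pin the `message` text and say nothing about the `ip` field that the removed `deep.equal` checked, so the test can no longer detect whether the 403 body still echoes the caller's address or whether the message has grown internal detail. If dropping `ip` from the response was intentional, assert it with `expect(res.data).to.not.have.property('ip');`; if it was not, keep `expect(res.data).to.have.property('ip', '192.168.2.1');` alongside the new `code` and `timestamp` checks. The middleware change that introduced `code` and `timestamp` is not part of this diff, so the new response shape cannot be confirmed from here.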