loresoft
diff --git a/‎README.md‎
Lines changed: 15 additions & 14 deletions b/‎README.md‎
Lines changed: 15 additions & 14 deletions
diff --git a/‎src/AspNetCore.SecurityKey/SecurityKeyAuthenticationHandler.cs‎
Lines changed: 33 additions & 23 deletions b/‎src/AspNetCore.SecurityKey/SecurityKeyAuthenticationHandler.cs‎
Lines changed: 33 additions & 23 deletions
diff --git a/‎src/AspNetCore.SecurityKey/SecurityKeyAuthorizationFilter.cs‎
Lines changed: 16 additions & 2 deletions b/‎src/AspNetCore.SecurityKey/SecurityKeyAuthorizationFilter.cs‎
Lines changed: 16 additions & 2 deletions
@@ -216,7 +216,7 @@ builder.Services.AddSecurityKey(options =>
 
 AspNetCore.SecurityKey provides built-in IP address whitelisting capabilities to restrict API access based on client IP addresses. This feature supports both IPv4 and IPv6 addresses, individual IPs, and network ranges using CIDR notation.
 
-### Configuration
+### IP Whitelisting Configuration
 
 IP whitelisting is configured using the enhanced configuration format in `appsettings.json`:
 
@@ -305,7 +305,7 @@ app.UseForwardedHeaders();
 app.UseSecurityKey();
 ```
 
-### Security Considerations
+### IP Whitelisting Considerations
 
 1. **Combine with HTTPS**: IP whitelisting should always be combined with HTTPS to prevent man-in-the-middle attacks
 2. **Network Ranges**: Be careful with broad network ranges like `0.0.0.0/0` or `::/0` as they allow all addresses
@@ -724,21 +724,22 @@ Use these stable names when configuring OpenTelemetry:
 
 ### Metrics
 
-| Metric                                | Unit       | Description                                            |
-| ------------------------------------- | ---------- | ------------------------------------------------------ |
-| `securitykey.authentication.requests` | `requests` | Number of SecurityKey authentication requests handled. |
-| `securitykey.authentication.failures` | `failures` | Number of failed SecurityKey authentication requests.  |
-| `securitykey.authentication.duration` | `ms`       | Duration of SecurityKey authentication attempts.       |
+| Metric                      | Unit        | Description                                           |
+| --------------------------- | ----------- | ----------------------------------------------------- |
+| `securitykey.auth.requests` | `{request}` | Number of SecurityKey authentication attempts.        |
+| `securitykey.auth.failures` | `{failure}` | Number of failed SecurityKey authentication attempts. |
+| `securitykey.auth.duration` | `ms`        | Duration of SecurityKey authentication attempts.      |
 
 ### Tags
 
-| Tag                               | Description                                                                    |
-| --------------------------------- | ------------------------------------------------------------------------------ |
-| `securitykey.auth.scheme`         | Authentication scheme name when using the authentication handler.              |
-| `securitykey.auth.result`         | Authentication result, such as `success` or `failure`.                         |
-| `securitykey.auth.failure_reason` | Failure reason, such as `invalid_client` or `authentication_error`.            |
-| `securitykey.auth.pattern`        | Integration pattern, such as `middleware`, `endpoint_filter`, or `mvc_filter`. |
-| `securitykey.api_key.hash`        | SHA-256 hash of the API key for tracking usage without exposing the raw key.   |
+| Tag                               | Description                                                                      |
+| --------------------------------- | -------------------------------------------------------------------------------- |
+| `securitykey.auth.scheme`         | Authentication scheme name when using the authentication handler.                |
+| `securitykey.auth.result`         | Authentication result, such as `success` or `failure`.                           |
+| `securitykey.auth.failure_reason` | Failure reason, such as `invalid_client` or `authentication_error`.              |
+| `securitykey.auth.pattern`        | Integration pattern, such as `middleware`, `endpoint_filter`, or `mvc_filter`.   |
+| `securitykey.client`              | SHA-256 hash of the API key for tracking client usage without exposing raw keys. |
+| `securitykey.endpoint`            | Resolved endpoint display name or request path.                                  |
 
 ### OpenTelemetry Configuration Example
 
 
@@ -3,6 +3,7 @@
 using System.Text.Encodings.Web;
 
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
@@ -16,6 +17,7 @@ namespace AspNetCore.SecurityKey;
 public class SecurityKeyAuthenticationHandler : AuthenticationHandler<SecurityKeyAuthenticationSchemeOptions>
 {
     private static readonly AuthenticateResult InvalidSecurityKey = AuthenticateResult.Fail("Invalid Security Key");
+    private static readonly AuthenticateResult AuthenticationError = AuthenticateResult.Fail("Authentication error");
 
     /// <summary>
     /// Initializes a new instance of the <see cref="SecurityKeyAuthenticationHandler"/> class.
@@ -40,6 +42,7 @@ public SecurityKeyAuthenticationHandler(
     protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
     {
         var startTimestamp = 0L;
+        string? endpoint = null;
         Activity? activity = null;
 
         try
@@ -59,7 +62,10 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
             startTimestamp = Stopwatch.GetTimestamp();
             activity = SecurityKeyDiagnostics.ActivitySource.StartActivity(SecurityKeyDiagnostics.AuthenticationActivityName, ActivityKind.Server);
 
+            endpoint = GetEndpoint();
+
             activity?.SetTag(SecurityKeyDiagnostics.AuthenticationSchemeTagName, Scheme.Name);
+            activity?.SetTag(SecurityKeyDiagnostics.EndpointTagName, endpoint);
 
             var ipAddress = keyExtractor.GetRemoteAddress(Context);
 
@@ -70,7 +76,6 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
 
             // Authenticate the security key and get the claims identity
             var identity = await keyValidator.Authenticate(securityKey, ipAddress, Scheme.Name, Context.RequestAborted);
-            var securityKeyHash = SecurityKeyDiagnostics.ComputeSecurityKeyHash(securityKey);
 
             if (!identity.IsAuthenticated)
             {
@@ -81,7 +86,8 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                     activity: activity,
                     startTimestamp: startTimestamp,
                     authenticationResult: SecurityKeyDiagnostics.AuthenticationResultFailure,
-                    securityKeyHash: securityKeyHash,
+                    securityKey: securityKey,
+                    endpoint: endpoint,
                     failureReason: SecurityKeyDiagnostics.InvalidSecurityKeyFailureReason);
             }
 
@@ -94,53 +100,57 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 activity: activity,
                 startTimestamp: startTimestamp,
                 authenticationResult: SecurityKeyDiagnostics.AuthenticationResultSuccess,
-                securityKeyHash: securityKeyHash);
+                securityKey: securityKey,
+                endpoint: endpoint);
 
         }
+        catch (OperationCanceledException) when (Context.RequestAborted.IsCancellationRequested)
+        {
+            throw;
+        }
         catch (Exception ex) when (ex is not OperationCanceledException)
         {
             activity?.AddException(ex);
 
-            CompleteAuthentication(
-                result: AuthenticateResult.Fail(ex),
+            return CompleteAuthentication(
+                result: AuthenticationError,
                 activity: activity,
                 startTimestamp: startTimestamp,
                 authenticationResult: SecurityKeyDiagnostics.AuthenticationResultFailure,
+                endpoint: endpoint,
                 failureReason: SecurityKeyDiagnostics.AuthenticationErrorFailureReason);
-
-            throw;
         }
         finally
         {
             activity?.Dispose();
         }
     }
 
-    private static AuthenticateResult CompleteAuthentication(
+    private AuthenticateResult CompleteAuthentication(
         AuthenticateResult result,
         Activity? activity,
         long startTimestamp,
         string authenticationResult,
-        string? securityKeyHash = null,
+        string? securityKey = null,
+        string? endpoint = null,
         string? failureReason = null)
     {
-        activity?.SetTag(SecurityKeyDiagnostics.AuthenticationResultTagName, authenticationResult);
-
-        if (securityKeyHash is not null)
-            activity?.SetTag(SecurityKeyDiagnostics.SecurityKeyHashTagName, securityKeyHash);
-
-        if (failureReason is not null)
-            activity?.SetTag(SecurityKeyDiagnostics.AuthenticationFailureReasonTagName, failureReason);
-
-        if (authenticationResult == SecurityKeyDiagnostics.AuthenticationResultFailure)
-            activity?.SetStatus(ActivityStatusCode.Error, failureReason);
-
-        SecurityKeyDiagnostics.RecordAuthenticationMetrics(
+        SecurityKeyDiagnostics.CompleteAuthentication(
+            activity: activity,
             startTimestamp: startTimestamp,
             authenticationResult: authenticationResult,
-            failureReason: failureReason,
-            securityKeyHash: securityKeyHash);
+            scheme: Scheme.Name,
+            securityKey: securityKey,
+            endpoint: endpoint,
+            failureReason: failureReason);
 
         return result;
     }
+
+    private string GetEndpoint()
+    {
+        return Context.GetEndpoint()?.DisplayName
+            ?? Request.Path.Value
+            ?? "unknown";
+    }
 }
@@ -1,5 +1,6 @@
 using System.Diagnostics;
 
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.Extensions.Logging;
@@ -52,6 +53,9 @@ public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
 
         using var activity = SecurityKeyDiagnostics.StartAuthenticationActivity(SecurityKeyDiagnostics.MvcFilterAuthenticationPattern);
         var startTimestamp = Stopwatch.GetTimestamp();
+        var endpoint = GetEndpoint(context.HttpContext);
+
+        activity?.SetTag(SecurityKeyDiagnostics.EndpointTagName, endpoint);
 
         try
         {
@@ -64,7 +68,8 @@ public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
                     activity: activity,
                     startTimestamp: startTimestamp,
                     authenticationResult: SecurityKeyDiagnostics.AuthenticationResultSuccess,
-                    securityKey: securityKey);
+                    securityKey: securityKey,
+                    endpoint: endpoint);
 
                 return;
             }
@@ -76,6 +81,7 @@ public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
                 startTimestamp: startTimestamp,
                 authenticationResult: SecurityKeyDiagnostics.AuthenticationResultFailure,
                 securityKey: securityKey,
+                endpoint: endpoint,
                 failureReason: SecurityKeyDiagnostics.InvalidSecurityKeyFailureReason);
 
             context.Result = new UnauthorizedResult();
@@ -85,9 +91,17 @@ public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
             SecurityKeyDiagnostics.RecordAuthenticationException(
                 activity: activity,
                 startTimestamp: startTimestamp,
-                exception: ex);
+                exception: ex,
+                endpoint: endpoint);
 
             throw;
         }
     }
+
+    private static string GetEndpoint(HttpContext context)
+    {
+        return context.GetEndpoint()?.DisplayName
+            ?? context.Request.Path.Value
+            ?? "unknown";
+    }
 }