From 41fb2d22cc0daaa56b8a893fe3cfcc8a3419fe3a Mon Sep 17 00:00:00 2001 From: Kirill Solomko Date: Mon, 19 Jan 2026 13:37:05 +0100 Subject: [PATCH] MT#64280 add ngcp_admin_ui_jwt realm and X-NGCP-Admin-UI header * ngcp_admin_ui_jwt is a copy of api_admin_jwt realm but with use_session: 1 * ngcp_admin_ui_jwt is used when X-NGCP-Admin-UI header is provided Change-Id: Ia82f97df922a69866f7c7d63ad1566ff0fc4bc2a
---
 lib/NGCP/Panel.pm | 20 ++++++++-
 .../Authentication/Store/RoleFromRealm.pm | 2 +-
 lib/NGCP/Panel/Controller/Root.pm | 44 ++++++++++++++-----
 3 files changed, 54 insertions(+), 12 deletions(-)
diff --git a/lib/NGCP/Panel.pm b/lib/NGCP/Panel.pm
index 8681f39ed6..7293ecfba4 100644
--- a/lib/NGCP/Panel.pm
+++ b/lib/NGCP/Panel.pm
@@ -327,7 +327,25 @@ __PACKAGE__->config(
 store_user_class => 'NGCP::Panel::Authentication::Store::RoleFromRealm',
 use_userdata_from_session => 0,
 }
- }
+ },
+ ngcp_admin_ui_jwt => {
+ credential => {
+ class => '+NGCP::Panel::Authentication::Credential::JWT',
+ username_jwt => 'username',
+ username_field => 'login',
+ id_jwt => 'id',
+ id_field => 'id',
+ jwt_key => _get_jwt_key(),
+ debug => 1,
+ alg => 'HS256',
+ },
+ store => {
+ class => 'DBIx::Class',
+ user_model => 'DB::admins',
+ store_user_class => 'NGCP::Panel::Authentication::Store::RoleFromRealm',
+ },
+ use_session => 1,
+ },
 },
 ngcp_version => get_ngcp_version(),
 uploadtmp => $panel_config->{general}{tmpdir} // '/tmp',
diff --git a/lib/NGCP/Panel/Authentication/Store/RoleFromRealm.pm b/lib/NGCP/Panel/Authentication/Store/RoleFromRealm.pm
index fbffa5427e..577153d0a0 100644
--- a/lib/NGCP/Panel/Authentication/Store/RoleFromRealm.pm
+++ b/lib/NGCP/Panel/Authentication/Store/RoleFromRealm.pm
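Review bot: In lib/NGCP/Panel.pm the new `ngcp_admin_ui_jwt` realm sets `use_session => 1`, so a request authenticated by bearer token leaves a persisted session behind, and nothing in this hunk ties that session's lifetime to the token's expiry. If the session can outlive the JWT, expiring or revoking the token no longer ends access, and cookie-carried authentication brings CSRF exposure that a bearer header does not have. I would add a comment above the realm such as `# session-backed: session expiry must not exceed JWT lifetime; cookie must be Secure/HttpOnly/SameSite`, and confirm the session settings elsewhere in the config. Separately, `debug => 1` is copied into the credential block; what the JWT credential class logs under debug is not visible here, so check that it does not write token contents to the log.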
@@ -6,7 +6,7 @@ sub roles { my ($self) = @_; if ($self->auth_realm) { - for my $auth_type (qw/admin_bcrypt admin admin_jwt api_admin_cert api_admin_http api_admin api_admin_bcrypt api_admin_jwt/) { + for my $auth_type (qw/admin_bcrypt admin admin_jwt api_admin_cert api_admin_http api_admin api_admin_bcrypt api_admin_jwt ngcp_admin_ui_jwt/) { if ($auth_type eq $self->auth_realm) { if ($self->_user->lawful_intercept) { return "lintercept"; diff --git a/lib/NGCP/Panel/Controller/Root.pm b/lib/NGCP/Panel/Controller/Root.pm index e4713431a0..b13dbe2e6f 100644 --- a/lib/NGCP/Panel/Controller/Root.pm +++ b/lib/NGCP/Panel/Controller/Root.pm @@ -210,12 +210,24 @@ sub auto :Private { $c->log->debug("Invalid api subscriber JWT login"); } } else { - $c->log->debug("Root::auto API request with admin JWT"); - my $realm = "api_admin_jwt"; - my $res = $c->authenticate({}, $realm); + if ($c->req->headers->header("X-NGCP-Admin-UI") && + $c->req->headers->header("X-NGCP-Admin-UI") eq "1") { - unless ($c->user_exists) { - $c->log->debug("Invalid api admin JWT login"); + $c->log->debug("Root::auto API request from NGCP-Admin-UI with admin JWT"); + my $realm = "ngcp_admin_ui_jwt"; + my $res = $c->authenticate({}, $realm); + + unless ($c->user_exists) { + $c->log->debug("Invalid api NGCP-Admin-UI admin JWT login"); + } + } else { + $c->log->debug("Root::auto API request with admin JWT"); + my $realm = "api_admin_jwt"; + my $res = $c->authenticate({}, $realm); + + unless ($c->user_exists) { + $c->log->debug("Invalid api admin JWT login"); + } } } 
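Review bot: The `X-NGCP-Admin-UI` header that selects the `ngcp_admin_ui_jwt` realm in the `@@ -210` hunk of Root.pm is supplied by the caller, so it identifies nothing: any client holding a valid admin JWT can send it and be handled by the session-backed realm instead of `api_admin_jwt`. The same selection appears in the `@@ -341` hunk. If the session realm is meant only for the admin UI, that has to be enforced by something the client cannot set; if it is simply an opt-in, say so in a comment, e.g. `# X-NGCP-Admin-UI is a client opt-in to session-backed auth, not proof of origin`. The header is also read twice per branch; `($c->req->headers->header("X-NGCP-Admin-UI") // '') eq "1"` would read it once. `auto` starts and ends outside the hunk.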
@@ -341,12 +353,24 @@ sub auto :Private { $c->req->headers->header("Authorization") && $c->req->headers->header("Authorization") =~ m/^Bearer /) { - $c->log->debug("Root::auto UI request with admin JWT"); - my $realm = "admin_jwt"; - my $res = $c->authenticate({}, $realm); + if ($c->req->headers->header("X-NGCP-Admin-UI") && + $c->req->headers->header("X-NGCP-Admin-UI") eq "1") { - unless ($c->user_exists) { - $c->log->debug("invalid UI admin JWT login"); + $c->log->debug("Root::auto UI request from NGCP-Admin-UI with admin JWT"); + my $realm = "ngcp_admin_ui_jwt"; + my $res = $c->authenticate({}, $realm); + + unless ($c->user_exists) { + $c->log->debug("Invalid NGCP-Admin-UI admin JWT login"); + } + } else { + $c->log->debug("Root::auto UI request with admin JWT"); + my $realm = "admin_jwt"; + my $res = $c->authenticate({}, $realm); + + unless ($c->user_exists) { + $c->log->debug("invalid UI admin JWT login"); + } } $self->api_apply_fake_time($c);
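Review bot: `my $res = $c->authenticate({}, $realm);` is assigned and never read, and the failure test that follows is `unless ($c->user_exists)`, which matters now that the realm chosen under `X-NGCP-Admin-UI` is session-backed. In Catalyst `user_exists` is also true for a user restored from the session, so a request carrying an invalid or expired bearer token together with a live session cookie would presumably skip the "Invalid NGCP-Admin-UI admin JWT login" branch. Testing the call's own result, `unless ($res) {`, keeps the check about the token that was actually presented; the same applies to the `@@ -210` hunk. Whether the later access decision in `auto` (outside this hunk) also relies on `user_exists` should be confirmed.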