Public API seems to accept only Basic Authorization header requests when CORS is used

Our Angular (dart) application is making use of the SyncGateway public API in order to access a Couchbase repository. The authorization was being done with the Session SetCookie header . It was working fine when our SyncGateway was set up without CORS.

However, the browser where our application is running will refuse to send any request if the SyncGateway is set up with a CORS origin list. The culprit seems to be the WWW-Authentication response header returned by the SyncGateway, which is set to "Basic realm=‘Sync Gateway’ . If our application is changed to use a Basic Authorization header, the browser will then be working again.

Is it a known issue? Or am I missing something here.
We would really like to stick to using a Session instead of a credential with username and password, as our users would be from an external OAuth source.

Would someone shed some light on this issue.?

Any help would be highly appreciated.

You can try setting the "send_www_authenticate_header": false config option, which I believe was added to support this scenario.

https://docs.couchbase.com/sync-gateway/current/config-properties.html#databases-foo_db-send_www_authenticate_header

More information is in the original community contribution:

First thanks your quick response. I am very impressed

I’ve tried your suggestion. But it didn’t work.
After having set the ]flag to false, our angular app is now working with neither the Basic Authorization nor the Cookie headers.

The browser seems to be not sending any authentication headers at all.
I think it is because the WWW-Authentication header is now not present in the response from the gateway.

Any more suggestion?

Thanks again.