is it possible to disable preflight request authentication check?

[dsultanr]

When I send a curl request to couchDB with the authorization everything works OK

here is the log

user@DESKTOP-B5AORRT:/mnt/c/WINDOWS/system32$ curl -v -H "Origin: http://localhost:8084" -H "X-Auth-CouchDB-Roles: users" -H "X-Auth-CouchDB-UserName: 20210907233149" -H "X-Auth-CouchDB-Token: 92f4b91f6854441926ef94a2312f4dc0b75206d2" "http://localhost:5984/_session"
* Expire in 0 ms for 6 (transfer 0x7fffdcc4bfb0)
* Expire in 1 ms for 1 (transfer 0x7fffdcc4bfb0)
* Expire in 0 ms for 1 (transfer 0x7fffdcc4bfb0)
* Expire in 2 ms for 1 (transfer 0x7fffdcc4bfb0)
* Expire in 1 ms for 1 (transfer 0x7fffdcc4bfb0)
* Expire in 2 ms for 1 (transfer 0x7fffdcc4bfb0)
* Expire in 3 ms for 1 (transfer 0x7fffdcc4bfb0)
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x7fffdcc4bfb0)
* Connected to localhost (127.0.0.1) port 5984 (#0)
> GET /_session HTTP/1.1
> Host: localhost:5984
> User-Agent: curl/7.64.0
> Accept: */*
> Origin: http://localhost:8084
> X-Auth-CouchDB-Roles: users
> X-Auth-CouchDB-UserName: 20210907233149
> X-Auth-CouchDB-Token: 92f4b91f6854441926ef94a2312f4dc0b75206d2
>
< HTTP/1.1 200 OK
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Origin: http://localhost:8084
< Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
< Cache-Control: must-revalidate
< Content-Length: 154
< Content-Type: application/json
< Date: Tue, 07 Sep 2021 20:56:08 GMT
< Server: CouchDB/3.1.1 (Erlang OTP/20)
<
{"ok":true,"userCtx":{"name":"20210907233149","roles":["users"]},"info":{"authentication_handlers":["cookie","proxy","default"],"authenticated":"proxy"}}
* Connection #0 to host localhost left intact

but when I'm doing request from browser with fetch

        let headers = new Headers();
        headers.append('X-Auth-CouchDB-Roles', 'users');
        headers.append('X-Auth-CouchDB-UserName', '20210907233149');
        headers.append('X-Auth-CouchDB-Token', '92f4b91f6854441926ef94a2312f4dc0b75206d2');

        fetch('http://localhost:5984/_session', { headers })
            .then(response => response.blob())
            .then(blobby => {
                console.log(blobby);
            });

it fails with error:
Access to fetch at 'http://localhost:5984/_session' from origin 'http://localhost:8084' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
tried both with credentials: 'include' and without. no luck
preflight requests fails with 401 Unauthorized
But AFAIK it's impossible to force the browser to send X-Auth headers in the preflight request

Is it possible to disable preflight's request authorization check in couchDB?

[dsultanr]

here is my local.ini

; CouchDB Windows installer-generated admin user
[admins]
admin = -pbkdf2-b237ab693c6f950c58a26900048525c78beaac27,400d6a487d91339b6ce4dd6000440456,10

[couchdb]
uuid = 6443e553ef11f5b034ebf58dc49fdfd5

[couch_httpd_auth]
secret = 830668671043493a218da2fa8085c571
proxy_use_secret = true

[chttpd]
bind_address = 0.0.0.0
port = 5984
authentication_handlers = {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, proxy_authentication_handler}, {chttpd_auth, default_authentication_handler}

[cluster]
n = 1

[httpd]
enable_cors = true
authentication_handlers = {couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, default_authentication_handler}

[cors]
origins = http://localhost:8084,http://localhost
credentials = true
headers = accept, authorization, content-type, origin, referer
methods = GET, PUT, POST, HEAD, DELETE

[dsultanr]

added a MITM proxy between client and couchDB and here is what actually happening

Request:

Response:

[dsultanr]

switched to JWT tokens, problem is gone