-1👍
When browsers come across a cross-origin AJAX call, it has to determine if the endpoint understands CORS protocol and what are the acceptable domains/methods/headers are. To do so they will fire Preflight Request in OPTIONS method. https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
However not all AJAX call will trigger such preflight request. For example, if you just directly call
fetch('https://google.com/some_api')
which is essentially to fire a GET call without parameters to https://google.com/some_api, browser might choose to skip preflight and just fire the actual GET call.
-1👍
You should allow OPTIONS method, too. The preflight of the request consists of a request with method OPTIONS, which you should reply to with full headers and empty body.
Also check if your middleware does not throw exception on authentication.