Odoo Cors and auth=user

Question

How do i call an endpoint with cors and auth=user?

@http.route('/endpoint', type='json', cors='http://127.0.0.1:5173', auth='user', csrf=False, methods=['OPTIONS', 'POST'])
def endpoint(self):
    return {'test'}

If i call this endpoint from javascript with

axios.post('http://127.0.0.1:8069/endpoint', {
    jsonrpc: "2.0",
    params: {},
}, {
    headers: {"Content-Type": "application/json"},
    withCredentials: true,
})
.then(content => {
    console.log(content.data)
})
.catch(error => alert(JSON.stringify(error)))

i always get the following error

Access to XMLHttpRequest at 'http://127.0.0.1:8069/endpoint' from origin 'http://127.0.0.1:5173' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

I logged in before with

@http.route('/login', type='json', cors='http://127.0.0.1:5173', auth='none', csrf=False, methods=['OPTIONS', 'POST'])
def login(self, db, login, password):
    http.request.session.authenticate(db, login, password)
    return http.request.env['ir.http'].session_info()

and

axios.post('http://127.0.0.1:8069/login', {
    jsonrpc: "2.0",
    params: {
        db: "db_name",
        login: email,
        password: password
    },
}, {
    headers: {"Content-Type": "application/json"},
    withCredentials: true,
})
.then(content => {
    console.log(content.data)
})
.catch(error => alert(JSON.stringify(error)))

and that works.

Answer 1

Server should respond with Access-Control-Allow-Origin header being '*'