This section of the doc says that:
For requests without credentials, the server may specify "*" as a wildcard, thereby allowing any origin to access the resource.
The wildcard is used for completely public APIs which don't require auth. If you want to use credentials (via cookies), you've got to set the exact list of allowed URLs in Access-Control-Allow-Origin.
Make sure res.setHeader("Access-Control-Allow-Credentials","true");
is used at the back end like:
    app.use(function(req, res, next) {
        // Credentialed requests need an exact origin here, not "*"
        res.setHeader("Access-Control-Allow-Origin", 'YOUR URL HERE');
        res.setHeader("Access-Control-Allow-Credentials", "true");
        res.setHeader("Access-Control-Expose-Headers", "Set-Cookie");
        res.setHeader("Access-Control-Allow-Headers", "Content-Type, x-xsrf-token, X-Requested-With, Accept, Expires, Last-Modified, Cache-Control");
        res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
        // Hand the request on; without this call it never reaches the routes
        next();
    });
Also the $httpProvider.defaults.withCredentials = true;
should be used at the angular side to allow sending the credentials.
    angular.module('CoolModule')
        .config(['$httpProvider', function($httpProvider) {
            // For Access-Control-Allow-Origin and Set-Cookie header
            $httpProvider.defaults.withCredentials = true;
        }]);
or $http({withCredentials: true, ...}).get(...)
Hope this helps.
EDIT: Not a solution, but as a workaround to allow the OPTIONS request this piece of code could be added:
    ...
    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
    if ('OPTIONS' == req.method) {
        res.send(200);
    } else {
        next();
    }
    ...
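An added example, not part of the original answer: one way to serve credentialed CORS to more than one front end is to echo the request's Origin only when it is on an allow-list, and to answer the OPTIONS preflight in the same middleware. The names `ALLOWED_ORIGINS`, `corsWithCredentials` and `simulate`, and the example.com origins, are assumptions made for illustration.

```javascript
// Constructed allow-list: replace with the origins that serve your front end.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Connect/Express-style middleware using only Node's http response API.
function corsWithCredentials(req, res, next) {
  const origin = req.headers.origin;

  // The response differs per origin, so caches must key on it.
  res.setHeader('Vary', 'Origin');

  if (origin && ALLOWED_ORIGINS.has(origin)) {
    // Echo the single matching origin; browsers refuse "*" when the
    // request carries credentials.
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Access-Control-Allow-Credentials', 'true');
    res.setHeader('Access-Control-Allow-Headers',
      'Content-Type, x-xsrf-token, X-Requested-With, Accept');
    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
  }
  // Origins not on the list get no CORS headers, so the browser blocks the read.

  if (req.method === 'OPTIONS') {
    // Preflight: answer here and do not run the route handlers.
    res.statusCode = 204;
    res.end();
    return;
  }
  next();
}

// Minimal stand-in for req/res so the middleware can be run without a server.
function simulate(method, origin) {
  const headers = {};
  const result = { headers, statusCode: null, ended: false, passedOn: false };
  const req = { method, headers: origin ? { origin } : {} };
  const res = {
    setHeader: (name, value) => { headers[name] = value; },
    set statusCode(code) { result.statusCode = code; },
    end: () => { result.ended = true; },
  };
  corsWithCredentials(req, res, () => { result.passedOn = true; });
  return result;
}
```

In an Express app the middleware is registered with `app.use(corsWithCredentials)` before the routes.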