bcosca / fatfree

A powerful yet easy-to-use PHP micro-framework designed to help you build dynamic and robust Web applications - fast!

CORS OPTIONS preflight 404 if not routed

riccardo2k13 opened this issue

I'm building a REST API app. I was having issues with the CORS preflight failing.
I am not using $f3->map(). I am mapping every route in a custom routes.ini.

Reading the docs I thought I could not care about OPTIONS, but if I do not route the OPTIONS, it always triggers a 404.

CORS preflight fails

I must add a [OPTIONS /api/... = Ctr->preflight] to handle it, where the preflight method just contains an exit function. Then F3 does the rest of the job.

In order to make it work, you just have to have a route at /api/v1/login, i.e. when you have defined a GET or POST route for it, the OPTIONS preflight collects the available HTTP methods, returning an Access-Control-Allow-Methods: OPTION,GET,POST header. This should work out of the box. 404 means that the router probably has not found a route for the resource the request is trying to access.

Thanks for the reply. I had it. What you say is right, but if I specify the attribute [ajax]

Ex: POST /api/v1/login [ajax] = Api_Auth_Controller->login // this makes the OPTIONS fail

While, as you said:
POST /api/v1/login = Api_Auth_Controller->login // this works

Well then it's probably a bug with the ajax flag, which should be ignored in such a case

I second just using the POST /api/v1/login = Api_Auth_Controller->login method.

I also do this in my middleware router (your pre-flight?) to handle any custom headers:

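// F3 reads the lowercase hive key CORS.origin; copy the request's Origin header into it
$this->fw->copy('HEADERS.Origin','CORS.origin');
// Overrides the value copied above: any origin is allowed
$this->fw->set('CORS.origin','*');
// Request headers to list in Access-Control-Allow-Headers
$this->fw->set('CORS.headers',['token','content-type', 'x-property-id']);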

In fact I will remove the [ajax] specification. Thanks to all.
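
The failure discussed in this thread, modelled as an added example (not code from the issue or from Fat-Free): a JavaScript function that applies the browser's preflight checks from the Fetch standard to an OPTIONS response. The function name `checkPreflight`, the object shapes, the origin and both responses are assumptions constructed for illustration.

```javascript
// Added example: browser-side CORS preflight check, following the Fetch standard.
// Header names in res.headers are lowercase; all sample data below is constructed.
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];
const parseList = v => (v || '').split(',').map(s => s.trim()).filter(Boolean);

function checkPreflight(req, res) {
  // 1. A preflight response needs an ok status (200-299); a 404 fails here.
  if (res.status < 200 || res.status > 299)
    return { ok: false, reason: `preflight status ${res.status}` };
  // 2. Allow-Origin must equal the origin, or be "*" when no credentials are sent.
  const allowOrigin = res.headers['access-control-allow-origin'];
  const wildcardOk = !req.credentials;
  if (allowOrigin !== req.origin && !(wildcardOk && allowOrigin === '*'))
    return { ok: false, reason: 'origin not allowed' };
  if (req.credentials && res.headers['access-control-allow-credentials'] !== 'true')
    return { ok: false, reason: 'credentials not allowed' };
  // 3. Method must be listed, CORS-safelisted, or covered by "*".
  const methods = parseList(res.headers['access-control-allow-methods']);
  if (!methods.includes(req.method) && !SAFELISTED_METHODS.includes(req.method) &&
      !(wildcardOk && methods.includes('*')))
    return { ok: false, reason: `method ${req.method} not allowed` };
  // 4. Each non-safelisted request header must be listed (case-insensitive);
  //    "*" never covers Authorization.
  const allowed = parseList(res.headers['access-control-allow-headers'])
    .map(h => h.toLowerCase());
  for (const name of req.headers.map(h => h.toLowerCase())) {
    const viaWildcard = wildcardOk && allowed.includes('*') && name !== 'authorization';
    if (!allowed.includes(name) && !viaWildcard)
      return { ok: false, reason: `header ${name} not allowed` };
  }
  return { ok: true, reason: 'preflight passed' };
}

// Constructed request: a cross-origin JSON POST carrying a custom "token" header.
const request = { origin: 'https://app.example', method: 'POST',
  headers: ['Content-Type', 'token'], credentials: false };
// Constructed responses: OPTIONS with no matching route, and a routed resource.
const unrouted = { status: 404, headers: {} };
const routed = { status: 200, headers: {
  'access-control-allow-origin': '*',
  'access-control-allow-methods': 'OPTIONS,GET,POST',
  'access-control-allow-headers': 'token,content-type,x-property-id' } };

console.log(checkPreflight(request, unrouted));
console.log(checkPreflight(request, routed));
console.log(checkPreflight({ ...request, credentials: true }, routed));
```

The third call shows that a wildcard origin, as set in the middleware snippet above, stops passing once the request is sent with credentials.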