Have you tried different names here:
'/user/setting'
Hello,
I have the following problem:
I am using Laravel as an API backend for some applications. For this I installed "fruitcake/laravel-cors":"^2.0", and set it up as follows:
config/cors.php
'paths' => ['api/*', 'sanctum/csrf-cookie', 'login', 'logout', '/','*'],
'allowed_methods' => ['*'],
'allowed_origins' => ['*'],
'allowed_origins_patterns' => ['*'],
'allowed_headers' => ['*'],
'exposed_headers' => [],
'max_age' => 0,
'supports_credentials' => true,
Additionally, I have the following .htaccess:
Header always set Access-Control-Allow-Origin "*".
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT, PATCH".
Header always set Access-Control-Allow-Headers "*".
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ [R=200,L]
My problem now is that everything works fine until I want to call the following route:
https://api.example.com/api/user
And only when I want to access the USER controller I get these errors:
has been blocked by CORS policy: Response to preflight request does not pass access control check: It does not have HTTP ok status.
This is what the routes look like in routes/api.php:
Route::group(['middleware' => 'auth:api'], function () {
    // lot more routes here
    Route::patch('/user/setting', [UserController::class, 'updateUserSetting']);
    Route::post('/user/setting', [UserController::class, 'setUserSetting']);
});
But really only with these two routes, all others go. I just don't understand it.
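As an added example (not code from the thread or from fruitcake/laravel-cors), here is a simplified model of the preflight checks the Fetch standard prescribes, run against the header values from the `.htaccess` above. The origin `https://app.example.com`, the 401 status and the explicit allow-list are constructed assumptions.

```javascript
// Simplified model of the browser's CORS-preflight checks (Fetch standard); all data is constructed.
const list = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// req: { origin, method, headers: names from Access-Control-Request-Headers,
//        credentials: true when cookies or HTTP auth are sent cross-origin }
// res: { status, headers: { "lowercase-name": "value" } }
// Returns "ok" or the first reason the browser would block the real request.
function checkPreflight(req, res) {
  const h = res.headers;
  if (res.status < 200 || res.status > 299) return "preflight status is not 2xx";
  const acao = h["access-control-allow-origin"];
  if (req.credentials) {
    // With credentials, "*" is taken literally: the exact origin must be echoed.
    if (acao !== req.origin) return "origin not echoed for credentialed request";
    if (h["access-control-allow-credentials"] !== "true") return "credentials not allowed";
  } else if (acao !== "*" && acao !== req.origin) {
    return "origin not allowed";
  }
  const methods = list(h["access-control-allow-methods"]); // compared case-sensitively
  const starMethods = !req.credentials && methods.includes("*");
  const safelisted = ["GET", "HEAD", "POST"].includes(req.method);
  if (!safelisted && !methods.includes(req.method) && !starMethods)
    return "method " + req.method + " not allowed";
  const allowed = list(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  const starHeaders = !req.credentials && allowed.includes("*");
  for (const name of req.headers.map((s) => s.toLowerCase())) {
    if (allowed.includes(name)) continue;
    // "*" never covers Authorization and is literal when credentials are sent.
    if (starHeaders && name !== "authorization") continue;
    return "header " + name + " not allowed";
  }
  return "ok";
}

// Assumed front-end origin; PATCH with a bearer token and a JSON body.
const patchReq = { origin: "https://app.example.com", method: "PATCH",
  headers: ["Authorization", "Content-Type"], credentials: true };
// Header values as set by the .htaccess in the post.
const wildcard = { "access-control-allow-origin": "*",
  "access-control-allow-methods": "POST, GET, OPTIONS, DELETE, PUT, PATCH",
  "access-control-allow-headers": "*" };
// Explicit allow-list for the assumed origin.
const explicit = { "access-control-allow-origin": "https://app.example.com",
  "access-control-allow-credentials": "true",
  "access-control-allow-methods": "GET, POST, PATCH",
  "access-control-allow-headers": "Authorization, Content-Type" };
console.log(checkPreflight(patchReq, { status: 401, headers: wildcard })); // 401 is constructed
console.log(checkPreflight(patchReq, { status: 200, headers: wildcard }));
console.log(checkPreflight(patchReq, { status: 200, headers: explicit }));
```

In `config/cors.php`, the counterpart of the last case is an explicit `allowed_origins` list alongside `'supports_credentials' => true`.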