In api-server/index.js, update origin to a domain listed in your /etc/hosts file. Leave the port of ':3001' on there.
Start both servers, then navigate to http://localhost:3000/setcookie. This will set a cookie on localhost.
Next, navigate to http://<domain_listed_in_hosts>:3001 and open your console. You will see a log of { hi: 'there' }. This indicates that we were able to make a cross domain request including cookies. However, the info in that cookie is not accessible while at http://<domain_listed_in_hosts>:3001! In addition, this only works if the 'origin' listed in api-server/index.js is explicitly set to http://<domain_listed_in_hosts>:3001 (not likely in the real world).
To represent reality, change the origin property to any other value, then reload http://<domain_listed_in_hosts>:3001. The request will now fail.