The problem is having client-side JS downloaded from one place trying to make a request to a different place. That's the essential part of the Access-Control-Allow-Origin error.
It appears you are serving up some content from an app server on localhost:9001 (something other than MarkLogic?), then trying to hit http://172.16.32.154:8000 (MarkLogic). That suggests a problem with your architecture: your MarkLogic instance is available for anyone to directly hit. That turns out to be a poor idea from a security point of view.
What is the host at localhost:9001? One option is that the application server in MarkLogic could host whatever you're serving up from localhost:9001, as well as modules that manage the logic you're trying to send through /v1/eval.
Let's look at an example. Suppose you have a MarkLogic application server using the filesystem for modules (note that using a modules database is preferred). Under wherever you have the root for that application server, you could have:
In the "api" directory, you can have an XQuery or JavaScript module called login.xqy or login.sjs that does whatever you're trying to send to /v1/eval. Make sense?
