cors error deploying vercel

Answered

Briard posted this in #help-forum

BriardOP

2025-03-12T20:53:12.897Z

trying to deply my website to vercel but getting cors error http://localhost:3000/api/auth/sign-in/username

Access to fetch at 'http://localhost:3000/api/auth/sign-in/username' from origin 'https://tazhab-4r9typfhf-codecret-projects.vercel.app' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

next.config.ts

async headers() {
    return [
      {
        source: "/api/:path*",
        headers: [
          {
            key: "Access-Control-Allow-Origin",
            value: "*", // Set your origin
          },
          {
            key: "Access-Control-Allow-Methods",
            value: "GET, POST, PUT, DELETE, OPTIONS",
          },
          {
            key: "Access-Control-Allow-Headers",
            value: "Content-Type, Authorization",
          },
        ],
      },
    ];
  },

Answered by Dutch

you can add a middleware to make it more specific

// ./middleware.ts
import { NextRequest, NextResponse } from 'next/server'
 
const allowedOrigins = ['https://acme.com', 'https://my-app.org']
 
const corsOptions = {
  'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
  'Access-Control-Allow-Headers': 'Content-Type, Authorization',
}
 
export function middleware(request: NextRequest) {
  // Check the origin from the request
  const origin = request.headers.get('origin') ?? ''
  const isAllowedOrigin = allowedOrigins.includes(origin)
 
  // Handle preflighted requests
  const isPreflight = request.method === 'OPTIONS'
 
  if (isPreflight) {
    const preflightHeaders = {
      ...(isAllowedOrigin && { 'Access-Control-Allow-Origin': origin }),
      ...corsOptions,
    }
    return NextResponse.json({}, { headers: preflightHeaders })
  }
 
  // Handle simple requests
  const response = NextResponse.next()
 
  if (isAllowedOrigin) {
    response.headers.set('Access-Control-Allow-Origin', origin)
  }
 
  Object.entries(corsOptions).forEach(([key, value]) => {
    response.headers.set(key, value)
  })
 
  return response
}
 
export const config = { // <-- here is your filter
  matcher: '/api/:path*',
}

View full answer

36 Replies

Dutch

2025-03-12T20:59:09.151Z

check your api

BriardOP

2025-03-12T21:02:54.368Z

Access to fetch at 'https://domain-ecz3uowws-codecret-projects.vercel.app/api/auth/sign-in/username' from origin 'https://domain-ph82sfsq7-codecret-projects.vercel.app' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Dutch

2025-03-12T21:03:36.054Z

http://localhost:3000/api/auth/sign-in/username

BriardOP

2025-03-12T21:03:44.627Z

i changed it

to my actuall domain

Dutch

2025-03-12T21:03:55.730Z

no your api should have cors

BriardOP

2025-03-12T21:04:02.138Z

im using betterauth

Dutch

2025-03-12T21:04:10.805Z

not related

BriardOP

2025-03-12T21:04:13.007Z

import { auth } from "@/lib/auth";
import { toNextJsHandler } from "better-auth/next-js";

export const { GET, POST } = toNextJsHandler(auth.handler);

is it related to this

because this is my api/auth/route

Dutch

2025-03-12T21:04:55.282Z

is it working at local

BriardOP

2025-03-12T21:05:01.110Z

yes

@Briard trying to deply my website to vercel but getting cors error http://localhost:3000/api/auth/sign-in/username `Access to fetch at 'http://localhost:3000/api/auth/sign-in/username' from origin 'https://tazhab-4r9typfhf-codecret-projects.vercel.app' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.` `next.config.ts` ` async headers() { return [ { source: "/api/:path*", headers: [ { key: "Access-Control-Allow-Origin", value: "*", // Set your origin }, { key: "Access-Control-Allow-Methods", value: "GET, POST, PUT, DELETE, OPTIONS", }, { key: "Access-Control-Allow-Headers", value: "Content-Type, Authorization", }, ], }, ]; },`

BriardOP

2025-03-12T21:05:24.321Z

should i delete next.config.ts setup

Dutch

2025-03-12T21:06:15.406Z

need to see your /api folder

BriardOP

2025-03-12T21:06:50.464Z

that's it

Dutch

2025-03-12T21:09:07.239Z

what is that blue file

BriardOP

2025-03-12T21:09:49.452Z

its outside

@Briard import { auth } from "@/lib/auth"; import { toNextJsHandler } from "better-auth/next-js"; export const { GET, POST } = toNextJsHandler(auth.handler);

Dutch

2025-03-12T21:12:56.263Z

is this route.ts

BriardOP

2025-03-12T21:13:43.059Z

yes that was route.ts inside my auth/[...all] directory

Dutch

2025-03-12T21:14:56.999Z

do you have auth-client.ts

BriardOP

2025-03-12T21:15:42.327Z

yes

import { createAuthClient } from "better-auth/react"; // make sure to import from better-auth/react
import { adminClient, usernameClient } from "better-auth/client/plugins";
import { inferAdditionalFields } from "better-auth/client/plugins";
import type { auth } from "./auth";
import { env } from "./env";
// check https://www.better-auth.com/ for more information
export const authClient = createAuthClient({
  baseURL: env.NEXT_PUBLIC_BETTER_AUTH_URL,
  plugins: [
    usernameClient(),
    adminClient(),
    inferAdditionalFields<typeof auth>(),
  ],
});

export type Session = typeof authClient.$Infer.Session;
export type User = Session["user"];

Dutch

2025-03-12T21:17:18.792Z

can you add cors rules to there

or your next config

const nextConfig = {
  ...
  async headers() {
    return [
      {
        source: "/(.*)",
        headers: [
          { key: "Access-Control-Allow-Origin", value: "*" },
          { key: "Access-Control-Allow-Methods", value: "GET,DELETE,PATCH,POST,PUT,OPTIONS" },
          { key: "Access-Control-Allow-Credentials", value: "true" },
          {
            key: "Access-Control-Allow-Headers",
            value: "X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, x-auth-return-redirect",
          },
        ],
      },
    ];
  },
};

BriardOP

2025-03-12T21:22:37.346Z

i add it here

wow its working

source: "/(.*)", i think this was the reason

somehow

Dutch

2025-03-12T21:24:18.977Z

nice to see that i still remember some things xd

Dutch

2025-03-12T21:25:12.073Z

you can add a middleware to make it more specific

// ./middleware.ts
import { NextRequest, NextResponse } from 'next/server'
 
const allowedOrigins = ['https://acme.com', 'https://my-app.org']
 
const corsOptions = {
  'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
  'Access-Control-Allow-Headers': 'Content-Type, Authorization',
}
 
export function middleware(request: NextRequest) {
  // Check the origin from the request
  const origin = request.headers.get('origin') ?? ''
  const isAllowedOrigin = allowedOrigins.includes(origin)
 
  // Handle preflighted requests
  const isPreflight = request.method === 'OPTIONS'
 
  if (isPreflight) {
    const preflightHeaders = {
      ...(isAllowedOrigin && { 'Access-Control-Allow-Origin': origin }),
      ...corsOptions,
    }
    return NextResponse.json({}, { headers: preflightHeaders })
  }
 
  // Handle simple requests
  const response = NextResponse.next()
 
  if (isAllowedOrigin) {
    response.headers.set('Access-Control-Allow-Origin', origin)
  }
 
  Object.entries(corsOptions).forEach(([key, value]) => {
    response.headers.set(key, value)
  })
 
  return response
}
 
export const config = { // <-- here is your filter
  matcher: '/api/:path*',
}

Answer

Dutch

2025-03-12T21:27:33.055Z

also clerk is better than better auth

can we mark it as resolved @Briard