NextJS - CORS No 'Access-Control-Allow-Origin' header is present on the requested resource

noelt.dolan · January 24, 2024, 1:10pm

Hi,

I’m having a problem with auth0 CORS issues both on local and deployed development branch of NextJS 14 app.

In my auth0 applicaton account I’ve added both my local and deployed development urls under the following sections:

Allowed Callback URLs,
Allowed Logout URLs,
Allowed Web Origins
Allow Cross-Origin Authentication
Allowed Origins (CORS)

But I’m still getting the following just for home, this one is for localhost:

"Access to fetch at ‘https://dev-my-instanceId.us.auth0.com/authorize?…’ (redirected from ‘http://localhost:3000/dashboard?_rsc=acgkz’) from origin ‘http://localhost:3000’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. "

Access to fetch at 'https://dev-<instanceId>.us.auth0.com/authorize?client_id=<clientId>>&scope=openid%20profile%20email&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback&nonce=oIdCmaHiR6DVq96O8sNnF5KfgBrjXaE4gNevlbhPujg&state=eyJyZXR1cm5UbyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MzAwMC9kYXNoYm9hcmQifQ&code_challenge_method=S256&code_challenge=192mQQ_qp_u0IyOnjDBiH6ptWQhOWeQqeCZ5ZDQ49E4' (redirected from 'http://localhost:3000/dashboard?_rsc=acgkz') from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

For reference, this is what my home/landing page looks like.

'use client';
import { useUser } from '@auth0/nextjs-auth0/client';
import Link from 'next/link';

export default function Home() {
  const { user, isLoading, error } = useUser();

  if (isLoading) {
    return (
      <div>
        <p className="text-warn">loading...!:p</p>
      </div>
    );
  }

  if (error) {
    return (
      <div>
        <p className="text-warn">
          Something gone very wrong! error:{JSON.stringify(error, null, 4)}
        </p>
      </div>
    );
  }

  return (
    <>
      <h1 className="text-3xl font-bold underline">Home page!</h1>
      {!user ? (
        <p>
          Looks like you need to <Link href="/api/auth/login">login</Link>{' '}
          first!
        </p>
      ) : (
        <p>hello {user.name}!</p>
      )}
    </>
  );
}

Anyone else having this problem? Am I missing something obvious? (can’t believe I’d be the only one)

noelt.dolan · January 24, 2024, 1:13pm

Also, for further reference, here is the basic /api/auth/[auth0]/route.ts setup.

import { handleAuth, handleLogin, handleLogout } from '@auth0/nextjs-auth0';

const logoutUrl = [
  `${process.env.AUTH0_ISSUER_BASE_URL}/v2/logout?`,
  `client_id=${process.env.AUTH0_CLIENT_ID}`,
  `&returnTo=${process.env.AUTH0_BASE_URL}`,
];

export const GET = handleAuth({
  login: handleLogin({
    returnTo: '/',
  }),
  logout: handleLogout({
    returnTo: logoutUrl.join(''),
  }),
});

noelt.dolan · January 26, 2024, 9:26am

Hmmm… looks like this is a long standing issue!

github.com/auth0/nextjs-auth0

CORS Errors on logout

opened 02:35AM - 12 Jul 22 UTC

closed 07:00PM - 12 Jul 22 UTC

smparekh

question

### Describe the problem When logging out a user, CORS errors prevent redirect. Login redirection works as intended... Errors in console: ``` Application error: a client-side exception has occurred (see the browser console for more information). Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://auth.dev.mydomain.com/v2/logout?returnTo=https%3A%2F%2Ftest-app.mydomain.com&client_id=XXXXXX. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 404. 22:24:10.987 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://auth.dev.mydomain.com/v2/logout?returnTo=https%3A%2F%2Ftest-app.mydomain.com&client_id=XXXXXX. (Reason: CORS request did not succeed). Status code: (null). ``` I have double checked all applicable settings for my tenant: - [x] Allowed Logout URLs contains https://test-app.mydomain.com - [x] Allowed Web Origins contains https://test-app.mydomain.com - [x] Allowed Callback URLs containts https://test-app.mydomain.com/api/auth/callback  ### What was the expected behavior? App should redirect to https://test-app.mydomain.com  ### Reproduction  ### Environment  - **Version of this library used:** - Auth0 NextJS version: ^1.9.1 - **Which framework are you using, if applicable:** - Next.JS version: ^12.2.0 - **Any other relevant information you think would be useful:** - Component: ```jsx <Link href="/api/auth/logout" passHref> <a>Logout</a> </Link> ``` - I have grafana setup via the same tenant and application where login/logout works as intended.

It’s not really impressive that something like this is left unfixed.

samuel5 · April 24, 2024, 6:49pm

Came here battling the same issue, always Cors errors on logout (and always in my production environment, never with local developement ).

The only fix I have found is to use a clean a tag:

<a href="/api/auth/logout/">Logout</a>

Link component or using router.push(“api/auth/logout”) doesnt work due to the prefetch that the browser will do (I was able to capture this in the network tab inside dev tools).

The readme for auth0/nextjs also uses a href tag:
https://github.com/auth0/nextjs-auth0#consume-authentication