SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

the golang docs suggest handling CORS at the server level: https://supertokens.io/docs/go/usage/handling-cors
I have different policies for various paths under the same server, and to date have been returning the Access-Control-* headers from within the handlers for each of those paths

I'm just getting to where I'm incorporating the supertokens middleware on the backend ... and because it's inserted between the server and the path-handler, if the middleware hits an error the path-handler never has a chance to send the Access-Control-* headers

so: when the middleware hits an error, the error is masked in the browser by a complaint about there being no CORS header in the response