Hi there, I'm getting this error on the react client:

Access to fetch at 'https://evt-api-dev.revod.cloud/auth/signinup/code' from origin 'http://localhost:8000' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
evt-api-dev.revod.cloud/auth/signinup/code:1          Failed to load resource: net::ERR_FAILED

even though these are the allowed origins in the nestjs backend:

ts
app.enableCors({
    origin: [
      process.env.EVENTVM_BASE_URL,
      'https://studio.apollographql.com',
      'http://localhost:8000',
    ],
    allowedHeaders: ['content-type', ...supertokens.getAllCORSHeaders()],
    credentials: true,
  });

why's so?

Im not sure. This doesn't seem to be an issue related to supertokens as such. But normally for cors, I use the

cors

node package like so: https://github.com/supertokens/supertokens-node/blob/master/examples/express/with-thirdpartyemailpassword/index.js#L120

@rp_st it's actually behaving really weird: if I'm using ONLY passwordless recipe it works. It doesn't with the one passwordless + social login

You need to init the same recipe on the frontend and backend. Are you doing that?

ohhhh that's right... no I am not