CORS error after upgrading from 1.1.0 to 1.1.1

[despatates]

Environment

------------------------------
- Operating System: Linux
- Node Version:     v24.11.1
- Nuxt Version:     4.2.1
- CLI Version:      3.30.0
- Nitro Version:    2.12.8
- Package Manager:  yarn@1.22.22
- Builder:          -
- User Config:      app, auth, components, css, dayjs, compatibilityDate, devtools, fonts, i18n, modules, postcss, routeRules, runtimeConfig, sentry, sourcemap, ssr, telemetry, vuetify
- Runtime Modules:  @nuxt/eslint@1.11.0, @nuxtjs/i18n@10.2.1, dayjs-nuxt@2.1.11, @nuxt/fonts@0.11.4, @pinia/nuxt@0.11.3, @sidebase/nuxt-auth@1.1.0, @sentry/nuxt/module@10.28.0, vuetify-nuxt-module@0.18.8
- Build Modules:    -
------------------------------

Reproduction

Migrate from 1.1.0 to 1.1.1.

Describe the bug

I'm using the local provider. After upgrading from 1.1.0 to 1.1.1, the refresh token requests fail with a CORS error.
The nuxt-auth setup didn't changed, as well as the backend server.

Here is my config:

auth: {
  baseURL: 'http://localhost:8080',
  globalAppMiddleware: true,
  provider: {
    type: 'local',
    endpoints: {
      // ...
    },
    token: {
      signInResponseTokenPointer: '/access_token',
    },
    refresh: {
      isEnabled: true,
      endpoint: { /* ... */ },
      refreshOnlyToken: false,
      token: {
        signInResponseRefreshTokenPointer: '/refresh_token',
        refreshRequestTokenPointer: '/refresh_token',
      },
    },
  },
}

My app is running on localhost:3000. I'm sorry but I don't have much more info to provide.
Is there a parameter I missed?

Additional context

Logs

[vvarp]

I got hit by this one as well, but unfortunately (and for a good reasons) this requires adjusting CORS settings in your backend.

All you need to do is:

• drop Access-Control-Allow-Origin: * and do Access-Control-Allow-Origin: https://your-exact-domain.com instead
• send Access-Control-Allow-Credentials: true

[despatates]

Thank you for your help. I tried your solution and it works.
For context, my backend is stateless and only uses a Bearer token to authenticate the user, it doesn't use cookies. It is also used by several clients.

This CORS error seems to have been introduced by #1065 fix(#1063): always include browser cookies by default.

It looks like a breaking change for me.
I understand this is probably better for security in many setups, but it forces me to update my backend and support credential mode even though I don't need, just because the client now always sends cookies.

It would be very helpful to have a setting to opt out this behavior and keep the previous semantics for the local provider, for example:

auth: {
  provider: {
    type: 'local',
    // ...
    fetchOptions: {
      credentials: 'omit', // or 'same-origin' instead of always 'include'
    }
  }
}