Cross-origin resource sharing error wildcard origin not allowed when i use auth request to my server ngrok

I am writing and testing a full-stack application. My frontend is uploaded to hosting and has the address for example – planner. And my server is on a local computer with a database. For the test, I run the server through the ngrok tunnel, I registered, and received a free static domain for example – grateful.
In requests, I use axios, I have public requests – $public, and authorized with a token – $auth. Public requests work without problems, but for requests with authorization I get a CORS error. This error is in both desktop Google Chrome and mobile Google Chrome, in Microsoft Edge, and also in Safari on the iPhone.
My CORS ERROR is: cross-origin resource sharing error wildcard origin not allowed

I am sending next code

  1. axios request settings
  2. CORS settings on the server
  3. as well as responses in the Google Chrome browser to an authorized request, as well as the response from the Microsoft Edge browser.

  1. const $auth = axios.create({
    baseURL: “grateful”,
    withCredentials: true,
    });
    const $public = axios.create({
    baseURL: “grateful”,
    withCredentials: true,
    });
    $auth.interceptors.request.use((config) => {
    config.headers.Authorization = Bearer ${localStorage.getItem( "accessTokenPlanner" )};
    return config;
    });

  2. const allowedOrigins = [
    “planner”,
    “grateful”,
    ];

    app.use(
    cors({
    origin: function (origin, callback) {
    if (!origin || allowedOrigins.includes(origin)) {
    callback(null, true);
    } else {
    callback(new Error(“CORS not allowed”));
    }
    },
    credentials: true,
    methods: [“GET”, “POST”, “PUT”, “DELETE”, “OPTIONS”],
    allowedHeaders: [“Content-Type”, “Authorization”],
    })
    );

  3. Google chrome
    access-control-allow-origin: *
    content-length: 2906
    content-security-policy: default-src ‘self’ https://cdn.ngrok.com ‘unsafe-eval’ ‘unsafe-inline’; img-src data: w3.org/svg/2000
    content-type: text/html
    date: Thu, 27 Mar 2025 14:43:11 GMT
    referrer-policy:no-referrer
    x-content-type-options:nosniff

    MS Edge
    access-control-allow-origin:*
    content-length:2906
    content-security-policy:default-src ‘self’ https://cdn.ngrok.com ‘unsafe-eval’ ‘unsafe-inline’; img-src data: w3.org/svg/2000
    content-type:text/html
    date:Thu, 27 Mar 2025 15:31:51 GMT
    referrer-policy:no-referrer
    x-content-type-options:nosniff

I checked all the link addresses and rewrote the settings several times.
The most interesting thing is that with these settings that I wrote above, everything works periodically in the desktop version of Google Chrome. But now it doesn’t work anymore, although I didn’t change anything.