"Unable to access identity settings." when accessing /admin only on localhost. CORS error

I can access my site’s published my-site.com/admin page just fine. But when trying to access it locally at localhost:8000/admin, I get the following message after providing my site’s url.

"Unable to access identity settings. When using git-gateway backend make sure to enable Identity service and Git Gateway."

I have Identity and Git Gateway enabled for the site.

The console error suggests its a CORS issue.

> netlify-cms-app 2.11.3
> netlify-cms-core 2.15.1
> Failed to load resource: the server responded with a status of 401 ()
> Access to fetch at 'https://my-site.netlify.com/.netlify/identity/settings' from origin 'http://localhost:8000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

So I tried adding Access-Control-Allow-Origin: "*" to the netlify.toml file. But I understand that these don’t affect ./netlify/* paths.

[[headers]]
  # Define which paths this specific [[headers]] block will cover.
  for = "/*"
    [headers.values]
    Access-Control-Allow-Origin = "*"

That didn’t have any effect.

Unsure what I’ve missed or if this is a bug.

I may be wrong, but I believe you’ve spoken about this to a colleague in the helpdesk, and it turned out to be related to the password protection on your site (which was not being fed an Authorization HTTP request header) - does that sound like you? If not, please tell us which site you are working on (it’s not called “my-site” which you used to obfuscate your error message; please don’t do that in the future to save everyone some trouble :))

Haven’t talked to any one in the help desk as far as I remember. But it makes sense that password protection would be my problem here as well. I incorrectly assumed that Netlify CMS was doing some special auth with git-gateway and would bypass password protection.

I have since removed Netlify CMS, so I wont be able to confirm with this particular site.

Apologies for the obfuscation. I should have put <my-site-name> to make it obvious.

Thanks.

sounds good - please let us know if you need anything else.