Drop in Components Cors policy in development mode

Im building an app with Dwolla that has a backend server written in NodeJS and a frontend client written in ReactJS. I’ve been trying to work with the Drop in components but I have a problem with the component not managing to go past the server side CORS policy.

this is my frontend set up:

  environment: "sandbox",
  styles: "/styles/update-custom.css",
  // tokenUrl: () => Promise.resolve("/token-endpoint"),
  tokenUrl: "http://localhost:5000/dwolla/token-url",
  success: (res) => console.log(res),
  error: (err) => console.log(err),

and this is my cors set up on nodejs/express side:

const app = express()
const port = process.env.PORT || 5000
app.use([limiter, morgan('common'), helmet()])

I’ve also tried multiple setups to cors like:

app.options('*', cors())
app.use(cors({ origin: '*' })
app.use(cors({ origin: '' })
app.use(cors({ origin: 'http://locahost:3000' })

nothing works, it keep getting blocked with different messages. For the setup I have above in the express script the error Im getting is: Access to fetch at ‘http://localhost:5000/dwolla/token-url’ from origin ‘http://localhost:3000’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: The value of the ‘Access-Control-Allow-Origin’ header in the response must not be the wildcard ‘*’ when the request’s credentials mode is ‘include’.

Would really appreciate the help - I should not this is not happening with any other calls, from postman, client, curl etc.

Thank you!