#Can't access admin after update to 2.3.1

Hi guys. After update to 2.3.1 I can't access to my admin. Error:

Blocked request. This host ("myulr.top") is not allowed. To allow this host, add "myulr.top" to server.allowedHosts in vite.config.js.

But my URL is added to AUTH_CORS and ADMIN_CORS in .env and it's used in medusa-config.ts

i got same issue

somehow 2.3.1 can not run medusa build too

My app has been running for about a month with these settings and I haven't changed anything. Just performed an update via npm update.

Also, when starting the server, warnings appeared in the console:

The CJS build of Vite's Node API is deprecated. See https://vite.dev/guide/troubleshooting.html#vite-cjs-node-api-deprecated for more details. (node:78976) [DEP0040] DeprecationWarning: The punycodemodule is deprecated. Please use a userland alternative instead. (Usenode --trace-deprecation ... to show where the warning was created)

Ney @sudden inlet
Can I get you to create a bug report on GitHub for this issue ? 🙌🏼
https://github.com/medusajs/medusa/issues/new?template=bug_report_v2.yml

@leaden dove we reported here https://github.com/medusajs/medusa/issues/11067

@sudden inlet @leaden dove i think i solved it, we must start medusa server in .medusa/server instead root folder

it's worked now

same issue with my test deployment of version 2.3.1
also tried modifying medusa-config.ts to add some additional vite config to no luck

    vite: config => {
      if (isDevelopment) {
        return {
          ...config,
          server: {
            hmr: {
              overlay: true,
            },
            base: "/app/",
            allowedHosts: process.env.MEDUSA_BACKEND_URL,
          },
        }
      }
      return {
        ...config,
        server: {
          hmr: false,
          base: "/app/",
          allowedHosts: process.env.MEDUSA_BACKEND_URL,
        }
      }
    }

server is already starting from the .medusa/server build folder.

@dawn vapor somehow it's worked for me,

cp .env .medusa/server
cd .medusa/server && yarn && yarn start

NODE_ENV=production

yeah some from reading other issues on github I think my issue might come from having switched to npm instead of yarn 🧐

I'm also running into this on a new install. Does anyone have any advice on getting things working with Docker? I have set MEDUSA_BACKEND_URL in medusa-config.ts.

# Current LTS Node
FROM node:22
WORKDIR /app
# Node dependencies
COPY crm/package.json .
COPY crm/yarn.lock .
RUN yarn install
# Copy remaining content of crm to /app
COPY crm/ .
# Next two lines are attempt to workaround for "Blocked request" error
# https://github.com/medusajs/medusa/issues/11067
RUN yarn build
RUN cd .medusa/server
CMD ["yarn", "start"]

You could refer to my dockerfiles posted in another thread: #1330938515340398764 message

Hey guys I am trying to dig into this, but just need to point out that you always need to run medusa start from the .medusa/server folder in V2. It's explained here: https://docs.medusajs.com/resources/medusa-cli/commands/build#run-built-medusa-application

I don't think this is related to above issue, but the production build will never work unless you run the project from there.

Hey that was worth clarifying, but I am already starting my server from .medusa/server on 2.2.0 and it works fine as you mentioning. The same setup on my dev branch on 2.3.1 gives that error. I've added the details of my configuration on the gh issue.

Are you using medusa start to start up your server, and is NODE_ENV production? In production the admin is served as a static project, so the allowedHosts field really should not matter. In develop however we do route requests through Vite to serve the dashboard in middleware mode, where it would matter.

Yes to both. And again, 2.2.0 works fine while 2.3.1 is not.

Can you share the URL of one of the requests that fails with the error? You can obviously replace the www.<your_site>.com part if you don't want to share that

I was able to fix this in my environment (Docker + Google Cloud Run). The final factor seemed to be setting NODE_ENV

# WORKING
# Current LTS Node
FROM node:22
WORKDIR /app
# Node dependencies
COPY crm/package.json .
COPY crm/yarn.lock .
RUN yarn install
# Copy remaining content of crm to /app
COPY crm/ .
# https://docs.medusajs.com/resources/medusa-cli/commands/build#run-built-medusa-application
RUN yarn build
WORKDIR /app/.medusa/server
RUN yarn install
ENV NODE_ENV=production
CMD ["yarn", "start"]

# BROKEN
# Current LTS Node
FROM node:22
WORKDIR /app
# Node dependencies
COPY crm/package.json .
COPY crm/yarn.lock .
RUN yarn install
# Copy remaining content of crm to /app
COPY crm/ .
# https://docs.medusajs.com/resources/medusa-cli/commands/build#run-built-medusa-application
RUN yarn build
WORKDIR /app/.medusa/server
RUN yarn
CMD ["yarn", "start"]

Oh, spoke too soon. The login page now loads but login requests go to localhost(!)

Makes me think backendUrl isn't being obeyed.

Yeh if I change localhost to my real URL using curl then I get a token.

How are you setting the backendUrl? If its in a .env file then you first of all need to copy the .env file into .medusa/server and it needs to be named .env.production, because Medusa only loads the production env file when NODE_ENV is production.

it's being set in the hosting environment via MEDUSA_BACKEND_URL

module.exports = defineConfig({
  projectConfig: {
    databaseUrl: process.env.DATABASE_URL,
    databaseSchema: process.env.DATABASE_SCHEMA ||
      "medusa",
    http: {
      storeCors: process.env.STORE_CORS!,
      adminCors: process.env.ADMIN_CORS!,
      authCors: process.env.AUTH_CORS!,
      jwtSecret: process.env.JWT_SECRET || "supersecret",
      cookieSecret: process.env.COOKIE_SECRET || "supersecret",
    }
  },
  admin: {
    backendUrl: process.env.MEDUSA_BACKEND_URL ||
      "http://localhost:9000"
  },
})

maybe my nesting is wrong?

hm no, seems to match docs

Nesting looks right, could you try and console.log process.env and check that the env is actually set?

that would take a little setting up but it's almost certainly OK based on the GCP console

It works fine when testing with one of our projects so I would ask you to validate that its actually being set in your environment. In any case as long as the admin is served directly from your Medusa server you don't need to set backendUrl at all, so unless you can provide some info for me to go on, I would reccomend that you just remove it entirely.

That's very helpful, thank you. I've removed that section of config and it works.

Glad to hear, I'd still be happy to hear if you ever log the env variables. If Medusa fails to load env variables in Google Cloud Run we would like to hear so we can fix that.

Yes it does seem odd. As far as I know, an env var is an env var, and Cloud Run doesn't do anything special. I use them in other projects without issue.