But is unclear if the HTTP request parameters can be accessed here, so for example a simple token (pre shared key) authentication could be implemented.
It is needed to make it possible for iPhone "web app on home screen" to work properly. Regular Basic Authentication is not remembered (neither the login session nor the username/password), so it must be typed in very, very often.
Yes, that is a problem and I have also experienced that exact issue. I blame apple.
You can create your own authentication system and insert the relevant middleware in the settings.js file at the sections that make reference to middleware. Of course, you will have to turn off the built-in httpNodeAuth to do this.
Personally, I have done this for myself and kept it private due to it probably lacking adequate security. If you don't need multiple users with various access levels, then you may be able to run a proxy in front of your node-red and do the authentication there. I have no idea how that works, but it has been suggested many times in the forum as a safer option.