I was wondering if maybe some new developments have changed the story in the meantime? Are there now options to do some automated access towards the portal to refresh a node via an automated way?
Interestingly, he is not using a login at all. Not requiring a login seems to be a security issue to me?
Also, during the automation of the refresh, I stumbled upon the fact that the redirect_uri that is used for the callback to the node-red site is http and not https.
Is this on purpose? I would expect the whole login flow to be https based to prevent man-in-the-middle attacks. So I see a security risk there as well.
It doesn't require a login to request a refresh, but you do need a CSRF token. There is not a lot to gain by putting the refresh request behind a login - it doesn't do anything if there is no update available.
Thanks for highlighting - now fixed.
In general, if you have concerns about security issues, it's best to raise them with us privately rather than air them in a public forum - just in case there is a genuine issue. That allows us to address any potential issue before it is made public and could get exploited.