Request refresh via API - recheck

I have a working solution now that performs a GitHub-based login and uses the CSRF for a refresh. Also, I found somebody else with the same problem and a similar solution: "Automate updating nodes to the Flow Library" - Creating Nodes - Node-RED Forum (nodered.org)

Interestingly, he is not using a login at all. Not requiring a login seems to be a security issue to me?

Also, during the automation of the refresh, I stumbled upon the fact that the redirect_uri that is used for the callback to the Node-RED site is HTTP and not HTTPS.
Is this on purpose? I would expect the whole login flow to be HTTPS-based to prevent man-in-the-middle attacks. So I see a security risk there as well.
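
The redirect_uri concern raised in the post above can be checked mechanically before a script follows an OAuth authorization URL. The following is an added example, not part of the original post or of Node-RED's code; `audit_authorize_url` is a hypothetical helper, and the client_id, state and callback hosts in the sample URLs are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# http is tolerated only for loopback callbacks (RFC 8252, native apps).
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

MESSAGES = {
    "endpoint-cleartext": "authorization endpoint is not https",
    "redirect-missing": "no redirect_uri parameter in the request",
    "redirect-cleartext": "redirect_uri is http on a non-loopback host; the "
                          "code and state in the callback travel unencrypted",
    "redirect-scheme": "redirect_uri uses an unexpected scheme",
    "state-missing": "no state parameter, so the callback is not bound "
                     "to this login attempt",
}

def audit_authorize_url(url):
    """Return finding codes for an OAuth 2.0 authorization request URL."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("endpoint-cleartext")
    params = parse_qs(parts.query)  # percent-decodes the values
    redirect_values = params.get("redirect_uri")
    if not redirect_values:
        findings.append("redirect-missing")
    else:
        redirect = urlsplit(redirect_values[0])
        host = (redirect.hostname or "").lower()
        if redirect.scheme == "http":
            if host not in LOOPBACK_HOSTS:
                findings.append("redirect-cleartext")
        elif redirect.scheme != "https":
            findings.append("redirect-scheme")
    if "state" not in params:
        findings.append("state-missing")
    return findings

# Constructed sample requests (hosts and identifiers are placeholders).
BASE = "https://github.com/login/oauth/authorize?client_id=CONSTRUCTED_ID"
SAMPLE_HTTP = BASE + "&state=abc123&redirect_uri=http%3A%2F%2Fflows.example.org%2Fcb"
SAMPLE_HTTPS = BASE + "&state=abc123&redirect_uri=https%3A%2F%2Fflows.example.org%2Fcb"
SAMPLE_LOOPBACK = BASE + "&state=abc123&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2Fcb"
SAMPLE_NO_STATE = BASE + "&redirect_uri=https%3A%2F%2Fflows.example.org%2Fcb"

if __name__ == "__main__":
    for name in ("SAMPLE_HTTP", "SAMPLE_HTTPS", "SAMPLE_LOOPBACK", "SAMPLE_NO_STATE"):
        codes = audit_authorize_url(globals()[name])
        print(name, [MESSAGES[c] for c in codes] or "ok")
```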