I wanted to follow up on this subject, I personally feel that CSRF should be leveraged in any authentication request through a web browser. However I know you are looking for a more in-depth response. So I will see if I can find a senior engineer to elaborate more.