i'm pretty sure that's the case
i'm pretty sure doing a CSRF on auth with Mastodon and OmniAuth doesn't give an attacker anything
that was considered a vulnerability in flows were logging in using OmniAuth would associate a remote identity to an existing local account (thus giving the remote identity access to the local account, and if an attacker somehow manages to get their victim to log in as the attacker on the remote identity provider… they'd have access to that local account)
except in our case, logging in through OmniAuth just logs into an account 100% determined by the remote identity and does not bind an existing local account to a remote identity, i think? i'd have to check but yeah i don't think an attacker can do much
then we can drop the CSRF protections on that endpoint and restore the redirect flow
This is a small personal instance running on a couple small ARM servers at home.