As far as I understand it, a CSRF check should be done on any requests that change the state.
If this is the case, shouldn't all POST requests have a CSRF check?
If this isn't the case, what exceptions are there?
The origin of this question is a tutorial on Managing Session Cookies with Firebase. They use CSRF checks for the initial login step but not for a POST request later:
https://firebase.google.com/docs/auth/admin/manage-cookies#node.js_2
TL;DR:
As you mentioned, in a CSRF attack an attacker looks to perform a state-changing operation such as modifying the profile's email address, transferring money, etc.
Any post-authentication request that triggers any operation on the server should be validated. Implementing CSRF protection on a log-in screen makes no sense, as the attacker would need to know the user's password, and if he knows the user's password the CSRF attack is redundant. (Disclaimer - in some edge cases, such as chaining with self-XSS, CSRF on a login screen could assist an attacker.)
Requests that simply return data but do not perform any action do not require CSRF protection, as in a CSRF attack the attacker won't have access to the server's response.
CSRF attacks are made possible because cookies are automatically sent by the browser to the corresponding domain, without requiring any programmatic trigger or user interaction. This also means that putting a CSRF token in a cookie makes no sense and won't actually mitigate CSRF.
That said, there is more than one way to mitigate CSRF attacks:
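One way to apply the rule described in the answer to post-authentication requests, shown as an added example that is not part of the original answer or the Firebase tutorial: state-changing methods must carry a session-bound token in something the browser does not attach on its own. The `session` cookie name, the `x-csrf-token` header, the secret and the plain-object request shape are assumptions made for the sketch.

```javascript
// Added example: session-bound CSRF token check for state-changing requests.
const crypto = require('node:crypto');

// Assumption: a per-deployment secret kept server-side (constructed value).
const SERVER_SECRET = 'constructed-demo-secret';
// Read-only methods are skipped: the attacker cannot read the response anyway.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Token = HMAC(secret, sessionId), so the server stores nothing per token.
function issueCsrfToken(sessionId, secret = SERVER_SECRET) {
  return crypto.createHmac('sha256', secret).update(sessionId).digest('hex');
}

// `req` is a plain object { method, cookies, headers } (hypothetical shape).
// Returns { ok, reason } so callers can log why a request was rejected.
function checkCsrf(req, secret = SERVER_SECRET) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { ok: true, reason: 'safe method' };
  }
  const sessionId = req.cookies && req.cookies.session;
  if (!sessionId) return { ok: false, reason: 'no session' };
  // The session cookie is sent automatically on cross-site requests, so the
  // token is read from a custom header, never from a cookie.
  const presented = req.headers && req.headers['x-csrf-token'];
  if (typeof presented !== 'string') return { ok: false, reason: 'missing token' };
  const expected = Buffer.from(issueCsrfToken(sessionId, secret));
  const got = Buffer.from(presented);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) {
    return { ok: false, reason: 'token mismatch' };
  }
  return { ok: true, reason: 'valid token' };
}

// Constructed sample requests.
const session = 'sess-1234';
const samples = [
  { method: 'GET', cookies: { session }, headers: {} },
  { method: 'POST', cookies: { session }, headers: {} }, // cookie only
  { method: 'POST', cookies: { session },
    headers: { 'x-csrf-token': issueCsrfToken(session) } },
];
for (const r of samples) console.log(r.method, checkCsrf(r));
```

A POST that arrives with only the session cookie is rejected with `missing token`, which is the request shape a cross-site form submission produces.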