Description
Currently, to use CSRF tokens in a form, an additional GET request has to be created to somehow redirect the user twice in order to add the CSRF guard. This is not ideal, as developers have to write additional code.
To reproduce, run your minimal example, open an incognito tab, and directly go to http://127.0.0.1:8000/comments/new.
This sort of behaviour is a bug that won't be caught by 99% of developers using this library, and a mitigation should be done. I believe that the CSRF token generator should be separate from the token verifier, and that the guard's `from_request` implementation should verify the token itself instead of relying on developers to manually verify the code.
Compare the code rocket_csrf makes developers write with the code in flask_wtf.csrf, where all you need to do is write four lines of code and you get global POST form protection.
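The separation the issue asks for (a generator that only issues tokens, and a `from_request`-style guard that does the verification itself) sketched as a self-contained Rust example. This is added illustration, not rocket_csrf's code or API: it does not depend on Rocket, `TokenStore`, `TokenGenerator`, `Request`, `csrf_guard` and `Rejection` are all hypothetical names, and the token source is passed in as a closure so the demo makes no claim about randomness (a real implementation would use a CSPRNG and keep the token in a private session cookie).

```rust
use std::collections::HashMap;
use std::fmt::Write as _;

/// Per-session CSRF token storage. In a real app this is the private
/// (signed/encrypted) session cookie or a server-side session store.
#[derive(Default)]
pub struct TokenStore {
    tokens: HashMap<String, String>,
}

/// Generator: issues a token for a session and records it. It knows nothing
/// about verification, so the form-rendering route is the only place it is used.
pub struct TokenGenerator<R: FnMut() -> [u8; 16]> {
    random: R, // assumption: caller supplies the random source (CSPRNG in production)
}

impl<R: FnMut() -> [u8; 16]> TokenGenerator<R> {
    pub fn new(random: R) -> Self {
        Self { random }
    }

    /// Return the session's token, issuing one on first use, for embedding in the form.
    pub fn token_for(&mut self, store: &mut TokenStore, session_id: &str) -> String {
        if let Some(t) = store.tokens.get(session_id) {
            return t.clone();
        }
        let mut hex = String::with_capacity(32);
        for b in (self.random)() {
            write!(hex, "{:02x}", b).unwrap();
        }
        store.tokens.insert(session_id.to_string(), hex.clone());
        hex
    }
}

/// Minimal stand-in for an incoming request (hypothetical shape, not Rocket's).
pub struct Request<'a> {
    pub method: &'a str,
    pub session_id: Option<&'a str>,
    pub form: HashMap<&'a str, &'a str>,
}

/// The guard value: a handler that takes this parameter cannot run unverified.
#[derive(Debug, PartialEq)]
pub struct CsrfVerified;

#[derive(Debug, PartialEq)]
pub enum Rejection {
    NoSession,
    MissingToken,
    TokenMismatch,
}

/// Constant-time comparison so the verifier does not leak how many leading
/// bytes matched through timing.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Verifier: the `from_request`-style entry point. Safe methods pass through;
/// state-changing requests must carry the token that was issued to their session.
pub fn csrf_guard(req: &Request, store: &TokenStore) -> Result<CsrfVerified, Rejection> {
    if matches!(req.method, "GET" | "HEAD" | "OPTIONS") {
        return Ok(CsrfVerified);
    }
    let session = req.session_id.ok_or(Rejection::NoSession)?;
    // A fresh (e.g. incognito) session that never rendered the form has no token: reject.
    let expected = store.tokens.get(session).ok_or(Rejection::NoSession)?;
    let supplied = req.form.get("csrf_token").ok_or(Rejection::MissingToken)?;
    if ct_eq(expected.as_bytes(), supplied.as_bytes()) {
        Ok(CsrfVerified)
    } else {
        Err(Rejection::TokenMismatch)
    }
}

fn main() {
    let mut store = TokenStore::default();
    // Constructed, non-random token source for the demo only.
    let mut gen = TokenGenerator::new(|| [0x42u8; 16]);
    let token = gen.token_for(&mut store, "sess-a");

    let mut form = HashMap::new();
    form.insert("csrf_token", token.as_str());
    let good = Request { method: "POST", session_id: Some("sess-a"), form };
    println!("legitimate POST: {:?}", csrf_guard(&good, &store));

    let cold = Request { method: "POST", session_id: None, form: HashMap::new() };
    println!("cold incognito POST: {:?}", csrf_guard(&cold, &store));
}
```

The point of the split is that a handler declaring a `CsrfVerified` parameter gets verification for free, which is the "four lines and you're protected" experience the issue compares against; the generator is only needed where the form is rendered.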