CSRF token: alternatives for the lack of time_limit in v0.14 #325

Open
riccardolorenzon opened this issue Feb 6, 2018 · 1 comment

@riccardolorenzon

I'm currently using Flask-WTF v0.13.1. I have a few forms on my website, all created including the CSRF token.

For some reason I have to set a different expiration on each form; so far I could manually set the time_limit value upon creating the CSRF token.

I would like to update to v0.14. According to the changelog, time_limit is gone, and there is no longer any reference in the docs on how to change it.
Looking in the source code, I saw that the form has a csrf_time_limit meta parameter.

I tried to set that parameter on my form:

from flask_wtf import FlaskForm
from wtforms import TextAreaField

class myForm(FlaskForm):
    class Meta:
        # Per-form CSRF token lifetime, in seconds
        csrf_time_limit = 7200

    content = TextAreaField('content')

However, debugging the csrf.py module, I see that the validate_csrf_token of _FlaskFormCSRF is actually never called.

The method validate_csrf is called within the method protect() instead; in this case the meta parameter is never considered.

I don't understand if this is a bug in the package or if I'm missing something.
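
A stdlib-only model of the situation reported above, added here as an illustration and not Flask-WTF's own code or token format: a request-wide check that always applies one default limit, next to a form-level check that passes each form's own limit. The key, the 3600-second default, the form names and limits, and every function name are assumptions made for the example.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # constructed value, not a real key
DEFAULT_LIMIT = 3600               # assumed global time limit (seconds)
FORM_LIMITS = {"comment": 7200, "transfer": 300}  # hypothetical forms


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_token(session_id, issued_at):
    """Return "<issued_at>.<session_id>.<hmac>" for one session."""
    payload = f"{issued_at}.{session_id}"
    return f"{payload}.{_sign(payload)}"


def validate_token(token, session_id, now, time_limit=DEFAULT_LIMIT):
    """Return None when the token is valid, otherwise the reason."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[0].isdecimal():
        return "malformed"
    issued_at, sid, sig = parts
    expected = _sign(f"{issued_at}.{sid}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "bad signature"
    if not hmac.compare_digest(sid.encode(), session_id.encode()):
        return "wrong session"
    if now - int(issued_at) > time_limit:
        return "expired"
    return None


def global_check(token, session_id, now):
    """Request-wide hook: it has no form object, so it uses the default."""
    return validate_token(token, session_id, now)


def per_form_check(form_name, token, session_id, now):
    """Form-level check: passes that form's own limit to the validator."""
    return validate_token(token, session_id, now, FORM_LIMITS[form_name])


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp
    tok = make_token("sess-a1", issued)
    for age in (600, 5000):
        print(age, global_check(tok, "sess-a1", issued + age),
              per_form_check("comment", tok, "sess-a1", issued + age),
              per_form_check("transfer", tok, "sess-a1", issued + age))
```

The mismatch cuts both ways: a form that wants a longer lifetime is rejected early by the global check, and a form that wants a shorter one silently gets the longer default.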

@riccardolorenzon

Any news about this? I would be more than happy to contribute with a PR, but I need to know first if this is a bug or if I'm missing something.

@azmeuk azmeuk added the csrf label Jul 29, 2020