Update metadata info view

assets/templates/html/pasteMeta.html.tmpl

@@ -1,3 +1,36 @@
 {{define "title"}}
-'{{.Paste.Key}}' meta info - rushlink
+'{{.Paste.Key}}{{.FileExt}}' metadata - rushlink
+{{end}}
+
+{{define "body"}}
+<pre>
+<a href="{{.Host}}/{{.Paste.Key}}{{.FileExt}}">{{.Host}}/{{.Paste.Key}}{{.FileExt}}</a>
+---
+{{if and (ne .Paste.State.String "deleted") .CanDelete.Bool}}
+with delete token: <a href="{{.Host}}/{{.Paste.Key}}{{.FileExt}}?deleteToken={{.Request.URL.Query.Get "deleteToken"}}">{{.Host}}/{{.Paste.Key}}{{.FileExt}}?deleteToken={{.Request.URL.Query.Get "deleteToken"}}</a>
+{{else -}}
+with delete token: &lt;unknown&gt;
+{{end -}}
+type: {{.Paste.Type}}
+state: {{.Paste.State}}
+{{if .Paste.TimeCreated.IsZero -}}
+created: unknown
+{{else -}}
+created: {{.Paste.TimeCreated}}
+{{end -}}
+delete token: {{.CanDelete.String}}
+
+{{if and (ne .Paste.State.String "deleted") .CanDelete.Bool}}
+```
+# To delete this {{.Paste.Type}}, execute:
+{{- /*
+    We have the option here to take the deleteToken from the user request or
+    from .Paste.  Both are equivalent as long as .CanDelete is correct.  We
+    use the .Request value, because leaking the deleteToken would be a more
+    dramatic vulnerability.
+*/}}
+curl --request "DELETE" "<a href="{{.Host}}/{{.Paste.Key}}{{.FileExt}}?deleteToken={{.Request.URL.Query.Get "deleteToken"}}">{{.Host}}/{{.Paste.Key}}{{.FileExt}}?deleteToken={{.Request.URL.Query.Get "deleteToken"}}"</a>
+```
+</pre>
+{{end}}
 {{end}}

assets/templates/txt/pasteMeta.txt.tmpl

@@ -1,17 +1,27 @@
-METADATA on <{{.Host}}/{{.Paste.Key}}>:
+{{.Host}}/{{.Paste.Key}}{{.FileExt}}
-
+---
-TYPE: {{.Paste.Type}}
+{{if and (ne .Paste.State.String "deleted") .CanDelete.Bool}}
-STATE: {{.Paste.State}}
+with delete token: {{.Host}}/{{.Paste.Key}}{{.FileExt}}?deleteToken={{.Request.URL.Query.Get "deleteToken"}}
-{{if .Paste.TimeCreated.IsZero -}}
-CREATED: undefined
 {{else -}}
-CREATED: {{.Paste.TimeCreated}}
+with delete token: <unknown>
+{{end -}}type: {{.Paste.Type}}
+state: {{.Paste.State}}
+{{if .Paste.TimeCreated.IsZero -}}
+created: unknown
+{{else -}}
+created: {{.Paste.TimeCreated}}
 {{end -}}
-DELETE TOKEN: {{.CanDelete.String}}
+delete token: {{.CanDelete.String}}
 
 {{if and (ne .Paste.State.String "deleted") .CanDelete.Bool}}
 ```
 # To delete this {{.Paste.Type}}, execute:
-curl --request "DELETE" "{{.Host}}/{{.Paste.Key}}?deleteToken={{.Request.URL.Query.Get "deleteToken"}}"
+{{- /*
+    We have the option here to take the deleteToken from the user request or
+    from .Paste.  Both are equivalent as long as .CanDelete is correct.  We
+    use the .Request value, because leaking the deleteToken would be a more
+    dramatic vulnerability.
+*/ -}}
+curl --request "DELETE" "{{.Host}}/{{.Paste.Key}}{{.FileExt}}?deleteToken={{.Request.URL.Query.Get "deleteToken"}}"
 ```
 {{end}}

handlers.go

@@ -93,6 +93,7 @@ func (rl *rushlink) viewPasteHandlerInner(w http.ResponseWriter, r *http.Request
 	var p *db.Paste
 	var fuID *uuid.UUID
 	var fu *db.FileUpload
+	var fileExt string
 	if err := rl.db.Bolt.View(func(tx *bolt.Tx) error {
 		var err error
 		p, err = db.GetPaste(tx, key)
@@ -107,6 +108,7 @@ func (rl *rushlink) viewPasteHandlerInner(w http.ResponseWriter, r *http.Request
 			if err != nil {
 				return err
 			}
+			fileExt = filepath.Ext(fu.FileName)
 		}
 		return nil
 	}); err != nil {
@@ -137,6 +139,7 @@ func (rl *rushlink) viewPasteHandlerInner(w http.ResponseWriter, r *http.Request
 
 		data := map[string]interface{}{
 			"Paste":     p,
+			"FileExt":   fileExt,
 			"CanDelete": canDelete,
 		}
 		rl.render(w, r, "pasteMeta", data)
@@ -210,10 +213,7 @@ func (rl *rushlink) newFileUploadPasteHandler(w http.ResponseWriter, r *http.Req
 	}); err != nil {
 		panic(err)
 	}
-	data := map[string]interface{}{
+	data := map[string]interface{}{"Paste": paste, "FileUpload": fu}
-		"Paste":      paste,
-		"FileUpload": fu,
-		"FileExt":    filepath.Ext(fu.FileName)}
 	rl.render(w, r, "newFileUploadPasteSuccess", data)
 }