Add staticfile finder to limit exposure

Author: codingjoe

README.md

@@ -30,12 +30,16 @@ INSTALLED_APPS = [
 ]
 ```
 
-Next, add the `node_modules` directory to your staticfiles directories:
+Next, add a new staticfiles finder to your `STATICFILES_FINDERS` setting:
 
 ```python
 # settings.py
-STATICFILES_DIRS = [
-    BASE_DIR / "node_modules",
+STATICFILES_FINDERS = [
+    # Django's default finders
+    "django.contrib.staticfiles.finders.FileSystemFinder",
+    "django.contrib.staticfiles.finders.AppDirectoriesFinder",
+    # django-esm finder
+    "django_esm.finders.ESMFinder",
 ]
 ```
 

django_esm/finders.py

@@ -0,0 +1,58 @@
+import functools
+import json
+
+from django.conf import settings
+from django.contrib.staticfiles.finders import BaseFinder
+from django.contrib.staticfiles.utils import matches_patterns
+from django.core.checks import Error
+
+from . import storages, utils
+
+
+class ESMFinder(BaseFinder):
+    def __init__(self, apps=None, *args, **kwargs):
+        self.apps = apps or []
+        super().__init__(*args, **kwargs)
+
+    def check(self, **kwargs):
+        return [*self._check_package_json()]
+
+    def _check_package_json(self):
+        if not (settings.BASE_DIR / "package.json").exists():
+            return [
+                Error(
+                    "package.json not found",
+                    hint="Run `npm init` to create a package.json file.",
+                    obj=self,
+                    id="django_esm.E001",
+                )
+            ]
+        return []
+
+    def find(self, path, all=False):
+        if path in self.all:
+            return [path] if all else path
+        return []  # this method has a strange return type
+
+    def list(self, ignore_patterns):
+        return self._list(*ignore_patterns)
+
+    @staticmethod
+    @functools.lru_cache()
+    def _list(*ignore_patterns):
+        with (settings.BASE_DIR / "package.json").open() as f:
+            package_json = json.load(f)
+
+        return [
+            (path, storages.root_storage)
+            for mod, path in utils.parse_root_package(package_json)
+            if not matches_patterns(path, ignore_patterns)
+        ] + [
+            (path, storages.node_modules_storage)
+            for mod, path in utils.parse_dependencies(package_json)
+            if not matches_patterns(path, ignore_patterns)
+        ]
+
+    @functools.cached_property
+    def all(self):
+        return [path for path, storage in self.list([])]

django_esm/storages.py

@@ -0,0 +1,9 @@
+from django.conf import settings
+from django.core.files.storage import FileSystemStorage
+
+root_storage = FileSystemStorage(
+    location=settings.BASE_DIR, base_url=settings.STATIC_URL
+)
+node_modules_storage = FileSystemStorage(
+    location=settings.BASE_DIR / "node_modules", base_url=settings.STATIC_URL
+)

django_esm/templatetags/esm.py

@@ -3,6 +3,7 @@
 
 from django import template
 from django.conf import settings
+from django.contrib.staticfiles.storage import staticfiles_storage
 from django.utils.safestring import mark_safe
 
 from .. import utils
@@ -11,24 +12,18 @@
 
 
 @register.simple_tag
+@functools.lru_cache()
 def importmap():
-    fn = _importmap if settings.DEBUG else _cached_importmap
-    return fn()
-
-
-functools.lru_cache()
-
-
-def _cached_importmap():
-    return _importmap()
-
-
-def _importmap():
     with (settings.BASE_DIR / "package.json").open() as f:
         package_json = json.load(f)
+
+    imports = dict(utils.parse_root_package(package_json)) | dict(
+        utils.parse_dependencies(package_json)
+    )
+
     return mark_safe(  # nosec
         json.dumps(
-            {"imports": dict(utils.parse_root_package(package_json))},
+            {"imports": {k: staticfiles_storage.url(v) for k, v in imports.items()}},
             indent=2 if settings.DEBUG else None,
             separators=None if settings.DEBUG else (",", ":"),
         )

django_esm/utils.py

@@ -1,11 +1,11 @@
+from __future__ import annotations
+
 import itertools
 import json
 import re
 from pathlib import Path
 
 from django.conf import settings
-from django.contrib.staticfiles.finders import get_finders
-from django.contrib.staticfiles.storage import staticfiles_storage
 
 
 def parse_root_package(package_json):
@@ -26,32 +26,32 @@ def parse_root_package(package_json):
         url = mod
         if mod[0] in [".", "/"]:
             # local file
-            yield from get_static_from_abs_path(module_name, settings.BASE_DIR / mod)
+            yield from get_static_from_abs_path(
+                module_name, settings.BASE_DIR / mod, settings.BASE_DIR
+            )
         else:
             yield module_name, url
 
+
+def parse_dependencies(package_json):
     for dep_name, dep_version in package_json.get("dependencies", {}).items():
         yield from parse_package_json(settings.BASE_DIR / "node_modules" / dep_name)
 
 
-def get_static_from_abs_path(mod: str, path: Path):
-    for finder in get_finders():
-        for storage in finder.storages.values():
-            try:
-                rel_path = path.relative_to(Path(storage.location).resolve())
-            except ValueError:
-                pass
-            else:
-                if "*" in mod:
-                    for match in Path(storage.location).rglob(
-                        str(rel_path).replace("*", "**/*")
-                    ):
-                        sp = str(match.relative_to(Path(storage.location).resolve()))
-                        pattern = re.escape(str(rel_path)).replace(r"\*", r"(.*)")
-                        bit = re.match(pattern, sp).group(1)
-                        yield mod.replace("*", bit), staticfiles_storage.url(sp)
-                else:
-                    yield mod, staticfiles_storage.url(str(rel_path))
+def get_static_from_abs_path(mod: str, path: Path, location: Path):
+    try:
+        rel_path = path.relative_to(location.resolve())
+    except ValueError:
+        pass
+    else:
+        if "*" in mod:
+            for match in location.rglob(str(rel_path).replace("*", "**/*")):
+                sp = str(match.relative_to(location.resolve()))
+                pattern = re.escape(str(rel_path)).replace(r"\*", r"(.*)")
+                bit = re.match(pattern, sp).group(1)
+                yield mod.replace("*", bit), sp
+        else:
+            yield mod, str(rel_path)
 
 
 # There is a long history how ESM is supported in Node.js
@@ -101,7 +101,9 @@ def parse_package_json(path: Path = None):
         module = next(find_default_key(module))
 
         yield from get_static_from_abs_path(
-            str(Path(name) / module_name), path / module
+            str(Path(name) / module_name),
+            path / module,
+            settings.BASE_DIR / "node_modules",
         )
 
     for dep_name, dep_version in dependencies.items():

tests/test_finders.py

@@ -0,0 +1,47 @@
+from django.contrib.staticfiles.finders import get_finder
+from django.core.checks import Error
+
+from django_esm import storages
+
+
+class TestESMFinder:
+    finder = get_finder("django_esm.finders.ESMFinder")
+
+    def test_find(self):
+        assert self.finder.find("foo") == []
+        assert (
+            self.finder.find("testapp/static/js/index.js")
+            == "testapp/static/js/index.js"
+        )
+        assert (
+            self.finder.find("testapp/static/js/components/index.js")
+            == "testapp/static/js/components/index.js"
+        )
+        assert self.finder.find("lit-html/lit-html.js", all=True) == [
+            "lit-html/lit-html.js"
+        ]
+        assert self.finder.find("foo/bar.js") == []
+
+    def test_list(self):
+        all_files = self.finder.list([])
+        assert ("testapp/static/js/index.js", storages.root_storage) in all_files
+        assert (
+            "testapp/static/js/components/index.js",
+            storages.root_storage,
+        ) in all_files
+        assert ("lit-html/lit-html.js", storages.node_modules_storage) in all_files
+        assert ("htmx.org/dist/htmx.min.js", storages.node_modules_storage) in all_files
+
+    def test_check(self, settings):
+        assert not self.finder.check()
+
+        settings.BASE_DIR = settings.BASE_DIR / "foo"
+
+        assert self.finder.check() == [
+            Error(
+                "package.json not found",
+                hint="Run `npm init` to create a package.json file.",
+                obj=self.finder,
+                id="django_esm.E001",
+            )
+        ]

tests/test_utils.py

@@ -1,6 +1,7 @@
 from pathlib import Path
 
 import pytest
+from django.conf import settings
 
 from django_esm import utils
 
@@ -9,16 +10,20 @@
 
 def test_parse_root_package(package_json):
     import_map = dict(utils.parse_root_package(package_json))
-    assert import_map["htmx.org"] == "/static/htmx.org/dist/htmx.min.js"
-    assert import_map["lit"] == "/static/lit/index.js"
+    assert import_map["#index"] == "testapp/static/js/index.js"
+    assert import_map["#components/index.js"] == "testapp/static/js/components/index.js"
+    assert import_map["#htmx"] == "https://unpkg.com/htmx.org@1.9.10"
+
+
+def test_parse_dependencies(package_json):
+    import_map = dict(utils.parse_dependencies(package_json))
+    assert import_map["lit-html"] == "lit-html/lit-html.js"
+    assert import_map["htmx.org"] == "htmx.org/dist/htmx.min.js"
+    assert import_map["lit"] == "lit/index.js"
     assert (
         import_map["@lit/reactive-element"]
-        == "/static/%40lit/reactive-element/reactive-element.js"
+        == "@lit/reactive-element/reactive-element.js"
     )
-    assert import_map["lit-html"] == "/static/lit-html/lit-html.js"
-    assert import_map["#index"] == "/static/js/index.js"
-    assert import_map["#components/index.js"] == "/static/js/components/index.js"
-    assert import_map["#htmx"] == "https://unpkg.com/htmx.org@1.9.10"
 
 
 def test_parse_root_package__bad_imports(package_json):
@@ -47,4 +52,8 @@ def test_cast_exports():
 
 
 def test_get_static_from_abs_path():
-    assert not list(utils.get_static_from_abs_path("#some-module", Path("/foo/bar")))
+    assert not list(
+        utils.get_static_from_abs_path(
+            "#some-module", Path("/foo/bar"), settings.BASE_DIR
+        )
+    )

tests/testapp/settings.py

@@ -80,3 +80,8 @@
 STATICFILES_DIRS = [
     BASE_DIR / "node_modules",
 ]
+STATICFILES_FINDERS = [
+    "django.contrib.staticfiles.finders.FileSystemFinder",
+    "django.contrib.staticfiles.finders.AppDirectoriesFinder",
+    "django_esm.finders.ESMFinder",
+]