Releases: Query-farm/vgi-rpc-python
Releases · Query-farm/vgi-rpc-python
v0.6.8
What's Changed
- Request offline access for external frontends: When
return_tois set, the OAuth authorization URL now includesaccess_type=offlineandprompt=consentso Google returns arefresh_token. This lets external frontends (e.g. DuckDB WASM) silently refresh expired id_tokens without user interaction.
v0.6.7
What's Changed
- External frontend redirect now includes OAuth metadata: The URL fragment on
return_toredirects now passesrefresh_token,token_endpoint,client_id,client_secret, anduse_id_tokenso external frontends can refresh tokens independently. - Token exchange returns refresh_token:
_exchange_code_for_tokennow returns a 3-tuple(token, max_age, refresh_token). - All fragment values are URL-encoded via
urllib.parse.quote.
v0.6.6
What's Changed
- OAuth PKCE external frontend support: Session cookie wire format bumped to v4 with a new
return_tofield. External frontends can pass_vgi_return_toquery parameter to receive auth tokens via URL fragment redirect instead of cookies. - Bug fix: Fixed session cookie cleanup path mismatch in the external redirect branch — the cookie path now correctly matches where it was set (
{prefix}/_oauth/), ensuring browsers actually delete it. - Lint fixes: Sorted
__slots__, import ordering, and indentation cleanup.
v0.6.5
Changes
- HTTP 500 → 200 for server errors: Server errors are now returned as HTTP 200 with an
X-VGI-RPC-Error: trueheader. This ensures clients that discard response bodies on 5xx status codes still receive the Arrow IPC error metadata. Client errors (400/401/404/415) remain unchanged. - CORS:
X-VGI-RPC-Erroris now included in the CORS expose headers. - OAuth PKCE: Added browser-based OAuth PKCE flow support and fixed mypy/ty strict type narrowing issues.
v0.6.4
What's new
- Access-Control-Max-Age on CORS preflight:
make_wsgi_app()now accepts acors_max_ageparameter (default 7200 seconds / 2 hours). Whencors_originsis set, OPTIONS responses include theAccess-Control-Max-Ageheader so browsers cache preflight results. - External storage logging improvements: Externalize log messages now report both raw IPC size and uploaded (post-compression) size. SHA-256 docstring corrected to clarify it covers pre-compression bytes.
v0.6.3
Add X-VGI-Content-Encoding to CORS exposed headers.
Access-Control-Expose-Headers now includes X-VGI-Content-Encoding so browser clients can detect zstd-compressed responses cross-origin.
v0.6.2
Expose WWW-Authenticate and X-Request-ID in CORS headers.
Browsers cannot read non-safelisted response headers from cross-origin responses unless they appear in Access-Control-Expose-Headers. These headers are now always exposed when CORS is enabled:
- WWW-Authenticate — needed for OAuth discovery from 401 responses
- X-Request-ID — for client-side debugging
v0.6.1
Changes
- Exempt CORS preflight OPTIONS requests from authentication middleware — browsers do not send credentials on preflight, so auth rejection was blocking cross-origin access.
v0.6.0
v0.6.0 — Synchronized release
All three vgi-rpc implementations (Python, Go, TypeScript) are now at feature parity and share this version number.
What's in this release
- SHA-256 checksums for external storage pointer batches (
vgi_rpc.location.sha256) - Compute SHA-256 of raw IPC bytes on externalize, verify on resolve/fetch
- Backward compatible — absent checksum skips verification
- Default HTTP prefix changed from
/vgito""(empty) - 12 new SHA-256 tests (8 unit + 4 HTTP transport)
- 2,448 tests passing
Feature parity with Go and TypeScript
All three implementations now support: wire protocol v1, describe v3, unary/producer/exchange streams, HTTP server/client, bearer/JWT/mTLS/OAuth auth, OpenTelemetry, dispatch hooks, HTML pages, external storage with SHA-256, S3 and GCS backends.
v0.1.27
Changes
- Default HTTP prefix changed from
/vgito""(root). Endpoints now live at the root by default (e.g./bind,/init). Users who need a prefix can still pass--prefix /vgi. - Client functions (
http_connect,http_capabilities, etc.) now auto-detect prefix from_SyncTestClient.prefixwhen not explicitly passed. - CI lint job now runs before tests for faster failure feedback.