Tiled

Changed

- Updated OIDC Authenticator configuration to expect `well_known_uri` and
`audience` and to no longer expect `token_uri`, `authorization_endpoint` and
`public_keys`, which can be fetched at initialization (server startup) time.
See examples `example_configs/orcid_auth.yml`,
`example_configs/google_auth.yml`, and `example_configs/simple_oidc`.

Maintenance

- Addressed DeprecationWarnings from Python and dependencies
- Update AccessPolicy Docs to match new filter arguments
- Refactored intialization of dask DataFrame to be compatible with dask 2025.1

Added

- `docker-compose.yml` now uses the healthcheck endpoint `/healthz`
- In client, support specifying API key expiration time as string with
units, like ``"7d"` or `"10m"`.
- Fix bug where access policies were not applied to child nodes during request
- Add metadata-based access control to SimpleAccessPolicy
- Add example test of metadata-based allowed_scopes which requires the path to the target node
- Added Helm chart with deployable default configuration

Fixed

- Bug in Python client resulted in error when accessing data sources on a
just-created object.
- Fix bug where access policies were not applied to child nodes during request

Changed

- The argument `prompt_for_reauthentication` is now ignored and warns.
Tiled will never prompt for reauthentication after the client is constructed;
if a session expires or is revoked, it will raise `CannotRefreshAuthentication`.
- The arguments `username` and `password` have been removed from the client
constructor functions. Tiled will always prompt for these interactively.
See the Authentication How-to Guide for more information, including on
how applications built on Tiled can customize this.
- The argument `remember_me` has been added to the client constructor
functions and to `Context.authenticate` and its alias `Context.login`.
This can be used to clear and avoid storing any tokens related to
the session.
- Change access policy API to be async for filters and allowed_scopes
- Pinned zarr to `<3` because Zarr 3 is still working on adding support for
certain features that we rely on from Zarr 2.

Added

- Add HTTP endpoint `PATCH /array/full/{path}` to enable updating and
optionally _extending_ an existing array.
- Add associated Python client method `ArrayClient.patch`.
- Hook to authentication prompt to make password login available without TTY.

Fixed

- Fix curl and httpie installation in docker image.
- Minor fix to api key docs to reflect correct CLI usage.
- Fix the construction of urls by passing query parameters as kwargs,
adapting to a behavior change in httpx v0.28.0.

Changed

- Switch from appdirs to platformdirs.

Added

- Add adapters for reading back assets with the image/jpeg and
multipart/related;type=image/jpeg mimetypes.
- Automatic reshaping of tiff data by the adapter to account for
extra/missing singleton dimension
- Add a check for the `openpyxcl` module when importing excel serializer.

Changed

- Drop support for Python 3.8, which is reached end of life
upstream on 7 October 2024.
- Do not require SQL database URIs to specify a "driver" (Python
library to be used for connecting).

Fixed

- A regression in the container broke support for `tiled register ...` and
`tiled serve directory ...`. When these became client-side operations, the
container needed to add the client-side dependencies to support them.

- Add kwarg to client logout to auto-clear default identity.
- Do not automatically enter username if default identity is used.
- Add API route and Python client method enabling admins to
reokve API keys belonging to any user or service.

Added

- Added support for explicit units in numpy datetime64 dtypes.

Fixed

- Follow-up fix to compatibility with Starlette v0.38.0
- Adapt to change in dask public API in dask 2024.9.0.