Improve GraphQL Data Validation and Fix HTTPX Proxy Compatibility

[GrekF3]

Fixed incorrect behavior in HTTPX proxy handling, ensuring proper forwarding and compatibility across different proxy formats.

Improved GraphQL data guards to prevent incorrect data extraction and reduce unexpected runtime errors.

Adjusted internal validation logic to ensure safer and more predictable processing of GraphQL responses.

These changes improve reliability when working with proxies and enhance robustness of GraphQL-related operations.

[subzeroid]

Thanks for the patch! Going to close this — the repo has moved a lot since November 2025 (massive sync with instagrapi 2.4.4 across 0.1.x → 0.7.x), and most of what this PR does is now either already done a different way, or actively regresses something we changed.

Detailed breakdown:

Already in main (different implementation)

• APP_SETTINGS rotation (config.py +25, auth.py +84) — we already ported instagrapi 2.4.4's config.APP_SETTINGS (same two app versions: 364.0.0.35.86 + 385.0.0.47.74) and set_app(seed=) from upstream. config.py is byte-for-byte identical to instagrapi 2.4.4. See aiograpi/config.py:25 and aiograpi/mixins/auth.py:806.

• extract_direct_message xma_clip + xma_media_share — already handled, see aiograpi/extractors.py:466-478.

Regressions

• request(verify=False) (reqwests.py R86-R92) — would roll back our 0.6.6 TLS hardening. We default to verify=True now; opt-out is documented for SSL-MITM proxies.

Obsolete

• reqwests.py edits — file was renamed to httpx_ext.py in 0.1.1.
• httpx <0.28 / >=0.28 proxies vs proxy shim (_proxy_kwargs) — pyproject.toml pins httpx==0.28.1 exactly, so the dual-API shim has no live branch.
• Dual proxy/proxies setters in init.py — same reason.

Salvaged

• extract_reply_message xma_share/xma_clip — real bug, ported in 6daf5d0. Replies quoting reel/clip shares no longer drop xma_share.

Considered but skipped

• GraphQL raw_response= + data isinstance check — requires extending ClientGraphqlError constructor; unclear payoff given our existing GraphQL error path. Not portable in isolation.
• username_from_user_id defensive except Exception: — too broad, would mask real bugs.
• Challenge auth_platform → ChallengeUnknownStep — niche, only matters for one specific challenge URL pattern.
• Challenge bad-code retry × 3 — UX win on paper, but bad-code detection is a fragile localized-string match ("Please check the code we sent you and try again" in str(e)); doesn't trigger resend_code between attempts (so IG might just reject the same one-shot code again); worst-case extends polling from 2 min to 6 min on a broken handler. If we want this, it should match on error_type and call resend.
• private.py 400+empty → ConnectProxyError — debatable; could mask legit 400s from upstream.

If you want to revisit any of the "considered" items as smaller focused PRs against current main, happy to look. Closing this one.