Security fix
- Validate the account user password even when the session is cached (fixes #1583).
Since Kinto 8.2.0 the account plugin had a security flaw where the password wasn't verified during the session duration.
New features
- Add bucket and account creation permissions in the permissions endpoint (fixes #1510)
Bug fixes
- Reduce the OpenID state string length to fit in the PostgreSQL cache backend (fixes #1566)
Documentation
- Improve OpenID settings and API documentation
Internal Changes
- Now fully rely on Pyup.io (or contributors) to update the versions in the
requirements.txtfile (fixes #1512) - Move from importing pip to running it in a subprocess (see pypa/pip#5081).
- Remove useless print when using the OpenID policy (ref #1509)
- Try to recover from the race condition where two requests can delete the same record. (Fix #1557; refs #1407.)