From a1de71615b105d1a50d11a821b7dddbda4efc22d Mon Sep 17 00:00:00 2001
From: Amir Hasanbasic <43892661+hamir-suspect@users.noreply.github.com>
Date: Tue, 14 May 2024 11:03:04 +0200
Subject: [PATCH] Sync with upstream  (#2)

* Exclude empty paths from spec (#583)

* Exclude empty paths from spec

* fix: assert_operation_response header lookup (#584)

* fix: assert_operation_response header lookup

* Release version 3.18.1

* Fix 'AllOf cast returns a map, but I expected a struct' (#592)

* Add failing test

* Cast result of AllOf cast into a struct

* Shorter module name

* Add missing NoneCache test

* Release version 3.18.2

* Relax dependency constraint on ymlr to allow version ~> 5.0 (#586)

* relax dependency on ymlr, and fix some tests

* test with more elixir versions

* Update Elixir version test matrix (#602)

* Update Elixir version test matrix

* Fix map key order dependent test

* Release version 3.18.3

* Support response code ranges

See: https://swagger.io/docs/specification/describing-responses/

* Release version 3.19.0

* Add notice that body params are not merged into Conn.params whne using cast and validate plug (#589)

* Set nonces on <script> and <style> elements if configured (#593)

* Allow script and style nonces

* Allow nonces on the SwaggerUIOAuth2Redirect plug as well

---------

Co-authored-by: Alisina Bahadori <alisina.bm@gmail.com>
Co-authored-by: Matt Sutkowski <msutkowski@gmail.com>
Co-authored-by: Dimitris Zorbas <dimitrisplusplus@gmail.com>
Co-authored-by: Angelika Tyborska <angelikatyborska@fastmail.com>
Co-authored-by: Aleksandr Lossenko <aleksandr.lossenko@memsource.com>
Co-authored-by: Nathan Alderson <me@nathanalderson.com>
---
 .github/workflows/elixir.yml                  |  21 ++-
 CHANGELOG.md                                  |  20 +++
 .../phoenix_app/lib/phoenix_app_web/router.ex |   9 +-
 lib/open_api_spex/cast/all_of.ex              |   8 +-
 lib/open_api_spex/cast/utils.ex               |  16 +-
 lib/open_api_spex/operation_builder.ex        |   5 +
 lib/open_api_spex/path_item.ex                |  23 +--
 lib/open_api_spex/plug/cast_and_validate.ex   |   2 +
 lib/open_api_spex/plug/swagger_ui.ex          |  42 ++++-
 .../plug/swagger_ui_oauth2_redirect.ex        | 156 ++++++++++--------
 lib/open_api_spex/test/test_assertions.ex     |  27 +--
 mix.exs                                       |   4 +-
 test/cast/all_of_test.exs                     |   3 +-
 test/cast/object_test.exs                     |   6 +-
 test/paths_test.exs                           |   9 +-
 test/plug/none_cache_test.exs                 |  28 ++++
 test/plug/swagger_ui_test.exs                 |  33 ++++
 .../response_code_ranges_controller.ex        |  58 +++++++
 test/support/router.ex                        |   4 +-
 test/support/user_no_replace_controller.ex    |   2 +-
 test/test_assertions_test.exs                 |  56 +++++--
 21 files changed, 400 insertions(+), 132 deletions(-)
 create mode 100644 test/plug/none_cache_test.exs
 create mode 100644 test/support/response_code_ranges_controller.ex

diff --git a/.github/workflows/elixir.yml b/.github/workflows/elixir.yml
index f83af979..802e4c11 100644
--- a/.github/workflows/elixir.yml
+++ b/.github/workflows/elixir.yml
@@ -65,12 +65,27 @@ jobs:
     name: Test (OTP ${{matrix.otp}} / Elixir ${{matrix.elixir}})
     strategy:
       matrix:
-        otp: ['22', '23', '24', '25']
-        elixir: ['1.11', '1.12', '1.13']
+        otp: ['22', '23', '24', '25', '26']
+        elixir: ['1.11', '1.12', '1.13', '1.14', '1.15', '1.16']
         exclude:
-          - {otp: '25', elixir: '1.10'}
+          - {otp: '22', elixir: '1.14'}
+          - {otp: '22', elixir: '1.15'}
+          - {otp: '22', elixir: '1.16'}
+          - {otp: '23', elixir: '1.14'}
+          - {otp: '23', elixir: '1.15'}
+          - {otp: '23', elixir: '1.16'}
+          - {otp: '24', elixir: '1.11'}
+          - {otp: '24', elixir: '1.12'}
+          - {otp: '24', elixir: '1.13'}
+          - {otp: '24', elixir: '1.14'}
+          - {otp: '24', elixir: '1.15'}
           - {otp: '25', elixir: '1.11'}
           - {otp: '25', elixir: '1.12'}
+          - {otp: '25', elixir: '1.14'}
+          - {otp: '26', elixir: '1.11'}
+          - {otp: '26', elixir: '1.12'}
+          - {otp: '26', elixir: '1.13'}
+          - {otp: '26', elixir: '1.14'}
     steps:
       - uses: actions/checkout@v2
       - uses: erlef/setup-beam@v1
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a6d8c7a..3b40beec 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,26 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## v3.19.0 - 2024-04-30
+
+* Support response code ranges by @zorbash in 8898859da1
+
+## v3.18.3 - 2024-03-15
+
+* Relax dependency constraint on ymlr to allow version ~> 5.0 by @egze in https://github.com/open-api-spex/open_api_spex/pull/586
+
+## v3.18.2 - 2024-01-26
+
+* Fix 'AllOf cast returns a map, but I expected a struct' by @angelikatyborska in https://github.com/open-api-spex/open_api_spex/pull/592
+
+## v3.18.1 - 2023-12-19
+
+* Fix `assert_operation_response/2` header lookup by @msutkowski in https://github.com/open-api-spex/open_api_spex/pull/584
+* Exclude empty paths (`operation false`) from generated spec by @alisinabh in https://github.com/open-api-spex/open_api_spex/pull/583
+* Cast discriminator when no title present (#574) by @albertored in https://github.com/open-api-spex/open_api_spex/pull/574
+* Docstest Operation.parameter/5 by @zorbash
+* Document the spec export task `--filename` option by @zorbash
+
 ## v3.18.0 - 2023-08-23
 
 * Relax dependency constraint on ymlr to allow version ~> 4.0 by @arcanemachine in https://github.com/open-api-spex/open_api_spex/pull/544
diff --git a/examples/phoenix_app/lib/phoenix_app_web/router.ex b/examples/phoenix_app/lib/phoenix_app_web/router.ex
index d6fadf53..6097be09 100644
--- a/examples/phoenix_app/lib/phoenix_app_web/router.ex
+++ b/examples/phoenix_app/lib/phoenix_app_web/router.ex
@@ -9,7 +9,12 @@ defmodule PhoenixAppWeb.Router do
     oauth: [
       # client_id: "e2195a7487322a0f19bf"
       client_id: "Iv1.d7c611e5607d77b0"
-    ]
+    ],
+    csp_nonce_assign_key: %{script: :script_src_nonce, style: :style_src_nonce}
+  ]
+
+  @oauth_redirect_config [
+    csp_nonce_assign_key: %{script: :script_src_nonce}
   ]
 
   def swagger_ui_config, do: @swagger_ui_config
@@ -28,7 +33,7 @@ defmodule PhoenixAppWeb.Router do
 
     get "/swaggerui", OpenApiSpex.Plug.SwaggerUI, @swagger_ui_config
 
-    get "/swaggerui/oauth2-redirect.html", OpenApiSpex.Plug.SwaggerUIOAuth2Redirect, :show
+    get "/swaggerui/oauth2-redirect.html", OpenApiSpex.Plug.SwaggerUIOAuth2Redirect, @oauth_redirect_config
   end
 
   scope "/api" do
diff --git a/lib/open_api_spex/cast/all_of.ex b/lib/open_api_spex/cast/all_of.ex
index 372d55b5..e0f49ced 100644
--- a/lib/open_api_spex/cast/all_of.ex
+++ b/lib/open_api_spex/cast/all_of.ex
@@ -34,14 +34,14 @@ defmodule OpenApiSpex.Cast.AllOf do
     cast_all_of(%{ctx | schema: %{schema | allOf: [nested_schema | remaining]}}, result)
   end
 
-  defp cast_all_of(%{schema: %{allOf: []}, errors: []} = ctx, acc) do
+  defp cast_all_of(%{schema: %{allOf: [], "x-struct": module}, errors: []} = ctx, acc)
+       when not is_nil(module) do
     with :ok <- Utils.check_required_fields(ctx, acc) do
-      {:ok, acc}
+      {:ok, struct(module, acc)}
     end
   end
 
-  defp cast_all_of(%{schema: %{allOf: [], errors: [], "x-struct": module}} = ctx, acc)
-       when not is_nil(module) do
+  defp cast_all_of(%{schema: %{allOf: []}, errors: []} = ctx, acc) do
     with :ok <- Utils.check_required_fields(ctx, acc) do
       {:ok, acc}
     end
diff --git a/lib/open_api_spex/cast/utils.ex b/lib/open_api_spex/cast/utils.ex
index 5be0b02a..c2ba810b 100644
--- a/lib/open_api_spex/cast/utils.ex
+++ b/lib/open_api_spex/cast/utils.ex
@@ -73,9 +73,19 @@ defmodule OpenApiSpex.Cast.Utils do
   - If multiple `content-type` headers are found, the function will only return the value of the first one.
 
   """
-  @spec content_type_from_header(Plug.Conn.t()) :: String.t() | nil
-  def content_type_from_header(conn = %Plug.Conn{}) do
-    case Plug.Conn.get_req_header(conn, "content-type") do
+  @spec content_type_from_header(Plug.Conn.t(), :request | :response) ::
+          String.t() | nil
+  def content_type_from_header(conn = %Plug.Conn{}, header_location \\ :request) do
+    content_type =
+      case header_location do
+        :request ->
+          Plug.Conn.get_req_header(conn, "content-type")
+
+        :response ->
+          Plug.Conn.get_resp_header(conn, "content-type")
+      end
+
+    case content_type do
       [header_value | _] ->
         header_value
         |> String.split(";")
diff --git a/lib/open_api_spex/operation_builder.ex b/lib/open_api_spex/operation_builder.ex
index 6802c286..f9c70d6d 100644
--- a/lib/open_api_spex/operation_builder.ex
+++ b/lib/open_api_spex/operation_builder.ex
@@ -108,6 +108,11 @@ defmodule OpenApiSpex.OperationBuilder do
   def build_responses(_), do: []
 
   defp status_to_code(:default), do: :default
+
+  defp status_to_code(status)
+       when status in [:"1XX", "1XX", :"2XX", "2XX", :"3XX", "3XX", :"4XX", "4XX", :"5XX", "5XX"],
+       do: status
+
   defp status_to_code(status), do: Status.code(status)
 
   def build_request_body(%{body: {description, media_type, schema}}) do
diff --git a/lib/open_api_spex/path_item.ex b/lib/open_api_spex/path_item.ex
index 82042707..c7f0c585 100644
--- a/lib/open_api_spex/path_item.ex
+++ b/lib/open_api_spex/path_item.ex
@@ -73,16 +73,17 @@ defmodule OpenApiSpex.PathItem do
   defp from_valid_routes([]), do: nil
 
   defp from_valid_routes(routes) do
-    attrs =
-      routes
-      |> Enum.map(fn route ->
-        case Operation.from_route(route) do
-          nil -> nil
-          op -> {route.verb, op}
-        end
-      end)
-      |> Enum.filter(& &1)
-
-    struct(PathItem, attrs)
+    routes
+    |> Enum.map(fn route ->
+      case Operation.from_route(route) do
+        nil -> nil
+        op -> {route.verb, op}
+      end
+    end)
+    |> Enum.filter(& &1)
+    |> case do
+      [] -> nil
+      attrs -> struct(PathItem, attrs)
+    end
   end
 end
diff --git a/lib/open_api_spex/plug/cast_and_validate.ex b/lib/open_api_spex/plug/cast_and_validate.ex
index e8af40fc..d07a9dd2 100644
--- a/lib/open_api_spex/plug/cast_and_validate.ex
+++ b/lib/open_api_spex/plug/cast_and_validate.ex
@@ -1,6 +1,8 @@
 defmodule OpenApiSpex.Plug.CastAndValidate do
   @moduledoc """
   Module plug that will cast and validate the `Conn.params` and `Conn.body_params` according to the schemas defined for the operation.
+  Note that when using this plug, the body params are no longer merged into `Conn.params` and must be read from `Conn.body_params`
+  separately.
 
   The operation_id can be given at compile time as an argument to `init`:
 
diff --git a/lib/open_api_spex/plug/swagger_ui.ex b/lib/open_api_spex/plug/swagger_ui.ex
index 6c3ddd6c..5d274dfc 100644
--- a/lib/open_api_spex/plug/swagger_ui.ex
+++ b/lib/open_api_spex/plug/swagger_ui.ex
@@ -43,7 +43,11 @@ defmodule OpenApiSpex.Plug.SwaggerUI do
       <link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/4.14.0/swagger-ui.css" >
       <link rel="icon" type="image/png" href="./favicon-32x32.png" sizes="32x32" />
       <link rel="icon" type="image/png" href="./favicon-16x16.png" sizes="16x16" />
-      <style>
+      <%= if style_src_nonce do %>
+        <style nonce="<%= style_src_nonce %>">
+      <% else %>
+        <style>
+      <% end %>
         html
         {
           box-sizing: border-box;
@@ -68,7 +72,11 @@ defmodule OpenApiSpex.Plug.SwaggerUI do
 
     <script src="https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/4.14.0/swagger-ui-bundle.js" charset="UTF-8"> </script>
     <script src="https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/4.14.0/swagger-ui-standalone-preset.js" charset="UTF-8"> </script>
-    <script>
+    <%= if script_src_nonce do %>
+      <script nonce="<%= script_src_nonce %>">
+    <% else %>
+      <script>
+    <% end %>
     window.onload = function() {
       // Begin Swagger UI call region
       const api_spec_url = new URL(window.location);
@@ -95,7 +103,7 @@ defmodule OpenApiSpex.Plug.SwaggerUI do
           }
           return request;
         }
-        <%= for {k, v} <- Map.drop(config, [:path, :oauth]) do %>
+        <%= for {k, v} <- Map.drop(config, [:path, :oauth, :csp_nonce_assign_key]) do %>
         , <%= camelize(k) %>: <%= encode_config(camelize(k), v) %>
         <% end %>
       })
@@ -135,6 +143,10 @@ defmodule OpenApiSpex.Plug.SwaggerUI do
 
    * `:path` - Required. The URL path to the API definition.
    * `:oauth` - Optional. Config to pass to the `SwaggerUIBundle.initOAuth()` function.
+   * `:csp_nonce_assign_key` - Optional. An assign key to find the CSP nonce value used
+     for assets. Supports either `atom()` or a map of type
+     `%{optional(:script) => atom(), optional(:style) => atom()}`. You will probably
+     want to set this on the `SwaggerUIOAuth2Redirect` plug as well.
    * all other opts - forwarded to the `SwaggerUIBundle` constructor
 
   ## Example
@@ -142,7 +154,8 @@ defmodule OpenApiSpex.Plug.SwaggerUI do
       get "/swaggerui", OpenApiSpex.Plug.SwaggerUI,
         path: "/api/openapi",
         default_model_expand_depth: 3,
-        display_operation_id: true
+        display_operation_id: true,
+        csp_nonce_assign_key: %{script: :script_src_nonce, style: :style_src_nonce}
   """
   @impl Plug
   def init(opts) when is_list(opts) do
@@ -153,7 +166,14 @@ defmodule OpenApiSpex.Plug.SwaggerUI do
   def call(conn, config) do
     csrf_token = Plug.CSRFProtection.get_csrf_token()
     config = supplement_config(config, conn)
-    html = render(config, csrf_token)
+
+    html =
+      render(
+        config,
+        csrf_token,
+        get_nonce(conn, config, :style),
+        get_nonce(conn, config, :script)
+      )
 
     conn
     |> Plug.Conn.put_resp_content_type("text/html")
@@ -164,7 +184,9 @@ defmodule OpenApiSpex.Plug.SwaggerUI do
 
   EEx.function_from_string(:defp, :render, @html, [
     :config,
-    :csrf_token
+    :csrf_token,
+    :style_src_nonce,
+    :script_src_nonce
   ])
 
   defp camelize(identifier) do
@@ -203,4 +225,12 @@ defmodule OpenApiSpex.Plug.SwaggerUI do
   defp supplement_config(config, _conn) do
     config
   end
+
+  def get_nonce(conn, config, type) do
+    case config[:csp_nonce_assign_key] do
+      key when is_atom(key) -> conn.assigns[key]
+      %{^type => key} when is_atom(key) -> conn.assigns[key]
+      _ -> nil
+    end
+  end
 end
diff --git a/lib/open_api_spex/plug/swagger_ui_oauth2_redirect.ex b/lib/open_api_spex/plug/swagger_ui_oauth2_redirect.ex
index 7e3efa46..6ca03347 100644
--- a/lib/open_api_spex/plug/swagger_ui_oauth2_redirect.ex
+++ b/lib/open_api_spex/plug/swagger_ui_oauth2_redirect.ex
@@ -12,81 +12,99 @@ defmodule OpenApiSpex.Plug.SwaggerUIOAuth2Redirect do
     <html lang="en-US">
       <head>
         <title>Swagger UI: OAuth2 Redirect</title>
-      </head>
-      <body onload="run()">
-        <script>
-            'use strict';
-            function run() {
-                var oauth2 = window.opener.swaggerUIRedirectOauth2;
-                var sentState = oauth2.state;
-                var redirectUrl = oauth2.redirectUrl;
-                var isValid, qp, arr;
-
-                if (/code|token|error/.test(window.location.hash)) {
-                    qp = window.location.hash.substring(1);
-                } else {
-                    qp = location.search.substring(1);
-                }
-
-                arr = qp.split("&")
-                arr.forEach(function (v, i, _arr) { _arr[i] = '"' + v.replace('=', '":"') + '"'; })
-                qp = qp ? JSON.parse('{' + arr.join() + '}',
-                    function (key, value) {
-                        return key === "" ? value : decodeURIComponent(value)
-                    }
-                ) : {}
-
-                isValid = qp.state === sentState
-                var flow = oauth2.auth.schema.get("flow");
-
-                if ((flow === "accessCode" || flow === "authorizationCode") && !oauth2.auth.code) {
-                    if (!isValid) {
-                        oauth2.errCb({
-                            authId: oauth2.auth.name,
-                            source: "auth",
-                            level: "warning",
-                            message: "Authorization may be unsafe, passed state was changed in server Passed state wasn't returned from auth server"
-                        });
-                    }
-
-                    if (qp.code) {
-                        delete oauth2.state;
-                        oauth2.auth.code = qp.code;
-                        var callbackOpts1 = { auth: oauth2.auth, redirectUrl: redirectUrl };
-                        oauth2.callback({ auth: oauth2.auth, redirectUrl: redirectUrl });
-                    } else {
-                        let oauthErrorMsg
-                        if (qp.error) {
-                            oauthErrorMsg = "[" + qp.error + "]: " +
-                                (qp.error_description ? qp.error_description + ". " : "no accessCode received from the server. ") +
-                                (qp.error_uri ? "More info: " + qp.error_uri : "");
-                        }
-
-                        oauth2.errCb({
-                            authId: oauth2.auth.name,
-                            source: "auth",
-                            level: "error",
-                            message: oauthErrorMsg || "[Authorization failed]: no accessCode received from the server"
-                        });
-                    }
-                } else {
-                    // oauth2.auth.state = oauth2.state;
-                    var callbackOpts2 = { auth: oauth2.auth, token: qp, isValid: isValid, redirectUrl: redirectUrl };
-                    oauth2.callback(callbackOpts2);
-                }
-                window.close();
-            }
+        <%= if script_src_nonce do %>
+          <script nonce="<%= script_src_nonce %>">
+        <% else %>
+          <script>
+        <% end %>
+          'use strict';
+          (function run() {
+              var oauth2 = window.opener.swaggerUIRedirectOauth2;
+              var sentState = oauth2.state;
+              var redirectUrl = oauth2.redirectUrl;
+              var isValid, qp, arr;
+
+              if (/code|token|error/.test(window.location.hash)) {
+                  qp = window.location.hash.substring(1);
+              } else {
+                  qp = location.search.substring(1);
+              }
+
+              arr = qp.split("&")
+              arr.forEach(function (v, i, _arr) { _arr[i] = '"' + v.replace('=', '":"') + '"'; })
+              qp = qp ? JSON.parse('{' + arr.join() + '}',
+                  function (key, value) {
+                      return key === "" ? value : decodeURIComponent(value)
+                  }
+              ) : {}
+
+              isValid = qp.state === sentState
+              var flow = oauth2.auth.schema.get("flow");
+
+              if ((flow === "accessCode" || flow === "authorizationCode") && !oauth2.auth.code) {
+                  if (!isValid) {
+                      oauth2.errCb({
+                          authId: oauth2.auth.name,
+                          source: "auth",
+                          level: "warning",
+                          message: "Authorization may be unsafe, passed state was changed in server Passed state wasn't returned from auth server"
+                      });
+                  }
+
+                  if (qp.code) {
+                      delete oauth2.state;
+                      oauth2.auth.code = qp.code;
+                      var callbackOpts1 = { auth: oauth2.auth, redirectUrl: redirectUrl };
+                      oauth2.callback({ auth: oauth2.auth, redirectUrl: redirectUrl });
+                  } else {
+                      let oauthErrorMsg
+                      if (qp.error) {
+                          oauthErrorMsg = "[" + qp.error + "]: " +
+                              (qp.error_description ? qp.error_description + ". " : "no accessCode received from the server. ") +
+                              (qp.error_uri ? "More info: " + qp.error_uri : "");
+                      }
+
+                      oauth2.errCb({
+                          authId: oauth2.auth.name,
+                          source: "auth",
+                          level: "error",
+                          message: oauthErrorMsg || "[Authorization failed]: no accessCode received from the server"
+                      });
+                  }
+              } else {
+                  // oauth2.auth.state = oauth2.state;
+                  var callbackOpts2 = { auth: oauth2.auth, token: qp, isValid: isValid, redirectUrl: redirectUrl };
+                  oauth2.callback(callbackOpts2);
+              }
+              window.close();
+          })();
         </script>
-      </body>
+      </head>
     </html>
   """
 
+  @doc """
+  Initializes the plug.
+
+  ## Options
+
+   * `:csp_nonce_assign_key` - Optional. An assign key to find the CSP nonce value used
+     for assets. Supports either `atom()` or a map of type `%{optional(:script) => atom()}`.
+
+  ## Example
+
+      get "/oauth2-redirect.html",
+          OpenApiSpex.Plug.SwaggerUIOAuth2Redirect,
+          csp_nonce_assign_key: %{script: :script_src_nonce}
+  """
   @impl Plug
-  def init(_opts), do: []
+  def init(opts) when is_list(opts) do
+    Map.new(opts)
+  end
 
   @impl Plug
-  def call(conn, _opts) do
-    html = render()
+  def call(conn, config) do
+    html = render(OpenApiSpex.Plug.SwaggerUI.get_nonce(conn, config, :script))
 
     conn
     |> put_resp_content_type("text/html")
@@ -94,5 +112,5 @@ defmodule OpenApiSpex.Plug.SwaggerUIOAuth2Redirect do
   end
 
   require EEx
-  EEx.function_from_string(:defp, :render, @html, [])
+  EEx.function_from_string(:defp, :render, @html, [:script_src_nonce])
 end
diff --git a/lib/open_api_spex/test/test_assertions.ex b/lib/open_api_spex/test/test_assertions.ex
index 42f95b2e..809044d6 100644
--- a/lib/open_api_spex/test/test_assertions.ex
+++ b/lib/open_api_spex/test/test_assertions.ex
@@ -136,7 +136,7 @@ defmodule OpenApiSpex.TestAssertions do
     case operation_lookup[operation_id] do
       nil ->
         flunk(
-          "Failed to resolve schema. Unable to find a response for operation_id: #{operation_id} for response status code: #{conn.status}"
+          "Failed to resolve a response schema for operation_id: #{operation_id} for status code: #{conn.status}"
         )
 
       operation ->
@@ -154,20 +154,27 @@ defmodule OpenApiSpex.TestAssertions do
           ) ::
             term | no_return
     defp validate_operation_response(conn, %Operation{operationId: operation_id} = operation, spec) do
-      content_type = Utils.content_type_from_header(conn)
+      content_type = Utils.content_type_from_header(conn, :response)
+
+      responses = Map.get(operation, :responses, %{})
+      code_range = String.first(to_string(conn.status)) <> "XX"
+
+      response =
+        Map.get(responses, conn.status) ||
+          Map.get(responses, "#{conn.status}") ||
+          Map.get(responses, :"#{conn.status}") ||
+          Map.get(responses, code_range) ||
+          Map.get(responses, :"#{code_range}", %{})
 
       resolved_schema =
-        get_in(operation, [
-          Access.key!(:responses),
-          Access.key!(conn.status),
-          Access.key!(:content),
-          content_type,
-          Access.key!(:schema)
-        ])
+        response
+        |> Map.get(:content, %{})
+        |> Map.get(content_type, %{})
+        |> Map.get(:schema)
 
       if is_nil(resolved_schema) do
         flunk(
-          "Failed to resolve schema! Unable to find a response for operation_id: #{operation_id} for response status code: #{conn.status} and content type #{content_type}"
+          "Failed to resolve a response schema for operation_id: #{operation_id} for status code: #{conn.status} and content type: #{content_type}"
         )
       end
 
diff --git a/mix.exs b/mix.exs
index 78459d52..49eaee63 100644
--- a/mix.exs
+++ b/mix.exs
@@ -2,7 +2,7 @@ defmodule OpenApiSpex.Mixfile do
   use Mix.Project
 
   @source_url "https://github.com/open-api-spex/open_api_spex"
-  @version "3.18.0"
+  @version "3.19.0"
 
   def project do
     [
@@ -70,7 +70,7 @@ defmodule OpenApiSpex.Mixfile do
       {:phoenix, "~> 1.3", only: [:dev, :test]},
       {:plug, "~> 1.7"},
       {:poison, "~> 3.0 or ~> 4.0 or ~> 5.0", optional: true},
-      {:ymlr, "~> 2.0 or ~> 3.0 or ~> 4.0", optional: true}
+      {:ymlr, "~> 2.0 or ~> 3.0 or ~> 4.0 or ~> 5.0", optional: true}
     ]
   end
 
diff --git a/test/cast/all_of_test.exs b/test/cast/all_of_test.exs
index a491dc25..9f2fbabe 100644
--- a/test/cast/all_of_test.exs
+++ b/test/cast/all_of_test.exs
@@ -355,6 +355,7 @@ defmodule OpenApiSpex.CastAllOfTest do
 
   test "with schema having x-type" do
     value = %{fur: true, meow: true}
-    assert {:ok, _} = cast(value: value, schema: CatSchema.schema())
+
+    assert {:ok, %CatSchema{fur: true, meow: true}} = cast(value: value, schema: CatSchema.schema())
   end
 end
diff --git a/test/cast/object_test.exs b/test/cast/object_test.exs
index add91d24..84261c18 100644
--- a/test/cast/object_test.exs
+++ b/test/cast/object_test.exs
@@ -415,7 +415,11 @@ defmodule OpenApiSpex.ObjectTest do
         }
       }
 
-      assert {:error, [error1, error2]} = cast(value: %{"age" => 0, "name" => "N"}, schema: schema)
+      assert {:error, [_error1, _error2] = errors} =
+               cast(value: %{"age" => 0, "name" => "N"}, schema: schema)
+
+      error1 = Enum.find(errors, &(&1.path == [:age]))
+      error2 = Enum.find(errors, &(&1.path == [:name]))
 
       assert %Error{} = error1
       assert error1.reason == :minimum
diff --git a/test/paths_test.exs b/test/paths_test.exs
index 300e9497..4bec9a9f 100644
--- a/test/paths_test.exs
+++ b/test/paths_test.exs
@@ -12,8 +12,13 @@ defmodule OpenApiSpex.PathsTest do
                "/api/pets/{id}" => pets_path_item
              } = paths
 
-      assert pets_path_item.patch.operationId == "OpenApiSpexTest.PetController.update"
-      assert pets_path_item.put.operationId == "OpenApiSpexTest.PetController.update (2)"
+      refute Map.has_key?(paths, "/api/noapi")
+      refute Map.has_key?(paths, "/api/noapi_with_struct")
+
+      operation_ids = [pets_path_item.put.operationId, pets_path_item.patch.operationId]
+
+      assert "OpenApiSpexTest.PetController.update" in operation_ids
+      assert "OpenApiSpexTest.PetController.update (2)" in operation_ids
     end
   end
 end
diff --git a/test/plug/none_cache_test.exs b/test/plug/none_cache_test.exs
new file mode 100644
index 00000000..50c69d02
--- /dev/null
+++ b/test/plug/none_cache_test.exs
@@ -0,0 +1,28 @@
+defmodule OpenApiSpex.Plug.NoneCacheTest do
+  use ExUnit.Case, async: true
+
+  alias OpenApiSpex.Plug.NoneCache
+  alias OpenApiSpexTest.ApiSpec
+
+  setup do
+    [spec: ApiSpec.spec()]
+  end
+
+  describe "get/1" do
+    test "returns nil", %{spec: spec} do
+      assert is_nil(NoneCache.get(spec))
+    end
+  end
+
+  describe "put/2" do
+    test "returns :ok", %{spec: spec} do
+      assert :ok = NoneCache.put(spec, %{})
+    end
+  end
+
+  describe "erase/1" do
+    test "returns :ok", %{spec: spec} do
+      assert :ok = NoneCache.erase(spec)
+    end
+  end
+end
diff --git a/test/plug/swagger_ui_test.exs b/test/plug/swagger_ui_test.exs
index e53b21d6..4506e7bc 100644
--- a/test/plug/swagger_ui_test.exs
+++ b/test/plug/swagger_ui_test.exs
@@ -13,4 +13,37 @@ defmodule OpenApiSpec.Plug.SwaggerUITest do
     assert conn.resp_body =~ ~r[pathname.+?/ui]
     assert String.contains?(conn.resp_body, token)
   end
+
+  describe "nonces" do
+    test "omits nonces if not configured" do
+      conn = Plug.Test.conn(:get, "/ui") |> SwaggerUI.call(@opts)
+      refute String.contains?(conn.resp_body, "nonce")
+    end
+
+    test "renders with single key" do
+      conn =
+        Plug.Test.conn(:get, "/ui")
+        |> Plug.Conn.assign(:nonce, "my_nonce")
+        |> SwaggerUI.call(Map.put(@opts, :csp_nonce_assign_key, :nonce))
+
+      assert String.match?(conn.resp_body, ~r/<style.*nonce="my_nonce"/)
+      assert String.match?(conn.resp_body, ~r/<script.*nonce="my_nonce"/)
+    end
+
+    test "renders with separate keys" do
+      conn =
+        Plug.Test.conn(:get, "/ui")
+        |> Plug.Conn.assign(:style_src_nonce, "my_style_nonce")
+        |> Plug.Conn.assign(:script_src_nonce, "my_script_nonce")
+        |> SwaggerUI.call(
+          Map.put(@opts, :csp_nonce_assign_key, %{
+            script: :script_src_nonce,
+            style: :style_src_nonce
+          })
+        )
+
+      assert String.match?(conn.resp_body, ~r/<style.*nonce="my_style_nonce"/)
+      assert String.match?(conn.resp_body, ~r/<script.*nonce="my_script_nonce"/)
+    end
+  end
 end
diff --git a/test/support/response_code_ranges_controller.ex b/test/support/response_code_ranges_controller.ex
new file mode 100644
index 00000000..49fd8b82
--- /dev/null
+++ b/test/support/response_code_ranges_controller.ex
@@ -0,0 +1,58 @@
+defmodule OpenApiSpexTest.ResponseCodeRangesController do
+  use Phoenix.Controller
+  use OpenApiSpex.ControllerSpecs
+
+  alias OpenApiSpex.Operation
+
+  defmodule GenericResponse do
+    alias OpenApiSpex.Schema
+    require OpenApiSpex
+
+    OpenApiSpex.schema(%{
+      type: :object,
+      properties: %{
+        type: %Schema{
+          type: :string,
+          enum: ["generic"]
+        }
+      }
+    })
+  end
+
+  defmodule CreatedResponse do
+    alias OpenApiSpex.Schema
+    require OpenApiSpex
+
+    OpenApiSpex.schema(%{
+      type: :object,
+      properties: %{
+        type: %Schema{
+          type: :string,
+          enum: ["created"]
+        }
+      }
+    })
+  end
+
+  operation :index,
+    operation_id: "response_code_ranges",
+    summary: "String response codes index",
+    responses: [
+      created:
+        Operation.response(
+          "Created response",
+          "application/json",
+          CreatedResponse
+        ),
+      "2XX":
+        Operation.response(
+          "Generic response",
+          "application/json",
+          GenericResponse
+        )
+    ]
+
+  def index(conn, _) do
+    json(conn, %{type: "generic"})
+  end
+end
diff --git a/test/support/router.ex b/test/support/router.ex
index 217f9e70..89cc5b59 100644
--- a/test/support/router.ex
+++ b/test/support/router.ex
@@ -15,7 +15,9 @@ defmodule OpenApiSpexTest.Router do
     get "/noapi", OpenApiSpexTest.NoApiController, :noapi
     get "/noapi_with_struct", OpenApiSpexTest.NoApiControllerWithStructSpecs, :noapi
 
-    resources "/users_no_replace", OpenApiSpexTest.UserNoRepalceController, only: [:create, :index]
+    get "/response_code_ranges", OpenApiSpexTest.ResponseCodeRangesController, :index
+
+    resources "/users_no_replace", OpenApiSpexTest.UserNoReplaceController, only: [:create, :index]
 
     # Used by ParamsTest
     resources "/custom_error_users", OpenApiSpexTest.CustomErrorUserController, only: [:index]
diff --git a/test/support/user_no_replace_controller.ex b/test/support/user_no_replace_controller.ex
index b74822fe..f3d10b5a 100644
--- a/test/support/user_no_replace_controller.ex
+++ b/test/support/user_no_replace_controller.ex
@@ -1,4 +1,4 @@
-defmodule OpenApiSpexTest.UserNoRepalceController do
+defmodule OpenApiSpexTest.UserNoReplaceController do
   @moduledoc tags: ["users_no_replace"]
 
   use Phoenix.Controller
diff --git a/test/test_assertions_test.exs b/test/test_assertions_test.exs
index 0959eef5..db896977 100644
--- a/test/test_assertions_test.exs
+++ b/test/test_assertions_test.exs
@@ -120,6 +120,18 @@ defmodule OpenApiSpex.TestAssertionsTest do
       TestAssertions.assert_operation_response(conn)
     end
 
+    test "success with a response code range" do
+      conn =
+        :get
+        |> Plug.Test.conn("/api/response_code_ranges")
+        |> Plug.Conn.put_req_header("content-type", "application/json")
+
+      conn = OpenApiSpexTest.Router.call(conn, [])
+
+      assert conn.status == 200
+      TestAssertions.assert_operation_response(conn, "response_code_ranges")
+    end
+
     test "missing operation id" do
       conn =
         :get
@@ -129,14 +141,11 @@ defmodule OpenApiSpex.TestAssertionsTest do
       conn = OpenApiSpexTest.Router.call(conn, [])
       assert conn.status == 200
 
-      try do
-        TestAssertions.assert_operation_response(conn, "not_a_real_operation_id")
-        raise RuntimeError, "Should flunk"
-      rescue
-        e in ExUnit.AssertionError ->
-          assert e.message =~
-                   "Failed to resolve schema. Unable to find a response for operation_id: not_a_real_operation_id for response status code: 200"
-      end
+      assert_raise(
+        ExUnit.AssertionError,
+        ~r/Failed to resolve a response schema for operation_id: not_a_real_operation_id for status code: 200/,
+        fn -> TestAssertions.assert_operation_response(conn, "not_a_real_operation_id") end
+      )
     end
 
     test "invalid schema" do
@@ -149,14 +158,29 @@ defmodule OpenApiSpex.TestAssertionsTest do
 
       assert conn.status == 200
 
-      try do
-        TestAssertions.assert_operation_response(conn, "showPetById")
-        raise RuntimeError, "Should flunk"
-      rescue
-        e in ExUnit.AssertionError ->
-          assert e.message =~
-                   "Value does not conform to schema PetResponse: Failed to cast value to one of: no schemas validate at"
-      end
+      assert_raise(
+        ExUnit.AssertionError,
+        ~r/Value does not conform to schema PetResponse: Failed to cast value to one of: no schemas validate at/,
+        fn -> TestAssertions.assert_operation_response(conn, "showPetById") end
+      )
+    end
+
+    test "returns an error when the response content-type does not match the schema" do
+      conn =
+        :get
+        |> Plug.Test.conn("/api/pets")
+        |> Plug.Conn.put_req_header("content-type", "application/json")
+        |> Plug.Conn.put_resp_header("content-type", "unexpected-content-type")
+
+      conn = OpenApiSpexTest.Router.call(conn, [])
+
+      assert conn.status == 200
+
+      assert_raise(
+        ExUnit.AssertionError,
+        ~r/Failed to resolve a response schema for operation_id: showPetById for status code: 200 and content type: unexpected-content-type/,
+        fn -> TestAssertions.assert_operation_response(conn, "showPetById") end
+      )
     end
   end
 end