Add API Browser with Swagger UI for VS Code extension (#244)

* Add `slas token` command for retrieving SLAS shopper access tokens

Supports public (PKCE) and private (client_credentials) client flows,
guest and registered customer authentication, and auto-discovery of
public SLAS clients via the admin API.

* api browser wip

* Fix API Browser: CORS proxy, auth, parameter prefill, and UX improvements

- Proxy API requests through extension host to avoid CORS in webview
- Fix OAuth2 preauthorize payload format (lock icons now turn green)
- Fix parameter prefill for $ref schemas (replace schema instead of adding sibling)
- Pre-fill both organizationId and siteId from config
- Acquire token before rendering and embed via onComplete callback
- Extract required scopes from spec and include tenant scope for Admin APIs
- Add scopes option to CreateOAuthOptions in SDK for scope-aware token requests
- Expand custom_properties when fetching SCAPI schemas
- Defer tree view loading until user clicks "Load APIs"
- Remove transparent background overrides to fix Swagger UI code block readability
- Align SLAS token logging with Auth module conventions ([SLAS REQ/RESP] format)

* Add changeset for SDK scopes option and SLAS logging

* Include b2c-vs-extension in changeset

---------

Co-authored-by: amit-kumar8-sf <amit.kumar.sf1408@gmail.com>

Author: clavery

.changeset/api-browser-improvements.md

@@ -0,0 +1,6 @@
+---
+'@salesforce/b2c-tooling-sdk': minor
+'b2c-vs-extension': minor
+---
+
+Add API Browser with Swagger UI for interactive SCAPI exploration. Proxy requests through extension host to avoid CORS, pre-fill parameters and auth tokens, and expand custom properties in schemas.

packages/b2c-tooling-sdk/src/config/resolved-config.ts

@@ -73,10 +73,14 @@ export class ResolvedConfigImpl implements ResolvedB2CConfig {
     if (!this.hasOAuthConfig()) {
       throw new Error('OAuth requires clientId');
     }
+    const configScopes = this.values.scopes ?? [];
+    const additionalScopes = options?.scopes ?? [];
+    const mergedScopes =
+      additionalScopes.length > 0 ? [...new Set([...configScopes, ...additionalScopes])] : configScopes;
     const credentials: AuthCredentials = {
       clientId: this.values.clientId,
       clientSecret: this.values.clientSecret,
-      scopes: this.values.scopes,
+      scopes: mergedScopes.length > 0 ? mergedScopes : undefined,
       accountManagerHost: this.values.accountManagerHost,
     };
     return resolveAuthStrategy(credentials, {allowedMethods: options?.allowedMethods});

packages/b2c-tooling-sdk/src/config/types.ts

@@ -306,6 +306,8 @@ export interface ConfigSource {
 export interface CreateOAuthOptions {
   /** Allowed OAuth methods (default: ['client-credentials', 'implicit']) */
   allowedMethods?: AuthMethod[];
+  /** Additional OAuth scopes to request beyond those in config */
+  scopes?: string[];
 }
 
 /**

packages/b2c-tooling-sdk/src/slas/token.ts

@@ -57,6 +57,40 @@ async function checkResponse(response: Response, context: string): Promise<void>
   throw new Error(`SLAS ${context} failed (HTTP ${response.status})${detail}`);
 }
 
+/**
+ * Helper to collect response headers as a plain object for logging.
+ */
+function serializeHeaders(response: Response): Record<string, string> {
+  const headers: Record<string, string> = {};
+  response.headers.forEach((value, key) => {
+    headers[key] = value;
+  });
+  return headers;
+}
+
+/**
+ * Performs a logged fetch request following the Auth logging conventions.
+ * Returns the response (caller must check status).
+ */
+async function loggedFetch(url: string, init: RequestInit): Promise<{response: Response; duration: number}> {
+  const logger = getLogger();
+  const method = init.method ?? 'GET';
+
+  logger.debug({method, url}, `[SLAS REQ] ${method} ${url}`);
+  logger.trace({method, url, headers: init.headers, body: init.body?.toString()}, `[SLAS REQ BODY] ${method} ${url}`);
+
+  const startTime = Date.now();
+  const response = await fetch(url, init);
+  const duration = Date.now() - startTime;
+
+  logger.debug(
+    {method, url, status: response.status, duration},
+    `[SLAS RESP] ${method} ${url} ${response.status} ${duration}ms`,
+  );
+
+  return {response, duration};
+}
+
 /**
  * Retrieves a guest shopper access token from SLAS.
  *
@@ -73,7 +107,7 @@ export async function getGuestToken(config: SlasTokenConfig): Promise<SlasTokenR
     return getPrivateClientGuestToken(config);
   }
 
-  logger.debug('Using public client PKCE guest flow');
+  logger.debug({clientId: config.slasClientId}, '[SLAS] Using public client PKCE guest flow');
 
   const baseUrl = buildBaseUrl(config.shortCode, config.organizationId);
   const verifier = generateCodeVerifier();
@@ -89,11 +123,12 @@ export async function getGuestToken(config: SlasTokenConfig): Promise<SlasTokenR
   });
 
   const authorizeUrl = `${baseUrl}/oauth2/authorize?${authorizeParams.toString()}`;
-  logger.debug({url: authorizeUrl}, 'SLAS authorize request');
 
-  const authorizeResponse = await fetch(authorizeUrl, {redirect: 'manual'});
+  const {response: authorizeResponse} = await loggedFetch(authorizeUrl, {redirect: 'manual'});
 
   if (authorizeResponse.status !== 303) {
+    const respHeaders = serializeHeaders(authorizeResponse);
+    logger.trace({headers: respHeaders}, `[SLAS RESP BODY] GET ${authorizeUrl}`);
     await checkResponse(authorizeResponse, 'authorize');
     throw new Error(`Expected 303 redirect from SLAS authorize, got ${authorizeResponse.status}`);
   }
@@ -104,7 +139,7 @@ export async function getGuestToken(config: SlasTokenConfig): Promise<SlasTokenR
   }
 
   const {code, usid} = parseRedirectCode(location);
-  logger.debug({usid}, 'Got authorization code from SLAS');
+  logger.debug({usid}, '[SLAS] Got authorization code');
 
   // Step 2: Exchange code for token
   const tokenBody = new URLSearchParams({
@@ -117,22 +152,27 @@ export async function getGuestToken(config: SlasTokenConfig): Promise<SlasTokenR
     usid,
   });
 
-  const tokenResponse = await fetch(`${baseUrl}/oauth2/token`, {
+  const tokenUrl = `${baseUrl}/oauth2/token`;
+  const {response: tokenResponse} = await loggedFetch(tokenUrl, {
     method: 'POST',
     headers: {'Content-Type': 'application/x-www-form-urlencoded'},
     body: tokenBody,
   });
 
   await checkResponse(tokenResponse, 'token exchange (authorization_code_pkce)');
-  return (await tokenResponse.json()) as SlasTokenResponse;
+  const data = (await tokenResponse.json()) as SlasTokenResponse;
+  const respHeaders = serializeHeaders(tokenResponse);
+  logger.trace({headers: respHeaders, body: data}, `[SLAS RESP BODY] POST ${tokenUrl}`);
+
+  return data;
 }
 
 /**
  * Private client guest token via client_credentials grant.
  */
 async function getPrivateClientGuestToken(config: SlasTokenConfig): Promise<SlasTokenResponse> {
   const logger = getLogger();
-  logger.debug('Using private client client_credentials guest flow');
+  logger.debug({clientId: config.slasClientId}, '[SLAS] Using private client client_credentials guest flow');
 
   const baseUrl = buildBaseUrl(config.shortCode, config.organizationId);
   const basicAuth = Buffer.from(`${config.slasClientId}:${config.slasClientSecret}`).toString('base64');
@@ -142,7 +182,8 @@ async function getPrivateClientGuestToken(config: SlasTokenConfig): Promise<Slas
     channel_id: config.siteId,
   });
 
-  const tokenResponse = await fetch(`${baseUrl}/oauth2/token`, {
+  const tokenUrl = `${baseUrl}/oauth2/token`;
+  const {response: tokenResponse} = await loggedFetch(tokenUrl, {
     method: 'POST',
     headers: {
       'Content-Type': 'application/x-www-form-urlencoded',
@@ -152,7 +193,11 @@ async function getPrivateClientGuestToken(config: SlasTokenConfig): Promise<Slas
   });
 
   await checkResponse(tokenResponse, 'token (client_credentials)');
-  return (await tokenResponse.json()) as SlasTokenResponse;
+  const data = (await tokenResponse.json()) as SlasTokenResponse;
+  const respHeaders = serializeHeaders(tokenResponse);
+  logger.trace({headers: respHeaders, body: data}, `[SLAS RESP BODY] POST ${tokenUrl}`);
+
+  return data;
 }
 
 /**
@@ -172,7 +217,7 @@ export async function getRegisteredToken(config: SlasRegisteredLoginConfig): Pro
   const baseUrl = buildBaseUrl(config.shortCode, config.organizationId);
   const isPrivate = Boolean(config.slasClientSecret);
 
-  logger.debug({isPrivate}, 'Using registered customer login flow');
+  logger.debug({clientId: config.slasClientId, isPrivate}, '[SLAS] Using registered customer login flow');
 
   const verifier = generateCodeVerifier();
   const challenge = generateCodeChallenge(verifier);
@@ -187,7 +232,8 @@ export async function getRegisteredToken(config: SlasRegisteredLoginConfig): Pro
     redirect_uri: config.redirectUri,
   });
 
-  const loginResponse = await fetch(`${baseUrl}/oauth2/login`, {
+  const loginUrl = `${baseUrl}/oauth2/login`;
+  const {response: loginResponse} = await loggedFetch(loginUrl, {
     method: 'POST',
     headers: {
       'Content-Type': 'application/x-www-form-urlencoded',
@@ -198,6 +244,8 @@ export async function getRegisteredToken(config: SlasRegisteredLoginConfig): Pro
   });
 
   if (loginResponse.status !== 303) {
+    const respHeaders = serializeHeaders(loginResponse);
+    logger.trace({headers: respHeaders}, `[SLAS RESP BODY] POST ${loginUrl}`);
     await checkResponse(loginResponse, 'login');
     throw new Error(`Expected 303 redirect from SLAS login, got ${loginResponse.status}`);
   }
@@ -208,9 +256,11 @@ export async function getRegisteredToken(config: SlasRegisteredLoginConfig): Pro
   }
 
   const {code, usid} = parseRedirectCode(location);
-  logger.debug({usid}, 'Got authorization code from SLAS login');
+  logger.debug({usid}, '[SLAS] Got authorization code from login');
 
   // Step 2: Exchange code for token
+  const tokenUrl = `${baseUrl}/oauth2/token`;
+
   if (isPrivate) {
     const basicAuth = Buffer.from(`${config.slasClientId}:${config.slasClientSecret}`).toString('base64');
     const tokenBody = new URLSearchParams({
@@ -221,7 +271,7 @@ export async function getRegisteredToken(config: SlasRegisteredLoginConfig): Pro
       usid,
     });
 
-    const tokenResponse = await fetch(`${baseUrl}/oauth2/token`, {
+    const {response: tokenResponse} = await loggedFetch(tokenUrl, {
       method: 'POST',
       headers: {
         'Content-Type': 'application/x-www-form-urlencoded',
@@ -231,7 +281,11 @@ export async function getRegisteredToken(config: SlasRegisteredLoginConfig): Pro
     });
 
     await checkResponse(tokenResponse, 'token exchange (authorization_code)');
-    return (await tokenResponse.json()) as SlasTokenResponse;
+    const data = (await tokenResponse.json()) as SlasTokenResponse;
+    const respHeaders = serializeHeaders(tokenResponse);
+    logger.trace({headers: respHeaders, body: data}, `[SLAS RESP BODY] POST ${tokenUrl}`);
+
+    return data;
   }
 
   // Public client — use PKCE
@@ -245,12 +299,16 @@ export async function getRegisteredToken(config: SlasRegisteredLoginConfig): Pro
     usid,
   });
 
-  const tokenResponse = await fetch(`${baseUrl}/oauth2/token`, {
+  const {response: tokenResponse} = await loggedFetch(tokenUrl, {
     method: 'POST',
     headers: {'Content-Type': 'application/x-www-form-urlencoded'},
     body: tokenBody,
   });
 
   await checkResponse(tokenResponse, 'token exchange (authorization_code_pkce)');
-  return (await tokenResponse.json()) as SlasTokenResponse;
+  const data = (await tokenResponse.json()) as SlasTokenResponse;
+  const respHeaders = serializeHeaders(tokenResponse);
+  logger.trace({headers: respHeaders, body: data}, `[SLAS RESP BODY] POST ${tokenUrl}`);
+
+  return data;
 }

packages/b2c-vs-extension/package.json

@@ -25,7 +25,7 @@
     "onCommand:b2c-dx.openUI",
     "onCommand:b2c-dx.promptAgent",
     "onCommand:b2c-dx.listWebDav",
-    "onCommand:b2c-dx.scapiExplorer",
+    "onView:b2cApiBrowser",
     "onView:b2cSandboxExplorer",
     "onCommand:b2c-dx.scaffold.generate"
   ],
@@ -59,6 +59,11 @@
           "default": true,
           "description": "Enable scaffold generation commands."
         },
+        "b2c-dx.features.apiBrowser": {
+          "type": "boolean",
+          "default": true,
+          "description": "Enable the API Browser for exploring SCAPI schemas."
+        },
         "b2c-dx.logLevel": {
           "type": "string",
           "default": "info",
@@ -114,6 +119,12 @@
           "name": "Libraries",
           "icon": "media/b2c-icon.svg",
           "contextualTitle": "B2C-DX"
+        },
+        {
+          "id": "b2cApiBrowser",
+          "name": "API Browser",
+          "icon": "media/b2c-icon.svg",
+          "contextualTitle": "B2C-DX"
         }
       ],
       "b2c-dx-sandboxes": [
@@ -133,6 +144,10 @@
         "view": "b2cContentExplorer",
         "contents": "No content libraries configured.\n\nSet \"contentLibrary\" in dw.json or add a library manually.\n\n[Add Library](command:b2c-dx.content.addLibrary)"
       },
+      {
+        "view": "b2cApiBrowser",
+        "contents": "Browse SCAPI OpenAPI schemas for your Commerce Cloud instance.\n\nRequires OAuth credentials (clientId, clientSecret) and shortCode in dw.json.\n\n[Load APIs](command:b2c-dx.apiBrowser.refresh)"
+      },
       {
         "view": "b2cSandboxExplorer",
         "contents": "No sandbox realms configured.\n\nSet \"realm\" in dw.json or add a realm manually.\n\n[Add Realm](command:b2c-dx.sandbox.addRealm)"
@@ -155,9 +170,15 @@
         "category": "B2C DX"
       },
       {
-        "command": "b2c-dx.scapiExplorer",
-        "title": "SCAPI API Explorer",
-        "category": "B2C DX"
+        "command": "b2c-dx.apiBrowser.refresh",
+        "title": "Refresh",
+        "icon": "$(refresh)",
+        "category": "B2C DX - API Browser"
+      },
+      {
+        "command": "b2c-dx.apiBrowser.openSwagger",
+        "title": "Open API Documentation",
+        "category": "B2C DX - API Browser"
       },
       {
         "command": "b2c-dx.sandbox.refresh",
@@ -387,6 +408,11 @@
           "when": "view == b2cContentExplorer && b2cContentFilterActive",
           "group": "navigation"
         },
+        {
+          "command": "b2c-dx.apiBrowser.refresh",
+          "when": "view == b2cApiBrowser",
+          "group": "navigation"
+        },
         {
           "command": "b2c-dx.sandbox.refresh",
           "when": "view == b2cSandboxExplorer",
@@ -532,6 +558,10 @@
         }
       ],
       "commandPalette": [
+        {
+          "command": "b2c-dx.apiBrowser.openSwagger",
+          "when": "false"
+        },
         {
           "command": "b2c-dx.sandbox.removeRealm",
           "when": "false"
@@ -639,6 +669,7 @@
     "@vscode/test-electron": "^2.5.2",
     "@vscode/vsce": "^3.7.1",
     "esbuild": "^0.24.0",
+    "swagger-ui-dist": "^5.18.0",
     "eslint": "catalog:",
     "eslint-config-prettier": "catalog:",
     "eslint-plugin-header": "catalog:",

packages/b2c-vs-extension/scripts/esbuild-bundle.mjs

@@ -72,6 +72,21 @@ function inlineSdkPackageJson() {
   fs.writeFileSync(outPath, str, 'utf8');
 }
 
+/** Copy Swagger UI assets to dist/swagger-ui/ for the API Browser webview. */
+function copySwaggerUiAssets() {
+  // Resolve the swagger-ui-dist package location (pnpm may hoist it)
+  const swaggerUiIndex = fileURLToPath(import.meta.resolve('swagger-ui-dist'));
+  const swaggerUiDist = path.dirname(swaggerUiIndex);
+  const outDir = path.join(pkgRoot, 'dist', 'swagger-ui');
+  fs.mkdirSync(outDir, {recursive: true});
+
+  const files = ['swagger-ui-bundle.js', 'swagger-ui-standalone-preset.js', 'swagger-ui.css'];
+  for (const file of files) {
+    fs.copyFileSync(path.join(swaggerUiDist, file), path.join(outDir, file));
+  }
+  console.log(`[swagger-ui] Copied ${files.length} assets to dist/swagger-ui/`);
+}
+
 const watchMode = process.argv.includes('--watch');
 
 const buildOptions = {
@@ -103,6 +118,7 @@ if (watchMode) {
 
   inlineSdkPackageJson();
   copySdkScaffolds();
+  copySwaggerUiAssets();
 
   if (result.metafile && process.env.ANALYZE_BUNDLE) {
     const metaPath = path.join(pkgRoot, 'dist', 'meta.json');