howlongtobeat 0.2.2 → 0.2.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9c202be25ee5614c52d8334494939e9dbfb220a74e6f1fb1791b927bbf4ad1ba
-  data.tar.gz: '00268aa34aa51cd06ce4d0484f7bc380218e52ae881f5b967c03204379c48080'
+  metadata.gz: 5e8314a8423ed470f6b0f5f80097b903ece915d2a6eabc356cdb34104dacb929
+  data.tar.gz: 7e6c9c045ee96345593fa961007988a96b78ffd4dd1f44b0f4529f79c14f2ecd
 SHA512:
-  metadata.gz: 83c98f7ed7ef66cc500fd3f0005330371711a1b3111df321933fa7bc7b99909e720be9e95a2be354705fe674d8115065513fbe9f6cfa7644cbab01a6698c1065
-  data.tar.gz: dc27b8455d7c0d99015e9f57a3e5fe72e7efc837e6b3f7d7e528df8e15a7098d18406505064d5228b3e52784553a9ed75f6d2a68cee5ef2c8dd9c8392771076e
+  metadata.gz: e6cb621ce224ad454077852c33e4295f8bab8394c81865703c397a93f6d83d710142cd426b43f14e9d94bca24e2f9e9aafb1ab800db66709864f7a7531d29b27
+  data.tar.gz: e59d86c29009a8e2759874ef021c0ff49285d797778454ef60cb639d8d8899412ce445d5cf6180c3d6cfc756b6590b60324abffda6f305f6ca5648b61c6eb630

data/CHANGELOG.md

@@ -25,6 +25,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Security
 - None
 
+## [0.2.4] - 2026-05-07
+
+### Fixed
+- HLTB renamed the search endpoint from `/api/finder` to `/api/bleed`. Runtime discovery already adapted, but the hardcoded fallbacks didn't — refresh `SEARCH_URL`, the default in `fetch_search_token`, and the candidate list to put `/api/bleed` first.
+
+### Changed
+- Drop the `_app-*.js` script-name filter in `send_website_request_getcode`. The modern HLTB build (Turbopack) ships chunks with opaque names like `0-~-0up.q3_p0.js`, so the filter never matched and forced every search through a redundant retry. Single-pass discovery now iterates all `<script src>` tags directly.
+- `send_website_request_getcode` only returns when a `search_url` is found; finding only an `api_key` no longer short-circuits the loop.
+
+## [0.2.3] - 2026-04-15
+
+### Fixed
+- Send `x-hp-key` and `x-hp-val` headers extracted from the `/init` response, matching HLTB's updated API authentication (mirrors Python package v1.0.21)
+- Inject the dynamic key/value pair from `/init` into the search request payload
+
 ## [0.2.2] - 2026-03-24
 
 ### Fixed

data/lib/howlongtobeat/html_requests.rb

@@ -8,7 +8,10 @@ module HowLongToBeat
     BASE_URL = 'https://howlongtobeat.com'
     REFERER_HEADER = BASE_URL
     GAME_URL = "#{BASE_URL}/game"
-    SEARCH_URL = "#{BASE_URL}/api/finder"
+    # HLTB renames this endpoint periodically (most recent: /api/find -> /api/finder -> /api/bleed).
+    # The runtime discovery in `send_website_request_getcode` is the source of truth;
+    # this constant is the fallback when discovery fails.
+    SEARCH_URL = "#{BASE_URL}/api/bleed"
 
     class SearchModifiers
       NONE = ""
@@ -48,7 +51,8 @@ module HowLongToBeat
 
       def extract_search_url_script(script_content)
         # Prefer the search endpoint used in POST fetch calls, which is more stable
-        # than hardcoding "/api/search" and works with variants like "/api/finder".
+        # than hardcoding "/api/search" and works with variants like "/api/finder"
+        # and "/api/bleed" (current as of 2026-05).
         post_fetch_pattern = /fetch\s*\(\s*["']\/api\/([a-zA-Z0-9_\/-]+)[^"']*["']\s*,\s*{[^}]*method:\s*["']POST["'][^}]*}/mi
         if (match = script_content.match(post_fetch_pattern))
           path_suffix = match[1]
@@ -70,18 +74,28 @@ module HowLongToBeat
       end
     end
 
+    AuthStruct = Struct.new(:auth_token, :auth_key, :auth_value)
+
     class << self
-      def get_search_request_headers
-        {
+      def get_search_request_headers(auth_struct = nil)
+        headers = {
           'content-type' => 'application/json',
           'accept' => '*/*',
           'User-Agent' => random_user_agent,
-          'referer' => REFERER_HEADER,
-          'origin' => BASE_URL
+          'Referer' => REFERER_HEADER,
+          'Origin' => BASE_URL
         }
+
+        if auth_struct
+          headers['x-auth-token'] = auth_struct.auth_token.to_s if auth_struct.auth_token
+          headers['x-hp-key'] = auth_struct.auth_key.to_s if auth_struct.auth_key
+          headers['x-hp-val'] = auth_struct.auth_value.to_s if auth_struct.auth_value
+        end
+
+        headers
       end
 
-      def get_search_request_data(game_name, search_modifiers = SearchModifiers::NONE, page = 1, search_info = nil)
+      def get_search_request_data(game_name, search_modifiers = SearchModifiers::NONE, page = 1, search_info = nil, auth_struct = nil)
         payload = {
           searchType: 'games',
           searchTerms: game_name.split,
@@ -123,23 +137,24 @@ module HowLongToBeat
           payload[:searchOptions][:users][:id] = search_info.api_key
         end
 
+        if auth_struct&.auth_key && auth_struct&.auth_value
+          payload[auth_struct.auth_key] = auth_struct.auth_value
+        end
+
         payload.to_json
       end
 
       def send_web_request(game_name, search_modifiers = SearchModifiers::NONE, page = 1)
-        search_info = send_website_request_getcode(false)
-        if search_info.nil? || search_info.search_url.nil?
-          search_info = send_website_request_getcode(true)
-        end
+        search_info = send_website_request_getcode
 
         endpoint_candidates = build_endpoint_candidates(search_info&.search_url)
 
         endpoint_candidates.each do |endpoint|
-          token = fetch_search_token(endpoint)
-          next unless token
+          auth_struct = fetch_search_token(endpoint)
+          next unless auth_struct
 
-          headers = get_search_request_headers.merge('x-auth-token' => token)
-          payload = get_search_request_data(game_name, search_modifiers, page, search_info)
+          headers = get_search_request_headers(auth_struct)
+          payload = get_search_request_data(game_name, search_modifiers, page, search_info, auth_struct)
           search_url = "#{BASE_URL}#{endpoint}"
           response = make_request(search_url, headers, payload)
           return response if response
@@ -167,7 +182,7 @@ module HowLongToBeat
 
       def fetch_search_token(parsed_search_url = nil)
         base_endpoint = parsed_search_url.to_s.strip
-        base_endpoint = '/api/finder' if base_endpoint.empty?
+        base_endpoint = '/api/bleed' if base_endpoint.empty?
         base_endpoint = "/#{base_endpoint}" unless base_endpoint.start_with?('/')
         base_endpoint = base_endpoint.sub(%r{/+\z}, '')
         base_endpoint = base_endpoint.sub(%r{/init\z}, '')
@@ -180,7 +195,20 @@ module HowLongToBeat
         json = JSON.parse(response) rescue nil
         return nil unless json.is_a?(Hash)
 
-        json['token'] || json.dig('data', 'token') || json['auth_token'] || json['authToken']
+        token = json['token'] || json.dig('data', 'token') || json['auth_token'] || json['authToken']
+
+        auth_key = nil
+        auth_value = nil
+        json.each do |field_name, field_value|
+          lower = field_name.downcase
+          if lower.match?(/key/)
+            auth_key = field_value
+          elsif lower.match?(/val/)
+            auth_value = field_value
+          end
+        end
+
+        AuthStruct.new(token, auth_key, auth_value)
       rescue StandardError
         nil
       end
@@ -189,7 +217,8 @@ module HowLongToBeat
         preferred = parsed_endpoint.to_s.strip
         candidates = []
         candidates << preferred unless preferred.empty?
-        candidates.concat(['/api/finder', '/api/search', '/api/s'])
+        # Known historical endpoints, newest first. HLTB rotates this name periodically.
+        candidates.concat(['/api/bleed', '/api/finder', '/api/search', '/api/s'])
 
         normalized = candidates.map do |endpoint|
           next nil if endpoint.nil? || endpoint.strip.empty?
@@ -201,7 +230,13 @@ module HowLongToBeat
         normalized.compact.uniq
       end
 
-      def send_website_request_getcode(parse_all_scripts)
+      # Walks every <script src> tag on the homepage looking for one that
+      # contains a `fetch("/api/<name>", { method: "POST" })` call. HLTB used to
+      # bundle the relevant code under `_app-*.js`, but the modern (Turbopack)
+      # build emits opaque chunk names like `0-~-0up.q3_p0.js`, so a name-based
+      # filter is no longer reliable — we just iterate and stop on the first
+      # script that yields a `search_url`.
+      def send_website_request_getcode
         headers = get_title_request_headers
         response = make_get_request(BASE_URL, headers)
         return nil unless response
@@ -209,15 +244,16 @@ module HowLongToBeat
         doc = Nokogiri::HTML(response)
         script_urls = doc.css('script[src]').map { |script| script['src'] }
 
-        scripts = parse_all_scripts ? script_urls : script_urls.select { |url| url.include?('_app-') }
-
-        scripts.each do |script_url|
+        script_urls.each do |script_url|
           url = script_url.start_with?('http') ? script_url : "#{BASE_URL}#{script_url}"
           script_content = make_get_request(url, headers)
           next unless script_content
 
           search_info = SearchInfo.new(script_content)
-          return search_info if (search_info.search_url && !search_info.search_url.empty?) || (search_info.api_key && !search_info.api_key.empty?)
+          # Only return on a search_url match — an api_key without a search_url
+          # leaves us with no idea where to POST, and the loop should keep
+          # looking for a chunk that gives us the endpoint.
+          return search_info if search_info.search_url && !search_info.search_url.empty?
         end
 
         nil

data/lib/howlongtobeat/version.rb

@@ -1,3 +1,3 @@
 module HowLongToBeat
-  VERSION = "0.2.2"
+  VERSION = "0.2.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: howlongtobeat
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.2.4
 platform: ruby
 authors:
 - Dmitrii Pashutskii
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-03-24 00:00:00.000000000 Z
+date: 2026-05-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri