Fix: Cover-Endpoint ohne Auth damit Browser-img-Tags funktionieren

get_current_user vom /api/items/{id}/cover Endpoint entfernt —
Browser lädt <img src> ohne Bearer-Token, daher kam immer 401 → Placeholder.
Cover-IDs sind UUIDs, kein Sicherheitsrisiko.
Bonus: korrekte media_type Erkennung für PNG/JPEG.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/routers/items.py

@@ -135,7 +135,6 @@ async def get_item(
 @router.get("/{item_id}/cover")
 async def get_cover(
     item_id: str,
-    current_user: User = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     result = await db.execute(select(LibraryItem).where(LibraryItem.id == item_id))
@@ -144,7 +143,9 @@ async def get_cover(
         raise HTTPException(status_code=404, detail="Cover not found")
     if not os.path.exists(item.cover_path):
         raise HTTPException(status_code=404, detail="Cover file missing")
-    return FileResponse(item.cover_path, media_type="image/jpeg")
+    ext = os.path.splitext(item.cover_path)[1].lower()
+    media_type = "image/png" if ext == ".png" else "image/jpeg"
+    return FileResponse(item.cover_path, media_type=media_type)
 
 
 @router.patch("/{item_id}")