Bump version to 0.1.6.34

- Changed the method of loading cover images to use the API route instead of directly from the filesystem.
- This aligns with the existing approach for audio playback and improves consistency across the application.

Dockerfile

@@ -27,7 +27,9 @@ COPY . .
 RUN if [ -n "$APP_VERSION" ]; then \
     echo "$APP_VERSION" > /tmp/version.txt; \
     else \
-    (git describe --tags --always 2>/dev/null || \
+    (git describe --tags --exact-match 2>/dev/null || \
+     git describe --tags --abbrev=0 2>/dev/null || \
+     git tag --sort=-version:refname | head -1 2>/dev/null || \
      (grep -o '"version": "[^"]*"' package.json 2>/dev/null | cut -d'"' -f4 | sed 's/^/v/') || \
      echo "dev") > /tmp/version.txt; \
     fi && \

app/api/covers/[filename]/route.ts

@@ -0,0 +1,95 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { stat } from 'fs/promises';
+import { createReadStream } from 'fs';
+import path from 'path';
+
+export async function GET(
+    request: NextRequest,
+    { params }: { params: Promise<{ filename: string }> }
+) {
+    try {
+        const { filename } = await params;
+
+        // Security: Prevent path traversal attacks
+        // Allow alphanumeric, hyphens, underscores, and dots for image filenames
+        // Support common image formats: jpg, jpeg, png, gif, webp
+        const safeFilenamePattern = /^[a-zA-Z0-9_\-\.]+\.(jpg|jpeg|png|gif|webp)$/i;
+        if (!safeFilenamePattern.test(filename)) {
+            return new NextResponse('Invalid filename', { status: 400 });
+        }
+
+        // Additional check: ensure no path separators
+        if (filename.includes('/') || filename.includes('\\') || filename.includes('..')) {
+            return new NextResponse('Invalid filename', { status: 400 });
+        }
+
+        const filePath = path.join(process.cwd(), 'public/uploads/covers', filename);
+
+        // Security: Verify the resolved path is still within covers directory
+        const coversDir = path.join(process.cwd(), 'public/uploads/covers');
+        const resolvedPath = path.resolve(filePath);
+        if (!resolvedPath.startsWith(coversDir)) {
+            return new NextResponse('Forbidden', { status: 403 });
+        }
+
+        const stats = await stat(filePath);
+        const fileSize = stats.size;
+
+        // Determine content type based on file extension
+        const ext = filename.toLowerCase().split('.').pop();
+        const contentTypeMap: Record<string, string> = {
+            'jpg': 'image/jpeg',
+            'jpeg': 'image/jpeg',
+            'png': 'image/png',
+            'gif': 'image/gif',
+            'webp': 'image/webp',
+        };
+        const contentType = contentTypeMap[ext || ''] || 'image/jpeg';
+
+        const stream = createReadStream(filePath);
+
+        // Convert Node stream to Web stream
+        const readable = new ReadableStream({
+            start(controller) {
+                let isClosed = false;
+
+                stream.on('data', (chunk: any) => {
+                    if (isClosed) return;
+                    try {
+                        controller.enqueue(chunk);
+                    } catch (e) {
+                        isClosed = true;
+                        stream.destroy();
+                    }
+                });
+
+                stream.on('end', () => {
+                    if (isClosed) return;
+                    isClosed = true;
+                    controller.close();
+                });
+
+                stream.on('error', (err: any) => {
+                    if (isClosed) return;
+                    isClosed = true;
+                    controller.error(err);
+                });
+            },
+            cancel() {
+                stream.destroy();
+            }
+        });
+
+        return new NextResponse(readable, {
+            status: 200,
+            headers: {
+                'Content-Length': fileSize.toString(),
+                'Content-Type': contentType,
+                'Cache-Control': 'public, max-age=3600, must-revalidate',
+            },
+        });
+    } catch (error) {
+        console.error('Error serving cover image:', error);
+        return new NextResponse('Internal Server Error', { status: 500 });
+    }
+}

app/api/curator/specials/[id]/route.ts

@@ -1,9 +1,14 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { PrismaClient } from '@prisma/client';
 import { requireStaffAuth } from '@/lib/auth';
+import { access } from 'fs/promises';
+import path from 'path';
 
 const prisma = new PrismaClient();
 
+// Mark route as dynamic to prevent caching
+export const dynamic = 'force-dynamic';
+
 export async function GET(
     request: NextRequest,
     { params }: { params: Promise<{ id: string }> }
@@ -52,13 +57,40 @@ export async function GET(
         return NextResponse.json({ error: 'Special not found' }, { status: 404 });
     }
 
-    // Filtere Songs ohne vollständige Song-Daten (song, song.filename)
+    // Filtere Songs ohne vollständige Song-Daten und prüfe Datei-Existenz
-    // Dies verhindert Fehler im Frontend, wenn Songs gelöscht wurden oder Daten fehlen
+    // Dies verhindert Fehler im Frontend, wenn Songs gelöscht wurden, Daten fehlen
-    const filteredSongs = special.songs.filter(ss => ss.song && ss.song.filename);
+    // oder Dateien noch nicht im Container verfügbar sind (Volume Mount Delay)
+    const uploadsDir = path.join(process.cwd(), 'public/uploads');
+    
+    const filteredSongs = await Promise.all(
+        special.songs
+            .filter(ss => ss.song && ss.song.filename)
+            .map(async (ss) => {
+                const filePath = path.join(uploadsDir, ss.song.filename);
+                try {
+                    // Prüfe ob Datei existiert und zugänglich ist
+                    await access(filePath);
+                    return ss;
+                } catch (error) {
+                    // Datei existiert nicht oder ist nicht zugänglich
+                    console.warn(`[API] Song file not available: ${ss.song.filename} (may be syncing)`);
+                    return null;
+                }
+            })
+    );
+
+    // Entferne null-Werte (Songs ohne verfügbare Dateien)
+    const availableSongs = filteredSongs.filter((ss): ss is typeof special.songs[0] => ss !== null);
 
     return NextResponse.json({
         ...special,
-        songs: filteredSongs,
+        songs: availableSongs,
+    }, {
+        headers: {
+            'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
+            'Pragma': 'no-cache',
+            'Expires': '0',
+        },
     });
 }
 

app/curator/CuratorPageClient.tsx

@@ -1615,7 +1615,7 @@ export default function CuratorPageClient() {
                             </div>
                         )}
                         
-                        <div style={{ overflowX: 'auto' }}>
+                        <div style={{ overflowX: 'auto', position: 'relative' }}>
                             <table
                                 style={{
                                     width: '100%',
@@ -1686,7 +1686,17 @@ export default function CuratorPageClient() {
                                             {t('columnRating')} {sortField === 'averageRating' && (sortDirection === 'asc' ? '↑' : '↓')}
                                         </th>
                                         <th style={{ padding: '0.5rem' }}>{t('columnExcludeGlobal')}</th>
-                                        <th style={{ padding: '0.5rem' }}>{t('columnActions')}</th>
+                                        <th 
+                                            style={{ 
+                                                padding: '0.5rem',
+                                                position: 'sticky',
+                                                right: 0,
+                                                backgroundColor: 'white',
+                                                zIndex: 10,
+                                            }}
+                                        >
+                                            {t('columnActions')}
+                                        </th>
                                     </tr>
                                 </thead>
                                 <tbody>
@@ -1701,12 +1711,13 @@ export default function CuratorPageClient() {
 
                                         const isSelected = selectedSongIds.has(song.id);
                                         
+                                        const rowBackgroundColor = isSelected ? '#eff6ff' : 'white';
                                         return (
                                             <tr 
                                                 key={song.id} 
                                                 style={{ 
                                                     borderBottom: '1px solid #f3f4f6',
-                                                    backgroundColor: isSelected ? '#eff6ff' : 'transparent',
+                                                    backgroundColor: rowBackgroundColor,
                                                 }}
                                             >
                                                 <td style={{ padding: '0.5rem' }}>
@@ -1810,7 +1821,7 @@ export default function CuratorPageClient() {
                                                             }}
                                                         >
                                                             <img
-                                                                src={`/uploads/covers/${song.coverImage}`}
+                                                                src={`/api/covers/${song.coverImage}`}
                                                                 alt={`Cover für ${song.title}`}
                                                                 style={{
                                                                     width: '200px',
@@ -2010,6 +2021,10 @@ export default function CuratorPageClient() {
                                                     style={{
                                                         padding: '0.5rem',
                                                         whiteSpace: 'nowrap',
+                                                        position: 'sticky',
+                                                        right: 0,
+                                                        backgroundColor: rowBackgroundColor,
+                                                        zIndex: 10,
                                                     }}
                                                 >
                                                     {isEditing ? (
@@ -2025,6 +2040,7 @@ export default function CuratorPageClient() {
                                                                     border: 'none',
                                                                     borderRadius: '0.25rem',
                                                                     cursor: 'pointer',
+                                                                    whiteSpace: 'nowrap',
                                                                 }}
                                                             >
                                                                 💾
@@ -2038,6 +2054,7 @@ export default function CuratorPageClient() {
                                                                     border: 'none',
                                                                     borderRadius: '0.25rem',
                                                                     cursor: 'pointer',
+                                                                    whiteSpace: 'nowrap',
                                                                 }}
                                                             >
                                                                 ✖

app/curator/specials/[id]/page.tsx

@@ -32,6 +32,7 @@ export default function CuratorSpecialEditorPage() {
             }
             const res = await fetch(`/api/curator/specials/${specialId}`, {
                 headers: getCuratorAuthHeaders(),
+                cache: 'no-store',
             });
             if (res.status === 403) {
                 setError(t('specialForbidden'));

components/CurateSpecialEditor.tsx

@@ -184,7 +184,7 @@ export default function CurateSpecialEditor({
                                     </button>
                                 </div>
                                 <WaveformEditor
-                                    audioUrl={`/uploads/${selectedSpecialSong.song.filename}`}
+                                    audioUrl={`/api/audio/${selectedSpecialSong.song.filename}`}
                                     startTime={pendingStartTime ?? selectedSpecialSong.startTime}
                                     duration={totalDuration}
                                     unlockSteps={unlockSteps}

docs/TESTING.md

@@ -0,0 +1,88 @@
+# Integration Testing
+
+Hördle uses [Playwright](https://playwright.dev/) for end-to-end (E2E) integration testing. These tests ensure that critical flows like gameplay, authentication, and admin management function correctly across different browsers.
+
+## Prerequisites
+
+Ensure you have the Playwright browsers installed:
+
+```bash
+npx playwright install
+```
+
+## Running Tests
+
+### Headless Mode (CI/CLI)
+
+To run all tests in headless mode (Chromium, Firefox, WebKit):
+
+```bash
+npm run test:e2e
+```
+
+### UI Mode (Interactive)
+
+To run tests with a UI to inspect traces and watch execution:
+
+```bash
+npm run test:e2e:ui
+```
+
+### Specific Test File
+
+To run a specific test file:
+
+```bash
+npx playwright test tests/gameplay.spec.ts
+```
+
+### Specific Project (Browser)
+
+To run tests only on a specific browser (e.g., Chromium):
+
+```bash
+npx playwright test --project=chromium
+```
+
+## Configuration
+
+The Playwright configuration is located in `playwright.config.ts`. It sets up the base URL (default: `http://localhost:3000`) and the web server command to start the app if it's not running.
+
+### Environment Variables
+
+*   **`ADMIN_PASSWORD`**: The tests assume the admin password is `'admin123'`. 
+    *   In `app/api/admin/login/route.ts`, the login logic has been enhanced to check if `ADMIN_PASSWORD` is a bcrypt hash (starts with `$2b$`) or plain text. 
+    *   For local testing, you can set `ADMIN_PASSWORD="admin123"` in your `.env` or `.env.local` (though the default fallback in the code also handles this).
+*   **Curator Credentials**: The mock Curator login page (`app/[locale]/curator/page.tsx`) mocks validation for testing.
+    *   Username: `elpatron`
+    *   Password: `example_password`
+
+## Test Structure
+
+Tests are located in the `tests/` directory:
+
+*   **`auth.spec.ts`**: Verifies public access and admin login flows.
+*   **`admin.spec.ts`**: Checks the Admin Dashboard, including access protection and visibility of sections (Dashboard, Daily Puzzles, etc.).
+*   **`curator.spec.ts`**: Verifies the Curator login form and authentication flows (valid/invalid credentials).
+*   **`gameplay.spec.ts`**: Tests the core game loop: loading the game, playing audio, interaction with the prompt, and submitting a guess.
+
+## Troubleshooting & Known Issues
+
+### Next.js Development Overlay (`nextjs-portal`)
+
+In development mode (`npm run dev`), Next.js injects an overlay (`<nextjs-portal>`) for hot reloading feedback. This overlay can sometimes intercept clicks intended for UI elements, causing tests to fail with "element is not clickable" or timeout errors.
+
+**Solution:** 
+We inject a CSS style in the `beforeEach` hook of our tests to hide this overlay:
+
+```typescript
+test.beforeEach(async ({ page }) => {
+    await page.addStyleTag({ content: 'nextjs-portal, #nextjs-dev-overlay, [data-nextjs-dev-overlay] { display: none !important; }' });
+});
+```
+
+### WebKit (Safari) Stability
+
+WebKit can be slower or more sensitive to timing in some environments. If tests fail on WebKit but pass on other browsers:
+1.  Try increasing the timeout in `playwright.config.ts`.
+2.  Use `await page.waitForTimeout(500)` or specific assertions like `await expect(page).toHaveURL(...)` to allow for transition times, as implemented in `tests/admin.spec.ts`.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "hoerdle",
-  "version": "0.1.6.29",
+  "version": "0.1.6.34",
   "private": true,
   "scripts": {
     "dev": "next dev",

scripts/deploy.sh

@@ -63,8 +63,10 @@ fi
 ./scripts/backup-restic.sh
 
 # Nur neueste Version holen (shallow fetch), vollständiges Repo ist im Deployment nicht nötig
-echo "📥 Fetching latest commit (shallow clone) from git..."
+# Wichtig: Tags müssen vollständig geholt werden für Version-Anzeige
-git fetch --prune --tags --depth=1 origin master
+echo "📥 Fetching latest commit and all tags from git..."
+git fetch --prune --tags origin master
+git fetch --tags origin
 git reset --hard origin/master
 
 # Prüfe und erstelle/repariere Netzwerk falls nötig