module.exports = (contactController, securityMw) => {
    const express = require('express');
    const router = express.Router();
    const rateLimit = require('express-rate-limit');
    const { body, validationResult } = require('express-validator');

    // Rate limiter to prevent spam
    const apiLimiter = rateLimit({
        windowMs: 15 * 60 * 1000, // 15 minutes
        max: 5,
        message: "Too many requests from this IP, please try again after 15 minutes."
    });

    router.post('/submit-form',
        apiLimiter,
        securityMw.formSecurityCheck,
        [
            body('firstName').trim().escape(),
            body('lastName').trim().escape(),
            body('email').isEmail().normalizeEmail(),
            body('organization').trim().escape(),
            body('phone').trim(),
            body('message').trim().escape(),
            body('contactMethod')
                .notEmpty().withMessage('Contact method is required.')
                .isIn(['email', 'phone']).withMessage('Contact method must be email or phone.'),
            body('privacyAccepted')
                .isBoolean().withMessage('Privacy acceptance must be true or false.'),
        ],
        (req, res, next) => {
            const errors = validationResult(req);
            if (!errors.isEmpty()) {
                console.error('Validation failed:', errors.array());
                return res.status(400).json({ success: false, message: 'Invalid form data.', errors: errors.array() });
            }
            next();
        },
        contactController.submitForm
    );

    return router;
};