dlseitz.dev-backend/routes/contactRoutes.js

// contactRoutes.js
module.exports = (contactController, securityMw) => {
    const express = require('express');
    const router = express.Router();
    const rateLimit = require('express-rate-limit');
    const { body, validationResult } = require('express-validator');

    // 🛡️ Configure rate limiting to prevent DDoS and spamming
    const apiLimiter = rateLimit({
        windowMs: 15 * 60 * 1000, // 15 minutes
        max: 5,
        message: "Too many requests from this IP, please try again after 15 minutes."
    });

    // Define the route for form submissions with all middleware
    router.post('/submit-form',
        apiLimiter,
        // The security middleware is now a separate step,
        // containing both the honeypot check and hCaptcha verification.
        securityMw.formSecurityCheck,
        [
            // express-validator: sanitation and validation
            body('firstName').trim().escape(),
            body('lastName').trim().escape(),
            body('email').isEmail().normalizeEmail(),
            body('organization').trim().escape(),
            body('phone').trim(),
            body('message').trim().escape(),
        ],
        // Middleware to handle the express-validator results
        (req, res, next) => {
            const errors = validationResult(req);
            if (!errors.isEmpty()) {
                console.error('Validation failed:', errors.array());
                return res.status(400).json({ success: false, message: 'Invalid form data.' });
            }
            next();
        },
        // The controller, which is the final step
        contactController.submitForm
    );

    // Return the configured router
    return router;
};