dlseitz.dev-backend/routes/contactRoutes.js

const express = require('express');
const router = express.Router();
const rateLimit = require('express-rate-limit');
const { body, validationResult } = require('express-validator');
const contactController = require('../controllers/contactController');
const { formSecurityCheck } = require('../middleware/securityMw');

// 🛡️ Configure rate limiting to prevent DDoS and spamming
const apiLimiter = rateLimit({
    windowMs: 15 * 60 * 1000, // 15 minutes
    max: 5,
    message: "Too many requests from this IP, please try again after 15 minutes."
});

// Define the route for form submissions
router.post('/submit-form',
    apiLimiter,
    [
        // express-validator: sanitation and validation
        body('firstName').trim().escape(),
        body('lastName').trim().escape(),
        body('email').isEmail().normalizeEmail(),
        body('organization').trim().escape(),
        body('phone').trim(),
        body('message').trim().escape(),
    ],
    // Middleware to handle the express-validator results
    (req, res, next) => {
        const errors = validationResult(req);
        if (!errors.isEmpty()) {
            console.error('Validation failed:', errors.array());
            return res.status(400).json({ success: false, message: 'Invalid form data.' });
        }
        next();
    },
    // The security middleware
    formSecurityCheck,
    // The controller, which is the final step
    contactController.submitForm
);

module.exports = router;