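// The entire module is a factory that accepts 'contactController' (plus optional
// tuning options) as an argument, so the controller can be injected, e.g. in tests.
const express = require('express');
const rateLimit = require('express-rate-limit');
const { body, validationResult } = require('express-validator');

// Upper bounds on submitted field sizes. These are constructed defaults, not
// values from the original file — tune them per deployment via `options`.
const DEFAULT_MAX_FIELD_LENGTH = 200;
const DEFAULT_MAX_MESSAGE_LENGTH = 5000;

/**
 * Build the contact-form router.
 *
 * Request pipeline for POST /submit-form:
 *   rate limiter -> honeypot check -> sanitation/validation -> validation
 *   result handler -> contactController.submitForm
 *
 * @param {{ submitForm: Function }} contactController - controller whose
 *   `submitForm(req, res, next)` handler runs as the final step.
 * @param {object} [options] - optional tuning; every key has a default that
 *   matches the previous hard-coded behaviour.
 * @param {number} [options.windowMs=900000] - rate-limit window in ms (15 min).
 * @param {number} [options.max=5] - requests allowed per client per window.
 * @param {number} [options.maxFieldLength=200] - max length of the short text
 *   fields (firstName, lastName, organization, phone).
 * @param {number} [options.maxMessageLength=5000] - max length of `message`.
 * @returns {import('express').Router} the configured router.
 */
module.exports = (contactController, options = {}) => {
  const {
    windowMs = 15 * 60 * 1000,
    max = 5,
    maxFieldLength = DEFAULT_MAX_FIELD_LENGTH,
    maxMessageLength = DEFAULT_MAX_MESSAGE_LENGTH,
  } = options;

  const router = express.Router();

  // 🛡️ Rate limiting to slow down spamming / abuse of the form endpoint.
  // NOTE(review): express-rate-limit keys on the client IP; when the app sits
  // behind a reverse proxy, `trust proxy` must be configured on the Express app
  // or every client shares the proxy's address — confirm in the app setup.
  const windowMinutes = Math.round(windowMs / 60000);
  const apiLimiter = rateLimit({
    windowMs,
    max,
    message: `Too many requests from this IP, please try again after ${windowMinutes} minutes.`,
  });

  // In-line honeypot check: a hidden `url` field that real users never fill.
  // A bot that fills it receives a fake success response so it does not learn
  // that the submission was discarded.
  const honeypot = (req, res, next) => {
    // Guard against the router being mounted without a body parser, in which
    // case `req.body` is undefined and the property access would throw.
    const payload = req.body || {};
    if (payload.url) {
      console.warn('Bot detected! Honeypot field was filled.');
      return res.status(200).json({ success: true, message: 'Thank you for your submission.' });
    }
    return next();
  };

  // express-validator: sanitation and validation. Length caps bound what a
  // client can push into downstream storage / e-mail; `escape()` neutralises
  // HTML-significant characters in the free-text fields.
  const validators = [
    body('firstName').trim().isLength({ max: maxFieldLength }).escape(),
    body('lastName').trim().isLength({ max: maxFieldLength }).escape(),
    body('email').isEmail().normalizeEmail(),
    body('organization').trim().isLength({ max: maxFieldLength }).escape(),
    body('phone').trim().isLength({ max: maxFieldLength }),
    body('message').trim().isLength({ max: maxMessageLength }).escape(),
  ];

  // Middleware to handle the express-validator results.
  const handleValidationErrors = (req, res, next) => {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      // Log only the names of the failing fields: `errors.array()` carries each
      // submitted `value` (name, e-mail, message text) into the server log.
      console.error('Validation failed for fields:', Object.keys(errors.mapped()));
      return res.status(400).json({ success: false, message: 'Invalid form data.' });
    }
    return next();
  };

  // Define the route for form submissions; the controller is the final step.
  router.post(
    '/submit-form',
    apiLimiter,
    honeypot,
    validators,
    handleValidationErrors,
    contactController.submitForm,
  );

  // Return the configured router
  return router;
};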