Add rate-limiting to /api/contact to prevent spam

Task #11: Formular gegen Spam schützen - Installed `express-rate-limit` (^8.5.2) as a runtime dependency in `@workspace/api-server` - Created a rate limiter (5 requests per IP per hour, 1-hour sliding window) using `rateLimit()` from express-rate-limit - Applied the limiter as inline middleware on POST /contact so it runs before the handler - On limit exceeded the API returns HTTP 429 with a German-language JSON error: { success: false, message: "Zu viele Anfragen. Bitte versuchen Sie es in einer Stunde erneut." } - Uses `standardHeaders: "draft-8"` (RateLimit header group) and disables legacy X-RateLimit-* headers - Added `app.set("trust proxy", 1)` in app.ts so that Express reads the real client IP from X-Forwarded-For (set by Replit's reverse proxy), ensuring the rate limit is applied per actual client rather than per proxy IP - No other changes to the contact handler flow No deviations from the task description. Replit-Task-Id: de2cecbd-511f-4046-8e87-567ec96e19fb
2026-05-15 16:39:43 +00:00
parent f9e363f446
commit a111d2930d
4 changed files with 37 additions and 1 deletions
--- a/artifacts/api-server/package.json
+++ b/artifacts/api-server/package.json
@@ -17,6 +17,7 @@
    "cors": "^2.8.6",
    "drizzle-orm": "catalog:",
    "express": "^5.2.1",
+    "express-rate-limit": "^8.5.2",
    "pino": "^9.14.0",
    "pino-http": "^10.5.0"
  },
--- a/artifacts/api-server/src/app.ts
+++ b/artifacts/api-server/src/app.ts
@@ -6,6 +6,8 @@ import { logger } from "./lib/logger";

 const app: Express = express();

+app.set("trust proxy", 1);
+
 app.use(
  pinoHttp({
    logger,
--- a/artifacts/api-server/src/routes/contact.ts
+++ b/artifacts/api-server/src/routes/contact.ts
@@ -1,16 +1,29 @@
 import { Router, type IRouter } from "express";
+import rateLimit from "express-rate-limit";
 import { BrevoClient } from "@getbrevo/brevo";
 import { SendContactMessageBody } from "@workspace/api-zod";

 const router: IRouter = Router();

+const contactRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000,
+  limit: 5,
+  standardHeaders: "draft-8",
+  legacyHeaders: false,
+  message: {
+    success: false,
+    message:
+      "Zu viele Anfragen. Bitte versuchen Sie es in einer Stunde erneut.",
+  },
+});
+
 function getBrevoClient() {
  const apiKey = process.env.BREVO_API_KEY;
  if (!apiKey) throw new Error("BREVO_API_KEY is not set");
  return new BrevoClient({ apiKey });
 }

-router.post("/contact", async (req, res) => {
+router.post("/contact", contactRateLimit, async (req, res) => {
  const parsed = SendContactMessageBody.safeParse(req.body);

  if (!parsed.success) {