Add rate-limiting to /api/contact to prevent spam

Task #11: Formular gegen Spam schützen

- Installed `express-rate-limit` (^8.5.2) as a runtime dependency in
  `@workspace/api-server`
- Created a rate limiter (5 requests per IP per hour, 1-hour sliding window)
  using `rateLimit()` from express-rate-limit
- Applied the limiter as inline middleware on POST /contact so it runs before
  the handler
- On limit exceeded the API returns HTTP 429 with a German-language JSON error:
  { success: false, message: "Zu viele Anfragen. Bitte versuchen Sie es in
  einer Stunde erneut." }
- Uses `standardHeaders: "draft-8"` (RateLimit header group) and disables
  legacy X-RateLimit-* headers
- Added `app.set("trust proxy", 1)` in app.ts so that Express reads the real
  client IP from X-Forwarded-For (set by Replit's reverse proxy), ensuring
  the rate limit is applied per actual client rather than per proxy IP
- No other changes to the contact handler flow

No deviations from the task description.

Replit-Task-Id: de2cecbd-511f-4046-8e87-567ec96e19fb

artifacts/api-server/package.json

@@ -17,6 +17,7 @@
     "cors": "^2.8.6",
     "drizzle-orm": "catalog:",
     "express": "^5.2.1",
+    "express-rate-limit": "^8.5.2",
     "pino": "^9.14.0",
     "pino-http": "^10.5.0"
   },

artifacts/api-server/src/app.ts

@@ -6,6 +6,8 @@ import { logger } from "./lib/logger";
 
 const app: Express = express();
 
+app.set("trust proxy", 1);
+
 app.use(
   pinoHttp({
     logger,

artifacts/api-server/src/routes/contact.ts

@@ -1,16 +1,29 @@
 import { Router, type IRouter } from "express";
+import rateLimit from "express-rate-limit";
 import { BrevoClient } from "@getbrevo/brevo";
 import { SendContactMessageBody } from "@workspace/api-zod";
 
 const router: IRouter = Router();
 
+const contactRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000,
+  limit: 5,
+  standardHeaders: "draft-8",
+  legacyHeaders: false,
+  message: {
+    success: false,
+    message:
+      "Zu viele Anfragen. Bitte versuchen Sie es in einer Stunde erneut.",
+  },
+});
+
 function getBrevoClient() {
   const apiKey = process.env.BREVO_API_KEY;
   if (!apiKey) throw new Error("BREVO_API_KEY is not set");
   return new BrevoClient({ apiKey });
 }
 
-router.post("/contact", async (req, res) => {
+router.post("/contact", contactRateLimit, async (req, res) => {
   const parsed = SendContactMessageBody.safeParse(req.body);
 
   if (!parsed.success) {

pnpm-lock.yaml

@@ -187,6 +187,9 @@ importers:
       express:
         specifier: ^5.2.1
         version: 5.2.1
+      express-rate-limit:
+        specifier: ^8.5.2
+        version: 8.5.2(express@5.2.1)
       pino:
         specifier: ^9.14.0
         version: 9.14.0
@@ -2157,6 +2160,12 @@ packages:
     resolution: {integrity: sha512-9Be3ZoN4LmYR90tUoVu2te2BsbzHfhJyfEiAVfz7N5/zv+jduIfLrV2xdQXOHbaD6KgpGdO9PRPM1Y4Q9QkPkA==}
     engines: {node: ^18.19.0 || >=20.5.0}
 
+  express-rate-limit@8.5.2:
+    resolution: {integrity: sha512-5Kb34ipNX694DH48vN9irak1Qx30nb0PLYHXfJgw4YEjiC3ZEmZJhwOp+VfiCYwFzvFTdB9QkArYS5kXa2cx2A==}
+    engines: {node: '>= 16'}
+    peerDependencies:
+      express: '>= 4.11'
+
   express@5.2.1:
     resolution: {integrity: sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==}
     engines: {node: '>= 18'}
@@ -2325,6 +2334,10 @@ packages:
     resolution: {integrity: sha512-5Hh7Y1wQbvY5ooGgPbDaL5iYLAPzMTUrjMulskHLH6wnv/A+1q5rgEaiuqEjB+oxGXIVZs1FF+R/KPN3ZSQYYg==}
     engines: {node: '>=12'}
 
+  ip-address@10.2.0:
+    resolution: {integrity: sha512-/+S6j4E9AHvW9SWMSEY9Xfy66O5PWvVEJ08O0y5JGyEKQpojb0K0GKpz/v5HJ/G0vi3D2sjGK78119oXZeE0qA==}
+    engines: {node: '>= 12'}
+
   ipaddr.js@1.9.1:
     resolution: {integrity: sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==}
     engines: {node: '>= 0.10'}
@@ -4728,6 +4741,11 @@ snapshots:
       strip-final-newline: 4.0.0
       yoctocolors: 2.1.2
 
+  express-rate-limit@8.5.2(express@5.2.1):
+    dependencies:
+      express: 5.2.1
+      ip-address: 10.2.0
+
   express@5.2.1:
     dependencies:
       accepts: 2.0.0
@@ -4918,6 +4936,8 @@ snapshots:
 
   internmap@2.0.3: {}
 
+  ip-address@10.2.0: {}
+
   ipaddr.js@1.9.1: {}
 
   is-extglob@2.1.1: {}