Task #11: Formular gegen Spam schützen
- Installed `express-rate-limit` (^8.5.2) as a runtime dependency in
`@workspace/api-server`
- Created a rate limiter (5 requests per IP per hour, 1-hour sliding window)
using `rateLimit()` from express-rate-limit
- Applied the limiter as inline middleware on POST /contact so it runs before
the handler
- On limit exceeded the API returns HTTP 429 with a German-language JSON error:
{ success: false, message: "Zu viele Anfragen. Bitte versuchen Sie es in
einer Stunde erneut." }
- Uses `standardHeaders: "draft-8"` (RateLimit header group) and disables
legacy X-RateLimit-* headers
- Added `app.set("trust proxy", 1)` in app.ts so that Express reads the real
client IP from X-Forwarded-For (set by Replit's reverse proxy), ensuring
the rate limit is applied per actual client rather than per proxy IP
- No other changes to the contact handler flow
No deviations from the task description.
Replit-Task-Id: de2cecbd-511f-4046-8e87-567ec96e19fb
After a visitor submits the contact form, Brevo now sends two emails:
1. The existing notification to jh@unixweb.de with the message details
2. A new confirmation email to the sender's address
The confirmation email:
- Is sent from "Joachim Hummel <jh@unixweb.de>"
- Addresses the sender by name
- Thanks them and sets response-time expectations (1-2 Werktage)
- Includes both plain-text and HTML versions
- Is logged separately via req.log.info for observability
If either email fails, the entire request returns a 500 error (atomic
behavior — both succeed or neither does from the user's perspective).
File changed:
- artifacts/api-server/src/routes/contact.ts
Also ran `pnpm --filter @workspace/api-spec run codegen` to fix a
pre-existing typecheck failure caused by stale generated lib output.
Typecheck passes cleanly after codegen.
Replit-Task-Id: a5d51157-6bd1-48c7-ba04-68e7d951eeab
