Add products.validators.js and tags.validators.js following the same
pattern as articles/users. Wire createProductRules, updateProductRules,
and createTagRules into their respective routes via the validate middleware.
Remove the local fieldValidation helper from both controllers and fix
missing return statements on next() calls in products.controller.js.
Replaces the broken fieldValidation helper (called next() without return,
so execution continued on invalid input) with express-validator chains
applied at the route level. Validation covers: email format, username
constraints, password min length, field lengths, URL and phone formats.
products and tags controllers retain their local fieldValidation pending
a separate ecommerce validation pass.
Helmet adds HTTP security headers (HSTS, X-Frame-Options,
X-Content-Type-Options, etc.). CSP is disabled pending deployment-
specific tuning. Rate limiting (10 req / 15 min per IP) is applied
to POST /login and POST / (registration) to mitigate brute force
and credential stuffing attacks.
Product and products routes were sitting under /api/cms but conceptually
belong to a separate e-commerce domain. Split them out into a dedicated
ecommerce subrouter mounted at /api/ecommerce.