Let's create a new middleware layer that uses our application's session property to check whether a user is authorized to use a specific API. This middleware will be included on all the secured API routes of our application and will check whether the user's session carries the admin role before allowing the request through. This sort of user role middleware is useful for protecting sensitive parts of your application from unauthorized users.
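One way to write such a check, as an added example that is not the original page's code: it assumes an Express-style `(req, res, next)` signature and a session shaped like `req.session.user.role`, and the names `requireRole`, `requireAdmin`, `mockResponse` and `check` are hypothetical. It separates "not logged in" (401) from "logged in without the role" (403) and fails closed on malformed role values.

```javascript
// Added example: Express-style (req, res, next) middleware. The session shape
// req.session.user.role is an assumption, not taken from the original page.
function requireRole(requiredRole) {
  return function roleMiddleware(req, res, next) {
    const user = req.session && req.session.user;
    // No session or no logged-in user: unauthenticated, so answer 401.
    if (!user) {
      return res.status(401).json({ error: 'authentication required' });
    }
    // Strict comparison on a string: a missing, non-string or array-valued
    // role never passes the check (fail closed).
    if (typeof user.role !== 'string' || user.role !== requiredRole) {
      return res.status(403).json({ error: 'forbidden' });
    }
    // Only an exact role match reaches the protected route handler.
    return next();
  };
}

const requireAdmin = requireRole('admin');

// Minimal stand-in for the framework's response object (constructed for the example).
function mockResponse() {
  return {
    statusCode: 200,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
}

// Runs a middleware against a constructed request and reports the outcome.
function check(middleware, session) {
  const res = mockResponse();
  let allowed = false;
  middleware({ session }, res, () => { allowed = true; });
  return { allowed, status: res.statusCode };
}

// Constructed sample sessions: admin, ordinary user, and no session at all.
console.log(check(requireAdmin, { user: { id: 1, role: 'admin' } }));
console.log(check(requireAdmin, { user: { id: 2, role: 'user' } }));
console.log(check(requireAdmin, undefined));
```

In an Express-style application this middleware has to be registered after the session middleware that populates `req.session` and before the handlers of the secured routes.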