Checking session with client/useSession vs api/getSession

[YuriGor]

Hi, could you please advice if there is some performance/resources consumption drawback in the approach below:
(I am using jwt sessions with mongo on vercel)

• instead of checking if user authorized to access some page with 'useSession' before loading page data
  I just check if user is authorized on corresponding API on back end using 'getSession' and if not - return 401 so on client side if I see 401 instead of expected data - I show message/link to login.

So my question is - am I causing excessive requests to back end?
Maybe by using 'useSession' on client side next-auth will ping server only few times and then just cache session/info session is missing in browser instead of doing requests to backend on each data request?

Or it's not a big difference and I can stay with my API-based approach and enjoy a bit more readable and reusable code?
Statistically normal user will not lurk over random private URLs trying to load them multiple times being not authorized, right?

Reason why I want to not check session separately - to not worry about it at all, so from react perspective there is no separate phases with waiting for loading session info / checking session /waiting for loading data . Everything is hidden into single loading data phase (handled by SWR) and auth error is just one of possible data errors. So in UI I don't worry explicitly which page is restricted and which is available anonymously, all this is up to back-end and generic error handler.

[YuriGor]

Yeah, looks like I am doing extra request.
Anyway I have session check to show user menu in app bar on top,
so if I check session first and then don't request data if session is missing - it's only one "session" request made by next-auth:

But if I don't check session on client and try to request data, then I still have this session request + my failed data request:

I just don't like the idea of using some withAuth hoc explicitly, when I already have declared corresponding api is private - it's a double declaration. I'd like to be lazy and maintain public/private distinction in one place, on back end, but here is a price.

Maybe there is a way to let next-auth know about this 401 just happend? So it will not try to fetch session info until user will sign in?

[YuriGor]

If on each 401 I could do something like this:

next-auth/src/client/index.js

Line 284 in b3ffe50

broadcast.post({ event: 'session', data: { trigger: 'signout' } })

then next-auth could trust me there is no session without doing extra requests.