How does Meteor validate web socket requests?

Hi, we’re trying to ensure that our Meteor application is as secure as possible.

I understand that CSRF attacks and cookie tossing are prevented by not using cookies and that using SSL to encrypt DDP messages is essential.

One thing I’m unsure of is how Meteor validates each web socket request? I’m guessing using a session token stored in localStorage, but I can’t see where this takes place in the code base.

Can someone please explain or point me in the right direction?

Cheers.