Should I re-authenticate once Socket.io upgrades to WebSockets?


When using Socket.io in NodeJS, it creates a polling transport first and then tries to upgrade it to a websocket on the side. During the initial polling request, it is possible to send headers to the server and use information in these to do authentication. That socket is then marked as safe, and every request coming after the initial one is considered to be coming from the same user.

This assumption is never stated directly in the Socket.io documentation, but several examples use middleware (which is only run on initial connection setup) to handle authentication.

My question is, does this certainty carry over when the polling transport is upgraded to a websocket? Should I re-authenticate once the socket presents an "upgrade" event? And am I certain that a malicious client won't be able to establish a websocket directly, without first going through the polling step?
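
As an added example (not part of the original question and not Socket.IO's own code): a handshake middleware of the kind the question describes, written so it makes the same decision whether the handshake arrives over polling or directly over a websocket, and so it records a later transport upgrade on the same socket. The token format, the demo key and the fields stored on `socket.data` are assumptions made for this example.

```javascript
const crypto = require('crypto');

// Constructed demo key; a real deployment loads this from a secret store.
const DEMO_KEY = Buffer.from('constructed-demo-key-not-a-real-secret');

// Hypothetical token format for this example: "<userId>.<hex HMAC-SHA256 of userId>".
function signToken(userId, key = DEMO_KEY) {
  const mac = crypto.createHmac('sha256', key).update(userId).digest('hex');
  return `${userId}.${mac}`;
}

// Returns the userId for a valid token, or null for anything else.
function verifyToken(token, key = DEMO_KEY) {
  if (typeof token !== 'string') return null;
  const dot = token.lastIndexOf('.');
  if (dot <= 0) return null;
  const userId = token.slice(0, dot);
  const given = Buffer.from(token.slice(dot + 1), 'hex');
  const expected = crypto.createHmac('sha256', key).update(userId).digest();
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? userId : null;
}

// Socket.IO middleware signature: (socket, next). Nothing in the decision
// depends on which transport carried the handshake.
function authMiddleware(socket, next) {
  const hs = socket.handshake;
  const header = (hs.headers && hs.headers.authorization) || '';
  const bearer = header.replace(/^Bearer /, '');
  const userId = verifyToken((hs.auth && hs.auth.token) || bearer);
  if (!userId) return next(new Error('unauthorized'));
  // Bind the identity to this socket and note the transport it arrived on.
  socket.data = { userId, transports: [socket.conn.transport.name] };
  // Record a later transport change on the same session, for audit logs.
  socket.conn.on('upgrade', (t) => socket.data.transports.push(t.name));
  next();
}

// Wiring on a real server, where io is a socket.io Server instance:
//   io.use(authMiddleware);
```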
