Authorization should happen at the level of the backend since using Socket.IO's authorization mechanism does not offer enough granularity. As an example, consider a backend that allows anyone to read but only logged in users to create, update or delete. By providing the backend with a socket, it could optionally obtain the session ID and authorize the current operation.

Experimenting on the auth branch:
https://github.com/scttnlsn/backbone.io/tree/auth