You can place the server-side application logic in the app/server directory. Derby applications provide Express middleware on the server, so you can bundle other middleware before doing this. For example, you might have authentication middleware that prevents certain routes from being displayed if the user is not logged in.
However, this is not a sufficient authentication solution because data updates arrive as messages through Socket.IO and they will not pass through Express middleware through which the home page requests go.
We are going to add a simple solution that allows you to authenticate users and then allow them based on the path when they sign up or change data, but this has not yet been implemented. This is very important in the list of things that need to be done, and Derby is still in a stage of rapid development.