In many cases the wakaama core obtains the client object from information in incoming packets (for example, the token in observations); however, it should retrieve the client object based on the endpoint (source IP + port).
In other words, is client authentication checked?
If not, then a client may be impersonated (maliciously or by DHCP "accidents").
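
The two lookup strategies contrasted above, as an added example that is not part of the original post and is not wakaama code. The types `peer_t` and `observation_t`, the function names, and the sample table are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical types for illustration; these are not wakaama's structures. */
typedef struct { uint8_t addr[16]; uint16_t port; } peer_t;   /* source IP + port */
typedef struct {
    uint8_t token[8]; size_t token_len;  /* CoAP token of the observation */
    peer_t  peer;                        /* endpoint the observation was set up with */
    int     client_id;
} observation_t;

/* Constructed sample data: client 7 registered its observation from 192.0.2.10:56830. */
static const peer_t PEER_A = { {192, 0, 2, 10}, 56830 };
static const peer_t PEER_B = { {192, 0, 2, 99}, 56830 };  /* a different endpoint */
static const observation_t TABLE[] = {
    { {0xde, 0xad, 0xbe, 0xef}, 4, { {192, 0, 2, 10}, 56830 }, 7 },
};

static int same_peer(const peer_t *a, const peer_t *b) {
    return a->port == b->port && memcmp(a->addr, b->addr, sizeof a->addr) == 0;
}

static int same_token(const observation_t *o, const uint8_t *tok, size_t len) {
    return o->token_len == len && memcmp(o->token, tok, len) == 0;
}

/* Pattern questioned in the post: the client is chosen from packet contents alone. */
int find_client_by_token(const observation_t *t, size_t n, const uint8_t *tok, size_t len) {
    for (size_t i = 0; i < n; i++)
        if (same_token(&t[i], tok, len)) return t[i].client_id;
    return -1;
}

/* Bound lookup: the token only counts if the packet came from the recorded endpoint. */
int find_client_by_peer_and_token(const observation_t *t, size_t n, const peer_t *from,
                                  const uint8_t *tok, size_t len) {
    for (size_t i = 0; i < n; i++)
        if (same_peer(&t[i].peer, from) && same_token(&t[i], tok, len))
            return t[i].client_id;
    return -1;  /* unknown endpoint or token: drop the packet */
}

int main(void) {
    const uint8_t tok[] = {0xde, 0xad, 0xbe, 0xef};
    printf("token only, any sender: %d\n", find_client_by_token(TABLE, 1, tok, sizeof tok));
    printf("bound, PEER_A: %d\n", find_client_by_peer_and_token(TABLE, 1, &PEER_A, tok, sizeof tok));
    printf("bound, PEER_B: %d\n", find_client_by_peer_and_token(TABLE, 1, &PEER_B, tok, sizeof tok));
    return 0;
}
```

Matching the source address narrows the lookup but is not authentication by itself: addresses can be reassigned, as the DHCP case in the post shows, so the binding is strongest when the endpoint is an authenticated session such as a DTLS connection.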