IP-based blacklists should run anyway in that case. The change
simplifies the doAuthenticate() flow, and the ratelimit API.

Add a test for this case too.