Without this patch, it is not possible to write an authentication plugin that prevents certain users from logging in under certain conditions, if there is another authentication plugin that will authenticate them. This patch adds a pre-authentication hook during the login process, so an auth plugin can return AUTH_DENIED at that point and prevent any further possibility of login via another plugin.
This patch also introduces a class named auth_status, and uses it to return the state of authentication (currently just status, message, errorcode) from the pre-authentication hook and then keep it all in one place. Since this patch is intended for the stable release, the changes are minimized and this isn't being used extensively. But auth_status could be expanded to include more information, and it could be used throughout the login process in order to simplify login/index.php by not relying variously on $frm, $user, and $errormsg at different points.
I've also attached a very simple demo blacklist plugin that denies all authentication for a user named 'test1'.