diff --git a/tailbone/api/auth.py b/tailbone/api/auth.py
index cf421444..0fbe8b82 100644
--- a/tailbone/api/auth.py
+++ b/tailbone/api/auth.py
@@ -83,16 +83,33 @@ class AuthenticationView(APIView):
 if not (username and password):
 return {'error': "Invalid username or password"}
+ # make sure credentials are valid
 user = self.authenticate_user(username, password)
 if not user:
 return {'error': "Invalid username or password"}
+ # is there some reason this user should not login?
+ error = self.why_cant_user_login(user)
+ if error:
+ return {'error': error}
+
 login_user(self.request, user)
 return self.user_info(user)
 def authenticate_user(self, username, password):
 return authenticate_user(Session(), username, password)
+ def why_cant_user_login(self, user):
+ """
+ This method is given a ``User`` instance, which represents someone who
+ is just now trying to login, and has already cleared the basic hurdle
+ of providing the correct credentials for a user on file. This method
+ is responsible then, for further verification that this user *should*
+ in fact be allowed to login to this app node. If the method determines
+ a reason the user should *not* be allowed to login, then it should
+ return that reason as a simple string.
+ """
+
 @api
 def logout(self):
 """
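Review bot: `why_cant_user_login` has only a docstring for a body, so it falls through to an implicit `None`, and the docstring neither states that `None` means "allowed" nor that the returned string is sent verbatim to the client in `{'error': error}`. I would add an explicit `return None` after the docstring and a closing sentence such as `Return ``None`` to allow the login. Whatever string is returned is shown to the caller as-is, so keep it free of internal detail.` Since the guard in the login path is `if error:`, any truthy value a subclass returns — not only a string — ends up in the JSON response, so either pin that with `return {'error': str(error)}` or say so in the docstring. A policy rejection at this point is also worth recording for audit if the module has a logger available, since the rejected user has already presented valid credentials. The login method that calls the hook begins before the hunk.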