Since MSC2778's implementation application services are able to use /login to login as an interested user and create a device which aids them in performing end-to-end encryption.

However, /login has a ratelimit on it which is IP-based:

This is obviously quite bad news for application services that need to login to a lot of user accounts on startup or somesuch. Currently there is no way to override this ratelimit.

As a solution, I propose only calling upon the ratelimiter for non uk.half-shot.msc2778.login.application_service identifier types (aka non-AS requests). If the request cannot be authenticated via an access token, it will immediately be rejected.

We may also want to move this line:

as someone could technically supply a huge JSON body over and over and upset the server that way.