Always exempt login attempts that use app-tokens from rate-limits