Overriding password login

Is there an easy way to intercept password login requests on the server?

I have an optional external user database. This database doesn’t do OAuth style proxy authentication (client logs in externally, client gets token, server validates token); the server will check against it directly.

I want the client side behaviour to be vanilla accounts-password.

On the server, I want to intercept the requests, decide whether I’m using default meteor passwords or the alternative DB (and this might be on a per-login basis). If the former, normal behaviour continues. If the latter, I pre-flight the user lookup, validate the password (if any), populate the user database, and then continue with login.

I tried hooking Accounts.validateLoginAttempt, but that happens after user and password validation. I’d also like to benefit from the password encryption and other behaviour provided by accounts-password and the existing client-side API.

Suggestions? Guides? Thanks