$ewiki_plugins["auth_query"][0] (&$data, $login)

Is also called from within ewiki_auth() whenever the current users name
is required and/or a login form could be printed into the current page.

The fourth param $login (boolean) tells whether a login form should be
printed (or some other mystic authentication should be started). This is
important because $login=0 means to just check for a username and the
password which may be currently already present in the httpd/cgi
environment (in a Cookie for example).

With $login==1 the plugin is asked to return a login <form> by writing it
into the $ewiki_errmsg variable (unless you do some exotic authentict. 
like http AUTH or access granting based on IP addresses). One could also
put a failure notice into $ewiki_errmsg.

An $login>=2 on the other hand can be used to explicetely enforce printing
of the login <form>, even if an user was already logged in. (This then
becomes the re-login hook).

If you then retrieved a $username and $password inside your auth_query
plugin (from wherever and regardless if $login=0 or $login=1), then
your ["auth_query"] plugin should immediately compare it against a user
To comply with the rest of the ewiki auth plugins, you should do this
by calling ewiki_auth_user($username,$password) - which then just returns
true or false, if the retrieved name and pw match anything inside of any
registered user database. ewiki_auth_user() will then set $ewiki_ring,
$ewiki_auth_user, $ewiki_author if the queried database contained that
informations. Leave the $ewiki_errmsg alone if you let ewiki_auth_user()
check the $password.

You could of course let your ["auth_query"] plugin do all that work
(comparing a $username and $password against an internal list, and
setting $ewiki_ring when possible) - some people may find this far
easier than chaining to ewiki_auth_user() or so, and this would allow
you some more flexibility and reduces complexity.

This function doesn't need a return() value - it is not evaluated. If
you want to return something or inform some other parts or plugins, then
use $ewiki_errmsg for <html> strings, or $ewiki_ring for basic access
granting or invent another variable for later reevaluation by another
function (your custom ["auth_perm"] plugin for example).
prev << "$ewiki_plugins["auth_perm"][0] ($id, &$data, $action, $ring, $forcelogin)"
next >> "$ewiki_plugins["auth_userdb"][] ($username, $password)"

You cannot modify the ProtectedMode file, but anyhow any ideas or suggestion should as usually get filed on BugReports, UserSuggestions or even better the ProtectedMode.Discussion.