Clarify auth rules require that auth events be in the same room

[kegsay]

Link to problem area: https://spec.matrix.org/unstable/rooms/v11/#authorization-rules

Issue

We should have:

Add auth rule: “If any auth event has a room_id which doesn’t match our room_id, reject”.

Synapse implements this already, but it should be clarified in the spec.

[richvdh]

I fixed the title, hopefully it is more accurate now

[richvdh]

The synapse implementation of this seems to have landed in matrix-org/synapse#6472, matrix-org/synapse#6524 and matrix-org/synapse#6530, and were ultimately released in Synapse v1.7.1 (making that a security release). Unfortunately it doesn't seem to have made it into the spec.

(The impl was later tweaked in matrix-org/synapse#7817)