Check third party rules before persisting knocks over federation (#10212)

An accidental mis-ordering of operations during #6739 technically allowed an incoming knock event over federation in before checking it against any configured Third Party Access Rules modules.

This PR corrects that by performing the TPAR check *before* persisting the event.

Author: anoadragon453

changelog.d/10212.feature

@@ -0,0 +1 @@
+Implement "room knocking" as per [MSC2403](https://github.com/matrix-org/matrix-doc/pull/2403). Contributed by Sorunome and anoa.

synapse/handlers/federation.py

@@ -2086,8 +2086,6 @@ async def on_send_knock_request(
 
         context = await self.state_handler.compute_event_context(event)
 
-        await self._auth_and_persist_event(origin, event, context)
-
         event_allowed = await self.third_party_event_rules.check_event_allowed(
             event, context
         )
@@ -2097,6 +2095,8 @@ async def on_send_knock_request(
                 403, "This event is not allowed in this context", Codes.FORBIDDEN
             )
 
+        await self._auth_and_persist_event(origin, event, context)
+
         return context
 
     async def get_state_for_pdu(self, room_id: str, event_id: str) -> List[EventBase]: