We should not use depth in the sync API

[matrixbot]

This issue was originally created by @neilalexander at matrix-org/dendrite#967.

Currently the sync API uses the event depth when inserting events into the topology, which we should really not do since depth is deprecated.

(Incidentally, we probably need to come up with some better way to maintain topological ordering with inserts.)

[matrixbot]

This comment was originally posted by @kegsay at matrix-org/dendrite#967 (comment).

Reference: matrix-org/gomatrixserverlib#187

[matrixbot]

This comment was originally posted by @ara4n at matrix-org/dendrite#967 (comment).

There are other places we use depth too - e.g. federationapi /get_missing_events and even /send. This isn't a problem just because depth is deprecated - it's a security problem, because depth simply can't be trusted from the wire. I believe we have to use the value returned by v2 state res.

I think we might have to fix this before beta, given it's a known sec issue.

[matrixbot]

This comment was originally posted by @neilalexander at matrix-org/dendrite#967 (comment).

Depth appears in the federation API when we try to get missing events, largely because the /get_missing_events endpoint specifies the min_depth field. Although from what I can tell, this is an entirely superficial filter and there would not really be any ill effect if we just ignored the depth values and always used 0 both inbound and outbound.