Enable login_via_existing_session by default

[hughns]

Following discussion in #15388 (review) this PR enables the login_via_existing_session capability from MSC3882 by default.

As UIA is required by default and there is a rate limit of 1 request per minute on the new endpoint, I believe this qualifies as "secure by default".

Pull Request Checklist

• Pull request is based on the develop branch
• Pull request includes a changelog file. The entry should:
  • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
  • Use markdown where necessary, mostly for code blocks.
  • End with either a period (.) or an exclamation mark (!).
  • Start with a capital letter.
  • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
• Pull request includes a sign off
• Code style is correct
  (run the linters)

[reivilibre]

Not sure if this PR wanted review; it's a draft but it's also in the queue.

[reivilibre]

I would probably promote this to feature and write out in words what this allows, so that it's more noticeable (I expect some admins may want to turn this off, so best not hide it in misc which should not generally contain user-noticeable changes).

[reivilibre]

This seems to be missing rationale for why this feature would be useful if you have to authenticate anyway — why don't you 'just authenticate on the device where you're logging in'?

I can imagine some reasons but it might be nice to give a brief summary here.

[clokep]

@hughns Should we put this into the review queue?