Users are added in a group with wrong host in host-part of user #5871

Open
PrajwolAmatya opened this issue Mar 20, 2023 · 2 comments
PrajwolAmatya commented Mar 20, 2023

Describe the bug

While adding members to a group using a wrong host name in the payload's @odata.id, the status code is 204 and the user is added to the group.

Steps to reproduce

Steps to reproduce the behavior:

  1. Create a user Alice
  2. Create a group Demo
  3. Try adding user Alice to group Demo using the API request with invalid host in @odata.id
curl -k --header "Content-Type: application/json" \
     --request POST --data \
     '{ "@odata.id": "https://<invalid-host>/graph/v1.0/users/<userId>" }' \
     'https://localhost:9200/graph/v1.0/groups/<groupId>/members/$ref' -u admin:admin

Expected behavior

The user should not be added to the group.

Actual behavior

The user is added to the group and the response status code is 204.

Actual response:

> POST /graph/v1.0/groups/387477e6-d71b-4493-8ff5-1b69c56d160b/members/$ref HTTP/1.1
> Host: localhost:9200
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.81.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 88
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< Date: Mon, 20 Mar 2023 06:40:31 GMT
< X-Graph-Version: 3.0.0-alpha.1+5a54c8a8b
< 
* Connection #0 to host localhost left intact
micbar commented Mar 20, 2023

@rhafer @butonic Should we fix that?

rhafer commented Mar 20, 2023

> @rhafer @butonic Should we fix that?

Yeah, probably. The current validation of the @odata.id (and the members@odata.bind) reference is really basic. Though I don't think that this is something that we need to fix urgently.
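The path-only lookup that lets a foreign-host @odata.id through, next to a check that also compares scheme and host against the service's own base URL, as an added example that is not code from the project this issue belongs to; the base URL, the host other.example and the user id alice-id are constructed values:

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrBadReference is returned for any @odata.id that does not point at this service.
var ErrBadReference = errors.New("invalid @odata.id reference")

// PathOnlyUserID mirrors the lax behaviour reported above: only the last path segment counts.
func PathOnlyUserID(odataID string) string {
	u, err := url.Parse(odataID)
	if err != nil {
		return ""
	}
	return u.Path[strings.LastIndex(u.Path, "/")+1:]
}

// ParseMemberRef is the stricter check: the reference must share scheme and host with
// baseURL (assumed to be the service's own Graph endpoint) and sit under its /users/ path.
func ParseMemberRef(baseURL, odataID string) (string, error) {
	base, err := url.Parse(baseURL)
	if err != nil {
		return "", err
	}
	ref, err := url.Parse(odataID)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrBadReference, err)
	}
	if !strings.EqualFold(ref.Scheme, base.Scheme) || !strings.EqualFold(ref.Host, base.Host) {
		return "", fmt.Errorf("%w: host %q does not match %q", ErrBadReference, ref.Host, base.Host)
	}
	prefix := strings.TrimSuffix(base.Path, "/") + "/users/"
	id := strings.TrimPrefix(ref.Path, prefix)
	if id == ref.Path || id == "" || strings.Contains(id, "/") {
		return "", fmt.Errorf("%w: path %q is not a user reference", ErrBadReference, ref.Path)
	}
	return id, nil
}

func main() {
	const base = "https://localhost:9200/graph/v1.0"                // constructed, matches the report
	bad := "https://other.example/graph/v1.0/users/alice-id" // constructed foreign-host reference
	_, err := ParseMemberRef(base, bad)
	fmt.Printf("lax=%q strict rejects: %v\n", PathOnlyUserID(bad), err)
}
```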
