getHashFragmentParams incorrectly decodes entire hash fragment #1466

Open
u-mikhalenka opened this issue Mar 12, 2025 · 1 comment
Comments

@u-mikhalenka

Bug: getHashFragmentParams incorrectly decodes entire hash fragment

Description

The UrlHelperService.getHashFragmentParams method is prematurely decoding the entire URL hash fragment with decodeURIComponent before parsing individual parameters. This causes issues when parameter values contain encoded special characters, particularly with Azure AD and implicit flow.

Steps to reproduce

  1. Use implicit flow with Azure AD
  2. Perform a silent refresh operation
  3. When the silent refresh fails, Azure AD returns a hash fragment containing parameters, including error_uri, which contains encoded URL characters

Current behavior

The hash fragment from Azure AD like:

#error=login_required&error_description=AADSTS50058%3a+A+silent+sign-in+request...&error_uri=https%3a%2f%2flogin.microsoftonline.com%2ferror%3fcode%3d50058&state=...

Is decoded prematurely with:

hash = decodeURIComponent(hash);

This decodes the error_uri value to include a literal ? character, which then breaks the subsequent parsing because the question mark is interpreted as a parameter delimiter.

Expected behavior

The hash fragment should not be decoded as a whole. Instead, decoding should only be applied to individual parameters after they've been properly parsed into key-value pairs, which is already handled in the parseQueryString method:

key = decodeURIComponent(escapedKey);
value = decodeURIComponent(escapedValue);

Fix suggestion

Remove the line hash = decodeURIComponent(hash); from the getHashFragmentParams method, allowing parseQueryString to handle decoding each parameter individually.
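The following is an added illustration of the bug described above, not the library's own code: two small functions modelled on the behaviour the report describes (decode-then-split versus split-then-decode), run over a constructed hash fragment shaped like the Azure AD error response quoted earlier. Treating '+' as a space in parseQueryString is an assumption added here for readability.

```javascript
// Constructed sample, modelled on the Azure AD fragment quoted in the issue.
const SAMPLE_HASH =
  '#error=login_required' +
  '&error_description=AADSTS50058%3a+A+silent+sign-in+request+was+sent' +
  '&error_uri=https%3a%2f%2flogin.microsoftonline.com%2ferror%3fcode%3d50058' +
  '&state=abc123';

// Split "k=v&k=v" into pairs first, then decode each key and value on its own.
// '+' is mapped to a space (form encoding); this mapping is an added assumption.
function parseQueryString(queryString) {
  const data = {};
  for (const pair of queryString.split('&')) {
    if (!pair) continue;
    const sep = pair.indexOf('=');
    const escapedKey = sep === -1 ? pair : pair.substr(0, sep);
    const escapedValue = sep === -1 ? '' : pair.substr(sep + 1);
    const key = decodeURIComponent(escapedKey.replace(/\+/g, ' '));
    const value = decodeURIComponent(escapedValue.replace(/\+/g, ' '));
    data[key] = value;
  }
  return data;
}

// Buggy shape: decoding the whole fragment turns the %3f inside error_uri into
// a literal '?', and the '?' search below then discards everything before it.
function getHashFragmentParamsBuggy(hash) {
  hash = decodeURIComponent(hash);
  if (hash.indexOf('#') !== 0) return {};
  const questionMarkPosition = hash.indexOf('?');
  hash = questionMarkPosition > -1
    ? hash.substr(questionMarkPosition + 1)
    : hash.substr(1);
  return parseQueryString(hash);
}

// Fixed shape: the fragment stays encoded until parseQueryString has split it,
// so an encoded '?' inside a value can no longer be mistaken for a delimiter.
function getHashFragmentParamsFixed(hash) {
  if (hash.indexOf('#') !== 0) return {};
  const questionMarkPosition = hash.indexOf('?');
  hash = questionMarkPosition > -1
    ? hash.substr(questionMarkPosition + 1)
    : hash.substr(1);
  return parseQueryString(hash);
}

// Buggy result keeps only {code, state}; fixed result keeps all four parameters.
console.log(getHashFragmentParamsBuggy(SAMPLE_HASH));
console.log(getHashFragmentParamsFixed(SAMPLE_HASH));
```

Note that in the buggy path the error and error_description parameters are lost entirely, so a client that relies on error to detect a failed silent refresh never sees it.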

@u-mikhalenka
Author

Also, the userState part must be decoded in the parseState method.
