SSO integration: validate dobetternorge.no signed tokens, update landing page

- bootstrap.php: dbnToolsValidateSsoToken(), SSO session check in dbnToolsIsAuthenticated()
- index.php: SSO handler at top, Do Better Norge member panel in login card
- .env: DBN_SSO_SECRET placeholder

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

includes/bootstrap.php

@@ -110,12 +110,33 @@ dbnToolsStartSession();
 
 function dbnToolsIsAuthenticated(): bool
 {
+    // SSO session established via dobetternorge.no signed token
+    if (!empty($_SESSION['dbn_tools_authenticated']) && !empty($_SESSION['dbn_tools_sso_uid'])) {
+        return true;
+    }
+    // Regular Caveau session
     return !empty($_SESSION['dbn_tools_authenticated'])
         && !empty($_SESSION['dbn_tools_user_id'])
         && !empty($_SESSION['dbn_tools_client_id'])
         && (string)($_SESSION['dbn_tools_client_slug'] ?? '') === dbnToolsClientSlug();
 }
 
+/**
+ * Validates a signed SSO token from dobetternorge.no.
+ * Returns the decoded payload array or null on failure.
+ */
+function dbnToolsValidateSsoToken(string $token, string $secret): ?array
+{
+    $parts = explode('.', $token, 2);
+    if (count($parts) !== 2) return null;
+    [$payload, $sig] = $parts;
+    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $sig)) return null;
+    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
+    if (!is_array($data) || ($data['exp'] ?? 0) < time()) return null;
+    if (empty($data['tools_approved'])) return null;
+    return $data;
+}
+
 function dbnToolsAuthenticatedUser(): ?array
 {
     if (!dbnToolsIsAuthenticated()) {