fix: look up user by evotor_user_id first in /user/verify

Evotor sends userId but not necessarily a matching phone/email.
Now tries evotor_user_id first, then falls back to email/phone.
Also removed the requirement for username/phone when userId is present.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web/routes/evotor_webhooks.py

@@ -209,13 +209,17 @@ async def user_verify(request: Request, db: Session = Depends(get_db)):
     password: str = body.get("password", "")
 
     login = username or phone
-    if not login or not password:
+    if not password:
-        return JSONResponse({"error": "username/phone and password required"}, status_code=400)
+        return JSONResponse({"error": "password required"}, status_code=400)
 
-    # match by email, username, or phone
+    # 1. Match by evotor_user_id (most reliable — Evotor always sends userId)
-    user = db.query(User).filter(
+    user = db.query(User).filter(User.evotor_user_id == evotor_user_id).first() if evotor_user_id else None
-        or_(User.email == login, User.phone == login)
+
-    ).first()
+    # 2. Fall back to email or phone
+    if not user and login:
+        user = db.query(User).filter(
+            or_(User.email == login, User.phone == login)
+        ).first()
 
     if not user:
         return JSONResponse({"error": "Неверные данные"}, status_code=401)