fix: look up user by evotor_user_id first in /user/verify

Evotor sends userId but not necessarily a matching phone/email.
Now tries evotor_user_id first, then falls back to email/phone.
Also removed the requirement for username/phone when userId is present.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web/routes/evotor_webhooks.py

@@ -209,10 +209,14 @@ async def user_verify(request: Request, db: Session = Depends(get_db)):
     password: str = body.get("password", "")
 
     login = username or phone
-    if not login or not password:
-        return JSONResponse({"error": "username/phone and password required"}, status_code=400)
+    if not password:
+        return JSONResponse({"error": "password required"}, status_code=400)
 
-    # match by email, username, or phone
+    # 1. Match by evotor_user_id (most reliable — Evotor always sends userId)
+    user = db.query(User).filter(User.evotor_user_id == evotor_user_id).first() if evotor_user_id else None
+
+    # 2. Fall back to email or phone
+    if not user and login:
         user = db.query(User).filter(
             or_(User.email == login, User.phone == login)
         ).first()