feat: support password field in /user/create webhook

When Evotor sends a password in the payload, hash and store it
immediately and set the user to active — skipping the invite flow.
Without a password, behaviour is unchanged (pending status + invite email).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web/routes/evotor_webhooks.py

@@ -17,7 +17,7 @@ from fastapi.responses import JSONResponse
 from sqlalchemy import or_
 from sqlalchemy.orm import Session
 
-from web.auth.password import verify_password
+from web.auth.password import hash_password, verify_password
 from web.config import settings
 from web.database import get_db
 from web.models.connections import EvotorConnection
@@ -108,6 +108,7 @@ async def user_create(request: Request, db: Session = Depends(get_db)):
     first_name = (body.get("first_name") or body.get("firstName") or custom.get("first_name") or custom.get("firstName") or "").strip() or None
     last_name = (body.get("second_name") or body.get("last_name") or body.get("lastName") or custom.get("second_name") or custom.get("last_name") or custom.get("lastName") or "").strip() or None
     middle_name = (body.get("middle_name") or custom.get("middle_name") or "").strip() or None
+    password = (body.get("password") or custom.get("password") or "").strip() or None
 
     # Try to find existing user
     user: User | None = None
@@ -135,20 +136,22 @@ async def user_create(request: Request, db: Session = Depends(get_db)):
             user.last_name = last_name
         if middle_name:
             user.middle_name = middle_name
+        if password and not user.password_hash:
+            user.password_hash = hash_password(password)
         if user.status == UserStatusEnum.pending:
             user.status = UserStatusEnum.active
         db.flush()
     else:
-        # Create new pending user
+        # Create new user; active immediately if password provided, else pending
         user = User(
             first_name=first_name or "",
             last_name=last_name or "",
             middle_name=middle_name,
             email=email or f"{evotor_user_id}@evotor.invalid",
             phone=phone or None,
-            password_hash=None,
+            password_hash=hash_password(password) if password else None,
             role=UserRoleEnum.user,
-            status=UserStatusEnum.pending,
+            status=UserStatusEnum.active if password else UserStatusEnum.pending,
             evotor_user_id=evotor_user_id,
             evotor_meta=body,
             created_at=now,
@@ -157,27 +160,28 @@ async def user_create(request: Request, db: Session = Depends(get_db)):
         db.add(user)
         db.flush()  # get user.id
 
-    # Generate invite
-    invite_token = secrets.token_urlsafe(32)
-    user.invite_token = invite_token
-    user.invite_expires = now + timedelta(hours=settings.INVITE_EXPIRE_HOURS)
-
     api_token = _upsert_evotor_connection(db, user.id, evotor_user_id)
-    db.commit()
 
-    # Send invite email if we have a real email address
-    if email:
-        invite_url = f"{settings.BASE_URL}/invite?token={invite_token}"
-        html = (
-            f"<p>Здравствуйте!</p>"
-            f"<p>Вам открыт доступ к ЭВОСИНК. Завершите регистрацию по ссылке:</p>"
-            f'<p><a href="{invite_url}">{invite_url}</a></p>'
-            f"<p>Ссылка действительна {settings.INVITE_EXPIRE_HOURS} часов.</p>"
-        )
-        send_email_task.delay(email, "Приглашение в ЭВОСИНК", html)
+    if not password:
+        # No password provided — send invite link so user can set one
+        invite_token = secrets.token_urlsafe(32)
+        user.invite_token = invite_token
+        user.invite_expires = now + timedelta(hours=settings.INVITE_EXPIRE_HOURS)
+        db.commit()
+        if email:
+            invite_url = f"{settings.BASE_URL}/invite?token={invite_token}"
+            html = (
+                f"<p>Здравствуйте!</p>"
+                f"<p>Вам открыт доступ к ЭВОСИНК. Завершите регистрацию по ссылке:</p>"
+                f'<p><a href="{invite_url}">{invite_url}</a></p>'
+                f"<p>Ссылка действительна {settings.INVITE_EXPIRE_HOURS} часов.</p>"
+            )
+            send_email_task.delay(email, "Приглашение в ЭВОСИНК", html)
+        else:
+            logger.info("No email for evotor_user_id=%s, invite URL: %s/invite?token=%s",
+                        evotor_user_id, settings.BASE_URL, invite_token)
     else:
-        logger.info("No email for evotor_user_id=%s, invite URL: %s/invite?token=%s",
-                    evotor_user_id, settings.BASE_URL, invite_token)
+        db.commit()
 
     return JSONResponse({"userId": evotor_user_id, "token": api_token})