feat: accept phone + password in /user/verify webhook

- Accept phone as an alternative to username for user lookup
- On first auth when user has no password set, save the provided
  password and activate the account (same logic as /user/create)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web/routes/evotor_webhooks.py

@@ -198,23 +198,30 @@ async def user_verify(request: Request, db: Session = Depends(get_db)):
 
     evotor_user_id: str = body.get("userId", "")
     username: str = body.get("username", "").strip()
+    phone: str = body.get("phone", "").strip()
     password: str = body.get("password", "")
 
-    if not username or not password:
-        return JSONResponse({"error": "username and password required"}, status_code=400)
+    login = username or phone
+    if not login or not password:
+        return JSONResponse({"error": "username/phone and password required"}, status_code=400)
 
-    # username is email or phone
+    # match by email, username, or phone
     user = db.query(User).filter(
-        or_(User.email == username, User.phone == username)
+        or_(User.email == login, User.phone == login)
     ).first()
 
-    if not user or not user.password_hash:
+    if not user:
         return JSONResponse({"error": "Неверные данные"}, status_code=401)
 
     if user.status == UserStatusEnum.suspended:
         return JSONResponse({"error": "Аккаунт заблокирован"}, status_code=403)
 
-    if not verify_password(password, user.password_hash):
+    if not user.password_hash:
+        # First auth with password — save it and activate the account
+        user.password_hash = hash_password(password)
+        if user.status == UserStatusEnum.pending:
+            user.status = UserStatusEnum.active
+    elif not verify_password(password, user.password_hash):
         return JSONResponse({"error": "Неверные данные"}, status_code=401)
 
     # Get or create connection to retrieve api_token