fix(backend): prevent duplicate key constraint on empty login id when syncing users

backend/internal/handler/user_handler.go

@@ -940,6 +940,10 @@ func (h *UserHandler) BulkUpdateUsers(c *fiber.Ctx) error {
 				}
 			}
 
+			if localUser.LoginID == "" {
+				localUser.LoginID = localUser.ID
+			}
+
 			_ = h.UserRepo.Update(c.Context(), localUser)
 
 			// [Keto Sync]
@@ -1223,6 +1227,10 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
 	if h.UserRepo != nil {
 		updatedLocalUser := h.mapToLocalUser(*updated)
 
+		if updatedLocalUser.LoginID == "" {
+			updatedLocalUser.LoginID = updatedLocalUser.ID
+		}
+
 		ctx := context.Background() // Use request context if appropriate, but sync must finish
 		if err := h.UserRepo.Update(ctx, updatedLocalUser); err != nil {
 			slog.Error("[UserHandler] Failed to sync updated user to local DB", "userID", updatedLocalUser.ID, "error", err)
@@ -1365,10 +1373,17 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
 		compCode = extractTraitString(traits, "company_code")
 	}
 
+	loginID := extractTraitString(traits, "id")
+	if loginID == "" {
+		// Fallback to UUID to prevent unique constraint violations on idx_tenant_login_id
+		// for users that use email/phone exclusively and don't have a specific loginId trait.
+		loginID = identity.ID
+	}
+
 	user := &domain.User{
 		ID:              identity.ID,
 		Email:           extractTraitString(traits, "email"),
-		LoginID:         extractTraitString(traits, "id"),
+		LoginID:         loginID,
 		Name:            extractTraitString(traits, "name"),
 		Phone:           extractTraitString(traits, "phone_number"),
 		Role:            role,