Direct Login

Take a look at ConnectWind's internal employee portal. In addition to company policies & HR information, I heard it also stores flags.
Can you access the protected employee portal without knowing the password and steal the flag?

The source code contains:

<script>
    // Function to display response message
    function set_alert(txt, color) {
        var result = '<div class="alert mb-0 alert-' + color + '">' + txt + '</div>';
        $("#result").html(result);
        $("#result").fadeIn();
    }

    // Check if provided username and password are correct
    function login() {
        $("#result").fadeOut("fast");
        // Send request with credentials
        $.getJSON("login.php",
            {
                "action": "login",
                "username": $("#username").val(),
                "password": $("#password").val()
            }, function (r) {
                if (r.login_successful) {
                    // Redirect if login successful
                    set_alert('Login successful! Redirecting... <i class="fa-solid fa-spinner fa-spin"></i>', "success");
                    setTimeout(function () {
                        window.location.href = "./employee_portal.php";
                    }, 1500);
                } else {
                    // Username or password incorrect
                    set_alert("Login failed! Please try again.", "danger");
                }
            }
        );
    }
</script>

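Going to /employee_portal.php directly doesn't require authentication and gives the flag. The script above only redirects the browser after login.php reports success; the portal page itself is served to any request without a check.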
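
The missing control, as an added example that is not the challenge's code: a small JavaScript model of the two endpoints, showing the portal served without a check next to a version that requires a server-side session on every request. The handler names, the sample account, the cookie shape and the redirect target are assumptions made for illustration.

```javascript
// Added example: model of the login flow with a server-side session gate.
// Handler names, the account and the cookie shape are assumptions.
const crypto = require("crypto");

const SALT = Buffer.from("constructed-salt");
const USERS = new Map([                       // constructed sample account
  ["alice", crypto.scryptSync("constructed-password", SALT, 32)],
]);
const sessions = new Map();                   // session id -> username

// login.php equivalent: verify credentials, then create a server-side
// session. The JSON body is what the page's login() script reads.
function login(params) {
  const stored = USERS.get(String(params.username));
  const given = crypto.scryptSync(String(params.password), SALT, 32);
  if (!stored || !crypto.timingSafeEqual(stored, given)) {
    return { status: 200, body: { login_successful: false } };
  }
  const sid = crypto.randomBytes(16).toString("hex");
  sessions.set(sid, String(params.username));
  return { status: 200, setCookie: sid, body: { login_successful: true } };
}

// Portal as the write-up found it: no check, so requesting the URL
// directly returns the protected page.
function portalUnprotected(req) {
  return { status: 200, body: "protected portal content" };
}

// Portal with the check enforced on the server for every request.
// The redirect target "./" stands in for the login page (assumption).
function portalProtected(req) {
  const user = req.cookie ? sessions.get(req.cookie) : undefined;
  if (!user) return { status: 302, location: "./", body: "" };
  return { status: 200, body: "protected portal content for " + user };
}

// Direct request without a session, then a request after a real login.
function demo() {
  const anon = { cookie: null };
  const ok = login({ username: "alice", password: "constructed-password" });
  return {
    unprotectedAnon: portalUnprotected(anon).status,
    protectedAnon: portalProtected(anon).status,
    protectedUnknownCookie: portalProtected({ cookie: "not-a-session" }).status,
    protectedLoggedIn: portalProtected({ cookie: ok.setCookie }).status,
  };
}
console.log(demo());
```

The same request-level check makes a useful regression test: every protected route should answer a session-less request with a redirect or an error, never with the page body.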