If the user enters a wrong username, $userinfo[$_POST['username']] does not exists, hence you need to check if the key exists in the array:
if($userinfo[$_POST['username']] ?? '' === md5($_POST['password'])) {
Here is how to restrict access in Kirby: Restricting access to your site | Kirby CMS