Configuration of xml2js to allow XXE

Hello, I have a project at school. I need to create websites that have various vulnerabilities. I created an API using node.js and express.js. I have a login system where the data is stored and queried in a JSON file. However, I want to create an XXE vulnerability. For this I sent an XML file to index.js (node.js) with Javascript. I converted the XML file to JSON with xml2js. But I would change the settings so that an XXE vulnerability is possible.

Configuration:

var parser = new xml2js.Parser({
    dtdvalid: false,
    xmldecl: false,
    xmldecl: { doctype: true },
    doctype: true,
    explicitArray: true,
    normalize: true,
    charkey: '&',
    xmlCharKey: '&'
});

app.post:

app.post('/projekt/XXE/api/login/', (req, res) => {
    let body = "";
    req.on('data', chunk => {
        body += chunk.toString();
        let bodySt = body.substring(0, 1).replace(/"/g, "");
        let bodyLt = body.substring(body.length - 1).replace(/"/g, "");
        body = bodySt + body.substring(1, body.length - 1) + bodyLt;
        console.log(body);
    });
    req.on('end', () => {
        parser.parseString(body, (err, result) => {
            if(err) {
                res.status(400).send('Invalid XML' + body);
                return;
            }
            const jsonData = result;
            const username = jsonData.root.username[0];
            const password = jsonData.root.password[0];
            fs.readFile('users.json', (err, data) => {
                if(err) {
                    res.status(500).send('Error reading users file');
                    return;
                }
                const users = JSON.parse(data);
                const user = users.find(user => user.username === username);
                if(!user) {
                    res.status(404).send(`User ${username} not found`);
                    return;
                }
                bcrypt.compare(password, user.password, (err, same) => {
                    if(same) {
                        res.status(200).send('Login successful');
                        return;
                    } else {
                        res.status(401).send('Invalid password');
                        return;
                    }
                });
            });
        });
    });
});

However, when I create a payload and thus use the & character, I only get the message ‘Invalid XML’.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
  <!ENTITY company SYSTEM "file:///etc/passwd">
]>
<root><username>
 &company;
</username><password>1123</password></root>

Thanks for the help in advance