
Here's the link to the repo: https://github.com/AdrianNO1/appwritetest
I have an API endpoint and in it I need to verify the identity of the user, who sends a JWT token and the clientId in the headers. I create an appwrite client with the JWT token and another client (server_client) with my own API key, which has access to everything. I use the server client to create a new document and grant the user with the id in the headers permission to delete that document. I then use the client client to delete that document to check if it has permission, but it always does, no matter the value of the JWT token. So I thought anyone had permissions to delete that document somehow, but if I remove the .setKey line for the client client I get an unauthorized error when trying to delete the document. So setting the key to something random like "asdasdad" somehow gives it permission to delete the document. I have attached an image of the permissions in the collection I'm using, but that was just an attempt at fixing the issue and it still persists even if I remove the permission you see in the image.

Line 34 in app/api/testroute/route.ts is where I'm setting the client key.

- You don't need to create/delete a document to verify the JWT token. You can rather do:

```ts
import { Client, Account } from "node-appwrite";

const client = new Client()
  .setEndpoint("https://cloud.appwrite.io/v1")
  .setProject("67c6ce0c000610957a54")
  .setJWT(userJWT); // userJWT: the JWT the user sent in the request headers
const account = new Account(client);
try {
  await account.get();
  // user jwt okay!
} catch (error) {
  // print error, user jwt might not be correct.
}
```
- I doubt how the creation itself would work without any valid key, session due to `[Permission.delete(Role.user(userId))]` as that isn't permitted. Without session, you can only add permissions for `any` or `guest`.
- I don't see you setting the `JWT` as well.
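
The check suggested in the reply, extended to the user ID header from the question, as an added example that is not code from the thread, the linked repo or Appwrite: it validates the JWT by requesting the account as the user and accepts the client-supplied user ID only when it matches the account returned. The helper name `verifyCaller`, the injectable `fetchImpl`, the return shape, and the use of the REST headers `X-Appwrite-Project` and `X-Appwrite-JWT` in place of the SDK are choices made for this example.

```javascript
// Added example. Endpoint and project ID are the ones quoted in the thread.
const ENDPOINT = "https://cloud.appwrite.io/v1";
const PROJECT_ID = "67c6ce0c000610957a54";

// Hypothetical helper: `fetchImpl` is injectable so the logic can run offline.
async function verifyCaller(jwt, claimedUserId, fetchImpl = globalThis.fetch) {
  if (typeof jwt !== "string" || jwt.length === 0) {
    return { ok: false, status: 401, reason: "missing JWT" };
  }
  // GET /account as the user: only the project ID and the JWT are sent.
  // No API key is attached here; the server key belongs only on the
  // separate admin client.
  let res;
  try {
    res = await fetchImpl(`${ENDPOINT}/account`, {
      headers: { "X-Appwrite-Project": PROJECT_ID, "X-Appwrite-JWT": jwt },
    });
  } catch (err) {
    // Fail closed if the identity check itself cannot be completed.
    return { ok: false, status: 502, reason: "Appwrite unreachable" };
  }
  if (!res.ok) {
    return { ok: false, status: 401, reason: "JWT rejected" };
  }
  const account = await res.json();
  // The user ID header is client-controlled; trust it only if it equals
  // the account ID resolved from the verified JWT.
  if (claimedUserId !== account.$id) {
    return { ok: false, status: 403, reason: "user ID does not match JWT" };
  }
  return { ok: true, status: 200, userId: account.$id };
}
```

In a route handler, return the `status` from a failed result and use only the returned `userId`, never the header value, for any later permission decision.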
