coder
diff --git a/‎.github/actions/setup-go/action.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/actions/setup-go/action.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/dependabot.yaml
Lines changed: 36 additions & 0 deletions b/‎.github/dependabot.yaml
Lines changed: 36 additions & 0 deletions
diff --git a/‎cli/configssh.go
Lines changed: 26 additions & 32 deletions b/‎cli/configssh.go
Lines changed: 26 additions & 32 deletions
diff --git a/‎cli/configssh_internal_test.go
Lines changed: 4 additions & 4 deletions b/‎cli/configssh_internal_test.go
Lines changed: 4 additions & 4 deletions
diff --git a/‎cli/configssh_test.go
Lines changed: 14 additions & 1 deletion b/‎cli/configssh_test.go
Lines changed: 14 additions & 1 deletion
diff --git a/‎coderd/coderdtest/oidctest/idp.go
Lines changed: 38 additions & 18 deletions b/‎coderd/coderdtest/oidctest/idp.go
Lines changed: 38 additions & 18 deletions
diff --git a/‎docs/install/releases.md
Lines changed: 1 addition & 1 deletion b/‎docs/install/releases.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎dogfood/Dockerfile
Lines changed: 1 addition & 1 deletion b/‎dogfood/Dockerfile
Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ description: |
 inputs:
   version:
     description: "The Go version to use."
-    default: "1.22.4"
+    default: "1.22.5"
 runs:
   using: "composite"
   steps:
 
@@ -39,6 +39,10 @@ updates:
       prefix: "chore"
     labels: []
     open-pull-requests-limit: 15
+    groups:
+      x:
+        patterns:
+          - "golang.org/x/*"
     ignore:
       # Ignore patch updates for all dependencies
       - dependency-name: "*"
@@ -73,6 +77,32 @@ updates:
     commit-message:
       prefix: "chore"
     labels: []
+    groups:
+      xterm:
+        patterns:
+          - "@xterm*"
+      mui:
+        patterns:
+          - "@mui*"
+      react:
+        patterns:
+          - "react*"
+          - "@types/react*"
+      emotion:
+        patterns:
+          - "@emotion*"
+      eslint:
+        patterns:
+          - "eslint*"
+          - "@typescript-eslint*"
+      jest:
+        patterns:
+          - "jest*"
+          - "@types/jest"
+      vite:
+        patterns:
+          - "vite*"
+          - "@vitejs/plugin-react"
     ignore:
       # Ignore patch updates for all dependencies
       - dependency-name: "*"
@@ -83,4 +113,10 @@ updates:
       - dependency-name: "@types/node"
         update-types:
           - version-update:semver-major
+      # Ignore @storybook updates, run `pnpm dlx storybook@latest upgrade` to upgrade manually
+      - dependency-name: "*storybook*" # matches @storybook/* and storybook*
+        update-types:
+          - version-update:semver-major
+          - version-update:semver-minor
+          - version-update:semver-patch
     open-pull-requests-limit: 15
@@ -54,6 +54,7 @@ type sshConfigOptions struct {
 	disableAutostart bool
 	header           []string
 	headerCommand    string
+	removedKeys      map[string]bool
 }
 
 // addOptions expects options in the form of "option=value" or "option value".
@@ -74,30 +75,20 @@ func (o *sshConfigOptions) addOption(option string) error {
 	if err != nil {
 		return err
 	}
-	for i, existing := range o.sshOptions {
-		// Override existing option if they share the same key.
-		// This is case-insensitive. Parsing each time might be a little slow,
-		// but it is ok.
-		existingKey, _, err := codersdk.ParseSSHConfigOption(existing)
-		if err != nil {
-			// Don't mess with original values if there is an error.
-			// This could have come from the user's manual edits.
-			continue
-		}
-		if strings.EqualFold(existingKey, key) {
-			if value == "" {
-				// Delete existing option.
-				o.sshOptions = append(o.sshOptions[:i], o.sshOptions[i+1:]...)
-			} else {
-				// Override existing option.
-				o.sshOptions[i] = option
-			}
-			return nil
-		}
+	lowerKey := strings.ToLower(key)
+	if o.removedKeys != nil && o.removedKeys[lowerKey] {
+		// Key marked as removed, skip.
+		return nil
 	}
-	// Only append the option if it is not empty.
+	// Only append the option if it is not empty
+	// (we interpret empty as removal).
 	if value != "" {
 		o.sshOptions = append(o.sshOptions, option)
+	} else {
+		if o.removedKeys == nil {
+			o.removedKeys = make(map[string]bool)
+		}
+		o.removedKeys[lowerKey] = true
 	}
 	return nil
 }
@@ -440,26 +431,29 @@ func (r *RootCmd) configSSH() *serpent.Command {
 					configOptions := sshConfigOpts
 					configOptions.sshOptions = nil
 
-					// Add standard options.
-					err := configOptions.addOptions(defaultOptions...)
-					if err != nil {
-						return err
+					// User options first (SSH only uses the first
+					// option unless it can be given multiple times)
+					for _, opt := range sshConfigOpts.sshOptions {
+						err := configOptions.addOptions(opt)
+						if err != nil {
+							return xerrors.Errorf("add flag config option %q: %w", opt, err)
+						}
 					}
 
-					// Override with deployment options
+					// Deployment options second, allow them to
+					// override standard options.
 					for k, v := range coderdConfig.SSHConfigOptions {
 						opt := fmt.Sprintf("%s %s", k, v)
 						err := configOptions.addOptions(opt)
 						if err != nil {
 							return xerrors.Errorf("add coderd config option %q: %w", opt, err)
 						}
 					}
-					// Override with flag options
-					for _, opt := range sshConfigOpts.sshOptions {
-						err := configOptions.addOptions(opt)
-						if err != nil {
-							return xerrors.Errorf("add flag config option %q: %w", opt, err)
-						}
+
+					// Finally, add the standard options.
+					err := configOptions.addOptions(defaultOptions...)
+					if err != nil {
+						return err
 					}
 
 					hostBlock := []string{
 
@@ -272,32 +272,32 @@ func Test_sshConfigOptions_addOption(t *testing.T) {
 			},
 		},
 		{
-			Name: "Replace",
+			Name: "AddTwo",
 			Start: []string{
 				"foo bar",
 			},
 			Add: []string{"Foo baz"},
 			Expect: []string{
+				"foo bar",
 				"Foo baz",
 			},
 		},
 		{
-			Name: "AddAndReplace",
+			Name: "AddAndRemove",
 			Start: []string{
-				"a b",
 				"foo bar",
 				"buzz bazz",
 			},
 			Add: []string{
 				"b c",
+				"a ", // Empty value, means remove all following entries that start with "a", i.e. next line.
 				"A hello",
 				"hello world",
 			},
 			Expect: []string{
 				"foo bar",
 				"buzz bazz",
 				"b c",
-				"A hello",
 				"hello world",
 			},
 		},
 
@@ -65,7 +65,7 @@ func TestConfigSSH(t *testing.T) {
 
 	const hostname = "test-coder."
 	const expectedKey = "ConnectionAttempts"
-	const removeKey = "ConnectionTimeout"
+	const removeKey = "ConnectTimeout"
 	client, db := coderdtest.NewWithDatabase(t, &coderdtest.Options{
 		ConfigSSH: codersdk.SSHConfigResponse{
 			HostnamePrefix: hostname,
@@ -620,6 +620,19 @@ func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
 				regexMatch: `ProxyCommand .* --header-command "printf h1=v1 h2='v2'" ssh`,
 			},
 		},
+		{
+			name: "Multiple remote forwards",
+			args: []string{
+				"--yes",
+				"--ssh-option", "RemoteForward 2222 192.168.11.1:2222",
+				"--ssh-option", "RemoteForward 2223 192.168.11.1:2223",
+			},
+			wantErr:  false,
+			hasAgent: true,
+			wantConfig: wantConfig{
+				regexMatch: "RemoteForward 2222 192.168.11.1:2222.*\n.*RemoteForward 2223 192.168.11.1:2223",
+			},
+		},
 	}
 	for _, tt := range tests {
 		tt := tt
 
@@ -343,6 +343,13 @@ func NewFakeIDP(t testing.TB, opts ...FakeIDPOpt) *FakeIDP {
 		idp.realServer(t)
 	}
 
+	// Log the url to indicate which port the IDP is running on if it is
+	// being served on a real port.
+	idp.logger.Info(context.Background(),
+		"fake IDP created",
+		slog.F("issuer", idp.IssuerURL().String()),
+	)
+
 	return idp
 }
 
@@ -744,7 +751,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
 	// This endpoint is required to initialize the OIDC provider.
 	// It is used to get the OIDC configuration.
 	mux.Get("/.well-known/openid-configuration", func(rw http.ResponseWriter, r *http.Request) {
-		f.logger.Info(r.Context(), "http OIDC config", slog.F("url", r.URL.String()))
+		f.logger.Info(r.Context(), "http OIDC config", slogRequestFields(r)...)
 
 		_ = json.NewEncoder(rw).Encode(f.provider)
 	})
@@ -754,7 +761,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
 	// w/e and clicking "Allow". They will be redirected back to the redirect
 	// when this is done.
 	mux.Handle(authorizePath, http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		f.logger.Info(r.Context(), "http call authorize", slog.F("url", r.URL.String()))
+		f.logger.Info(r.Context(), "http call authorize", slogRequestFields(r)...)
 
 		clientID := r.URL.Query().Get("client_id")
 		if !assert.Equal(t, f.clientID, clientID, "unexpected client_id") {
@@ -812,11 +819,12 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
 			values, err = f.authenticateOIDCClientRequest(t, r)
 		}
 		f.logger.Info(r.Context(), "http idp call token",
-			slog.F("url", r.URL.String()),
-			slog.F("valid", err == nil),
-			slog.F("grant_type", values.Get("grant_type")),
-			slog.F("values", values.Encode()),
-		)
+			append(slogRequestFields(r),
+				slog.F("valid", err == nil),
+				slog.F("grant_type", values.Get("grant_type")),
+				slog.F("values", values.Encode()),
+			)...)
+
 		if err != nil {
 			http.Error(rw, fmt.Sprintf("invalid token request: %s", err.Error()), httpErrorCode(http.StatusBadRequest, err))
 			return
@@ -990,8 +998,10 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
 	mux.Handle(userInfoPath, http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		email, ok := validateMW(rw, r)
 		f.logger.Info(r.Context(), "http userinfo endpoint",
-			slog.F("valid", ok),
-			slog.F("email", email),
+			append(slogRequestFields(r),
+				slog.F("valid", ok),
+				slog.F("email", email),
+			)...,
 		)
 		if !ok {
 			return
@@ -1011,8 +1021,10 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
 	mux.Mount("/external-auth-validate/", http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		email, ok := validateMW(rw, r)
 		f.logger.Info(r.Context(), "http external auth validate",
-			slog.F("valid", ok),
-			slog.F("email", email),
+			append(slogRequestFields(r),
+				slog.F("valid", ok),
+				slog.F("email", email),
+			)...,
 		)
 		if !ok {
 			return
@@ -1028,7 +1040,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
 	}))
 
 	mux.Handle(keysPath, http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		f.logger.Info(r.Context(), "http call idp /keys")
+		f.logger.Info(r.Context(), "http call idp /keys", slogRequestFields(r)...)
 		set := jose.JSONWebKeySet{
 			Keys: []jose.JSONWebKey{
 				{
@@ -1042,7 +1054,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
 	}))
 
 	mux.Handle(deviceVerify, http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		f.logger.Info(r.Context(), "http call device verify")
+		f.logger.Info(r.Context(), "http call device verify", slogRequestFields(r)...)
 
 		inputParam := "user_input"
 		userInput := r.URL.Query().Get(inputParam)
@@ -1099,7 +1111,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
 	}))
 
 	mux.Handle(deviceAuth, http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		f.logger.Info(r.Context(), "http call device auth")
+		f.logger.Info(r.Context(), "http call device auth", slogRequestFields(r)...)
 
 		p := httpapi.NewQueryParamParser()
 		p.RequiredNotEmpty("client_id")
@@ -1161,7 +1173,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
 	}))
 
 	mux.NotFound(func(rw http.ResponseWriter, r *http.Request) {
-		f.logger.Error(r.Context(), "http call not found", slog.F("path", r.URL.Path))
+		f.logger.Error(r.Context(), "http call not found", slogRequestFields(r)...)
 		t.Errorf("unexpected request to IDP at path %q. Not supported", r.URL.Path)
 	})
 
@@ -1422,11 +1434,19 @@ func (f *FakeIDP) getClaims(m *syncmap.Map[string, jwt.MapClaims], key string) (
 	return v, true
 }
 
+func slogRequestFields(r *http.Request) []any {
+	return []any{
+		slog.F("url", r.URL.String()),
+		slog.F("host", r.Host),
+		slog.F("method", r.Method),
+	}
+}
+
 func httpErrorCode(defaultCode int, err error) int {
-	var stautsErr statusHookError
+	var statusErr statusHookError
 	status := defaultCode
-	if errors.As(err, &stautsErr) {
-		status = stautsErr.HTTPStatusCode
+	if errors.As(err, &statusErr) {
+		status = statusErr.HTTPStatusCode
 	}
 	return status
 }
 
@@ -56,4 +56,4 @@ pages.
 | 2.11.x       | May 07, 2024      | Security Support |
 | 2.12.x       | June 04, 2024     | Stable           |
 | 2.13.x       | July 02, 2024     | Mainline         |
-| 2.14.x       | Aigust 06, 2024   | Not Released     |
+| 2.14.x       | August 06, 2024   | Not Released     |
@@ -8,7 +8,7 @@ FROM ubuntu:jammy AS go
 
 RUN apt-get update && apt-get install --yes curl gcc
 # Install Go manually, so that we can control the version
-ARG GO_VERSION=1.22.4
+ARG GO_VERSION=1.22.5
 RUN mkdir --parents /usr/local/go
 
 # Boring Go is needed to build FIPS-compliant binaries.