FWIW, I think we'd hit this bug on an ordinary DB fetch error, not just a slow or hung fetch.

That's because we had

	sseSendEvent, sseSenderClosed, err := httpapi.ServerSentEventSender(rw, r)
	if err != nil {
		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
			Message: "Internal error setting up server-sent events.",
			Detail:  err.Error(),
		})
		return
	}
	// Prevent handler from returning until the sender is closed.
	defer func() {
		<-sseSenderClosed
	}()

and once you call this, the only things that allow sseSenderClosed to close is r.Context() expiring or a write error sending an event.

So, when we do

	md, err := api.Database.GetWorkspaceAgentMetadata(ctx, database.GetWorkspaceAgentMetadataParams{
		WorkspaceAgentID: workspaceAgent.ID,
		Keys:             nil,
	})
	if err != nil {
		// If we can't successfully pull the initial metadata, pubsub
		// updates will be no-op so we may as well terminate the
		// connection early.
		httpapi.InternalServerError(rw, err)
		return
	}

httpapi.InternalServerError(rw, err) doesn't actually shut down the SSE, and in fact, probably just corrupts the SSE stream, if anything. At that point it sort of depends on what the client does. If they cleanly hang up then maybe r.Context() gets closed, but if they just ignore the malformed data and keep reading then we just block, since the server will send no more events.

I like what you've done with squirreling away a cancelable context on the Request, but perhaps it makes sense to just accept a context in httpapi.ServerSentEventSender() instead of the Request. That might make it a little more obvious how to cancel.

One other thing I'd like to see on this PR is a test that reproduces the issue with the old code --- e.g. by triggering a database error, and passes with the new code.

FWIW, I think we'd hit this bug on an ordinary DB fetch error, not just a slow or hung fetch.

Yeah, I agree. I know that wasn't the cause in my repro though since my logs were missing the line indicating a DB error happened.

Good catch on the httpapi.InternalServerError, we should make sure these invocations fail/are not permitted on SSE connections. Or automatically translated to SSE error payload (but that's too much magic perhaps).

I like what you've done with squirreling away a cancelable context on the Request, but perhaps it makes sense to just accept a context in httpapi.ServerSentEventSender() instead of the Request. That might make it a little more obvious how to cancel.

Big agree, I wasn't super happy with the squirreling, so I was thinking I'll take a look at refactoring the SSE sender in a separate PR. I do think it should at minimum be closeable, not just "hoping" for a close. If we can find an alternative to using contexts that outlive their function call, I think that'd be good too.

I managed to reproduce the leak by issuing the following cURL command (the agent is v2.2.1 which is more efficient at triggering the ballooning, due to old metadata implementation):

curl \
  -H 'Coder-Session-Token: ...' \
  -H 'Accept: text/event-stream' \
  --limit-rate 1 \
  'http://my-coder:7080/api/v2/workspaceagents/025226f8-a637-4ea4-8fea-620ddbf81272/watch-metadata'

And then going AFK so my computer went a sleep, when I came back and woke my computer, I saw how Coder memory usage started ballooning and was able to stop it in its tracks by pressing Ctrl+C on the cURL command. Not sure whether limit-rate helped in reproduction, or if it was mainly due to what happens to the connection when the other client sleeps.

EDIT: Second repro, using --limit-rate 10, no sleep. Surfaced ~11 minutes after launching cURL.

@spikecurtis I added a test in ab3cea2 that reproduces the leak. Using the DB error exit path is not the same mechanism that triggers it in the wild, but I didn't manage to reproduce it in any other way (in the test).