5 files changed, 867 insertions, 0 deletions
diff --git a/meshmc/libraries/katabasis/src/DeviceFlow.cpp b/meshmc/libraries/katabasis/src/DeviceFlow.cpp
new file mode 100644
index 0000000000..d03b3efd8f
--- /dev/null
+++ b/meshmc/libraries/katabasis/src/DeviceFlow.cpp
@@ -0,0 +1,539 @@
+/* SPDX-FileCopyrightText: 2026 Project Tick
+ * SPDX-FileContributor: Project Tick
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ *   MeshMC - A Custom Launcher for Minecraft
+ *   Copyright (C) 2026 Project Tick
+ *
+ *   This program is free software: you can redistribute it and/or modify
+ *   it under the terms of the GNU General Public License as published by
+ *   the Free Software Foundation, either version 3 of the License, or
+ *   (at your option) any later version.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <QList>
+#include <QPair>
+#include <QDebug>
+#include <QTcpServer>
+#include <QMap>
+#include <QNetworkRequest>
+#include <QNetworkReply>
+#include <QNetworkAccessManager>
+#include <QDateTime>
+#include <QCryptographicHash>
+#include <QTimer>
+#include <QVariantMap>
+#include <QUuid>
+#include <QDataStream>
+
+#include <QUrlQuery>
+
+#include "katabasis/DeviceFlow.h"
+#include "katabasis/PollServer.h"
+#include "katabasis/Globals.h"
+
+#include "JsonResponse.h"
+
+namespace
+{
+	// ref: https://tools.ietf.org/html/rfc8628#section-3.2
+	// Exception: Google sign-in uses "verification_url" instead of "*_uri" -
+	// we'll accept both.
+	bool hasMandatoryDeviceAuthParams(const QVariantMap& params)
+	{
+		if (!params.contains(Katabasis::OAUTH2_DEVICE_CODE))
+			return false;
+
+		if (!params.contains(Katabasis::OAUTH2_USER_CODE))
+			return false;
+
+		if (!(params.contains(Katabasis::OAUTH2_VERIFICATION_URI) ||
+			  params.contains(Katabasis::OAUTH2_VERIFICATION_URL)))
+			return false;
+
+		if (!params.contains(Katabasis::OAUTH2_EXPIRES_IN))
+			return false;
+
+		return true;
+	}
+
+	QByteArray
+	createQueryParameters(const QList<Katabasis::RequestParameter>& parameters)
+	{
+		QByteArray ret;
+		bool first = true;
+		for (auto& h : parameters) {
+			if (first) {
+				first = false;
+			} else {
+				ret.append("&");
+			}
+			ret.append(QUrl::toPercentEncoding(h.name) + "=" +
+					   QUrl::toPercentEncoding(h.value));
+		}
+		return ret;
+	}
+} // namespace
+
+namespace Katabasis
+{
+
+	DeviceFlow::DeviceFlow(Options& opts, Token& token, QObject* parent,
+						   QNetworkAccessManager* manager)
+		: QObject(parent), token_(token)
+	{
+		manager_ = manager ? manager : new QNetworkAccessManager(this);
+		qRegisterMetaType<QNetworkReply::NetworkError>(
+			"QNetworkReply::NetworkError");
+		options_ = opts;
+	}
+
+	bool DeviceFlow::linked()
+	{
+		return token_.validity != Validity::None;
+	}
+	void DeviceFlow::setLinked(bool v)
+	{
+		qDebug() << "DeviceFlow::setLinked:" << (v ? "true" : "false");
+		token_.validity = v ? Validity::Certain : Validity::None;
+	}
+
+	void DeviceFlow::updateActivity(Activity activity)
+	{
+		if (activity_ == activity) {
+			return;
+		}
+
+		activity_ = activity;
+		switch (activity) {
+			case Katabasis::Activity::Idle:
+			case Katabasis::Activity::LoggingIn:
+			case Katabasis::Activity::LoggingOut:
+			case Katabasis::Activity::Refreshing:
+				// non-terminal states...
+				break;
+			case Katabasis::Activity::FailedSoft:
+				// terminal state, tokens did not change
+				break;
+			case Katabasis::Activity::FailedHard:
+			case Katabasis::Activity::FailedGone:
+				// terminal state, tokens are invalid
+				token_ = Token();
+				break;
+			case Katabasis::Activity::Succeeded:
+				setLinked(true);
+				break;
+		}
+		emit activityChanged(activity_);
+	}
+
+	QString DeviceFlow::token()
+	{
+		return token_.token;
+	}
+	void DeviceFlow::setToken(const QString& v)
+	{
+		token_.token = v;
+	}
+
+	QVariantMap DeviceFlow::extraTokens()
+	{
+		return token_.extra;
+	}
+
+	void DeviceFlow::setExtraTokens(QVariantMap extraTokens)
+	{
+		token_.extra = extraTokens;
+	}
+
+	void DeviceFlow::setPollServer(PollServer* server)
+	{
+		if (pollServer_)
+			pollServer_->deleteLater();
+
+		pollServer_ = server;
+	}
+
+	PollServer* DeviceFlow::pollServer() const
+	{
+		return pollServer_;
+	}
+
+	QVariantMap DeviceFlow::extraRequestParams()
+	{
+		return extraReqParams_;
+	}
+
+	void DeviceFlow::setExtraRequestParams(const QVariantMap& value)
+	{
+		extraReqParams_ = value;
+	}
+
+	QString DeviceFlow::grantType()
+	{
+		if (!grantType_.isEmpty())
+			return grantType_;
+
+		return OAUTH2_GRANT_TYPE_DEVICE;
+	}
+
+	void DeviceFlow::setGrantType(const QString& value)
+	{
+		grantType_ = value;
+	}
+
+	// First get the URL and token to display to the user
+	void DeviceFlow::login()
+	{
+		qDebug() << "DeviceFlow::link";
+
+		updateActivity(Activity::LoggingIn);
+		setLinked(false);
+		setToken("");
+		setExtraTokens(QVariantMap());
+		setRefreshToken(QString());
+		setExpires(QDateTime());
+
+		QList<RequestParameter> parameters;
+		parameters.append(RequestParameter(OAUTH2_CLIENT_ID,
+										   options_.clientIdentifier.toUtf8()));
+		parameters.append(
+			RequestParameter(OAUTH2_SCOPE, options_.scope.toUtf8()));
+		QByteArray payload = createQueryParameters(parameters);
+
+		QUrl url(options_.authorizationUrl);
+		QNetworkRequest deviceRequest(url);
+		deviceRequest.setHeader(QNetworkRequest::ContentTypeHeader,
+								"application/x-www-form-urlencoded");
+		QNetworkReply* tokenReply = manager_->post(deviceRequest, payload);
+
+		connect(tokenReply, &QNetworkReply::finished, this,
+				&DeviceFlow::onDeviceAuthReplyFinished, Qt::QueuedConnection);
+	}
+
+	// Then, once we get them, present them to the user
+	void DeviceFlow::onDeviceAuthReplyFinished()
+	{
+		qDebug() << "DeviceFlow::onDeviceAuthReplyFinished";
+		QNetworkReply* tokenReply = qobject_cast<QNetworkReply*>(sender());
+		if (!tokenReply) {
+			qDebug() << "DeviceFlow::onDeviceAuthReplyFinished: reply is null";
+			return;
+		}
+		if (tokenReply->error() == QNetworkReply::NoError) {
+			QByteArray replyData = tokenReply->readAll();
+
+			// Dump replyData
+			// SENSITIVE DATA in RelWithDebInfo or Debug builds
+			// qDebug() << "DeviceFlow::onDeviceAuthReplyFinished: replyData\n";
+			// qDebug() << QString( replyData );
+
+			QVariantMap params = parseJsonResponse(replyData);
+
+			// Dump tokens
+			qDebug()
+				<< "DeviceFlow::onDeviceAuthReplyFinished: Tokens returned:\n";
+			foreach (QString key, params.keys()) {
+				// SENSITIVE DATA in RelWithDebInfo or Debug builds, so it is
+				// truncated first
+				qDebug() << key << ": " << params.value(key).toString();
+			}
+
+			// Check for mandatory parameters
+			if (hasMandatoryDeviceAuthParams(params)) {
+				qDebug() << "DeviceFlow::onDeviceAuthReplyFinished: Device "
+							"auth request response";
+
+				const QString userCode =
+					params.take(OAUTH2_USER_CODE).toString();
+				QUrl uri = params.take(OAUTH2_VERIFICATION_URI).toUrl();
+				if (uri.isEmpty())
+					uri = params.take(OAUTH2_VERIFICATION_URL).toUrl();
+
+				if (params.contains(OAUTH2_VERIFICATION_URI_COMPLETE))
+					emit openBrowser(
+						params.take(OAUTH2_VERIFICATION_URI_COMPLETE).toUrl());
+
+				bool ok = false;
+				int expiresIn = params[OAUTH2_EXPIRES_IN].toInt(&ok);
+				if (!ok) {
+					qWarning() << "DeviceFlow::startPollServer: No expired_in "
+								  "parameter";
+					updateActivity(Activity::FailedHard);
+					return;
+				}
+
+				emit showVerificationUriAndCode(uri, userCode, expiresIn);
+
+				startPollServer(params, expiresIn);
+			} else {
+				qWarning() << "DeviceFlow::onDeviceAuthReplyFinished: "
+							  "Mandatory parameters missing from response";
+				updateActivity(Activity::FailedHard);
+			}
+		}
+		tokenReply->deleteLater();
+	}
+
+	// Spin up polling for the user completing the login flow out of band
+	void DeviceFlow::startPollServer(const QVariantMap& params, int expiresIn)
+	{
+		qDebug()
+			<< "DeviceFlow::startPollServer: device_ and user_code expires in"
+			<< expiresIn << "seconds";
+
+		QUrl url(options_.accessTokenUrl);
+		QNetworkRequest authRequest(url);
+		authRequest.setHeader(QNetworkRequest::ContentTypeHeader,
+							  "application/x-www-form-urlencoded");
+
+		const QString deviceCode = params[OAUTH2_DEVICE_CODE].toString();
+		const QString grantType =
+			grantType_.isEmpty() ? OAUTH2_GRANT_TYPE_DEVICE : grantType_;
+
+		QList<RequestParameter> parameters;
+		parameters.append(RequestParameter(OAUTH2_CLIENT_ID,
+										   options_.clientIdentifier.toUtf8()));
+		if (!options_.clientSecret.isEmpty()) {
+			parameters.append(RequestParameter(OAUTH2_CLIENT_SECRET,
+											   options_.clientSecret.toUtf8()));
+		}
+		parameters.append(RequestParameter(OAUTH2_CODE, deviceCode.toUtf8()));
+		parameters.append(
+			RequestParameter(OAUTH2_GRANT_TYPE, grantType.toUtf8()));
+		QByteArray payload = createQueryParameters(parameters);
+
+		PollServer* pollServer =
+			new PollServer(manager_, authRequest, payload, expiresIn, this);
+		if (params.contains(OAUTH2_INTERVAL)) {
+			bool ok = false;
+			int interval = params[OAUTH2_INTERVAL].toInt(&ok);
+			if (ok) {
+				pollServer->setInterval(interval);
+			}
+		}
+		connect(pollServer, &PollServer::verificationReceived, this,
+				&DeviceFlow::onVerificationReceived);
+		connect(pollServer, &PollServer::serverClosed, this,
+				&DeviceFlow::serverHasClosed);
+		setPollServer(pollServer);
+		pollServer->startPolling();
+	}
+
+	// Once the user completes the flow, update the internal state and report it
+	// to observers
+	void
+	DeviceFlow::onVerificationReceived(const QMap<QString, QString> response)
+	{
+		qDebug()
+			<< "DeviceFlow::onVerificationReceived: Emitting closeBrowser()";
+		emit closeBrowser();
+
+		if (response.contains("error")) {
+			qWarning()
+				<< "DeviceFlow::onVerificationReceived: Verification failed:"
+				<< response;
+			updateActivity(Activity::FailedHard);
+			return;
+		}
+
+		// Check for mandatory tokens
+		if (response.contains(OAUTH2_ACCESS_TOKEN)) {
+			qDebug() << "DeviceFlow::onVerificationReceived: Access token "
+						"returned for implicit or device flow";
+			setToken(response.value(OAUTH2_ACCESS_TOKEN));
+			if (response.contains(OAUTH2_EXPIRES_IN)) {
+				bool ok = false;
+				int expiresIn = response.value(OAUTH2_EXPIRES_IN).toInt(&ok);
+				if (ok) {
+					qDebug() << "DeviceFlow::onVerificationReceived: Token "
+								"expires in"
+							 << expiresIn << "seconds";
+					setExpires(
+						QDateTime::currentDateTimeUtc().addSecs(expiresIn));
+				}
+			}
+			if (response.contains(OAUTH2_REFRESH_TOKEN)) {
+				setRefreshToken(response.value(OAUTH2_REFRESH_TOKEN));
+			}
+			updateActivity(Activity::Succeeded);
+		} else {
+			qWarning() << "DeviceFlow::onVerificationReceived: Access token "
+						  "missing from response for implicit or device flow";
+			updateActivity(Activity::FailedHard);
+		}
+	}
+
+	// Or if the flow fails or the polling times out, update the internal state
+	// with error and report it to observers
+	void DeviceFlow::serverHasClosed(bool paramsfound)
+	{
+		if (!paramsfound) {
+			// server has probably timed out after receiving first response
+			updateActivity(Activity::FailedHard);
+		}
+		// poll server is not re-used for later auth requests
+		setPollServer(NULL);
+	}
+
+	void DeviceFlow::logout()
+	{
+		qDebug() << "DeviceFlow::unlink";
+		updateActivity(Activity::LoggingOut);
+		// FIXME: implement logout flows... if they exist
+		token_ = Token();
+		updateActivity(Activity::FailedHard);
+	}
+
+	QDateTime DeviceFlow::expires()
+	{
+		return token_.notAfter;
+	}
+	void DeviceFlow::setExpires(QDateTime v)
+	{
+		token_.notAfter = v;
+	}
+
+	QString DeviceFlow::refreshToken()
+	{
+		return token_.refresh_token;
+	}
+
+	void DeviceFlow::setRefreshToken(const QString& v)
+	{
+#ifndef NDEBUG
+		qDebug() << "DeviceFlow::setRefreshToken" << v << "...";
+#endif
+		token_.refresh_token = v;
+	}
+
+	namespace
+	{
+		QByteArray buildRequestBody(const QMap<QString, QString>& parameters)
+		{
+			QByteArray body;
+			bool first = true;
+			foreach (QString key, parameters.keys()) {
+				if (first) {
+					first = false;
+				} else {
+					body.append("&");
+				}
+				QString value = parameters.value(key);
+				body.append(QUrl::toPercentEncoding(key) +
+							QString("=").toUtf8() +
+							QUrl::toPercentEncoding(value));
+			}
+			return body;
+		}
+	} // namespace
+
+	bool DeviceFlow::refresh()
+	{
+		qDebug() << "DeviceFlow::refresh: Token: ..."
+				 << refreshToken().right(7);
+
+		updateActivity(Activity::Refreshing);
+
+		if (refreshToken().isEmpty()) {
+			qWarning() << "DeviceFlow::refresh: No refresh token";
+			onRefreshError(QNetworkReply::AuthenticationRequiredError, nullptr);
+			return false;
+		}
+		if (options_.accessTokenUrl.isEmpty()) {
+			qWarning() << "DeviceFlow::refresh: Refresh token URL not set";
+			onRefreshError(QNetworkReply::AuthenticationRequiredError, nullptr);
+			return false;
+		}
+
+		QNetworkRequest refreshRequest(options_.accessTokenUrl);
+		refreshRequest.setHeader(QNetworkRequest::ContentTypeHeader,
+								 MIME_TYPE_XFORM);
+		QMap<QString, QString> parameters;
+		parameters.insert(OAUTH2_CLIENT_ID, options_.clientIdentifier);
+		if (!options_.clientSecret.isEmpty()) {
+			parameters.insert(OAUTH2_CLIENT_SECRET, options_.clientSecret);
+		}
+		parameters.insert(OAUTH2_REFRESH_TOKEN, refreshToken());
+		parameters.insert(OAUTH2_GRANT_TYPE, OAUTH2_REFRESH_TOKEN);
+
+		QByteArray data = buildRequestBody(parameters);
+		QNetworkReply* refreshReply = manager_->post(refreshRequest, data);
+		timedReplies_.add(refreshReply);
+		connect(refreshReply, &QNetworkReply::finished, this,
+				&DeviceFlow::onRefreshFinished, Qt::QueuedConnection);
+		return true;
+	}
+
+	void DeviceFlow::onRefreshFinished()
+	{
+		QNetworkReply* refreshReply = qobject_cast<QNetworkReply*>(sender());
+
+		auto networkError = refreshReply->error();
+		if (networkError == QNetworkReply::NoError) {
+			QByteArray reply = refreshReply->readAll();
+			QVariantMap tokens = parseJsonResponse(reply);
+			setToken(tokens.value(OAUTH2_ACCESS_TOKEN).toString());
+			setExpires(QDateTime::currentDateTimeUtc().addSecs(
+				tokens.value(OAUTH2_EXPIRES_IN).toInt()));
+			QString refreshToken =
+				tokens.value(OAUTH2_REFRESH_TOKEN).toString();
+			if (!refreshToken.isEmpty()) {
+				setRefreshToken(refreshToken);
+			} else {
+				qDebug() << "No new refresh token. Keep the old one.";
+			}
+			timedReplies_.remove(refreshReply);
+			refreshReply->deleteLater();
+			updateActivity(Activity::Succeeded);
+			qDebug() << "New token expires in" << expires() << "seconds";
+		} else {
+			// FIXME: differentiate the error more here
+			onRefreshError(networkError, refreshReply);
+		}
+	}
+
+	void DeviceFlow::onRefreshError(QNetworkReply::NetworkError error,
+									QNetworkReply* refreshReply)
+	{
+		QString errorString = "No Reply";
+		if (refreshReply) {
+			timedReplies_.remove(refreshReply);
+			errorString = refreshReply->errorString();
+		}
+
+		switch (error) {
+			// used for invalid credentials and similar errors. Fall through.
+			case QNetworkReply::AuthenticationRequiredError:
+			case QNetworkReply::ContentAccessDenied:
+			case QNetworkReply::ContentOperationNotPermittedError:
+			case QNetworkReply::ProtocolInvalidOperationError:
+				updateActivity(Activity::FailedHard);
+				break;
+			case QNetworkReply::ContentGoneError: {
+				updateActivity(Activity::FailedGone);
+				break;
+			}
+			case QNetworkReply::TimeoutError:
+			case QNetworkReply::OperationCanceledError:
+			case QNetworkReply::SslHandshakeFailedError:
+			default:
+				updateActivity(Activity::FailedSoft);
+				return;
+		}
+		if (refreshReply) {
+			refreshReply->deleteLater();
+		}
+		qDebug() << "DeviceFlow::onRefreshFinished: Error" << (int)error
+				 << " - " << errorString;
+	}
+
+} // namespace Katabasis
diff --git a/meshmc/libraries/katabasis/src/JsonResponse.cpp b/meshmc/libraries/katabasis/src/JsonResponse.cpp
new file mode 100644
index 0000000000..8daee82ebb
--- /dev/null
+++ b/meshmc/libraries/katabasis/src/JsonResponse.cpp
@@ -0,0 +1,51 @@
+/* SPDX-FileCopyrightText: 2026 Project Tick
+ * SPDX-FileContributor: Project Tick
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ *   MeshMC - A Custom Launcher for Minecraft
+ *   Copyright (C) 2026 Project Tick
+ *
+ *   This program is free software: you can redistribute it and/or modify
+ *   it under the terms of the GNU General Public License as published by
+ *   the Free Software Foundation, either version 3 of the License, or
+ *   (at your option) any later version.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include "JsonResponse.h"
+
+#include <QByteArray>
+#include <QDebug>
+#include <QJsonDocument>
+#include <QJsonObject>
+
+namespace Katabasis
+{
+
+	QVariantMap parseJsonResponse(const QByteArray& data)
+	{
+		QJsonParseError err;
+		QJsonDocument doc = QJsonDocument::fromJson(data, &err);
+		if (err.error != QJsonParseError::NoError) {
+			qWarning() << "parseTokenResponse: Failed to parse token response "
+						  "due to err:"
+					   << err.errorString();
+			return QVariantMap();
+		}
+
+		if (!doc.isObject()) {
+			qWarning() << "parseTokenResponse: Token response is not an object";
+			return QVariantMap();
+		}
+
+		return doc.object().toVariantMap();
+	}
+
+} // namespace Katabasis
diff --git a/meshmc/libraries/katabasis/src/JsonResponse.h b/meshmc/libraries/katabasis/src/JsonResponse.h
new file mode 100644
index 0000000000..0662c8ff61
--- /dev/null
+++ b/meshmc/libraries/katabasis/src/JsonResponse.h
@@ -0,0 +1,34 @@
+/* SPDX-FileCopyrightText: 2026 Project Tick
+ * SPDX-FileContributor: Project Tick
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ *   MeshMC - A Custom Launcher for Minecraft
+ *   Copyright (C) 2026 Project Tick
+ *
+ *   This program is free software: you can redistribute it and/or modify
+ *   it under the terms of the GNU General Public License as published by
+ *   the Free Software Foundation, either version 3 of the License, or
+ *   (at your option) any later version.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+
+#include <QVariantMap>
+
+class QByteArray;
+
+namespace Katabasis
+{
+
+	/// Parse JSON data into a QVariantMap
+	QVariantMap parseJsonResponse(const QByteArray& data);
+
+} // namespace Katabasis
diff --git a/meshmc/libraries/katabasis/src/PollServer.cpp b/meshmc/libraries/katabasis/src/PollServer.cpp
new file mode 100644
index 0000000000..1c8556aa98
--- /dev/null
+++ b/meshmc/libraries/katabasis/src/PollServer.cpp
@@ -0,0 +1,147 @@
+/* SPDX-FileCopyrightText: 2026 Project Tick
+ * SPDX-FileContributor: Project Tick
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ *   MeshMC - A Custom Launcher for Minecraft
+ *   Copyright (C) 2026 Project Tick
+ *
+ *   This program is free software: you can redistribute it and/or modify
+ *   it under the terms of the GNU General Public License as published by
+ *   the Free Software Foundation, either version 3 of the License, or
+ *   (at your option) any later version.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <QNetworkAccessManager>
+#include <QNetworkReply>
+
+#include "katabasis/PollServer.h"
+#include "JsonResponse.h"
+
+namespace
+{
+	QMap<QString, QString> toVerificationParams(const QVariantMap& map)
+	{
+		QMap<QString, QString> params;
+		for (QVariantMap::const_iterator i = map.constBegin();
+			 i != map.constEnd(); ++i) {
+			params[i.key()] = i.value().toString();
+		}
+		return params;
+	}
+} // namespace
+
+namespace Katabasis
+{
+
+	PollServer::PollServer(QNetworkAccessManager* manager,
+						   const QNetworkRequest& request,
+						   const QByteArray& payload, int expiresIn,
+						   QObject* parent)
+		: QObject(parent), manager_(manager), request_(request),
+		  payload_(payload), expiresIn_(expiresIn)
+	{
+		expirationTimer.setTimerType(Qt::VeryCoarseTimer);
+		expirationTimer.setInterval(expiresIn * 1000);
+		expirationTimer.setSingleShot(true);
+		connect(&expirationTimer, SIGNAL(timeout()), this,
+				SLOT(onExpiration()));
+		expirationTimer.start();
+
+		pollTimer.setTimerType(Qt::VeryCoarseTimer);
+		pollTimer.setInterval(5 * 1000);
+		pollTimer.setSingleShot(true);
+		connect(&pollTimer, SIGNAL(timeout()), this, SLOT(onPollTimeout()));
+	}
+
+	int PollServer::interval() const
+	{
+		return pollTimer.interval() / 1000;
+	}
+
+	void PollServer::setInterval(int interval)
+	{
+		pollTimer.setInterval(interval * 1000);
+	}
+
+	void PollServer::startPolling()
+	{
+		if (expirationTimer.isActive()) {
+			pollTimer.start();
+		}
+	}
+
+	void PollServer::onPollTimeout()
+	{
+		qDebug() << "PollServer::onPollTimeout: retrying";
+		QNetworkReply* reply = manager_->post(request_, payload_);
+		connect(reply, SIGNAL(finished()), this, SLOT(onReplyFinished()));
+	}
+
+	void PollServer::onExpiration()
+	{
+		pollTimer.stop();
+		emit serverClosed(false);
+	}
+
+	void PollServer::onReplyFinished()
+	{
+		QNetworkReply* reply = qobject_cast<QNetworkReply*>(sender());
+
+		if (!reply) {
+			qDebug() << "PollServer::onReplyFinished: reply is null";
+			return;
+		}
+
+		QByteArray replyData = reply->readAll();
+		QMap<QString, QString> params =
+			toVerificationParams(parseJsonResponse(replyData));
+
+		// Dump replyData
+		// SENSITIVE DATA in RelWithDebInfo or Debug builds
+		// qDebug() << "PollServer::onReplyFinished: replyData\n";
+		// qDebug() << QString( replyData );
+
+		if (reply->error() == QNetworkReply::TimeoutError) {
+			// rfc8628#section-3.2
+			// "On encountering a connection timeout, clients MUST unilaterally
+			// reduce their polling frequency before retrying.  The use of an
+			// exponential backoff algorithm to achieve this, such as doubling
+			// the polling interval on each such connection timeout, is
+			// RECOMMENDED."
+			setInterval(interval() * 2);
+			pollTimer.start();
+		} else {
+			QString error = params.value("error");
+			if (error == "slow_down") {
+				// rfc8628#section-3.2
+				// "A variant of 'authorization_pending', the authorization
+				// request is still pending and polling should continue, but the
+				// interval MUST be increased by 5 seconds for this and all
+				// subsequent requests."
+				setInterval(interval() + 5);
+				pollTimer.start();
+			} else if (error == "authorization_pending") {
+				// keep trying - rfc8628#section-3.2
+				// "The authorization request is still pending as the end user
+				// hasn't yet completed the user-interaction steps
+				// (Section 3.3)."
+				pollTimer.start();
+			} else {
+				expirationTimer.stop();
+				emit serverClosed(true);
+				// let O2 handle the other cases
+				emit verificationReceived(params);
+			}
+		}
+		reply->deleteLater();
+	}
+
+} // namespace Katabasis
diff --git a/meshmc/libraries/katabasis/src/Reply.cpp b/meshmc/libraries/katabasis/src/Reply.cpp
new file mode 100644
index 0000000000..c19113ac50
--- /dev/null
+++ b/meshmc/libraries/katabasis/src/Reply.cpp
@@ -0,0 +1,96 @@
+/* SPDX-FileCopyrightText: 2026 Project Tick
+ * SPDX-FileContributor: Project Tick
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ *   MeshMC - A Custom Launcher for Minecraft
+ *   Copyright (C) 2026 Project Tick
+ *
+ *   This program is free software: you can redistribute it and/or modify
+ *   it under the terms of the GNU General Public License as published by
+ *   the Free Software Foundation, either version 3 of the License, or
+ *   (at your option) any later version.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <QTimer>
+#include <QNetworkReply>
+
+#include "katabasis/Reply.h"
+
+namespace Katabasis
+{
+
+	Reply::Reply(QNetworkReply* r, int timeOut, QObject* parent)
+		: QTimer(parent), reply(r)
+	{
+		setSingleShot(true);
+		connect(this, &Reply::timeout, this, &Reply::onTimeOut,
+				Qt::QueuedConnection);
+		start(timeOut);
+	}
+
+	void Reply::onTimeOut()
+	{
+		timedOut = true;
+		reply->abort();
+	}
+
+	// ----------------------------
+
+	ReplyList::~ReplyList()
+	{
+		foreach (Reply* timedReply, replies_) {
+			delete timedReply;
+		}
+	}
+
+	void ReplyList::add(QNetworkReply* reply, int timeOut)
+	{
+		if (reply && ignoreSslErrors()) {
+			reply->ignoreSslErrors();
+		}
+		add(new Reply(reply, timeOut));
+	}
+
+	void ReplyList::add(Reply* reply)
+	{
+		replies_.append(reply);
+	}
+
+	void ReplyList::remove(QNetworkReply* reply)
+	{
+		Reply* o2Reply = find(reply);
+		if (o2Reply) {
+			o2Reply->stop();
+			(void)replies_.removeOne(o2Reply);
+		}
+	}
+
+	Reply* ReplyList::find(QNetworkReply* reply)
+	{
+		foreach (Reply* timedReply, replies_) {
+			if (timedReply->reply == reply) {
+				return timedReply;
+			}
+		}
+		return 0;
+	}
+
+	bool ReplyList::ignoreSslErrors()
+	{
+		return ignoreSslErrors_;
+	}
+
+	void ReplyList::setIgnoreSslErrors(bool ignoreSslErrors)
+	{
+		ignoreSslErrors_ = ignoreSslErrors;
+	}
+
+} // namespace Katabasis