I'm setting up a Mercurial server on my small shared hosting account with Bluehost. I do have SSH access but do not need the Apache config. Essentially, the Mercurial server runs off a single CGI script, in my case domain.com/repos/hg.cgi (for access to all databases on the server). I've protected the "repos" directory using a .htaccess file and an auth file.

However, the way Mercurial works, the repository "stack", for instance, is used like this: domain.com/repos/hg.cgi/stack

This poses an issue, since authentication happens at the repos directory, and any customers that get access to that now get access to all of the databases.

Is there a way to safeguard the individual databases using only a .htaccess file?

In each repository's .hg/hgrc file, list the customers that may and may not get access:

[web]
allow_read = you,yourfriend
allow_push = you
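
To check what those per-repository lists actually grant, the following is an added example (not code from the original post or from Mercurial) that walks a repos directory, reads each .hg/hgrc and reports who can read and push. It assumes plain hgrc files without %include, reads the options from the [web] section where hgweb looks for them, and follows hgweb's documented rules: an empty allow_read lets every authenticated user read, an empty allow_push lets nobody push, and deny lists win. The function names and the sample tree are constructed for illustration.

```python
import configparser
import tempfile
from pathlib import Path

def parse_users(value):
    """Split an hgrc user list (comma or whitespace separated) into a set."""
    return set((value or "").replace(",", " ").split())

def load_web_acl(hgrc_path):
    """Read the [web] access lists from one repository's .hg/hgrc."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(hgrc_path)  # a missing file simply yields empty lists
    web = cp["web"] if cp.has_section("web") else {}
    return {k: parse_users(web.get(k))
            for k in ("allow_read", "deny_read", "allow_push", "deny_push")}

def can_read(acl, user):
    """deny_read wins; an empty allow_read means every authenticated user may read."""
    denied = {"*", user} & acl["deny_read"]
    return not denied and (not acl["allow_read"] or bool({"*", user} & acl["allow_read"]))

def can_push(acl, user):
    """Push needs read access; deny_push wins; an empty allow_push means nobody."""
    denied = {"*", user} & acl["deny_push"]
    return can_read(acl, user) and not denied and bool({"*", user} & acl["allow_push"])

def audit(repos_root, users):
    """Map repo name -> unrestricted-read flag and (read, push) per user."""
    report = {}
    for hg_dir in sorted(Path(repos_root).glob("*/.hg")):
        acl = load_web_acl(hg_dir / "hgrc")
        report[hg_dir.parent.name] = {
            "open_read": not acl["allow_read"] and not acl["deny_read"],
            "access": {u: (can_read(acl, u), can_push(acl, u)) for u in users},
        }
    return report

def build_sample(root):
    """Constructed sample: 'stack' restricted as in the answer, 'other' has no ACL."""
    for name, body in (("stack", "[web]\nallow_read = you,yourfriend\nallow_push = you\n"),
                       ("other", "[ui]\nusername = nobody\n")):
        hg = Path(root) / name / ".hg"
        hg.mkdir(parents=True)
        (hg / "hgrc").write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp, ["you", "yourfriend", "stranger"]))
```

Any repository reported with open_read set to True is readable by everyone who passes the .htaccess login on the repos directory.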

If you only want localhost to be able to access it, use:

<File "/path/to/repos/hg.cgi/stack">
order deny,allow
deny from all
allow from

On a shared hosting system where you have SSH access, if you're interested, you can share databases over shared SSH using hg-gateway. This way you do not have to type or save HTTPS passwords.