Skip to content

how to use simple HTTP auth with hg serve

2 settembre 2009
Logo Mercurial

Last night Kiwi and I were exploring Mercurial for our über-secret-project.
Mercurial is, like GIT, a distributed revision control system (if you want to deeply understand the differences between those two systems take a look to

After some tinkering with the great hg command, we discovered how to collaborate with other people using the informal sharing (thanks to hg serve).

With the informal sharing we both expose our repos in a read-only mode so we can hg clone or hg pull changes. No hg push is permitted (it is read-only!).

Note that:

Because it provides unauthenticated read access to all clients, you should only use hg serve in an environment where you either don’t care, or have complete control over, who can access your network and pull data from your repository.

hg serve hasn’t anything for access control… but we need it ‘cause our project is an über-secret-project. Of course we can use Mercurial with ssh, but hg serve is so cool :D

And here is the second part aka the beauty of WSGI specification.

Mercurial is written in python, the hg serve is also a python program and the hgweb (the mercurial web-app module) exposes a very toasty class: mercurial.hgweb.hgweb_mod.hgweb [kudos to tomfmason]

An hgweb object is a WSGI application so you can use it with any middleware you like. For a basic HTTP auth I used authkit (you can find a simple example in the pylonshq wiki, if you run the example please note that the protected area is under the http://localhost:8080/private path).

After a lot of swearing^H^H^H^Hting (I never used WSGI before) this is the result:

from paste import httpserver
from mercurial.hgweb.hgweb_mod import hgweb

from authkit.authenticate import middleware
from authkit.permissions import RemoteUser
from authkit.authorize import authorize_request

PATH_TO_REPO = '/home/vrde/work/secret-project'
TITLE = 'secret project repo'

hgapp = hgweb(PATH_TO_REPO, TITLE)
def simple_app(environ, start_response):
    authorize_request(environ, RemoteUser())
    response = hgapp(environ,start_response)
    return response

def valid(environ, username, password):
    return username == 'kiwi' and password == 'antani'

app = middleware(
    basic_realm='Secret Project Realm',

httpserver.serve(app, host='', port='8000')

If you want to try the snippet you need paste and authkit frameworks.

The code wraps the Mercurial server and asks for user and password, if the auth is successful the client can clone, pull or visit the web interface of the repo.

TODO: patch the hg serve source and add a parameter for the simple HTTP auth.


From → computer, English

One Comment
  1. I like the helpful information you provide in your articles.
    I will bookmark your weblog and check again here regularly.
    I am quite sure I will learn a lot of new stuff right here!
    Best of luck for the next!


Inserisci i tuoi dati qui sotto o clicca su un'icona per effettuare l'accesso:


Stai commentando usando il tuo account Chiudi sessione /  Modifica )

Google+ photo

Stai commentando usando il tuo account Google+. Chiudi sessione /  Modifica )

Foto Twitter

Stai commentando usando il tuo account Twitter. Chiudi sessione /  Modifica )

Foto di Facebook

Stai commentando usando il tuo account Facebook. Chiudi sessione /  Modifica )


Connessione a %s...

%d blogger hanno fatto clic su Mi Piace per questo: