I'd like to host a password-protected gallery on a non-httpd server (a cheap public-facing object-bucket storage, OpenStack swift).

No .htaccess here but there is a good old alternative: Javascript checksums

The index.html providing a password form, whose value is checksum'ed/hashed so that we if the password is correct, we're get redirected to the random path (derived from the password, where the files are stored).

Could be md5 or a simpler checksum heuristic like this sample pseudo-code:

onSubmit() {
  let password = document.getElementById("passwd").value;
  if (md5("<salt>" + password) == "0xdeadbeef" )) {
     window.location = base64enc(password);
  } else {
     alert("failed");
  }
}

(I guess an heuristic possibly exists so that the hidden path could be preserved even if the password is changed afterwards, in order to avoid file moves/reuploads, for example by replacing base64enc(password) by aes_decrypt(password, <aes-encrypt-path>);

Though not exactly the same thing, the encrypt plugin may be worth taking a look. http://sigal.saimon.org/en/latest/plugins.html#module-sigal.plugins.encrypt

I second this. This is an elegant way to implement this stuff. Of course, if someone shares a link to such a secret image then it will be publicly viewable.

An even simpler way of implementing this is:

onSubmit() {
  let password = document.getElementById("passwd").value;
     window.location = sha256("<salt>" + password) + ".html";
}

An incorrect password would give a 404.