I think it should be, because @auth means authentication, so needs authenticated user.
In your case I should do differently.
def secret():
if not request.client == '127.0.0.1' or not auth.user:
redirect(URL('default', 'user', args='login'))
return {"": "some cool stuff"}
