Request password to decrypt PII before regenerating personal key

app/controllers/accounts/personal_keys_controller.rb

@@ -4,6 +4,7 @@ class PersonalKeysController < ReauthnRequiredController
     include PersonalKeyConcern
 
     before_action :confirm_two_factor_authenticated
+    before_action :prompt_for_password_if_pii_locked
 
     def new
       analytics.profile_personal_key_visit
@@ -20,6 +21,18 @@ def create
       redirect_to manage_personal_key_url
     end
 
+    private
+
+    def prompt_for_password_if_pii_locked
+      return unless pii_locked?
+      redirect_to capture_password_url
+    end
+
+    def pii_locked?
+      UserDecorator.new(current_user).identity_verified? &&
+        !Pii::Cacher.new(current_user, user_session).exists_in_session?
+    end
+
     # @return [FormResponse]
     def send_new_personal_key_notifications
       emails = current_user.confirmed_email_addresses.map do |email_address|

spec/controllers/accounts/personal_keys_controller_spec.rb

@@ -6,6 +6,7 @@
       expect(subject).to have_actions(
         :before,
         :confirm_recently_authenticated,
+        :prompt_for_password_if_pii_locked,
       )
     end
   end
@@ -60,5 +61,22 @@
       expect(response).to redirect_to new_user_session_url
       expect(flash[:error]).to eq t('errors.general')
     end
+
+    it 'prompts for password if PII is not present' do
+      user = create(:user, :signed_up, :with_piv_or_cac)
+      create(:profile, :active, :verified, user: user)
+      stub_sign_in(user)
+
+      post :create
+
+      expect(response).to redirect_to capture_password_url
+
+      subject.user_session[:decrypted_pii] = { verified_at: Time.zone.now }.to_json
+
+      post :create
+
+      expect(response).to redirect_to manage_personal_key_path
+      expect(flash[:info]).to eq(t('account.personal_key.old_key_will_not_work'))
+    end
   end
 end