diff --git a/app.js b/app.js
index ef18f51..e94efa4 100644
--- a/app.js
+++ b/app.js
@@ -44,14 +44,6 @@ if (config.mini_assets) {
 var urlinfo = require('url').parse(config.host);
 config.hostname = urlinfo.hostname || config.host;
 
-config.upload_dir = config.upload_dir || path.join(__dirname, 'public', 'user_data', 'images');
-// ensure upload dir exists
-ndir.mkdir(config.upload_dir, function (err) {
-  if (err) {
-    throw err;
-  }
-});
-
 var app = express();
 
 // configuration in all env
@@ -77,30 +69,15 @@ app.use(passport.initialize());
 // custom middleware
 app.use(require('./controllers/sign').auth_user);
 app.use(auth.blockUser());
-app.use('/upload/', express.static(config.upload_dir, { maxAge: maxAge }));
-
-// old image url: http://host/user_data/images/xxxx
-app.use('/user_data/', express.static(path.join(__dirname, 'public', 'user_data'), { maxAge: maxAge }));
 
 app.use(Loader.less(__dirname));
-if (config.debug) {
-  app.use('/public', express.static(staticDir));
-  app.use(errorHandler({ dumpExceptions: true, showStack: true }));
-} else {
-  app.use(function (req, res, next) {
-    var csrf = csurf();
-    // ignore upload image
-    if (req.body && req.body.user_action === 'upload_image') {
-      return next();
-    }
-    csrf(req, res, next);
-  });
-  app.use('/public', express.static(staticDir, { maxAge: maxAge }));
-  app.use(errorHandler());
+app.use('/public', express.static(staticDir));
+app.use(errorHandler({ dumpExceptions: true, showStack: true }));
+if (!config.debug) {
+  app.use(csurf());
   app.set('view cache', true);
 }
 
-
 // set static, dynamic helpers
 _.extend(app.locals, {
   config: config,
@@ -109,21 +86,11 @@ _.extend(app.locals, {
 });
 
 _.extend(app.locals, require('./common/render_helpers'));
-
-app.use(function(req, res, next) {
-  res.locals.csrf = req.session ? req.session._csrf : '';
+app.use(function (req, res, next) {
+  res.locals.csrf = req.csrfToken ? req.csrfToken() : '';
   next();
 });
 
-if (process.env.NODE_ENV !== 'test') {
-  // plugins
-  var plugins = config.plugins || [];
-  for (var i = 0, l = plugins.length; i < l; i++) {
-    var p = plugins[i];
-    app.use(require('./plugins/' + p.name)(p.options));
-  }
-}
-
 // github oauth
 passport.serializeUser(function (user, done) {
   done(null, user);
@@ -136,12 +103,11 @@ passport.use(new GitHubStrategy(config.GITHUB_OAUTH, githubStrategyMiddleware));
 // routes
 routes(app);
 
-if (process.env.NODE_ENV !== 'test') {
-  app.listen(config.port);
-
+app.listen(config.port, function () {
   console.log("NodeClub listening on port %d in %s mode", config.port, app.settings.env);
   console.log("God bless love....");
   console.log("You can debug your app with http://" + config.hostname + ':' + config.port);
-}
+});
+
 
 module.exports = app;